Lead Generation

Deliverability for Founders: Why Cold Email Lands in Spam

Your cold email isn't getting ignored. Most of the time it's never being seen. While you rewrite the subject line for the fourth time and A/B test two calls-to-action, a mailbox provider has already made the only decision that matters, it quietly routed your message to spam before a human had the chance to ignore it. Better copy can't rescue a cold email that never reaches the inbox: authentication (SPF, DKIM, DMARC), a warmed-up dedicated domain, and a spam-complaint rate under 0.10% decide whether your prospect ever sees the message at all. So the real question isn't "how do I write a better cold email." The real question is: did the email reach a human at all? Because better copy can't fix a deliverability problem. It just means more people don't see better copy. Since February 2024, Google and Yahoo stopped treating email authentication as a "best practice" and turned it into the price of admission. Most founders never got the memo. This piece is the memo, and the checklist underneath it.

Joshua Agonya Pi'Rwot

By Joshua Agonya Pi'Rwot

Founder, Business Growth Accelerator

Executive summary

Since Feb 2024, Gmail and Yahoo made SPF, DKIM, and DMARC the price of admission. The Authenticate, Warm, Behave checklist that gets cold email into the inbox.

Section 1

Key takeaways

• The gate decides before the copy does. Roughly one in six emails never reaches the inbox, and cold mail from an unauthenticated, un-warmed domain performs far worse than the 84% average, so deliverability, not wording, is the first thing to fix. • Authentication is now mandatory, not optional. Since February 1, 2024, Gmail and Yahoo require SPF, DKIM, and DMARC; a one-time DNS setup with DMARC at p=none satisfies the rule, with no recurring cost. • Reputation is earned by warmup. A brand-new sending domain needs 2–4 weeks of warmup, starting at no more than 5 emails a day to engaged contacts, volume spikes from a cold domain read as spam. • Behavior keeps the score. Keep your spam-complaint rate below 0.10% and never near 0.30%, include one-click unsubscribe, and honor opt-outs within two days. • The sequence is the system. Run Authenticate, then Warm, then Behave, in order, because skipping a step just moves the failure to a stage that's harder to diagnose.

Section 2

What actually happens between "send" and "spam"

Picture a consulting firm that does, say, $1.2M a year placing fractional CFOs. The founder buys a list of 1,500 finance directors, writes a genuinely good three-touch sequence, loads it into a sending tool, and hits go. Two weeks later: four replies, two of them angry, zero meetings. The founder's conclusion is "cold email doesn't work in our space." That conclusion is wrong, and expensively so. Here's what likely happened. The sequence sent from a domain with no authentication records and no sending history, at a volume that looked, to Gmail's filters, exactly like a spammer's first run. Most of those emails were filed in spam or quietly dropped. The handful of replies came from the small fraction that slipped through. The angry ones marked the message as spam, which made the next batch land even worse. The founder optimized the message. The problem was the machinery carrying it. This is the same mistake that makes founders agonize over whether the channel itself is the problem when the real failure is upstream of the channel entirely. Mailbox providers run two systems in sequence. First, an authentication check: can they verify the message actually came from who it claims to come from? Second, a reputation and behavior check: does this sender have a track record of sending mail people want? Fail the first and you may be rejected outright. Fail the second and you're filtered to spam, which is functionally the same as not sending at all. The stakes here are not marginal. Roughly one in six emails never reaches the inbox, the global average inbox placement sits around 84%, which means that missing one-in-six is legitimate mail lost to spam folders or vanishing entirely . That's the average across all senders, including well-run ones. Cold outreach from an unauthenticated, un-warmed domain performs far worse than average. And the gatekeeping is tightening, not loosening. Even Gmail's own inbox placement slid from 89.8% in early 2024 to 87.2% by the fourth quarter of 2024 . When the biggest provider on earth is letting less mail through year over year, "it'll probably get there" is not a strategy. The job is not to write your way past the filter. The job is to stop tripping it in the first place.

Section 3

Authentication is now the cover charge, not the upsell

Here's the line in the sand most founders missed. Starting February 1, 2024, email senders who send more than 5,000 messages per day to Gmail accounts must authenticate with SPF, DKIM, and DMARC . That threshold is the official bulk-sender definition, and Yahoo adopted the same rules in lockstep . Quick translation, because these three acronyms are where most founders' eyes glaze over and the deliverability dies: • SPF (Sender Policy Framework) is a DNS record that lists which servers are allowed to send email for your domain. It answers: "is this server permitted to send as us?" • DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to each message, proving it wasn't forged or tampered with in transit. It answers: "is this message genuinely from us, unaltered?" • DMARC (Domain-based Message Authentication, Reporting and Conformance) ties the two together and tells providers what to do if a message fails the checks. It answers: "and if something claims to be us but fails, what should you do about it?" You do not need to understand the cryptography. You need all three records to exist and pass. A DMARC policy set to p=none, the least aggressive setting, which only monitors rather than blocks, is enough to satisfy the requirement . This is a one-time DNS setup, usually well under an hour with your email provider's documentation, or a quick task handed to whoever manages your domain. There is no recurring cost and no ongoing maintenance once the records are live and verified. Two details founders skip and shouldn't. First, the 5,000/day threshold is a floor for mandatory enforcement, not a safe zone below it. Sending 200 cold emails a day from an unauthenticated domain isn't compliant just because you're under the bulk line, it's just invisible enough that no one warned you before the filtering started. And as of late 2025, enforcement escalated further: non-compliant mail now faces temporary or permanent rejection rather than a quiet pass . Second, authentication proves identity, not welcomeness. It gets you to the gate. It does not get you through it. Plenty of fully authenticated domains still land in spam every day, because authentication is the prerequisite, not the prize.

Section 4

Reputation is a credit score your domain is building whether you watch it or not

Once you've proven who you are, the provider asks the harder question: has this domain earned any trust? This is where the fractional-CFO firm's campaign actually died. A brand-new sending domain starts at zero reputation. It has no history, so providers treat it with suspicion by default. The fix is warmup, gradually ramping send volume so the domain builds a track record of mail that gets opened, read, and replied to. A brand-new domain needs 2–4 weeks of warmup minimum, starting at no more than 5 emails a day to engaged contacts . Established domains with existing history need less, but a fresh domain bought specifically for outreach is the riskiest possible starting point, it has no history at all to borrow against. Read that against the consulting firm's launch: 1,500 emails in a two-week window from a domain that had sent essentially nothing before. To a filter, that pattern is indistinguishable from a spammer who just registered a domain and started blasting. The volume spike itself is the signal. It doesn't matter that the CFOs were a relevant audience or that the copy was good. The behavior read as "spammer," and the domain's reputation was set accordingly, fast, and slow to reverse. Two patterns torch domain reputation, and they look like opposites: 1. Volume spikes. Going from near-zero to hundreds or thousands of sends overnight. Filters read sudden volume from a cold domain as an attack. 2. Dead silence followed by a blast. A domain that sends nothing for months, then erupts, looks like a dormant account that got compromised. The discipline that prevents both is the same: ramp slowly, send consistently, and keep volume proportional to your domain's track record. A useful rule of thumb for a non-technical founder, if you bought the domain in the last month, you have no business sending more than a trickle from it, no matter how good the list is. The list will still be there in three weeks. The domain's reputation, once burned, often won't recover on the same timeline. Yahoo says the quiet part directly. Its stated filtering mission is the whole game: providers actively sort wanted mail from unwanted mail, and your sending reputation is what decides which pile you land in. In Yahoo's own words, "A key mission of Yahoo is to deliver messages that consumers want to receive and filter out the messages they don't" . Your authentication proves you're real. Your reputation decides whether "real" means "welcome."

Section 5

Behavior: the two fastest ways to torch everything

Reputation isn't static, it's a running tally of how humans react to your mail. Two behavioral signals matter more than the rest, and both have hard numbers attached. The first is the spam-complaint rate. Google tells senders to keep their Postmaster Tools spam rate below 0.10% and to never reach 0.30% or higher . Postmaster Tools is Google's free dashboard showing how Gmail sees your sending, you should set it up the same day you set up authentication. Sit with what 0.30% means in practice: it is a vanishingly thin tolerance, and crossing it too often collapses your domain reputation. For a founder sending 300 cold emails, a single angry "mark as spam" can push that batch past the line. This is precisely why list quality and relevance aren't soft virtues, they're the difference between a campaign and a domain funeral. The second signal is the unsubscribe experience. Gmail and Yahoo now require one-click unsubscribe functionality, and senders must follow through with those unsubscribe requests within two days . Ignoring opt-outs used to be merely rude. Now it's a deliverability liability. When someone wants out and the easy exit isn't there, they don't shrug, they hit the spam button, which feeds directly into the complaint rate that's already trying to kill you. There's a strategic point hiding in here that most cold-email advice misses. The single best protection against spam complaints is not sending to people who don't want to hear from you in the first place. Tighter targeting lowers complaints, raises replies, and builds reputation, all at once. The founders who "scale" by buying bigger, colder lists are accelerating in the wrong direction. Every name you add that has no reason to care about you is a small bet against your own deliverability. The same relevance discipline that protects your domain also earns the opening read, which is why the first line of a cold email and genuine personalization that survives at volume are deliverability tools, not just copywriting ones.

Section 6

The BGA framework: the Inbox Tollgate

Every cold email passes three gates before your prospect decides anything. Founders pour nearly all of their effort into the message and almost none into the gates, which is exactly backwards. Fix the tollgate first. The message only matters once it arrives. We call the operating routine Authenticate, Warm, Behave. 1. Authenticate, set the records once. Publish SPF, DKIM, and DMARC for your sending domain. DMARC at p=none satisfies the requirement ; you can tighten it later. Metric: all three checks pass on a test send before you send anything real. Turn on Google Postmaster Tools the same day so you can watch your spam rate. Rule of thumb: if you can't confirm all three pass, you are not allowed to start a campaign, full stop. 2. Warm, earn the reputation before you spend it. Use a dedicated outreach domain, never your primary company domain, so a bad campaign can't poison your client and invoice email. Warm any new domain for 2–4 weeks minimum, starting at no more than 5 emails a day to engaged contacts . Metric: ramp volume gradually, small, steady increases week over week, never big jumps, and don't touch real cold volume until the domain has its 2–4 weeks of clean history. Rule of thumb: if the domain is younger than a month, it sends a trickle, no exceptions. 3. Behave, send like a human, not a machine. Keep your spam-complaint rate below 0.10% and never near 0.30% by sending only to relevant, well-targeted prospects. Include one-click unsubscribe and honor every opt-out within two days . Cap daily volume well under the 5,000/day bulk line, most founders should be sending dozens, not thousands. Metric: watch reply rate as your north star, not open rate; a healthy targeted cold sequence earns replies, and replies are the strongest positive reputation signal there is. Rule of thumb: if a list segment is generating complaints or total silence, cut it before it cuts your domain. Run them in order. Authentication without warmup still lands in spam. Warmup without good behavior burns the reputation you just built. The sequence is the system, and skipping a step doesn't speed it up, it just moves the failure to a stage where it's harder to diagnose. Once the tollgate is clear and your mail actually arrives, the rest of the cold-outreach game comes back into play: getting the single, unambiguous ask right, and running a disciplined multi-touch follow-up without re-tripping the very filters you just cleared. The detailed playbook for each gate lives in the LeadOS playbook, and the deliverability checklist is included in the free template pack.

Section 7

You're running Authenticate, Warm, Behave right when…

You can answer four questions without flinching. One: do SPF, DKIM, and DMARC all pass on your sending domain right now, and is it a separate domain from the one you bill clients on? Two: is every new domain warmed for at least 2–4 weeks before it touches a real prospect, starting at no more than five sends a day? Three: is your Postmaster Tools spam rate sitting below 0.10%, nowhere near 0.30%, because your targeting is tight enough that almost nobody wants to flag you? Four: does every email carry a one-click unsubscribe that you honor inside two days? If all four are yes, your message finally gets to do its job, because it's actually arriving. If any is no, that's not a copywriting problem to solve next week. That's the reason your last campaign failed, and it's the thing to fix before you send another email.

FAQ

Direct answers for operators.

Do the Gmail and Yahoo rules apply to me if I send fewer than 5,000 emails a day?

The 5,000/day threshold is the floor for mandatory enforcement, not a safe zone beneath it. Sending 200 cold emails a day from an unauthenticated domain isn't compliant just because you're under the bulk line, it's simply invisible enough that no one warned you before the filtering started. As of late 2025, non-compliant mail now faces temporary or permanent rejection rather than a quiet pass.

If I set up SPF, DKIM, and DMARC, will my cold email reach the inbox?

Not by itself. Authentication proves identity, not welcomeness, it gets you to the gate, it doesn't get you through it. Plenty of fully authenticated domains still land in spam every day, because authentication is the prerequisite, not the prize. You also need a warmed domain and clean sending behavior.

How long do I need to warm up a new sending domain?

A brand-new domain needs 2–4 weeks of warmup minimum, starting at no more than 5 emails a day to engaged contacts, ramping volume gradually. A fresh domain bought specifically for outreach is the riskiest possible starting point because it has no history to borrow against, so if you bought the domain in the last month, it sends a trickle, no exceptions.

What spam-complaint rate is safe?

Google tells senders to keep their Postmaster Tools spam rate below 0.10% and to never reach 0.30% or higher. That tolerance is vanishingly thin, for a founder sending 300 cold emails, a single angry "mark as spam" can push a batch past the line. The best protection is tight targeting: not sending to people who have no reason to care about you in the first place.

Joshua Agonya Pi'Rwot

Written by

Joshua Agonya Pi'Rwot

Founder, Business Growth Accelerator · Country Director, AVODA Group Uganda · EMBA

Joshua helps service-business operators turn scattered marketing into a clear path from first attention to booked call. He is Founder of Business Growth Accelerator and Country Director of AVODA Group Uganda.