B2B Cold Email Deliverability: How to Stay Out of Spam in 2026

Most cold email deliverability problems are not copy problems — they are infrastructure problems that no amount of A/B testing subject lines will fix. If your authentication records are misconfigured, your domain is unwarm, or your list is dirty, your emails are hitting spam before a human ever makes a judgment call. The good news: every technical cause has a specific, fixable solution. This guide covers all of them in order.

Why do cold emails go to spam in the first place?

Cold emails land in spam for one of three reasons: technical authentication failures, behavioural signals that match spammer patterns, or poor list quality that generates high bounce and complaint rates. In 2026, Gmail and Outlook use a layered filtering system — machine learning models trained on billions of signals — that evaluates all three simultaneously.

The most important shift in the last two years is that spam placement is now largely algorithmic and domain-reputation-based, not just content-based. The old advice — avoid words like "free" and "limited time" — is still valid but secondary. A well-worded email from a damaged domain will still land in spam. A plain-text email with a healthy sender reputation will reach the inbox even if it contains promotional language.

According to Google's 2024 email sender guidelines, bulk senders who exceed a 0.3% spam rate face automatic deliverability throttling — meaning Gmail actively reduces how many of your emails reach inboxes, often without notifying you. This threshold is lower than most SDRs realise, and it can be triggered faster than you expect if your list has quality problems.

The practical implication: fix the infrastructure first, then optimise the copy. In that order, every time.

How do you set up SPF, DKIM, and DMARC for cold outreach?

SPF, DKIM, and DMARC are three DNS-level records that prove to receiving mail servers that you are who you say you are. All three must be present and correctly configured. Missing even one puts your emails at a measurable disadvantage in inbox placement.

SPF (Sender Policy Framework)

SPF tells receiving servers which IP addresses are authorised to send email on behalf of your domain. You set it by adding a TXT record to your domain's DNS. If you're sending through Google Workspace, your SPF record should include include:_spf.google.com. If you use a separate sending tool like Instantly or Smartlead, add their SPF include as well. Keep your SPF record under the 10-lookup limit — too many includes and the record fails silently.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every email you send. The receiving server uses a public key published in your DNS to verify the signature hasn't been tampered with in transit. Google Workspace and most ESPs generate the DKIM key pair for you — you just need to publish the public key as a TXT record at the specific selector they provide. Use 2048-bit keys in 2026; 1024-bit is now considered insufficient.

DMARC (Domain-based Message Authentication)

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails: nothing (p=none), send to spam (p=quarantine), or reject outright (p=reject). Start with p=none and a rua address to collect aggregate reports for 2–3 weeks before moving to a stricter policy. DMARC reports will show you exactly which sources are sending email on your behalf — including any that shouldn't be.

"Authentication alone won't guarantee inbox placement, but its absence almost guarantees you won't get there. SPF, DKIM, and DMARC are the floor, not the ceiling."

— Laura Lopuch, email deliverability consultant, writing in Mailgun's Deliverability Guide

One practical note: always send cold outreach from a subdomain or a dedicated sending domain, never from your primary company domain. If yourcompany.com gets flagged, your entire organisation's email infrastructure is at risk. Use mail.yourcompany.com or a closely related domain like getyourproduct.com instead. Set up SPF, DKIM, and DMARC on that dedicated domain separately.

How does email warmup work and how long does it take?

Email warmup is the process of gradually building sending volume and positive engagement history on a new domain or inbox, so that receiving servers learn to trust it before you scale to real prospects. A domain with zero history sending 200 emails on day one looks identical to a spammer's throwaway domain to algorithmic filters.

A proper warmup takes 4–6 weeks. The basic pattern:

• Week 1: 5–10 emails per day, sent to real inboxes that will open and reply
• Week 2: 20–30 emails per day
• Week 3–4: 40–60 emails per day
• Week 5–6: 80–100 emails per day

Manual warmup — emailing friends and colleagues — works but doesn't scale. Warmup tools like Instantly, Mailreach, or Lemwarm automate this by routing your inbox into a network of real inboxes that automatically open, reply to, and rescue your emails from spam. The engagement signals this generates build your sender reputation quickly and measurably.

The most common warmup mistake is stopping too early. Four weeks feels long when you have pipeline targets. But sending 150 cold emails per day from a 3-week-old domain will undo the warmup progress within 48 hours. Stay patient — the compounding return on a fully warmed domain is worth it.

What sending behaviour protects your sender reputation?

Your sender reputation is built incrementally and destroyed quickly. The behavioural signals Gmail and Outlook weight most heavily are: spam complaint rate, bounce rate, and engagement rate (opens and replies relative to sends). Here's how to manage each.

Send volume limits

For cold outreach, cap each inbox at 40–50 emails per day after warmup is complete. If you need higher volume, add more inboxes on separate warmed domains — don't push a single inbox beyond its limit. Most sending tools let you rotate across multiple inboxes automatically.

Bounce rate

Keep hard bounces below 2%. Above that threshold, you're signalling to receiving servers that your list is low-quality. Hard bounces (invalid addresses) are permanent — a single high-bounce send can set your reputation back weeks. Verify every list before importing it into your sending tool.

Spam complaint rate

Gmail's published tolerance is 0.3% — meaning 3 complaints per 1,000 emails sent. In practice, aim to stay below 0.1%. One way to reduce complaints is to include a simple one-click unsubscribe link in every email. As of February 2024, Google requires this for bulk senders. It feels counterintuitive for cold outreach, but a prospect clicking unsubscribe is infinitely better for your domain than one clicking "Report Spam."

Send timing and cadence

Spread sends throughout the business day rather than blasting at 9am. A natural sending pattern — a few emails per hour between 8am and 5pm — looks like a human, not a bot. Most sending tools have "send window" settings for exactly this purpose. Use them.

How does list quality affect cold email deliverability?

List quality is the most underestimated deliverability variable. A technically perfect sending setup with a dirty list will still fail — every bounce chips your reputation, and every complaint accelerates the damage.

The problem with most purchased or scraped prospect lists is that they contain a significant proportion of invalid, catch-all, or role-based addresses. According to ZeroBounce's email decay research, B2B email lists decay at approximately 22.5% per year — meaning a list you built 12 months ago has roughly one in five invalid addresses. Sending to those addresses generates bounces you could have avoided.

The fix is a two-step verification process before every send:

1. Bulk list verification: Run your list through a tool like ZeroBounce, NeverBounce, or Bouncer before importing it. Remove hard bounces, spam traps, and catch-all addresses flagged as high-risk.
2. Real-time verification at import: Most sending platforms now support real-time verification at the point of upload. Enable it — it catches addresses that have gone invalid since your last bulk clean.

This is where the quality of your prospecting source matters directly to your deliverability. If you're building lists from job postings and verified company data — for example, using a tool like Stealery to find companies actively using a competitor, then enriching those accounts with verified contacts — you start with higher-quality data than a generic scraped list, which reduces bounce risk before verification even begins.

What email copy patterns trigger spam filters in 2026?

Content-based spam filtering is less dominant than it was five years ago, but it still matters — especially when your sender reputation is in a neutral range where algorithmic decisions are less clear-cut. These are the copy patterns that consistently cause problems.

Spam-trigger words and phrases

Words like "guaranteed," "no risk," "act now," "limited time offer," and "100% free" trained spam filters for two decades and still carry negative weight. The broader rule: if the phrase could appear in a promotional email or a scam, avoid it. This doesn't mean sterile copy — it means writing like a human talking to another human, not a marketer talking at a customer.

Link-heavy emails

Cold emails with 3+ links in the body score poorly with spam filters. Limit outbound links to one — ideally your calendar link or a case study. If you need to reference multiple resources, put them in a follow-up after you get a reply.

Image-only or HTML-heavy emails

Spam filters are suspicious of emails where the text-to-image ratio is low, because bulk spammers historically hid content in images to evade keyword filters. For cold outreach, plain text or minimal HTML consistently outperforms designed email templates — both for deliverability and reply rate. Remove your company banner. Remove the formatted footer with your logo. Write like you're sending from Gmail, not Mailchimp.

Unsubscribe link absence

Since Google's February 2024 sender requirements update, missing one-click unsubscribe links in commercial email is a direct deliverability risk for senders at volume. Include it. Make it visible. The marginal increase in unsubscribes is worth the deliverability protection.

How do you monitor and recover a damaged sender reputation?

Reputation problems are much easier to fix early than late. The tools below let you see exactly where you stand and catch degradation before it compounds.

Google Postmaster Tools

This is the most important monitoring tool for any team sending to Gmail addresses — which covers most of your B2B prospects. It shows your domain reputation (High / Medium / Low / Bad), spam rate, and authentication status. Set it up before you start sending, not after problems appear. Check it weekly. A drop from High to Medium is a warning sign; a drop to Low requires immediate action — pause sending, audit your list, investigate complaint sources.

Mail-Tester

Mail-Tester (mail-tester.com) gives you a score out of 10 by analysing a test email you send to a generated address. It checks SPF, DKIM, DMARC, blacklist status, content, and HTML structure simultaneously. Run it after any infrastructure change and before any new sending sequence launches.

MXToolbox Blacklist Check

Checks whether your sending IP or domain appears on any of the major spam blacklists (Spamhaus, Barracuda, SORBS, etc.). A blacklist listing will stop deliverability across entire ISPs. Check monthly; if you appear on one, follow the specific delisting process for that registry — most have a manual request form and a 24–72 hour resolution window.

Recovering from a damaged reputation

If your reputation has already dropped: stop sending immediately, verify and clean your list, fix any authentication misconfiguration, and restart warmup from a lower daily volume. Recovery typically takes 2–4 weeks of clean sending behaviour. There is no shortcut. Continuing to send at volume from a damaged domain accelerates the damage and can result in permanent blacklisting.