23 years from Stockholm
Operator notes · From the Stockholm desk

Cold email infrastructure without avoidable deliverability mistakes

Cold Email Infrastructure Dedicated Email Servers Managed Deliverability

Most cold email programs fail for reasons that were decided before the first campaign ever shipped. The sender used the wrong domain. The sending infrastructure shared reputation with transactional mail. The authentication posture was incomplete. The warmup was skipped because a tool said it was optional. Each of those decisions has a fix, and almost all of them are cheaper to make up front than to repair afterward.

Key takeaways

  • The February 2024 Gmail and Yahoo bulk-sender rules turned SPF, DKIM, and DMARC into deliverability gates, not best practices. Cold senders who ignored them saw placement drop sharply through the year.
  • Never send cold traffic from your primary corporate domain. A dedicated sending domain protects the reputation your customers, billing, and transactional mail depend on.
  • Stream separation — transactional on one IP pool, cold outbound on another, marketing on a third — is the single most durable reputation protection a multi-stream sender can deploy.
  • Warmup is six to eight weeks, not ten days. Starting real campaigns on day fourteen is the most common way to burn a new domain.
  • List hygiene before warmup matters more than the warmup tool. A 12% bounce rate on day one ends the program before it starts.

Why most cold programs fail before the first send

There is a recurring story in outbound. A company stands up a sales team, subscribes to an outreach platform, imports a list, writes a sequence and pushes send. Two weeks later, replies have dried up, the bounce rate is double digits, and nobody can explain why. Someone blames the copy. Someone blames the list. Almost nobody looks at the infrastructure, because the infrastructure did not exist — and that is the point.

Cold email is an infrastructure problem wearing a copywriting costume. The sequence matters, the targeting matters, the offer matters, and all of that is real work. But if the domain is wrong, the authentication is incomplete, the IP pool is contaminated, or the sending pattern looks suspicious to Gmail's filtering layer, none of the craft on top of that foundation can be seen. The message is filtered before a human ever sees it.

What changed this year is that the floor of acceptable infrastructure moved up. Practices that used to be "recommended" are now "enforced." Gmail, Yahoo and — as of late 2024 — Apple require authentication and complaint thresholds that a lot of cold programs were treating as optional through 2023. Programs that adapted early are seeing noticeably better placement. Programs that did not are seeing the opposite.

Cold email is not fundamentally about copy. It is about whether your infrastructure looks trustworthy to filtering systems that have gotten faster, stricter and less forgiving over the last twelve months. — Outbound Deliverability Team, Authorize Hosting

This article walks the setup end-to-end. The goal is not a checklist to skim; it is the full operational picture — domains, authentication, infrastructure separation, warmup, list hygiene, content, monitoring — in the order a competent team would tackle them. Every section is written assuming you are building for the rules that apply today, not the ones that applied eighteen months ago.

The 2024 rule shift and what it actually changed

On February 1, 2024, Gmail and Yahoo activated a new baseline for any sender pushing more than 5,000 messages a day to their users. The changes are worth stating precisely, because loose reporting has made the requirements sound either scarier or easier than they actually are.

Gmail and Yahoo 2024 bulk-sender requirements (applicable to 5,000+ messages/day)
RequirementDetailEnforcement status as of Oct 2024
SPF authenticationTXT record listing authorized sending sources for the From domainLive, enforced
DKIM authenticationCryptographic signature with d= matching the From domainLive, enforced
DMARC policyPublished record, minimum p=none with rua reportingLive, enforced
DMARC alignmentSPF or DKIM aligned with the From domainLive, enforced
Spam complaint rateBelow 0.3% sustained; Gmail target is under 0.1%Live, filtering
One-click unsubscribeList-Unsubscribe-Post header + RFC 8058Required since June 2024
Valid forward/reverse DNSPTR record matching the HELO hostnameLive, enforced
TLS for transportSTARTTLS for every outbound connectionLive, enforced
Microsoft parityEquivalent rules for Outlook.com, Hotmail, LiveAnnounced for mid-2025

Two practical observations stand out. First, the 5,000-message threshold is per domain, per day, measured across all recipients at the enforcing provider. Cold programs commonly cross that line in a single morning send, which means the rules apply even to teams who think of themselves as "small."

Second, Gmail flagged early in 2024 that once a domain has ever crossed the 5,000-per-day threshold to Gmail recipients, it is treated as a bulk sender going forward — even on days when the volume drops. There is no official route off the bulk-sender list once you have been on it. That asymmetry is why some teams who reduced volume after February still saw filtering changes in subsequent months.

Cold outbound is a bulk workload Any cold program sending 5,000 or more messages a day to Gmail recipients is, by Google's definition, a bulk sender. All of the 2024 requirements apply — including the authentication baseline that many cold teams still treat as marketing-only. The enforcement does not distinguish between "marketing" and "cold outreach." They look the same from the filter's point of view.

Domain architecture that protects the main brand

The first rule of cold email infrastructure is older than this year's requirement shift, and it has only become more important: cold outbound never sends from the primary corporate domain. If your company is acme.com, the domain that signs customer contracts, the domain that ships product emails, and the domain your support team replies from, that domain is not where cold messages originate. It is the asset you are protecting.

The pattern that works at scale is a small rotation of secondary domains purchased specifically for outbound use. Common naming conventions include tryacme.com, getacme.com, acme-outreach.com, or variants that preserve brand recognition without risking the primary domain's reputation. A mature program runs three to six of these in parallel, with fresh domains coming into rotation every few months as older ones accumulate sending history and occasional reputation hits.

Why subdomain-only does not go far enough

A question that comes up often: can you just send from outreach.acme.com instead of registering tryacme.com? Technically, yes. Operationally, it is a weaker pattern.

  1. Shared root reputation. Inbox providers evaluate reputation at both the subdomain and root-domain level. A burned subdomain partially drags the root, even if the filtering models are sophisticated enough to distinguish them.
  2. DMARC policy inheritance. Subdomains inherit the DMARC policy of the root unless overridden. Cold traffic tends to need a looser alignment posture than transactional mail. Managing that on a single root gets complicated quickly.
  3. Visual brand exposure. Recipients see the full From address. A cold pitch from outreach.acme.com ties your brand directly to outbound patterns you probably do not want your customers associating with the main domain.
  4. Disposability. If a dedicated outbound domain burns, you retire it. If a subdomain of your main domain burns, the cleanup is more intrusive.

A realistic domain portfolio for a serious outbound program

Example domain portfolio for a B2B outbound team sending ~2M cold messages/month
TierPurposeCountTypical daily volume per domain
Tier 1 — ActiveRunning campaigns to cold prospects4–6 domains200–400 messages
Tier 2 — WarmingBuilding reputation, about to enter rotation2 domains20–100 messages
Tier 3 — CoolingRetired from active sending, used only for reply handling2–4 domains0 outbound; inbound only
Tier 4 — ReserveRegistered but not yet configured; held for future rotation4+ domains0

The rotation cadence matters. A Tier 1 domain that has been actively sending for six months begins to show small reputation degradation even under perfect practice — list fatigue, unavoidable bounces, occasional complaints. Moving that domain to Tier 3 and bringing a warmed Tier 2 domain into Tier 1 keeps the active pool's reputation younger and cleaner.

Authentication posture in 2024: SPF, DKIM, DMARC

Every sending domain — primary, secondary, subdomain — needs a complete authentication record set. For cold outreach domains specifically, the bar is higher than it used to be because providers now treat authentication gaps as a reason to filter, not just a reason to downrank.

SPF for cold domains

The SPF record declares which servers are allowed to send on behalf of a domain. For a cold outreach domain, SPF typically lists the mailbox provider (Google Workspace, Microsoft 365, or a dedicated SMTP relay) and nothing else. The closing mechanism should be -all (hard fail), not ~all (soft fail), because cold domains do not have legitimate outbound sources that would need the softer posture.

DNStryacme.com.  IN  TXT  "v=spf1 include:_spf.google.com include:spf.authorizehosting.com -all"

The common failure mode: the ten-lookup limit. Every include mechanism counts as one DNS lookup. SPF validators fail once the chain exceeds ten lookups, and once the validator fails, SPF silently breaks for that domain. Cold programs that layer Google Workspace + a sending platform + a tracking domain + a dedicated relay can hit the limit without realizing it. Use a flattening tool or audit manually before you ship.

DKIM with 2048-bit keys

DKIM signs each outgoing message with a private key, and the public key is published as a TXT record at selector._domainkey.yourdomain. For a cold domain, always use 2048-bit keys. The 1024-bit keys that many providers still default to are increasingly treated as weak by inbox filters — not rejected outright, but downranked.

One detail that trips cold teams: if you send from a domain via multiple providers (e.g. Google Workspace for replies and a separate SMTP relay for bulk sends), each provider needs its own DKIM selector. The selectors can coexist — google._domainkey for one, ahk1._domainkey for another — but both must be published. A missing selector produces DKIM failures that break DMARC alignment on half your traffic.

DMARC at p=none, with reporting

For a new cold domain, publish DMARC at p=none with aggregate reporting enabled. Collect reports for two weeks, review them, confirm alignment is clean, then move to p=quarantine. Most cold programs should not move to p=reject on their outbound domains — the rare false positive can kill a legitimate reply thread. The discipline here is watching the reports, not tightening the policy.

DNS_dmarc.tryacme.com.  IN  TXT  "v=DMARC1; p=none; rua=mailto:dmarc-reports@tryacme.com; ruf=mailto:dmarc-reports@tryacme.com; fo=1; adkim=r; aspf=r; pct=100"
On subdomain policies If you use subdomains of your main domain for cold outbound — a choice we have already recommended against — make sure the root DMARC record declares a different subdomain policy via the sp= tag. Otherwise the subdomain inherits the root's stricter posture and alignment failures will produce surprises.

Infrastructure isolation from transactional mail

Domain separation is half of the isolation story. The other half is the infrastructure behind those domains. Cold traffic should not share IPs, sending pools, or authentication keys with transactional or lifecycle email. The reputational blast radius of a bad cold campaign reaches everything that shares infrastructure with it.

A simple mental model: think of sending infrastructure as an apartment building. Each IP pool is a floor. Each domain is an apartment. If you run a loud party in apartment 3B, the noise complaint affects your reputation as a tenant — but only your floor. If 3B and 5A share the same floor (the same IP pool), the complaint also affects 5A, even if 5A was quiet. If 3B and 5A are on different floors, the isolation contains the damage.

Infrastructure isolation model for multi-stream senders Three isolated streams, one reputation strategy Each pool is independent. A reputation event in one does not contaminate the others. Transactional Highest reputation priority acme.com (primary) IP pool: mail1–mail2 Password resets Receipts, 2FA, alerts Lifecycle / Marketing High reputation priority news.acme.com IP pool: promo1–promo3 Newsletters Lifecycle sequences Cold outbound Isolated reputation tryacme.com + 3 others IP pool: out1–out4 Prospect sequences Reply threads back to the same mailbox
Cold outbound earns its own infrastructure boundary. A complaint spike in the cold pool does not cross into the transactional pool and cannot take down password resets or customer billing notifications.

This separation is not theoretical. It is the difference between a recoverable incident and a company-wide outage. If cold outbound goes sideways in week four of a campaign and complaints spike, the filtering response is local to the cold pool. Transactional mail keeps flowing. Customers do not call in because their receipts stopped arriving.

A realistic warmup curve, week by week

The temptation to skip warmup has gotten worse, not better, since the 2024 rule changes. Many cold email platforms sell the idea that their warmup tool handles it — send for a week, then start real campaigns. That is not what mature practitioners do. A proper warmup takes six to eight weeks per mailbox, and every week of that curve exists for a reason.

Six-week warmup curve per mailbox (starting from zero reputation)
WeekDaily volumeRecipientsWhat the week proves
Week 15–10 messagesWarmup network (known, engaged)Authentication is clean; no early blocks
Week 210–25 messagesWarmup network + handful of internal contactsReply signal is being received; open rate normal
Week 325–50 messagesMix of warmup + small live prospectsAcceptance at ISPs is clean; no deferrals
Week 440–80 messagesEarly live campaign, small segmentReal cold response rate is above 0 with no complaint spikes
Week 560–100 messagesFull live campaign, expanded segmentSustained volume holds; Postmaster Tools reputation appearing
Week 6+80–150 messages (cap)Full productionDomain has meaningful history; warmup traffic continues as 30–40% baseline

The numbers look small because they are. Per-mailbox volume cap for a mature cold program is typically 100-150 messages per day, not the thousands that some platforms suggest. That is why serious programs run many mailboxes across many domains, not heavy volume per mailbox. The math is the same either way; the reputation consequence is not.

Warmup is not a deliverability strategy A warmup tool is a reputation-bootstrapping mechanism, not a solution to a bad list or broken authentication. Feeding a dirty list into a well-warmed mailbox burns the mailbox. The list hygiene comes first; the warmup tool is useful only after that.

Warmup as ongoing maintenance

A common mistake is turning warmup traffic off once real campaigns start. Reputation decays when the sending pattern changes abruptly. Keep 30-40% of daily volume as warmup traffic indefinitely — the warmup network continues generating positive engagement signals in the background, cushioning the reputation impact of inevitable cold-campaign noise.

List hygiene before the first campaign

A 12% bounce rate on day one ends the program. That is the unsentimental truth every experienced cold team has learned at least once. The fix is to clean the list before the warmup even starts, not to hope that warmup somehow mitigates the bounce signal.

The minimum pre-send verification stack

Syntax validation
Remove malformed addresses, typos and obviously broken entries. Roughly 1-3% of most B2B lists fail this step and should never have survived the scraping pass.
MX and domain validation
Confirm the recipient domain exists and has a valid MX record. Dead domains are another 1-2% of a typical list.
SMTP-level verification
Attempt to validate the recipient address with the destination server without actually delivering a message. This catches inactive mailboxes, catch-all domains and explicit rejections. Expect to drop another 3-8% at this stage.
Role-account filtering
Remove generic addresses (info@, sales@, support@, no-reply@). These produce high complaint rates and almost never result in meaningful conversations.
Spam-trap and honeypot filtering
Commercial verification providers maintain lists of known traps. A single spam-trap hit can damage domain reputation for weeks. Do not skip this step.
Suppression list reconciliation
Subtract anyone who has unsubscribed, bounced hard, or complained on any prior campaign. This applies across domains if your suppression is properly centralized.

A list that has been through these six steps typically arrives at a projected bounce rate below 2%. Anything above 3% is a red flag that demands further cleaning before the first message sends.

Content discipline that keeps reputation clean

Authentication and infrastructure get you to the inbox filter's door. Content and engagement get you past it. Even a perfectly authenticated, properly warmed domain will start getting filtered if the content pattern looks like spam or if engagement (opens, replies, ignored messages) reads as negative.

  • Short messages outperform long ones. Cold emails under 80 words reliably produce better reply rates than longer alternatives. Brevity also reduces the risk of tripping content-based filters.
  • One clear call to action. Two CTAs dilute response and look templated to filters. One question or one offer per message.
  • Personalization beyond first name. A reference to the company's actual situation, recent news, or public role lifts reply rates and reduces complaint rates. Filters correlate generic openers with spam patterns.
  • No tracking pixels in cold outbound. Open-tracking pixels add a well-known fingerprint that filters increasingly correlate with automated cold tools. For cold, measure engagement through replies, not opens.
  • Plain text beats heavy HTML. Cold email should look like a personal message, not a newsletter. Minimal HTML, no images, no elaborate templates.
  • Reply threads look more natural. Follow-ups that quote the previous message and continue the thread read as more legitimate than standalone follow-ups.

Why tracking pixels deserve a special mention

A well-worn pattern in early 2024: teams turn on tracking pixels to measure open rates, see the pixel is being loaded, and declare the warmup a success. Meanwhile, Gmail's filter is already reading the pixel URL as a cold-email platform fingerprint and pushing the domain toward Promotions — or worse, Spam. For transactional mail, tracking pixels are usually fine. For cold outbound, they cost more than they measure.

Monitoring the signals that matter

A cold program that does not monitor is flying blind. Campaign platforms give you opens and replies; they do not give you the reputation signal that actually determines whether tomorrow's send will land. The monitoring stack below is the minimum responsible baseline for a serious outbound program.

Cold outbound monitoring stack, October 2024
SignalSourceReview cadenceAction threshold
Gmail domain reputationGoogle Postmaster ToolsWeeklyDrop from High to Medium: investigate
Gmail spam rateGoogle Postmaster ToolsDaily during active campaignsAbove 0.1%: pause; above 0.3%: stop
DMARC alignmentAggregate reports (rua)WeeklyPass rate below 98%: audit sending sources
Bounce rate by destinationSending platform or MTA logsPer-campaignAbove 3%: pause and clean list
Complaint rate (FBL)Yahoo/Microsoft FBLs, sending platformWeeklyAny upward trend: review content
Blocklist statusSpamhaus, SORBS, Barracuda checksWeeklyAny listing: investigate immediately
Seed list placementGlockApps or equivalentBefore every major campaignPrimary inbox below 80%: pause

The cadence matters. Daily-review signals need daily review. Weekly signals tolerate a missed day. Monthly signals are trailing indicators that catch patterns once they have already emerged. A monitoring rhythm that conflates them — glance at everything once a week — systematically misses the fast-moving issues.

Postmaster Tools is free Every cold sending domain should be verified in Google Postmaster Tools on day one, even before warmup starts. The data takes a few weeks to populate, but the moment a domain starts sending real volume, Postmaster Tools becomes the single most valuable diagnostic surface. Many programs that burn domains discover the burn in Postmaster Tools days after it happened, not in their campaign dashboards.

Mistakes that cost months to undo

Some cold email mistakes are recoverable within a week. Others are not. The list below is ordered by how expensive each mistake is to repair after the fact.

  1. Sending cold from the main corporate domain. A single burned main domain affects customer communications, billing, and transactional mail. Recovery involves ESP changes, deliverability coaching, and often a domain migration. Cost: two to four months of degraded deliverability.
  2. Starting real campaigns before warmup completes. A domain that sees high cold volume before week four typically shows reputation damage in Postmaster Tools within ten days. Fix: pause, wait three weeks, restart warmup. Cost: six to eight weeks of program delay.
  3. Sharing infrastructure between transactional and cold outbound. A bad cold week takes down password resets. Fix: emergency stream separation, which in an active incident often requires provider intervention. Cost: a weekend of lost sleep, plus weeks of careful rebuilding.
  4. Sending to a dirty list on day one. A 10%+ bounce rate on a fresh domain is a reputation event that lingers. Fix: stop, verify, clean, restart warmup. Cost: three to six weeks.
  5. Ignoring complaint rate until it crosses 0.3%. By the time the threshold is crossed, Gmail filtering has already tightened. Fix: stop the offending sequence, audit content, warm a new segment. Cost: one to three weeks.
  6. Missing DMARC alignment on one of several sending sources. A quiet authentication gap that produces DMARC failures for months. Fix: audit via aggregate reports, rotate keys, republish. Cost: a couple of weeks of reputation softening.
  7. Running warmup without monitoring. The tool keeps running even though placement has dropped. Fix: check placement weekly, adjust cadence. Cost: low if caught quickly, high if not.

Frequently asked questions

Can we send cold email from Google Workspace?

Technically yes, within per-user and per-domain limits. Practically, Google Workspace is a better fit for transactional and mid-volume sending than for bulk cold outreach. Their throttles are low, their suppression tools are limited, and Google has become more aggressive about suspending Workspace accounts whose outbound patterns look like cold outreach.

How many mailboxes do we need per secondary domain?

A common pattern is 3-5 mailboxes per domain. Each mailbox sends 80-100 per day after warmup. With four mailboxes per domain and four active Tier 1 domains, a program can sustain ~1,500-2,000 cold sends per day while keeping per-mailbox load low. Higher volumes usually mean more domains, not more mailboxes per domain.

Is a dedicated IP worth it for cold email?

For programs under ~50,000 cold messages a month, no. The dedicated IP needs its own warmup and will not accumulate enough volume to build a clear reputation pattern. Most cold teams at that scale are better off on a reputable shared pool. Dedicated IPs start paying off at 100k+ per month with consistent sending.

Do we need one DMARC record per domain?

Yes. Each sending domain — including every secondary outbound domain — needs its own DMARC record. The record can be identical in content across domains (same reporting mailbox, same policy), but it has to exist at _dmarc.<domain> for each one.

What about the upcoming Microsoft requirements?

Microsoft announced parity rules for Outlook.com, Hotmail and Live.com effective May 2025. The requirements mirror Gmail and Yahoo. If your program is compliant with Gmail and Yahoo today, Microsoft's enforcement should not require additional work. If not, begin remediation now — May is closer than it sounds.

Can we use one-click unsubscribe for cold email?

Technically, the June 2024 one-click unsubscribe requirement applies to bulk senders to Gmail and Yahoo. Cold outbound to business addresses often sits in a gray zone. The responsible answer is yes — always include a functional unsubscribe mechanism, even for cold outreach. The complaint rate improvement is usually worth more than the marginal loss of contactable prospects.

Closing perspective

Cold email infrastructure has a bad reputation partly because it has earned it. A large percentage of what moves through cold outbound is unsolicited, unpersonalized and unwanted. The filtering ecosystem responds to that reality, and it tends to not distinguish between a program sending thoughtful outreach from a properly built infrastructure and a program spraying scraped addresses from any domain it could register.

The good news is that the infrastructure side of this problem is solvable, and the solution is largely boring: buy the right domains, authenticate them properly, separate cold traffic from transactional, warm each mailbox over six weeks, verify the list, watch the monitoring signals, and keep doing all of it every week thereafter. None of that is exotic. What it requires is the discipline to treat cold outbound as a deliverability practice rather than a lead-generation tactic.

Teams that do this well find that the infrastructure becomes a durable competitive advantage. Their cold placement holds across the 2024 rule shift and the 2025 changes on the horizon. Their reply rates are higher because filters are not silently throttling them. Their sequences perform because they reach the inbox. Meanwhile, competitors who skipped the infrastructure work are spending more time rewriting copy and less time taking real calls.

If the setup feels like more work than you expected, that is usually the correct reaction. Everything above is what it takes to build something that lasts. The alternative — the fast setup that gets a sequence out by Friday — is usually the more expensive path measured in burned domains, lost pipeline and the quiet reputational damage that compounds in the background.