Cold Email Deliverability: How to Actually Land in the Inbox in 2026
Deliverability is the only cold email metric that actually matters. A perfectly written email that lands in spam might as well not exist. Since Google and Yahoo's bulk-sender requirements shipped in February 2024, the bar for getting into the inbox has gotten meaningfully higher — and most cold email setups built before 2024 are now silently broken. This guide walks through the full 2026 deliverability stack, layer by layer.
The 2024 reset: what changed
In February 2024, Google and Yahoo jointly raised the floor on email authentication. The rules apply to any sender pushing 5,000+ emails/day to Gmail or Yahoo addresses, but in practice the filtering thresholds for all senders tightened.
Three non-negotiable requirements for inbox placement now:
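1. SPF, DKIM, and DMARC alignment. Not just present — aligned. The domain in the visible `From:` header has to match the domain that SPF authenticated (the envelope sender) or the domain in the DKIM signature (`d=`).
2. One-click unsubscribe header. RFC 8058 requires a `List-Unsubscribe` header plus a `List-Unsubscribe-Post: List-Unsubscribe=One-Click` header.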
3. Spam complaint rate under 0.3%. Cross 0.3% sustained and you're filtered to spam across all Gmail/Yahoo recipients.
If your cold email setup was built before Feb 2024 and hasn't been audited since, it's almost certainly violating at least one of these.
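A quick audit of requirement 2, as an added example that is not from the original guide: it checks an outgoing message for the RFC 8058 headers and confirms that a DKIM signature covers both of them, which the RFC also requires. The sample message, the `get-acme.example` domain and the function name are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message; domains use the reserved .example TLD.
SAMPLE = """\
From: Sarah <sarah@get-acme.example>
To: lead@customer.example
Subject: Quick question
List-Unsubscribe: <mailto:unsub@get-acme.example>, <https://get-acme.example/u/TOKEN>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=get-acme.example; s=s1;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER

Hi there
"""

def check_one_click(raw: str) -> list:
    """Return RFC 8058 problems found in a raw message; empty list means pass."""
    msg = message_from_string(raw)
    problems = []

    # RFC 8058: List-Unsubscribe must contain an HTTPS URI (mailto alone is not enough).
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https URI")

    # RFC 8058: the Post header carries exactly this key/value pair.
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    if post != "list-unsubscribe=one-click":
        problems.append("List-Unsubscribe-Post missing or not List-Unsubscribe=One-Click")

    # RFC 8058: a DKIM signature must cover both headers (listed in the h= tag).
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"\bh=([^;]+)", sig)
        if m:
            signed |= {h.strip().lower() for h in m.group(1).split(":")}
    for name in ("list-unsubscribe", "list-unsubscribe-post"):
        if name not in signed:
            problems.append(name + " not covered by DKIM h= tag")
    return problems

if __name__ == "__main__":
    print(check_one_click(SAMPLE) or "one-click unsubscribe headers look correct")
```

This only inspects header presence and the `h=` list; it does not verify the DKIM signature itself.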
Layer 1 — Domain hygiene
Five rules:
- Never send cold email from your primary domain. If you torch a sender reputation, it should be the secondary domain's, not your customer-comms domain's.
- Buy a lookalike sending domain. `get{yourcompany}.com`, `{yourcompany}.io`, `try{yourcompany}.com`. Cost: ~$15/year.
- Set up domain forwarding so any reply to your sending domain forwards to your real inbox.
- Add an MX record to the sending domain (even a basic Google Workspace mailbox). Domains with no MX record are treated as suspect.
- Wait 30+ days after domain registration before sending — fresh domains are flagged.
Layer 2 — Authentication (SPF, DKIM, DMARC)
The technical floor. If you skip any of these in 2026, you're invisible.
SPF publishes which IPs are allowed to send mail from your domain. DKIM cryptographically signs outgoing mail so receivers can verify you actually sent it. DMARC ties the two together and tells receivers what to do with mail that fails (reject, quarantine, or report).
For Gmail/Workspace senders, all three are configured in the Workspace admin console plus your DNS provider. For Microsoft 365, the equivalent settings are in the Defender / Exchange Online admin. Step-by-step in our SPF/DKIM/DMARC setup guide.
The DMARC trap: most teams set up DMARC in `p=none` (monitor only) and forget. `p=none` does not satisfy Google's bulk-sender requirements. You need at minimum `p=quarantine` with proper alignment.
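The alignment rule from this layer, worked through as an added example (not code from the original guide): SPF and DKIM can both pass while DMARC still fails, because neither authenticated domain matches the `From:` domain. The domains and function names are constructed, and `org_domain` assumes the organizational domain is the last two labels, where a real evaluator consults the Public Suffix List.

```python
def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into lowercase tag -> value pairs."""
    pairs = (part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain: str) -> str:
    # Assumption for this example: last two labels. Wrong for suffixes like co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_dom: str, auth_dom: str, mode: str) -> bool:
    """Strict mode ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    if mode == "s":
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)

def evaluate(from_dom, spf_dom, spf_pass, dkim_dom, dkim_pass, dmarc_txt) -> dict:
    """DMARC passes when SPF or DKIM both passes and aligns with the From: domain."""
    rec = parse_dmarc(dmarc_txt)
    spf_ok = spf_pass and aligned(from_dom, spf_dom, rec.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_dom, dkim_dom, rec.get("adkim", "r"))
    policy = rec.get("p", "").lower()
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
        "policy": policy,
        "monitor_only": policy == "none",  # the p=none trap described above
    }

# Constructed record for the constructed sending domain get-acme.example.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@get-acme.example"

if __name__ == "__main__":
    # Mail sent through a third-party platform using that platform's own domains:
    # SPF and DKIM both pass, yet neither aligns with the From: domain.
    print(evaluate("get-acme.example", "bounces.mailer.example", True,
                   "mailer.example", True, RECORD))
    # Same platform, but DKIM now signs with a subdomain of the sending domain.
    print(evaluate("get-acme.example", "bounces.mailer.example", True,
                   "mail.get-acme.example", True, RECORD))
```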
Layer 3 — Warmup
A brand-new sending domain that starts sending 200 emails/day on Day 1 will end Day 1 in spam folders. Sender reputation is built incrementally, over weeks.
The minimum warmup schedule:
Week 1: 10 emails/day, sent to a mix of your own inboxes and friendly contacts. Get replies on every email.
Week 2: 25/day, same mix.
Week 3: 50/day, start mixing in real outbound (1/3 cold, 2/3 warm).
Week 4: 75/day, full outbound mix.
Week 5+: 100/day max per mailbox, scale via additional mailboxes not higher per-mailbox volume.
Full details and the warmup playbook in our warmup guide.
Layer 4 — Content rules that survived 2024
Most "spam trigger word" lists are 2010-era cargo cult. Modern spam filters are ML-based and look at patterns, not keywords. The patterns that genuinely hurt deliverability in 2026:
- Image-heavy emails with little text. Spam filters treat heavy image-to-text ratios as suspect.
- Tracking pixels with no other content. Tracked-only emails with no recipient-specific text get flagged.
- Link-heavy bodies. More than 2 hyperlinks in a 60-word email is a pattern flag.
- Mismatched From-name and From-domain. "Sarah at Acme" sending from `@get-acme.io` triggers identity-spoofing heuristics.
- HTML emails when plain text would work. Cold email is conversational — plain text outperforms HTML on both deliverability and reply rate.
- Attached files. Cold emails with attachments are filtered aggressively. Link to a doc instead.
Layer 5 — Sending limits and patterns
Three rules:
1. Cap each mailbox at ~50 emails/day after warmup. Higher per-mailbox volume triggers spam-filter pattern detection regardless of content. For higher total throughput, use multiple mailboxes.
2. Stagger send times. 100 emails sent in a 10-minute burst at 9:00am sharp looks like automation. The same 100 spread randomly across 9–11am looks like a human.
3. Never send the same email body to more than ~10 recipients. Even with merge tags, identical bodies get fingerprinted by spam filters. Real personalization (one unique sentence per recipient) is the difference.
Layer 6 — Monitoring and recovery
Three things to monitor weekly:
1. Google Postmaster Tools. Free, official, shows your domain reputation, IP reputation, spam rate, and authentication results from Gmail's perspective. The single most useful tool for cold email diagnostics.
2. Bounce rate. Anything above 3% means your list isn't being verified properly. Pause and clean before continuing.
3. Spam complaint rate. Must stay under 0.3% per Google's bulk-sender requirements. EmailSneak surfaces this on every campaign.
Recovery: if you do tank a sender reputation, the only fix is to stop sending from that domain for 4–8 weeks and rebuild from a fresh one. There is no "fix" you can apply mid-campaign.
Frequently asked questions
- Do I really need a separate sending domain?
- Yes. Cold email carries inherent reputation risk — even with perfect setup, some campaigns will draw complaints. Sending from your primary customer-comms domain means a single bad week can break your transactional and account emails for everyone. A $15/year secondary domain is a non-negotiable insurance policy.
- How long does warmup take?
- 4 weeks is the safe minimum for a new domain. 2 weeks is the absolute floor and only works if you mix in heavy reply-back from friendly contacts. Skipping warmup entirely is the single most common cause of cold email failure we see.
- Are paid warmup tools (Mailwarm, Lemwarm) worth it?
- They help, but their effectiveness has dropped significantly since 2023 — Gmail and Yahoo have gotten better at detecting reciprocal-warmup patterns. Manual warmup with real conversations to real people in your network outperforms paid auto-warmup in our 2025 customer data.
- What's a good sender reputation score?
- On Google Postmaster Tools, you want "High" domain reputation and IP reputation. "Medium" is acceptable; "Low" or "Bad" means you're filtered to spam for most Gmail recipients. Score is updated daily.
- Can I use Gmail (free) for cold email?
- No. Free consumer Gmail prohibits cold email in their TOS, and the deliverability is intentionally limited. Use Google Workspace ($6/user/month) on a separate sending domain, or Microsoft 365.