You wrote a great cold email. It never arrived. Not in the inbox, not in spam — just gone, silently filtered before a human ever saw it. In 2026, this is the default outcome for senders who haven't done the technical groundwork. Gmail and Outlook now use machine learning to score every inbound email before delivery. The threshold has never been higher, and most B2B senders don't know they've already failed it.

This guide covers the complete deliverability stack — authentication, domain reputation, sending behavior, and content signals — so your cold emails land where they're supposed to.

Why Cold Emails Land in Spam in 2026

The spam folder isn't just for Nigerian prince emails anymore. Modern inbox providers use engagement-based filtering: they track whether recipients open, reply, move to inbox, or hit "report spam." Your sender reputation is a live score that updates with every campaign.

The shift in 2024–2026 has been significant. Gmail's new bulk sender requirements (enforced since February 2024) require authentication for all senders over 5,000 messages/day. But the engagement threshold matters even for smaller senders — a complaint rate above 0.3% triggers automatic filtering, and a sustained rate above 0.1% starts damaging your domain reputation.

Three factors determine whether you land in the inbox:

Most deliverability problems are authentication failures combined with poor warmup. Fix those first — content matters less than most people think.

The Technical Checklist: SPF, DKIM, and DMARC

These three DNS records are the non-negotiable foundation. Without all three configured correctly, inbox providers treat your email as unauthenticated — high spam risk by default.

SPF (Sender Policy Framework)

SPF tells receiving mail servers which IP addresses are allowed to send email on behalf of your domain. Without it, anyone can send email claiming to be from your domain — which is why providers distrust unauthenticated senders.

What to check: Go to your DNS settings and look for a TXT record starting with v=spf1. A typical record looks like:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

The ~all means "soft fail" (mark as suspect but deliver). -all is a hard fail (reject). For cold email, use ~all until your DMARC policy is established.

Common mistake: Multiple SPF records. You can only have one SPF TXT record per domain. If you have two, both are ignored — a critical failure that's surprisingly common when teams switch email providers without cleaning up old records.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing emails. The receiving server checks the signature against a public key in your DNS. If it matches, the email hasn't been tampered with in transit and genuinely came from your domain.

What to check: Your email provider (Google Workspace, Outlook, SendGrid, etc.) will give you a DKIM TXT record to add to DNS. It looks like:

google._domainkey.yourdomain.com → v=DKIM1; k=rsa; p=[long public key]

Use a tool like MXToolbox or mail-tester.com to verify DKIM is signing your outbound emails correctly. A common issue: DKIM is set up in DNS but not enabled in the sending platform — check both sides.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also gives you reporting — you receive XML reports showing where emails claiming to be from your domain are being sent from.

Start with a monitoring policy, not enforcement:

_dmarc.yourdomain.com → v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

p=none means "monitor but don't take action." Run this for 2–4 weeks, review the reports, then move to p=quarantine (send to spam if auth fails) and eventually p=reject (block delivery).

Gmail's 2024 requirements now make DMARC mandatory for high-volume senders. Even if you're sending fewer than 5,000/day, having DMARC with at least p=none is table stakes for serious senders.

Domain Warmup: The Step Most People Skip

A new domain has zero reputation. Sending 200 cold emails on day one from a fresh domain is the fastest way to get flagged. Inbox providers see a new domain sending volume immediately as a strong spam signal — it matches the pattern of throwaway spam domains.

The warmup process:

The warmup timeline assumes good engagement signals throughout. If you see reply rates dropping below 2% or open rates below 15%, slow down — your reputation is under pressure.

Automated warmup tools (Mailreach, Warmup Inbox, Lemwarm) work by exchanging emails between a network of accounts that automatically open and mark them as important. They're useful but not a substitute for real engagement. Use them in parallel with actual sending, not as a replacement for a careful ramp.

Sending Volume Rules: Why 50 Emails/Day Beats 500

The most common mistake founders make when starting cold email: sending at maximum volume immediately after setup. This is wrong for two reasons.

First, inbox providers flag sudden volume spikes from domains without established reputations. The signal reads as "bulk sender acquired this domain specifically for spam." Second, high volume with poor targeting produces high complaint rates — which damage your domain reputation faster than any technical misconfiguration.

Sustainable sending thresholds by domain age:

If you need to send at scale immediately, use multiple sending domains — each with its own warmup, each sending 50–100 emails/day. A sending infrastructure with 5 warmed domains at 100 emails/day each is significantly safer than one domain at 500 emails/day. For a deeper comparison of how different tools handle this, see our 2026 B2B sales automation tools comparison.

Content Signals: What Triggers Spam Filters

Authentication and domain reputation are the primary filters. Content is secondary — but it still matters, especially for borderline senders.

HTML-heavy emails with no plain-text version: Most email clients request both HTML and plain-text versions of every email. If you send HTML-only, spam filters treat it as suspicious. Always include a plain-text alternative. Well-designed cold emails are predominantly text anyway — heavy HTML with images and elaborate formatting is a newsletter pattern, not a cold outreach pattern.

Link patterns: Too many links (especially tracked redirect links) are a spam signal. For cold email, use at most one or two links per message. Unsubscribe links are mandatory — both for CAN-SPAM compliance and GDPR. Paradoxically, including a clear unsubscribe link improves deliverability by reducing complaint rates: recipients who want out click unsubscribe instead of hitting "report spam."

Spam trigger words: Phrases like "limited time offer," "click here," "free," "guaranteed" in the subject line are training data for spam classifiers. For B2B cold email, subject lines should read like an internal business email — specific, relevant, no marketing language.

Personalization signals: Highly personalised emails perform significantly better on engagement metrics — which in turn improves deliverability. A cold email that references the recipient's company, role, or specific business context is more likely to be opened, less likely to be marked as spam. This is where the deliverability argument for AI SDRs is strongest: consistent personalisation at scale produces better engagement signals than template blasts.

What Happens After a Complaint Rate Spike

Gmail's postmaster tools report your domain's spam rate. Once it crosses 0.3%, Gmail begins routing your emails to spam by default. This isn't a warning — it's an automatic filter that activates immediately.

Recovering from a complaint spike takes 30–60 days of clean sending at reduced volume. There's no fast path. Gmail's systems are designed to weight negative signals heavily and positive signals slowly — a week of high complaint rates can take a month of clean sending to recover from.

The implication: protect your primary sending domain aggressively. If you're testing campaigns or new ICP segments, use a secondary domain. Reserve your main domain for proven, high-performing campaigns. A sending domain with a clean two-year reputation is a business asset — treat it like one.

The Unsubscribe Requirement: CAN-SPAM, GDPR, and Deliverability

CAN-SPAM (US) requires a working unsubscribe mechanism in every commercial email. GDPR (EU) requires that opt-out requests be honoured immediately. Both apply to cold B2B email from European companies — CAN-SPAM if you're emailing US recipients, GDPR for EU recipients.

The deliverability case for unsubscribe links is independent of compliance: recipients who can unsubscribe don't report spam. A 0.1% unsubscribe rate is better than a 0.1% complaint rate — complaints damage your domain, unsubscribes don't. A clear, prominent unsubscribe option reduces your complaint rate structurally.

Processing unsubscribes manually is operationally expensive at scale — and non-compliance with GDPR unsubscribe requests is a regulatory risk, as covered in detail in our RGPD et prospection B2B guide. LYNKO handles unsubscribes automatically: every sequence includes a compliant opt-out link, and removals propagate immediately across all active sequences for that contact.

How AI SDRs Maintain High Inbox Placement

The deliverability challenge for manual cold email senders is fundamentally a discipline problem. Warmup is skipped because it's slow. Volume caps are ignored because the temptation to send more is always there. Personalization deteriorates as campaigns scale because manual personalization doesn't scale.

AI SDRs solve this structurally, not as a feature — as an architecture:

The contrast with DIY deliverability management is significant. Our AI SDR vs. Human SDR cost comparison covers the economic case — but deliverability is part of the hidden cost of manual SDR operations that the spreadsheet comparison usually misses: domain reputation recovery after a campaign mistake costs weeks of pipeline, not just the time to fix the technical issue.

Deliverability Checklist: Before Your Next Campaign

Run through this before sending any cold email campaign:

If you're evaluating AI outreach tools for your B2B pipeline, see our comparison of seven leading platforms — including how each handles authentication, warmup, and opt-out compliance. And if you're building your EU outreach strategy from scratch, why European B2B companies are adopting AI sales agents in 2026 is the right starting point.

Want to see how LYNKO handles deliverability natively — authentication, warmup guidance, automatic opt-outs, consistent sending patterns? Book a demo or start free — the first 20 prospects are on us.