Cold Email 2026: Technical Setup for Inbox Delivery

Why Deliverability Is the #1 Cold Email Problem in 2026

Cold email doesn't fail because of bad copy — it fails because it never arrives. Email providers have dramatically improved spam filtering, and Google's 2024 bulk sender requirements set a new floor for authentication. The result: senders without proper technical infrastructure now see 40–60% of outbound email filtered before it reaches the inbox.

The irony is that getting deliverability right creates a significant competitive advantage. Most cold emailers are still sending from their primary domain with no warming, no authentication review, and list quality that tanks their sender reputation. If you build the infrastructure correctly, you're operating in a less crowded inbox while competitors fight over spam folders.

Deliverability is a system — domain setup, sending infrastructure, list quality, sending behaviour, and content all contribute. Fixing one element while ignoring others produces partial results. This guide covers all of them.

Domain Setup: Dedicated Sending Domains, SPF, DKIM, and DMARC

Never send cold email from your primary domain. If your primary domain's sender reputation is damaged by a cold outreach campaign, it affects all your business email — transactional, customer support, sales follow-ups, everything. Register dedicated sending domains (e.g., getlumo.com, trylumo.com, lumo-growth.com) for outbound campaigns.

SPF (Sender Policy Framework) is a DNS record that specifies which mail servers are authorised to send email from your domain. Without it, receiving servers have no way to verify your email isn't spoofed. Configure SPF with your sending provider's IP ranges — most providers give you the exact record to add.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails that receiving servers use to verify the email wasn't altered in transit and genuinely came from your domain. Your email provider generates the DKIM keys; you add the public key as a DNS TXT record. Use 2048-bit DKIM keys for stronger authentication.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do when SPF or DKIM fails — reject, quarantine, or do nothing. Start with a p=none policy (monitoring mode), review the DMARC reports to confirm your legitimate email is authenticating correctly, then move to p=quarantine and eventually p=reject. Google's 2024 requirements mandate DMARC for senders sending more than 5,000 messages per day to Gmail addresses.

Email Warming Strategy

A brand new domain and email address have no sender reputation — and no reputation is treated as suspicious by email providers. Warming is the process of gradually building reputation by sending low volumes of email that get engaged with positively.

Manual warming: start by sending 10–20 emails per day from the new account in week one, increasing by 10–20 per day each week. The recipients should open and reply to these emails — use your team's existing contacts, warm prospects, or colleagues for the initial warming period. Avoid any email that triggers spam reports.

Automated warming tools (Instantly, Lemlist's warming feature, Warmbox) automate this process by sending emails between a network of accounts that automatically open, reply, and mark as important. They can accelerate the warming timeline from 6–8 weeks to 3–4 weeks. Use them in combination with genuine email activity, not as a replacement for it.

After warming, maintain sender reputation by keeping spam complaint rates below 0.1% (Google's threshold) and unsubscribe rates low. Monitor deliverability using tools like GlockApps or Mail-Tester to run periodic inbox placement tests.

List Quality and Validation

Sending to invalid or inactive email addresses damages your sender reputation and wastes outreach budget. Before importing any list into your sending tool, validate it through a service like NeverBounce, ZeroBounce, or Bouncer. Remove all invalid, catch-all, and risky addresses — target a valid/safe rate above 90%.

List quality also means ICP precision. A hyper-targeted list of 500 decision-makers at companies matching your ICP will outperform a generic list of 5,000 contacts both in reply rate and in sender reputation (because engaged recipients don't report your email as spam). Build lists from intent signals — companies hiring for roles that indicate budget, using technology your solution integrates with, or showing growth signals through funding rounds or headcount changes.

Sequence Structure and Copy Principles That Get Replies

A standard cold email sequence is 4–6 touchpoints across 2–3 weeks. The first email is your primary shot — it should be short (under 100 words for the first send), personalised to a specific detail about the prospect or their company, focused on one clear problem statement, and contain a low-friction CTA (a question, not a meeting booking link).

Follow-up emails should add value or change angle, not simply repeat the same pitch. A follow-up that references something new — a relevant case study, an article about their industry, a specific trigger event at their company — performs significantly better than "just checking in."

Subject lines drive open rates; first sentences drive continued reading. Avoid spam trigger words (free, guarantee, urgent, winner). Use lowercase subject lines for a less promotional appearance. Personalise the opening line — mentioning something specific about the recipient or their company immediately differentiates your email from mass outreach.

Compliance: CAN-SPAM, GDPR, and the Rules That Matter

CAN-SPAM (US): Requires accurate sender information, a non-deceptive subject line, a functioning physical address, and an opt-out mechanism that's processed within 10 business days. Cold email to B2B contacts is generally permissible under CAN-SPAM provided you follow these rules. Purchasing email lists is legal under CAN-SPAM; the obligation is on the sender to comply with the mechanical requirements.

GDPR (EU/UK): More restrictive. Sending cold email to EU/UK individuals requires a lawful basis — typically "legitimate interest" for B2B outreach to business email addresses in a professional context. You must include an opt-out mechanism, honour opt-outs promptly, and be prepared to demonstrate legitimate interest if challenged. Never email personal email addresses (gmail, yahoo, etc.) of EU residents without explicit consent.

The practical rule: send to business email addresses at companies that fit your ICP, make opt-out easy, honour it immediately, and don't be creepy about the level of personalisation. Legitimate B2B cold email that respects these norms is compliant in most jurisdictions and effective when the targeting and copy are right.