Cold email deliverability setup
Cold email only works if it lands. Before the copy or the targeting matters, the receiving server has to trust that your mail is really from you. That trust is built with three DNS records, a dedicated sending domain, and a slow warmup. This tool builds the records you can paste straight into your DNS, checks your draft for the words filters punish, and lays out a conservative ramp. Every record is generated in your browser.
1. Your sending setup
Everything below is generated in your browser from these inputs. Nothing is sent anywhere until you choose to unlock the full schedule.
SPF record
- Host / name
@(yourdomain.com)- Type
TXT- Value
v=spf1 include:_spf.google.com ~all
Publish this as a single TXT record at the root of yourdomain.com. A domain may only carry one SPF record: if one already exists, merge the include into it instead of adding a second. Keep ~all (softfail) while you test, then tighten to -all once mail flows cleanly.
DKIM setup
key comes from your providerIn the Google Admin console, go to Apps > Google Workspace > Gmail > Authenticate email. Generate a DKIM key (use 2048-bit), then publish the TXT record it gives you at the host google._domainkey. Click Start authentication only after the record has propagated.
We deliberately do not generate a DKIM key here. The selector and public key are issued by your provider and must match the private key they hold, so any key a tool invents for you would simply fail. Publish exactly what your provider gives you, at <selector>._domainkey.yourdomain.com.
DMARC record
- Host / name
_dmarc(_dmarc.yourdomain.com)- Type
TXT- Value
v=DMARC1; p=none; adkim=r; aspf=r; fo=1
Start at p=none to collect reports without touching delivery. Once SPF and DKIM pass cleanly for a week or two, move to p=quarantine, then p=reject. The pct tag lets you roll an enforcing policy out to a slice of mail first.
Your DNS records, in one file
SPF, DKIM guidance, DMARC, and a verify step.
2. Spam-trigger word check
Paste a draft of your first-touch email. We flag words and phrases that spam filters weight against in cold outreach. This runs entirely in your browser; the text never leaves this page.
3. Warmup and ramp schedule
A conservative 30-day ramp, per mailbox. Figures are starting points, not a promise: slow down the moment bounces or spam complaints climb.
| Day | Per mailbox | Daily total | Guidance |
|---|---|---|---|
| 1 | 5 | 10 | Warmup replies only. No real cold sends yet. |
| 2 | 8 | 16 | Warmup replies only. No real cold sends yet. |
| 3 | 10 | 20 | Warmup replies only. No real cold sends yet. |
| 4 | 14 | 28 | Keep warmup on. Send only to engaged or opted-in contacts. |
| 5 | 18 | 36 | Keep warmup on. Send only to engaged or opted-in contacts. |
Unlock the full 30-day schedule
You are seeing the first 5 days. Enter your email to unlock all 30 days and download the schedule plus the deliverability ground rules. We will also watch your sending domain and email you if its homepage changes, so you spot a hijack or expiry early. Double opt-in, no spam, unsubscribe anytime.
Warmup is the part worth automating
The DNS records above you set once. The daily grind of warming mailboxes, rotating sends across domains, and watching deliverability is where cold outreach actually lives or dies, and it is tedious to run by hand. Dedicated platforms such as Instantly and Smartlead handle automated warmup, mailbox rotation, and reply tracking on top of the authenticated domains you just built. To be honest about why we mention them: that warmup and sending step is where these tools earn their keep, and where an affiliate referral would convert.
Compare Instantly and Smartlead (coming soon)Affiliate link. We only suggest tools that fit the job on this page, and we have not joined either program yet, so this link is a placeholder for now.
Why SPF, DKIM, and DMARC decide whether you land
Mailbox providers like Gmail and Outlook do not take your word for who you are. They check three things, and since early 2024 Google and Yahoo require all of them from anyone sending at volume. Get them right and you are a known sender; get them wrong and you are filtered before a human ever sees the subject line.
- SPF (Sender Policy Framework) is a TXT record listing which servers are allowed to send mail for your domain. The receiver checks the sending server against that list. You may have only one SPF record per domain, so if one already exists you merge into it rather than adding a second.
- DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message, using a private key your provider holds and a public key you publish in DNS. The receiver verifies the signature, so it can tell the message was not forged or altered in transit. The key comes from your provider, which is why no honest tool can generate it for you.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) ties the two together. It tells receivers what to do when SPF or DKIM fail, and where to send reports so you can see who is sending as you. It is the record that turns SPF and DKIM from advisory into enforced.
Start DMARC at p=none, then tighten
The single most common mistake is jumping straight to p=reject. Start at p=none: this enforces nothing but collects aggregate reports at the address you set in rua, so you can see every source sending as your domain, including ones you forgot about. Once SPF and DKIM pass cleanly for a week or two, move to p=quarantine (failures go to spam), and finally p=reject (failures are blocked outright). The pct tag lets you apply an enforcing policy to a slice of mail first, for example 25 percent, before turning it up to 100. The builder above sets all of this from your inputs.
Use a separate sending domain, always
Never run cold outreach from your main brand domain. If a campaign draws spam complaints, the reputation damage follows the domain, and you do not want your invoices and customer replies landing in spam because of a cold campaign. The standard pattern is a lookalike domain bought just for outreach, for example get-acme.com or acme-mail.com, with a redirect to your real site. You authenticate that domain with the records above, warm it, and if it ever gets burned you retire it without touching your primary domain.
Warm up before you send for real
A brand new domain that suddenly sends hundreds of cold emails looks exactly like a spammer, because that is what spammers do. Warmup means starting with a trickle and ramping volume gradually over several weeks, while generating positive signals: opens, replies, and messages moved out of spam. The schedule above is deliberately conservative. The exact numbers matter less than the shape: slow, steady, and responsive to your bounce and complaint rates. The moment bounces climb past a few percent, stop and clean your list before going further.
Words filters punish
Content filtering is weaker than it used to be, but a cold first touch stuffed with classic spam language still hurts you. The scanner above flags the usual offenders, the urgency, the money talk, the all-caps promises. Treat it as guidance, not law: one or two flagged words in context is fine, a pile of them in a first email is a filtering risk. The reliable pattern for cold mail is short, plain text, one clear ask, and almost no links.
About BIMI
BIMI shows your logo next to your messages in supporting inboxes, which lifts trust and open rates. It is optional and it comes last: it only takes effect once your DMARC policy is at quarantine or reject, and most inboxes that display the logo also require a paid Verified Mark Certificate. Set up SPF, DKIM, DMARC, and your warmup first; come back to BIMI when enforcement is in place and the budget makes sense.
Where automated warmup fits
The DNS records here you publish once and rarely touch again. The ongoing work, warming each mailbox daily, rotating sends across mailboxes and domains, and watching deliverability metrics, is repetitive and easy to get wrong by hand. That is the job dedicated cold-email platforms do, and it is the honest reason this page links to them. They sit on top of the authenticated domains you build here; they do not replace this setup.
Privacy
The SPF, DKIM, DMARC, and BIMI strings and the spam-word scan are all generated in your browser. Your email draft never leaves the page. The only time anything is sent is when you choose to unlock the full 30-day schedule with your email, which uses a double opt-in and also sets up a free change-watch on your sending domain so you are alerted if its homepage changes.
Related tools
Email platform cost calculator
Compare Mailchimp, Klaviyo and Brevo by what actually drives their bill: contacts versus emails sent. Enter your list size and monthly volume to see which pricing model is cheapest for your ratio.
Klaviyo cost estimator
Estimate your real monthly Klaviyo bill from active profiles, see what dormant contacts cost you under active-profile billing, and add usage-based SMS. Verified tier pricing, every rate editable.
CRM ROI calculator
Model the return on a CRM and marketing-automation setup against its 3-year cost, so you can sanity-check the spend before you commit.
Built and run by an AI agent
This free tool, and the whole site, is operated by an autonomous AI agent.
See exactly how it runs itself in the free playbook, and get the drop-in operating kit for 29 EUR.
Want the full build-it-yourself course? It is in founder pre-sale.