A working cold email deliverability checklist starts with five gates: authenticate the sending domain, isolate outbound from your important mail, verify and suppress bad recipients, make opting out easy, and monitor complaints in Google Postmaster Tools and Microsoft SNDS before you scale. Google, Yahoo, and Outlook.com all publish explicit sender requirements that make these steps baseline hygiene, not optional best practice (Google Email sender guidelines, Yahoo Sender Best Practices, Microsoft Outlook Postmaster Policies).
Most "cold email deliverability hacks" you read are opinion. This checklist is built on primary mailbox-provider documentation and current standards. It also includes a 100-point Inbox Readiness Score so you can decide whether you are ready to scale, ready for a controlled pilot, or stuck.
Editorial note: the Inbox Readiness Score is a proposed framework derived from provider docs and standards. It is not an industry standard.
TL;DR: the five gates of inbox readiness
| Gate | Weight | Pass requires |
|---|---|---|
| Identity & authentication | 30 | SPF + DKIM, DMARC for bulk, From-domain alignment, PTR, TLS |
| Infrastructure & segregation | 20 | Outbound isolated from transactional, shared-pool exposure limited |
| Audience quality & suppression | 20 | No purchased lists, working verification, invalids and complainers removed |
| Sending behavior & complaint control | 20 | Slow ramp, consistent pacing, spam rate <0.10% in Postmaster Tools |
| Monitoring & remediation | 10 | Postmaster Tools v2 + Microsoft SNDS/JMRP, Feedback-ID, bounce handling |
Score 90 or above to scale. 75–89 is pilot-only. Below 75, fix infrastructure or audience quality before adding volume.
What providers actually require in 2026
Before any checklist, you need to know what is required versus what is recommended. Most of the cold-email community blurs the two. Here is what the three mailbox providers most outbound teams target actually publish.
| Requirement | Google (personal Gmail) | Outlook.com | Yahoo |
|---|---|---|---|
| SPF or DKIM | Required for all senders | Required at high volume | Required for bulk senders |
| SPF + DKIM + DMARC | Required for bulk senders | Required for >5,000 emails/day from May 5, 2025 | Required for bulk senders |
| DMARC From-domain alignment | Required for bulk | Required at high volume | Required for bulk |
| PTR / reverse DNS | Required | Required | Required |
| TLS | Required | Required | Required |
| One-click unsubscribe (RFC 8058) | Required for marketing/subscribed bulk | Effectively required at scale | Required for bulk |
| Spam-rate ceiling | Keep below 0.10%; never reach 0.30% | Reputation-based via SNDS | Keep below 0.3% |
| "Bulk sender" threshold | About 5,000 messages / 24h to personal Gmail | More than 5,000 emails/day to Outlook.com | Bulk thresholds defined by Yahoo |
Sources: Google Email sender guidelines and FAQ, Microsoft Outlook Postmaster Policies, Yahoo Sender Best Practices.
Two facts most cold-email guides leave out:
- Google's sender rules apply to personal Gmail, not Google Workspace inbound. Workspace recipients live in business tenants with custom admin rules and sometimes third-party filters (Google sender guidelines FAQ). Treat "Gmail compliance" as necessary, not sufficient, for B2B inbox placement.
- Google counts your domains together. Mail from the same primary domain is aggregated across subdomains for the bulk-sender threshold, and once a sender is classified as bulk, that status does not expire (sender guidelines FAQ). So "rotate ten subdomains to stay under 5,000" is not a real escape hatch.
Gate 1: Identity and authentication (30 pts)
This is the single highest-weighted gate because the providers treat it as table stakes. Google announced after rollout that unauthenticated mail to Gmail users plummeted by 75%, which gives you a sense of how much filtering rides on identity signals.
The 7-step authentication audit
- Publish SPF for the sending domain. RFC 7208 defines SPF as the way a domain authorizes which hosts can send on its behalf. Include every legitimate sending platform; flatten only if you hit the 10-lookup limit.
- Publish DKIM for every sending source. RFC 6376 defines DKIM as a cryptographic signature method that lets the signing domain take responsibility for the message. Rotate keys per provider best practice and never re-use a leaked selector.
- Publish DMARC. Start at p=none only long enough to read aggregate reports, then move to p=quarantine or p=reject. RFC 7489 is the spec; Google's docs explain that DMARC tells receiving servers what to do with mail that does not pass SPF or DKIM (Google sender guidelines).
- Confirm From-domain alignment. To pass DMARC, the SPF or DKIM authenticating domain must share an organizational domain with the visible From header. Yahoo and Google both call this out explicitly.
- Set up PTR (reverse DNS). Google and Microsoft both require valid reverse DNS on the sending IP, and the hostname should resolve forward to the same IP.
- Enforce TLS on outbound. Required by Google and Microsoft. Modern providers reject or downgrade unencrypted SMTP.
- Wire up one-click unsubscribe headers for any marketing or subscribed mail at volume. RFC 8058 standardizes the List-Unsubscribe and List-Unsubscribe-Post headers. Google explicitly says body links alone do not satisfy the header-based requirement, and announced that large senders must process unsubscribes within two days, with the rule of thumb that "it should take one click". Yahoo mirrors the two-day window.
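The DNS-record steps of this audit (SPF lookup limit, DMARC policy, From-domain alignment) can be checked offline once the TXT records are exported. The sketch below is an added example, not code from any provider or from this checklist's author. The record set and domain names are constructed, and `org_domain` is a simplifying assumption (last two labels) where a production check would use the Public Suffix List.

```python
import re

# Terms that trigger a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

def spf_lookup_count(domain, records, path=()):
    """Count DNS-querying SPF terms for `domain`, following include/redirect."""
    if domain in path:                      # include loop: stop recursing
        return 0
    total = 0
    for term in records.get(domain, "").lower().split()[1:]:  # skip "v=spf1"
        m = TERM.match(term)
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue                        # ip4, ip6, all, exp cost nothing
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += spf_lookup_count(m.group(2), records, path + (domain,))
    return total

def dmarc_policy(record):
    """Return the p= value of a DMARC TXT record, or None if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

def org_domain(name):
    # Assumption: organizational domain = last two labels. This shortcut is
    # wrong for names such as example.co.uk; use the Public Suffix List there.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain):
    """Relaxed DMARC alignment: both names share one organizational domain."""
    return org_domain(from_domain) == org_domain(auth_domain)

def audit(from_domain, spf_domain, dkim_domain, records):
    """Return a list of findings for one sending identity (empty = clean)."""
    findings = []
    if not records.get(spf_domain, "").lower().startswith("v=spf1"):
        findings.append("SPF: no record for " + spf_domain)
    else:
        lookups = spf_lookup_count(spf_domain, records)
        if lookups > 10:
            findings.append(f"SPF: {lookups} DNS lookups, limit is 10")
    policy = dmarc_policy(records.get("_dmarc." + from_domain, ""))
    if policy is None:
        findings.append("DMARC: no record")
    elif policy == "none":
        findings.append("DMARC: p=none, monitoring only")
    if not (aligned(from_domain, spf_domain) or aligned(from_domain, dkim_domain)):
        findings.append("Alignment: neither SPF nor DKIM domain matches From")
    return findings

# Constructed TXT records (not real DNS data).
RECORDS = {
    "mail.example.com": "v=spf1 include:_spf.esp.example include:_spf.crm.example mx ~all",
    "_spf.esp.example": "v=spf1 include:a.esp.example include:b.esp.example include:c.esp.example ~all",
    "a.esp.example": "v=spf1 a mx ip4:192.0.2.0/24 ~all",
    "b.esp.example": "v=spf1 a mx ~all",
    "c.esp.example": "v=spf1 exists:%{i}.c.esp.example ~all",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_dmarc.mail.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for finding in audit("mail.example.com", "mail.example.com", "esp.example", RECORDS):
        print(finding)
```

Nested includes are what push the constructed record over the limit: the top-level record lists only three lookup terms, but evaluation reaches eleven.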
How to score Gate 1
| Item | Points |
|---|---|
| SPF published and clean | 5 |
| DKIM published for every sending source | 5 |
| DMARC published | 5 |
| From-domain aligns with SPF or DKIM | 5 |
| PTR and forward-confirmed rDNS | 4 |
| TLS enforced | 3 |
| One-click unsubscribe headers on qualifying mail | 3 |
Missing DMARC for bulk Gmail or Outlook.com mail, or missing PTR, is an automatic fail (see below) regardless of your total.
Gate 2: Infrastructure and segregation (20 pts)
This is where most founders quietly burn their domain. Cold outreach has the highest spam-complaint risk in your portfolio. Transactional receipts, invoices, password resets, support replies, and customer onboarding email do not. Mixing the two means a single cold-email burst can drag your password-reset emails to spam.
What "good" looks like
- Different streams on different identifiers. Yahoo explicitly recommends keeping bulk and user/transactional mail separated by IP or DKIM domain (Yahoo Sender Best Practices). Postmark notes that subdomains develop their own reputations, which is why a dedicated outbound subdomain or distinct sending domain is usually safer than the apex.
- No personal Gmail for outbound at scale. Personal Gmail accounts can hit sending errors above 500 recipients/emails per day (Gmail Limits), and Gmail's anti-spam protections block roughly 15 billion unwanted messages a day. That makes personal Gmail the wrong infrastructure choice for cold outreach.
- Know your Microsoft 365 limits. Exchange Online has a 10,000 recipients/day cap per user in listed plans, and trial tenants are capped at 5,000/day external (Microsoft Learn — Exchange Online limits). These are operational ceilings, not deliverability ceilings, but exceeding them throttles you before reputation ever enters the picture.
Domain strategy in one paragraph
The defensible answer is: separate streams, document them, and warm each one. Whether you do that with a subdomain on your primary brand or a dedicated outbound domain is context-dependent. Provider documentation supports the separation principle; it does not bless any specific domain-strategy fad. Treat "always use a lookalike domain" or "subdomains are always safer" as opinion.
How to score Gate 2
| Item | Points |
|---|---|
| Outbound on its own domain or subdomain | 6 |
| Transactional/operational mail isolated from outbound | 5 |
| No personal Gmail used for cold outreach | 3 |
| Sending platform within its documented per-user / per-tenant limits | 3 |
| Shared-pool exposure understood and limited | 3 |
Gate 3: Audience quality and suppression (20 pts)
Authentication answers "is this you?" Audience quality answers "did anyone ask for this?" Mailbox providers care about both.
Google's recommended actions to senders are to send only to recipients who want the mail, confirm addresses, consider removing people who do not engage, and make unsubscribe easy (Postmaster Tools dashboards). Yahoo says do not purchase mailing lists, confirm subscriptions, remove invalid recipients promptly, and segregate mail types (Yahoo Sender Best Practices). M3AAWG's Sender Best Common Practices calls confirmed opt-in the highest standard, warns that single opt-in allows typos and forgeries, and says unsubscribe should be easy and should not require login.
For cold B2B outbound specifically:
- Verify before you send. Bounces and dead addresses are concentrated reputation poison early in a campaign.
- Document a permission basis per region. CAN-SPAM requires a valid postal address, a clear opt-out, and opt-out processing within 10 business days. The UK ICO says PECR's consent rule for electronic mail does not apply to corporate subscribers, but the sender must not conceal identity and must provide a valid opt-out address; UK GDPR still applies when personal data is involved.
- Third-party lists are not safe just because they are "verified." The European Commission says the source must be able to demonstrate compliant collection and lawful direct-marketing use, keep the list up to date, and respect objections. Address validation does not solve the underlying permission problem.
- Suppress aggressively. Maintain a single, shared, do-not-contact list across every campaign and every tool. Complaints, hard bounces, manual replies asking to stop, and out-of-office "no longer at company" replies all belong there.
How to score Gate 3
| Item | Points |
|---|---|
| No purchased or undocumented third-party lists | 5 |
| Address verification step in pipeline | 4 |
| Centralized suppression / DNC list across all tools | 5 |
| Per-region permission basis documented | 3 |
| Engagement-based pruning of dormant contacts | 3 |
Gate 4: Sending behavior and complaint control (20 pts)
Complaint rate is the single most underrated cold-email number. Google says senders should keep spam rates in Postmaster Tools below 0.10% and avoid ever reaching 0.30% or higher. Yahoo says keep spam complaints below 0.3%. Google also notes the user-reported spam rate is calculated daily and, importantly, that it does not track open rates — so an "open rate" dashboard is not a deliverability signal in any provider's playbook.
Ramp-up: what the providers actually say
Slow, consistent ramp-up is supported by primary documentation. Specific daily-send numbers per inbox are not.
- Google recommends gradual increases, pausing after deferrals, then resuming below the initial deferral volume for 24 hours, and emphasizes consistent pacing rather than bursts (Top 10 Gmail sender issues).
- Microsoft says new IPs are more likely to experience deliverability issues until they develop reputation, and a new IP can often be fully ramped within a couple of weeks or sooner, depending on volume, list accuracy, and complaint rates (Outlook Postmaster Troubleshooting).
- Postmark's domain-warming guide frames warmup as gradually increasing volume to establish positive reputation, typically reaching dependable full-volume deliverability in roughly 3–6 weeks.
If you have hit a wall in warmup, work through the five most common email warmup mistakes before changing tools or domains — most warmup failures are sender-reputation launch problems, not tool problems.
A pragmatic ramp pattern, anchored on provider language rather than community lore:
- Days 1–3: very low daily volume from each mailbox, focused on real human conversations with engaged recipients.
- Days 4–14: increase daily volume in steady increments while watching the spam rate and bounce rate. Pause and step back at the first sign of deferrals.
- Weeks 3–6: continue increasing while keeping pacing consistent through the day. Avoid bursts.
- Ongoing: keep daily volume predictable. Sudden 5x spikes are a stronger negative signal than a slow climb.
ThawingFox's peer-to-peer mailbox warmup model fits this picture because the relevant signals to providers are gradual ramp, consistent pacing, real human engagement, and a low complaint rate. The product cannot fix Gate 1 (authentication) or Gate 3 (audience) for you — nothing can — but it gives Gate 4 a healthier curve while you do the rest of the work.
How to score Gate 4
| Item | Points |
|---|---|
| Spam rate <0.10% in Google Postmaster Tools | 6 |
| Visible, working unsubscribe + RFC 8058 headers | 4 |
| Consistent daily pacing, no bursts | 4 |
| Deferral / bounce response protocol documented | 3 |
| No reliance on open rate as a deliverability metric | 3 |
Gate 5: Monitoring and remediation (10 pts)
You cannot fix what you cannot see. Monitoring is the lowest-weighted gate only because it is downstream of the other four — but skipping it turns small problems into outage-class ones.
Tools that actually matter
- Google Postmaster Tools v2. Set up at the official page. Read the dashboard guide — Google says the data is not real-time, is typically updated within 24 hours, and may not show data when volume is too low.
- Heads-up on the old Postmaster Tools. Google is deprecating the old interface and retiring the old Domain and IP Reputation dashboards. Any deliverability checklist that leans on those specific charts is now stale.
- Google Feedback Loop. The Feedback-ID header ties spam reports to specific campaigns so you can isolate the offending segment.
- Microsoft SNDS and JMRP. Smart Network Data Services exposes complaint data and reputation signals. The Junk Mail Reporting Program feeds you per-message complaints. Outlook.com deliverability is reputation-based and these are the only sanctioned signals.
- Bounce and error parsing. Hard bounces feed your suppression list. Soft bounces and deferrals feed your pacing decisions.
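The split described in the last item, as an added example (not code from any provider or sending platform): permanent address failures go to the suppression list, and deferrals produce a pause signal plus a resume cap below the volume at which the first deferral appeared. The log format, the addresses and the `resume_factor` value are constructed assumptions. The example also goes one step beyond the text by keeping 5.7.x policy rejections (RFC 3463 security/policy class) out of the suppression list, since they describe the sender rather than the recipient address.

```python
import re

# Hypothetical delivery-log format: "... to=<rcpt> status=<code> [<enhanced>] text"
LINE = re.compile(
    r"to=<(?P<rcpt>[^>]+)>\s+status=(?P<code>[245]\d\d)"
    r"(?:\s+(?P<enh>\d\.\d{1,3}\.\d{1,3}))?"
)

def triage(log_lines, resume_factor=0.8):
    """Sort delivery results into suppression, policy and pacing signals."""
    suppress = set()          # recipients to add to the do-not-contact list
    policy_blocks = []        # 5.7.x: sender/policy problem, not a dead address
    deferrals = 0             # 4xx: transient, feeds pacing decisions
    attempted = 0
    first_deferral_volume = None
    for line in log_lines:
        m = LINE.search(line)
        if not m:
            continue          # not a delivery result line
        attempted += 1
        code, enhanced = m["code"], m["enh"] or ""
        if code.startswith("5"):
            if enhanced.startswith("5.7."):
                policy_blocks.append(m["rcpt"].lower())
            else:
                suppress.add(m["rcpt"].lower())
        elif code.startswith("4"):
            deferrals += 1
            if first_deferral_volume is None:
                first_deferral_volume = attempted
    resume_cap = None
    if first_deferral_volume is not None:
        # Resume strictly below the volume at which deferrals began.
        # resume_factor is an assumed safety margin, not a provider number.
        resume_cap = min(int(first_deferral_volume * resume_factor),
                         first_deferral_volume - 1)
    return {
        "suppress": suppress,
        "policy_blocks": policy_blocks,
        "deferrals": deferrals,
        "pause": deferrals > 0,
        "resume_cap": resume_cap,
    }

# Constructed sample log lines.
SAMPLE_LOG = [
    "2026-01-12T09:00:01Z to=<ana@example.org> status=250 2.0.0 accepted",
    "2026-01-12T09:00:40Z to=<Old.Hire@example.org> status=550 5.1.1 no such user",
    "2026-01-12T09:01:15Z to=<raj@example.net> status=250 2.0.0 accepted",
    "2026-01-12T09:02:02Z to=<lee@example.net> status=421 4.7.0 try again later",
    "2026-01-12T09:02:30Z to=<kim@example.net> status=451 4.7.0 try again later",
    "2026-01-12T09:03:05Z to=<sam@example.com> status=550 5.7.1 rejected by policy",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```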
How to score Gate 5
| Item | Points |
|---|---|
| Postmaster Tools v2 configured for every sending domain | 3 |
| Microsoft SNDS + JMRP configured | 3 |
| Feedback-ID implemented on outbound | 2 |
| Bounce handling and suppression automated | 2 |
Automatic fail conditions
Regardless of total score, the following are non-negotiable fails:
- No DMARC for bulk mail to Gmail or Outlook.com (Google sender guidelines, Microsoft Outlook Postmaster Policies).
- No PTR / reverse DNS on sending IPs.
- Spam rate near or above 0.3% in Google Postmaster Tools (Google sender guidelines).
- No working opt-out / unsubscribe process (FTC CAN-SPAM Compliance Guide).
- Purchased or third-party list with undocumented permissions (European Commission guidance).
Troubleshooting: Gmail placement just dropped
The instinct is to rewrite the copy. That is rarely the right first move. Google's current guidance:
- Check Postmaster Tools first. Look at spam rate, authentication pass rate, IP/domain reputation indicators, and delivery errors.
- Reduce volume after deferrals or bounce spikes. Pause, then resume below the initial deferral volume for 24 hours before climbing again (Top 10 Gmail sender issues).
- Get spam rate under 0.10% by suppressing the campaign segments driving complaints. The complaint distribution is rarely uniform.
- Confirm one-click unsubscribe is implemented for qualifying mail.
- Stabilize pacing. Consistent daily volume is a stronger positive signal than higher daily volume.
Troubleshooting: Outlook is junking everything
Different ecosystem, different tools:
- Check SNDS for the sending IP. Red status, high complaint rate, or low data volume each point to a different fix.
- Verify SPF, DKIM, DMARC alignment specifically for Outlook.com traffic — Outlook's high-volume policy now enforces all three.
- Pull the IP from a shared pool if your sender reputation is being dragged by neighbors and your platform supports it.
- Subscribe to JMRP so complaints feed your suppression list.
- Remember the B2B picture. Validity's 2025 benchmark found Microsoft the toughest major mailbox provider in its dataset at 75.6% inbox placement, with Office 365 at 85.2% and Google Apps at 83.1% in the B2B hosted-platform view. Outlook destinations being harder than Gmail destinations is the baseline expectation, not a sign you specifically have done something wrong.
Legal vs. deliverability: they are not the same thing
A campaign can be CAN-SPAM compliant and still land in junk because recipients did not want it. Conversely, strong deliverability tactics do not guarantee legal compliance in every jurisdiction.
| Region | Key rule | Source |
|---|---|---|
| United States | Valid postal address, clear opt-out, opt-outs honored within 10 business days | FTC CAN-SPAM |
| United Kingdom | PECR consent rule does not apply to corporate subscribers, but identity and opt-out are required; UK GDPR still applies to personal data | UK ICO |
| European Union | Third-party lists must demonstrate compliant collection, lawful use, currency, and respect for objections | European Commission |
Recruiters and agencies sending across regions should treat the suppression / do-not-contact list as a deliverability asset, not just a legal one. "Legal enough to send" is not the same as "safe for inbox placement."
Myths vs. facts
| Common claim | Reality |
|---|---|
| "A cold inbox should never send more than X emails per day." | No universal primary-source number from Google, Microsoft, or Yahoo. Pacing and complaint rate matter more than any specific cap. |
| "Warmup tools that auto-send and auto-reply categorically improve deliverability." | Providers support gradual ramp-up. They do not endorse blanket performance claims for specific tool tactics. |
| "Plain-text emails always land in the primary inbox." | Too absolute. Providers focus on authentication, complaints, reputation, and deceptive behavior. |
| "Never include links or images in cold email." | Overstated. The provider signal is identity and complaint behavior, not asset presence. |
| "Lookalike domains are always safer than subdomains." | Provider docs back stream separation, not any specific domain-strategy fad. |
| "Inbox placement can be guaranteed if you follow a checklist." | No credible source supports guarantees. |
| "Google uses open rates as a core deliverability metric." | Google explicitly says it does not track open rates. |
| "Buying a verified list is fine." | Verification does not solve consent. Yahoo says do not purchase lists, and the EU Commission requires demonstrable compliant collection. |
Frequently asked questions
What belongs on a cold email deliverability checklist?
At minimum: SPF or DKIM, PTR, TLS, DMARC for bulk mail, one-click unsubscribe where applicable, slow ramp-up, consistent sending, suppression of invalid or unwanted recipients, and active monitoring with Google Postmaster Tools and Microsoft SNDS.
Do I need SPF, DKIM, and DMARC for cold email?
If you send at scale, yes. Google requires SPF or DKIM for all senders to Gmail and SPF, DKIM, and DMARC for bulk senders. Outlook.com high-volume senders also need SPF, DKIM, and DMARC under Microsoft's policy effective May 5, 2025. Yahoo matches the pattern for bulk senders.
Does cold email need an unsubscribe link?
For commercial mail, opt-out is legally important under CAN-SPAM, and Google and Yahoo expect easy unsubscribe for bulk marketing or subscribed mail. Google's one-click requirement is header-based via RFC 8058 — a footer link alone does not satisfy it.
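A header-level check for the RFC 8058 requirement, as an added example rather than provider code: it confirms that List-Unsubscribe carries an HTTPS URI, that List-Unsubscribe-Post has its single defined value, and that a DKIM signature lists both headers in its h= tag, which RFC 8058 requires. Both sample messages are constructed, and the check inspects header coverage only; it does not verify the signature.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

REQUIRED = {"list-unsubscribe", "list-unsubscribe-post"}

def signed_headers(dkim_signature):
    """Return the lowercased header names listed in a DKIM-Signature h= tag."""
    m = re.search(r"(?:^|;)\s*h\s*=([^;]+)", dkim_signature)
    return {h.strip().lower() for h in m.group(1).split(":")} if m else set()

def one_click_problems(raw_message):
    """Return RFC 8058 header problems for a raw message (empty list = OK)."""
    msg = message_from_string(raw_message)
    problems = []

    # List-Unsubscribe must offer an HTTPS URI; a mailto: URI alone is not enough.
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(urlparse(u.strip()).scheme == "https" for u in uris):
        problems.append("List-Unsubscribe has no https URI")

    # The companion header has exactly one defined value.
    post = "".join(msg.get("List-Unsubscribe-Post", "").split())
    if post.lower() != "list-unsubscribe=one-click":
        problems.append("List-Unsubscribe-Post is missing or wrong")

    # One DKIM signature must cover both headers (coverage only, no crypto check).
    signatures = msg.get_all("DKIM-Signature", [])
    if not any(REQUIRED <= signed_headers(sig) for sig in signatures):
        problems.append("unsubscribe headers not covered by a DKIM h= tag")
    return problems

# Constructed messages; signature values are placeholders.
COMPLIANT = """\
From: Sales <sales@mail.example.com>
To: pat@example.org
Subject: Quick question
List-Unsubscribe: <https://mail.example.com/u/abc123>, <mailto:unsub@mail.example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=sel1;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post;
 bh=PLACEHOLDER; b=PLACEHOLDER

Hello Pat
"""

FOOTER_LINK_ONLY = """\
From: Sales <sales@mail.example.com>
To: pat@example.org
Subject: Quick question
List-Unsubscribe: <mailto:unsub@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=sel1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

Hello Pat. Unsubscribe: https://mail.example.com/u/abc123
"""

if __name__ == "__main__":
    print(one_click_problems(COMPLIANT))
    print(one_click_problems(FOOTER_LINK_ONLY))
```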
What complaint rate is too high?
Google says keep spam rates below 0.10% and avoid ever hitting 0.30% or higher (sender guidelines). Yahoo says keep spam rates below 0.3%.
How long does warmup take?
There is no universal timetable. Microsoft says a new IP can be fully ramped within a couple of weeks or sooner under good conditions, and Postmark's domain-warming guide suggests most domains can expect dependable full-volume deliverability in roughly 3–6 weeks.
Should I use my main domain for cold outreach?
Separate bulk/outbound from critical user or transactional mail where possible. Yahoo recommends segregating email types by IP or DKIM domain and Postmark notes that subdomains develop their own reputations. Whether you use a subdomain on your primary brand or a dedicated outbound domain is context-dependent.
Are Google's sender rules the same for Google Workspace recipient inboxes?
No. Google says its sender requirements and enforcement apply to personal Gmail accounts, not messages delivered to Google Workspace tenants. Workspace mail can be subject to admin policies and third-party filters that look nothing like consumer Gmail.
How do I monitor deliverability at Gmail and Outlook?
Use Google Postmaster Tools v2 for Gmail and Microsoft SNDS plus JMRP for Outlook.com. Google also supports campaign-level tracking via the Feedback-ID header.
Can I buy or use a third-party list if I verify the addresses?
Verification does not solve permission. Yahoo says do not purchase mailing lists and the European Commission requires a third-party source to demonstrate compliant collection and lawful direct-marketing use.
Can I use a personal Gmail account for cold outreach?
Bad infrastructure choice for scale. Personal Gmail accounts can hit errors above 500 recipients or emails per day, and Gmail applies anti-spam protections aggressively across the consumer ecosystem.
Can I rely on Google Postmaster reputation dashboards long-term?
Not as a long-term content recommendation. Google says the old Domain and IP Reputation dashboards are being retired in Postmaster Tools v2.
How to use this checklist tomorrow
- Open a blank doc. Score each gate honestly.
- List every automatic-fail condition you currently trigger. Fix those first; they will keep you out of the inbox no matter what else you do.
- Set a Postmaster Tools v2 and SNDS baseline before you change anything else, so you can tell whether your fix worked.
- Re-score after one full ramp cycle. The number you want is rising, week over week, while spam rate stays under 0.10%.
Deliverability is not a one-time launch task. It is the operational discipline of staying inside provider expectations while your volume grows. The five gates are the part that does not change.