Cold Email 2026/03 · Infrastructure
Module 03 · Deliverability

Domains, inboxes, SPF / DKIM / DMARC.

Inbox providers decide whether you land in the inbox or in spam before they read a word of your email. That decision is based on technical trust signals you control. This is the single highest-leverage stage of the whole pipeline.

The one idea

Trust before content

When you send an email, the receiving server does about fifteen technical checks before it even opens the message body. Does the sending domain authorize this server to send for it? Is the message signed cryptographically? What's the domain's reputation? If you fail those checks, your perfect copy goes to spam and you'll never know why.
Setup · Step 1

Buy lookalike sending domains — never use your primary

If you send cold from yourcompany.com, one mistake and your real business email starts going to spam. Always send from lookalikes: get-yourcompany.com, tryyourcompany.com, yourcompany-mail.com. A burned domain becomes disposable.

How many? From your funnel math. ~150 sends/day at 30 per inbox = 5 inboxes, at 2–3 inboxes per domain = 2–3 domains. Always round up.
Porkbun ($10/yr) Cloudflare Registrar Namecheap
Setup · Step 2

Create inboxes — or buy them pre-warmed

OptionCost / mo / inboxProsCons
Google Workspace$6–18Highest deliverability ceilingSlow manual setup, manual auth records
Microsoft 365$6Good for Outlook-heavy B2BStricter spam thresholds in 2026
Managed providers$2–4Pre-authenticated, bulk discountShared infrastructure; varies by provider
2026 update Managed inbox providers (Mailforge, Mailreef, Maildoso, Inboxes.com) ship inboxes with SPF / DKIM / DMARC already configured. A setup that took 4 hours per domain now takes 10 minutes. Use them for new fleets unless you have a specific reason to handle Workspace yourself.
Google Workspace Microsoft 365 Mailforge Maildoso MailReef
Setup · Step 3

The three authentication records, explained simply

SPF is a list of mail servers allowed to send "from" your domain. DKIM is a cryptographic signature that proves the email wasn't tampered with in transit. DMARC tells receiving servers what to do when SPF or DKIM fails — and where to send reports. All three are TXT records in your domain's DNS.
The three records (per sending domain) 
SPF    TXT  @         "v=spf1 include:_spf.google.com ~all"
DKIM   TXT  google._domainkey   (paste the key your provider gives you)
DMARC  TXT  _dmarc    "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100"
  • Start DMARC at p=none. That means "don't reject anything, just report it." Watch the reports for 2 weeks.
  • Then move to p=quarantine. Mails that fail go to spam. Most legitimate senders sit here.
  • Only move to p=reject when you're confident. Mails that fail get bounced outright.
2026 update Since Gmail and Yahoo's February 2024 bulk sender rules, DMARC is now required, not optional, for anyone sending more than 5,000 emails / day to those domains. A missing DMARC record means automatic spam folder.
Verify

Test your records before sending a single email

A free DNS checker tells you in 30 seconds whether your records are correctly set up. Run every domain through one before connecting it to your sender.

MXToolbox Dmarcian Mail-tester (run after a real send) Google Postmaster
Mail-tester workflow Visit mail-tester.com, grab the unique email address it shows you, send one email to it from your new inbox (real subject and body), then refresh the page. You get a score out of 10 plus a checklist of what's missing. Anything under 9/10 — fix before scaling.
Do this now

Stand up one fully-authenticated sending domain

  1. Buy one lookalike domain on Porkbun (~$10/yr).
  2. Create one Google Workspace inbox on it (or order via Mailforge for a pre-built fleet).
  3. Add the three TXT records above. DMARC starts at p=none.
  4. Wait 1–2 hours for DNS propagation.
  5. Run the domain through MXToolbox. All three records should resolve.
  6. Send one email to mail-tester.com from the new inbox. Score 9+/10.
  7. Repeat for every domain in your fleet.
Don't do this

The infrastructure mistakes that burn campaigns

Send cold from your primary domain. One bad campaign and your real business email starts landing in customers' spam folders. Permanent damage.
Skip DMARC. Post-2024 Gmail rules, you don't get to skip this anymore.
Jump straight to p=reject. Without watching reports first, you'll bounce legitimate replies and not know why.
Reuse a burned domain. Reputation lives at the domain level. A scorched domain is disposable — toss it, buy a new $10 one.
What this rules out

If MXToolbox is green and mail-tester scores 9+, infrastructure is not your problem

If you're still landing in spam after this, the cause is downstream: warmup didn't run long enough, daily caps are too high, or your copy is triggering content filters. See Module 04.