Why does my cold email go to spam?

Most often because your sending domains are not properly authenticated or aligned, so receivers filter you for technical reasons before reputation even comes into play. Cold email rides on a stack: authentication first, then reputation, list quality, and sending behavior. Operators usually focus on warmup and volume while the authentication foundation is broken.

Does email warmup fix deliverability?

No, not on its own. Warmup builds reputation by simulating engaged sending, but it does nothing about authentication. If your SPF, DKIM, DMARC, or alignment is broken, warmup is building a reputation for a domain that fails the identity check on every send, and it still lands in spam. Fix authentication first, then warm up.

Why do my cold email domains keep burning out?

Sometimes it is genuine reputation decline from aggressive sending or poor list quality. But often the domain was never authenticated correctly to begin with, so it was filtered from day one and mistaken for burnout. With a solid authentication foundation and sensible sending, domains last far longer.

Cold Email Deliverability: Why It Keeps Breaking and What Fixes It

If you run cold outbound, deliverability isn't a feature. It's the whole business. When your mail lands, you have a pipeline. When it doesn't, you have a spreadsheet of contacts and a warmup bill. And the worst part is how it fails: not with a clear error, but with reply rates slowly bleeding out while you wonder if it's the copy, the list, the offer, or something you can't see.

It's usually something you can't see. So let's make it visible, in the order that actually matters for outbound.

The short version

Cold email lands or dies on a stack of four things, and they're not equally weighted: authentication is the foundation, then domain and IP reputation, then list quality, then sending behavior. Most operators pour all their attention into warmup and volume settings (the top of that stack) while the foundation underneath is quietly broken. That's backwards. You can't out-warm a domain that's failing authentication. You're just warming up mail that the receiver was always going to filter.

Get the order right and the rest of your tactics start working. Get it wrong and you're on a treadmill of buying and burning domains forever.

Warmup is not authentication

This is the single most expensive misunderstanding in cold email, so let's be blunt about it.

Warmup builds reputation. It teaches mailbox providers that your domain sends mail real people open and reply to, by simulating exactly that. Useful, real, worth doing. But warmup does nothing about authentication. It does not fix a broken SPF, it does not add a missing DKIM key, and it does not align your sending tool to your domain. If your authentication is broken, warmup is you carefully building a reputation for a domain that fails the identity check on every send. The provider filters it regardless of how warm it is.

The order that matters

Authentication first, then warmup. A warmed domain on broken auth still lands in spam. A correctly authenticated domain that's been warmed sensibly is the combination that works. If you're paying for warmup and still in spam, the foundation is almost certainly the thing nobody checked.

What cold email actually rides on

For outbound specifically, the authentication picture has a few wrinkles a normal business doesn't deal with. You're running separate sending domains (you should never run cold outbound on your main company domain), often several of them, each with its own inboxes. Every one of those domains needs the full foundation:

A correct SPF record for the tool you send through, on each domain, within the ten-lookup limit and with only one SPF record per domain.
DKIM signing as that domain, not as your sequencer's shared domain. This is the one people miss.
A DMARC record on every sending domain, so the providers see you taking responsibility and so you get reports showing what's actually happening.
Alignment, so the SPF and DKIM that pass are passing for your sending domain, the one in the From address, not the tool's.

Multiply that by however many domains you run, and you start to see why this gets away from people. It's not hard per domain. It's that there are a lot of domains, each with a few records, and one wrong field on one of them silently sinks that domain's deliverability while the others look fine.

The trap that quietly kills outbound

Here's the specific failure that catches more cold-email setups than any other. You connect your inboxes to a sending platform, the platform sends, and SPF and DKIM both pass. Looks healthy. Except they pass for the platform's domain, not yours. Nothing aligns to the From address your prospect sees, so DMARC fails, and the receiver treats you as unauthenticated.

auth-check · outbound1.com via your sequencer

spfpassfor the tool

dkimpasssigned as the tool

alignmentfailnot your sending domain

dmarcfail

Everything in your tool's dashboard says green. The prospect's provider says spam. The fix is to set up your platform's custom or authenticated sending domain for each of your outbound domains, so DKIM signs as outbound1.com instead of as the tool. It's a known, repeatable fix. It's just one that nobody does until they understand alignment, which is exactly why so many warmed, "properly set up" domains still don't land.

Not sure which of your sending domains are actually authenticated? Run each one through our free authentication check. It reads the live records in seconds and tells you, per domain, what's set up and what's quietly failing.

Why 2024 hit outbound the hardest

In February 2024, Google and Yahoo turned authentication from a nice-to-have into a requirement for anyone sending at volume. If you push roughly 5,000 messages a day or more to Gmail, you now must authenticate with SPF, DKIM, and DMARC, offer one-click unsubscribe, and keep your spam complaint rate low (under 0.3%, and you really want to be well under that). Microsoft has since rolled out similar requirements for high-volume Outlook senders.

Cold outbound is, almost by definition, high-volume sending to people who didn't ask for it. That's precisely the profile these rules were written to catch. Operators who'd been getting away with sloppy authentication for years hit a wall, all at once, and a lot of them responded by buying more domains to spread the volume, which helps with the rate thresholds but does nothing if every new domain is just as unauthenticated as the last. You can't volume your way around a broken foundation. You can only multiply the problem.

Why you keep burning domains

The "domains just burn out" story is half true and half myth. Domains do degrade with hard, aggressive sending. But a lot of what gets blamed on a domain "aging out" is actually one of three things you can fix:

The domain was never authenticated properly to begin with, so it was filtered from day one and you mistook a foundation problem for a reputation decline.
You sent too hard, too fast, spiking complaints and bounces, which torches reputation no matter how good the auth is.
Your list quality was poor, so you hit spam traps and dead addresses that signal "this is a spammer" to every provider at once.

Authentication won't fix aggressive sending or a bad list. But when the foundation is solid, your domains last longer, your reputation builds instead of collapsing, and you stop replacing them every few weeks like a consumable. Fixing the foundation is the difference between domains as an asset you maintain and domains as a tax you keep paying.

What you control, and what you don't

Honesty matters here more than in most marketing, because the cold-email world is full of people promising a guaranteed inbox. So, plainly:

You control your authentication, completely. It's mechanical, it's fixable, and it either passes or it doesn't. You strongly influence your sending behavior and list quality, which is on you and your process. You only partially influence reputation, because that's built over time by how recipients react to your mail. Nobody, anywhere, controls the inbox outright. Anyone telling you they guarantee placement is selling you the one thing that can't be guaranteed.

What a deliverability service can honestly do is own the foundation: get every domain authenticated and aligned, get you to DMARC enforcement safely, and tell you straight which of your remaining problems are technical (fixable) and which are behavioral (yours to change). That's the part that makes everything else you do actually count.

If you'd rather not babysit DNS across ten domains

We'll get the foundation right on every sending domain.

Whatever you send on, and wherever your DNS lives (your sequencer's setup, Cloudflare, Namecheap, Google Workspace, Microsoft 365, or a stack a contractor left half-finished), we'll get into it and tell you exactly which domains are authenticated, which are quietly failing, and what each one needs. The free audit gives you that picture in plain English, across all your domains, before you spend anything.

If you want it handled, we authenticate and align every domain, get you to enforcement without breaking your live campaigns, and set up monitoring so you see a problem before a domain burns instead of after.

Get your free deliverability audit →

No commitment. We'll show you exactly what's broken before you pay anything.

The honest bottom line: warmup, copy, and list-building all matter, but they're built on top of authentication, and most outbound operators have a crack in that foundation they've never seen. Fix it first, and everything you're already doing starts converting better. Skip it, and you'll keep buying domains to replace the ones you keep breaking.

Cold email deliverability: why it keeps breaking