The depressing truth of cold outbound: you can write the best email of your life, and if your sender reputation is wrong, nobody will ever read it. Spam folders are graveyards.
This is a working operator's guide to the four things that actually decide deliverability — written so a non-engineer can wire it up themselves and a senior engineer can audit it.
The four-layer model
Modern email deliverability is a layered trust system. From the receiving inbox's perspective, each layer answers a question:
- SPF — "Is this server allowed to send email for this domain?"
- DKIM — "Is this email actually from that server, unmodified?"
- DMARC — "What should I do if SPF or DKIM fail?"
- Reputation — "Has this sender historically sent stuff humans want?"
Get all four right and you're in the inbox. Get any one wrong and you're competing with newsletter offers and Nigerian princes.
SPF — the easiest one to get right
SPF is a DNS TXT record listing which servers are authorised to send email for your domain. Looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Three things matter:
- v=spf1 — version, always.
- include: entries — one per sending service. Google Workspace, your transactional provider, your cold-email tool.
- ~all at the end — soft-fail. Use -all (hard-fail) only when you're certain you've listed every sender. Hard-fail with a missed sender = legitimate mail bouncing.
DKIM — the one most people skip
DKIM cryptographically signs your outgoing email so receivers can verify the message wasn't tampered with in transit. Each sending service gives you a public key (a TXT record) to publish at a specific selector — usually something like selector1._domainkey.yourdomain.com.
The two ways teams get this wrong:
- They don't set it up at all. Major providers will silently mark your email as "unauthenticated" without telling you. Your reputation tanks and you don't know why.
- They set it up once, then rotate keys. When the sending service rotates the signing key (which they do, automatically), your DNS record stops matching. Suddenly all your DKIM checks fail. Set a calendar reminder to verify quarterly.
selector1._domainkey TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAA…"
You don't read DKIM records. You verify them with dig or a tool, and you watch your sending service's dashboard for failures.
DMARC — the policy layer
DMARC tells receivers what to do when SPF and DKIM disagree with each other. It also gives you reporting, which is the actual reason to set it up.
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100
- p=none — start here. Receive reports, don't enforce yet.
- p=quarantine — once reports look clean, move here. Failed mail goes to spam.
- p=reject — for the brave. Failed mail bounces.
The rua= address gets daily aggregate reports from receivers. They're ugly XML, but tools like Postmark's free DMARC monitor parse them into a dashboard. You'll discover senders you forgot about. Everyone does.
Warmup — the part nobody likes
A fresh sending domain has no reputation. Send 200 emails on day one and you're a spammer to the receiving algorithms. The fix is a gradual ramp:
| Day | Volume |
|---|---|
| 1 | 5 |
| 2 | 10 |
| 3 | 15 |
| … | … |
| 10 | 50 |
Cap at 50/day/mailbox, indefinitely. Higher volumes from a single mailbox correlate with deliverability degradation across every dataset we've measured. If you need 200/day, run four mailboxes, not one inflated one.
The 10-day ramp is the floor. Some teams take 14 days and end up with cleaner reputation. Hardly anyone we've seen succeed has tried to compress it below 10.
“Domains warmed for 10+ days had a median inbox-placement rate of 91%. Domains rushed to volume in under 7 days: 63%.”
The audit checklist
Run this once a quarter. Five minutes.
- SPF record present, under 10 lookups, ends with ~all or -all
- DKIM signing verified at every sending service (check the service's dashboard)
- DMARC at minimum p=none with a rua= reporting address
- DMARC reports being read (set the inbox to forward to a tool, not a person)
- No mailbox sending over 50/day
- Warmup ramp logged and visible — knowing day 1 is more important than knowing day 30
If any line fails, fix that one before tweaking copy. Copy can't beat the spam folder.
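The SPF and DMARC lines of the checklist can be checked mechanically. The Python below is an added example, not OREE's code: it counts DNS-querying SPF terms through nested include: entries against RFC 7208's limit of 10 and validates the DMARC tags. The ZONE dictionary, the example.test and bloated.test names, and the function names are constructed for illustration and stand in for live DNS answers.

```python
import re

# Constructed sample data: name -> TXT record, standing in for live DNS answers.
ZONE = {
    "example.test": "v=spf1 include:_spf.mail.example.test include:esp.example.test ~all",
    "_spf.mail.example.test": "v=spf1 include:_a.mail.example.test include:_b.mail.example.test ~all",
    "_a.mail.example.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "esp.example.test": "v=spf1 a mx ip4:203.0.113.0/24 ~all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test; pct=100",
    "bloated.test": "v=spf1 a mx include:example.test include:esp.example.test +all",
}
QUERY_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation

def spf_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from the domain's SPF record."""
    if domain in path:  # include/redirect loop: stop descending
        return 0
    count = 0
    for term in zone.get(domain, "").lower().split()[1:]:  # skip v=spf1
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term)
        if not m:
            continue
        name, target = m.group(1), m.group(2)
        if name in QUERY_TERMS:
            count += 1
        if name in ("include", "redirect") and target:
            count += spf_lookups(target, zone, path + (domain,))
    return count

def audit(domain, zone):
    """Return the checklist items that fail for the domain (empty list = pass)."""
    failures = []
    spf = zone.get(domain, "").lower().split()
    if not spf or spf[0] != "v=spf1":
        failures.append("SPF record missing")
    elif spf[-1] not in ("~all", "-all"):
        failures.append("SPF does not end with ~all or -all")
    n = spf_lookups(domain, zone)
    if n > MAX_LOOKUPS:
        failures.append(f"SPF needs {n} DNS lookups")
    tags = dict(t.strip().split("=", 1)
                for t in zone.get("_dmarc." + domain, "").split(";") if "=" in t)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        failures.append("DMARC record missing or has no valid p=")
    elif not tags.get("rua", "").startswith("mailto:"):
        failures.append("DMARC has no rua= reporting address")
    return failures
```

To run it against a real domain, fill the dictionary from TXT lookups (for example with dig) for the domain, each name its include: entries point to, and the _dmarc name.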
Setting all of this up by hand takes about half a day per domain, plus ongoing monitoring. OREE handles every line on this checklist automatically — domain provision, SPF/DKIM/DMARC, warmup, ongoing monitoring. You ship outreach, we keep the pipes clean.
Written by
Kingsley Nnamonah
Head of Product
Builds the OREE product. Spent the last decade shipping AI tooling for revenue teams. Writes about the engineering and product decisions behind the co-pilot.



