GTMHQ

Workflows

Email Infrastructure for Cold Outreach: SPF, DKIM, DMARC and Multi-Domain Setup

7 min read
Email Infrastructure for Cold Outreach: SPF, DKIM, DMARC and Multi-Domain Setup

Everything in your outbound system — your list quality, your signal detection, your AI personalization — is irrelevant if your emails land in spam. Email deliverability is the infrastructure layer that makes everything else work. Get it right and you have a durable, scalable outbound channel. Get it wrong and you can permanently damage domains that took years to build.

This is the complete infrastructure setup that supports campaigns sending 200–500 emails per domain per day with bounce rates under 5% and complaint rates under 0.1%.

Why Multi-Domain Architecture Is Non-Negotiable

Most companies make the same mistake: they use their primary domain (company.com) for cold outreach. This is like using your main credit score for a speculative investment — when it goes wrong, it damages something that took years to build.

Multi-domain architecture separates cold outreach volume from your primary domain. Benefits:

  • Primary domain stays clean for transactional emails (receipts, contracts, customer comms) that require maximum deliverability
  • Sending volume spreads across domains so no single domain hits spam thresholds
  • Damage is contained if a domain gets flagged — you rotate, not rebuild
  • Scale is easier — add domains to increase volume rather than pushing one domain past safe limits

Minimum setup: 3–5 sending domains. Use subdomains (mail.yourcompany.com, outreach.yourcompany.com) or separate root domains. Both work — separate root domains provide slightly more isolation.

The Three Authentication Protocols (All Required)

SPF (Sender Policy Framework)

SPF tells receiving mail servers which servers are authorized to send email on behalf of your domain. Without it, receiving servers have no way to verify your email isn’t being spoofed.

Implementation: Add a TXT record to your domain’s DNS:

v=spf1 include:your-esp.com ~all

Replace your-esp.com with your email service provider’s SPF record. The ~all (softfail) is recommended over -all (hardfail) to avoid blocking legitimate email during setup.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every email sent from your domain. Receiving servers verify this signature against a public key published in your DNS. A valid DKIM signature proves the email genuinely came from your domain and wasn’t modified in transit.

Implementation: Your email service provider will generate a DKIM key pair. You publish the public key as a TXT record in DNS. Use 2048-bit keys (not 1024-bit) for modern security standards.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC tells receiving servers what to do when SPF or DKIM checks fail — and generates reports on email authentication across your domain. It’s the policy layer that ties SPF and DKIM together.

Start with a monitoring-only policy while you verify your authentication is working:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Once you’ve confirmed authentication is working (typically 2–4 weeks), move to:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

And eventually to p=reject for maximum protection. This progression prevents you from blocking legitimate email during the transition.

Domain Warmup: The 4–6 Week Protocol

A new domain has zero sending reputation. ISPs and corporate spam filters are deeply skeptical of new senders — rightfully so, since most spam comes from freshly registered domains. Warmup gradually builds reputation by demonstrating consistent, low-volume sending with high engagement.

Warmup schedule:

  • Week 1: 10–20 emails per day. Use a warmup service (Instantly, Lemwarm, or similar) to generate opens and replies.
  • Week 2: 30–50 emails per day. Mix warmup traffic with a small number of real cold emails.
  • Week 3: 75–100 emails per day. Monitor bounce and complaint rates closely.
  • Week 4: 150–200 emails per day. Continue monitoring.
  • Weeks 5–6: Gradually ramp to 300–500 per day based on deliverability signals.

Maximum safe volume after full warmup: 200–500 emails per domain per day. This varies by domain age, ESP, and recipient engagement rates. Stay conservative — a damaged domain is worse than a slow ramp.

Sending Domain Best Practices

  • Use subdomains for cold outreach: mail.company.com, outbound.company.com, sales.company.com
  • Keep primary domain for transactional: company.com handles receipts, contracts, support
  • One ‘From’ name per domain: Authentic human names (John Smith), not company names or generic roles
  • Set up custom tracking domain: Branded tracking links instead of ESP-generic tracking domains
  • Set reverse DNS (PTR records): Your sending IP’s PTR record should match your sending domain

Content Guidelines for Deliverability

Authentication and warmup protect your domain reputation. Content affects inbox placement once your email is accepted. Key rules:

  • No links in the first cold email: Links — especially tracked links — reduce deliverability on first contact. Include links in follow-ups after engagement.
  • No images: High text-to-image ratios trigger spam filters. Plain text emails outperform HTML in cold outreach.
  • Avoid spam trigger words: “Free,” “guarantee,” “act now,” “limited time,” “unsubscribe now” in the subject line all hurt deliverability.
  • Keep emails short: 50–150 words. Long emails get skimmed and deleted, which hurts engagement signals.
  • Proper unsubscribe mechanism: Required for CAN-SPAM and GDPR compliance. A one-click unsubscribe also prevents spam complaints.

Ongoing Monitoring: Daily, Weekly, Monthly

Daily monitoring (automated):

  • Bounce rate — target: under 5%. Above 5% means your list quality is degrading or you’re hitting spam traps.
  • Complaint rate — target: under 0.1%. Above 0.3% triggers spam filter action from major ISPs.
  • Deliverability rate — target: over 95%.

Weekly:

  • Inbox placement testing (tools like GlockApps or Mail Tester) to check where your emails are landing across major ISPs
  • Reply rate as a leading indicator — if it drops suddenly, investigate deliverability before messaging

Monthly:

  • Sender reputation audit via Google Postmaster Tools and SenderScore
  • DMARC report analysis — look for unauthorized senders using your domain
  • Domain blacklist check (MXToolbox)

Red Flags: When to Stop and Investigate

  • Bounce rate exceeds 5% — pause sending immediately, audit your list
  • Complaint rate exceeds 0.1% — review messaging and list quality
  • Open rate drops more than 15% week-over-week — possible deliverability issue
  • Inbox placement drops below 80% — your emails are going to spam
  • Sudden increase in “Spam” or “Junk” complaints in DMARC reports

How Infrastructure Connects to the Full Outbound System

Infrastructure is Step 2 (“Stand Up Infra”) in the four-step methodology that powers effective B2B outbound. It follows list building — because high-accuracy list building directly reduces bounce rates and complaint rates, protecting your infrastructure. And it precedes the outreach execution layer — the signal-led outbound system that delivers 5–15% reply rates.

Get the infrastructure right first. Everything else is built on it.

Conclusion

Email deliverability isn’t glamorous, but it’s the foundation that every other part of your outbound system depends on. Multi-domain architecture, full authentication (SPF + DKIM + DMARC), a disciplined 4–6 week warmup, and continuous monitoring are not optional extras — they’re prerequisites. Do them right once and you have a durable sending infrastructure that can support hundreds of thousands of outreach touches per year. Skip them and you’ll be rebuilding from scratch after your first campaign burns your domain.

Explore more UpSkillGTM frameworks to build the complete outbound system on top of your infrastructure.

Frequently Asked Questions

How many sending domains do I need for cold outreach?

Minimum 3–5 sending domains to start. Each domain can safely send 200–500 emails per day after full warmup (4–6 weeks). For higher volume, add more domains — 10 fully warmed domains can safely support 2,000–5,000 sends per day.

What is the domain warmup period and why does it matter?

Domain warmup is the 4–6 week process of gradually increasing sending volume from a new domain to build sender reputation with ISPs. New domains have no reputation, so ISPs are suspicious. Starting with low volume and high engagement (opens, replies) signals that you’re a legitimate sender, which builds the reputation needed to achieve consistent inbox placement at scale.

Do I need all three of SPF, DKIM, and DMARC?

Yes. SPF, DKIM, and DMARC work together as a three-layer authentication system. SPF authorizes your sending servers. DKIM signs your emails cryptographically. DMARC sets the policy for what happens when authentication fails and generates reporting. Missing any one of the three leaves gaps that spam filters and receiving mail servers will penalize.

What bounce rate is acceptable for cold outreach?

Keep bounce rate below 5% to maintain healthy sender reputation. Above 5% signals list quality issues — either your list data is outdated, you’re hitting spam traps, or your email verification process needs improvement. Pause sending and audit your list if you hit 5%.

GTMHQ

GTMHQ is a GTM engineering practitioner focused on practical, production‑ready solutions for revenue teams. They specialize in CRM API integrations, enrichment logic, lead routing, and attribution workflows, and publish hands‑on playbooks and stack guides designed to cut implementation time. Through weekly digests and deep technical posts, they translate engineering complexity into reproducible workflows, tooling recommendations, and example architectures that teams can adopt immediately. GTMHQ’s work is used by thousands of GTM engineers and aims to keep readers ahead of changelogs, reduce ticket backlog, and deliver measurable time savings.

Keep Reading