The single highest-leverage move in cold email is verifying the list. Most cold email failure modes start here.

• Verify within 30 days of sending. Run the list through bulk email verification. Suppress addresses that come back as failed. Be extra cautious with addresses flagged as risky (catch-all, role, disposable).
• Vet your acquisition source. Lists scraped from LinkedIn, scraped from public directories, or purchased from data vendors decay fast and contain spam traps. Verification removes the technically-bad addresses but doesn't remove the legal/reputation risk of mailing addresses that never opted in.
• Handle role accounts deliberately. info@, sales@, support@, contact@ are functional but high-risk. Spam complaint rates from role accounts are 2-5x higher than personal addresses. Either suppress entirely or mail in a separate, lower-volume segment.
• Treat catch-all domains carefully. Catch-all domains accept any address; verification can't confirm whether a specific mailbox exists. New catch-all addresses should not enter cold campaigns until they show some signal of legitimacy from another source (LinkedIn match, etc.).
• Re-verify before any send to addresses not contacted in 60+ days. Decay accumulates. The list that was clean 60 days ago has accumulated dead addresses since.

Google and Yahoo's February 2024 enforcement made authentication mandatory for bulk senders. Microsoft's May 2025 enforcement extended similar requirements to Outlook. In 2026, missing authentication isn't a soft signal; it's a hard rejection at major providers.

• SPF published and passing. Lists every IP authorized to send mail from your domain. Should align with your sending IPs. Test with MXToolbox.
• DKIM signing every outbound message. 2048-bit keys preferred. Verify the signature passes by sending a test to a Gmail address and checking the headers.
• DMARC with at least p=none enforced. p=quarantine or p=reject is recommended for cold email in 2026. p=none is the bare minimum to satisfy bulk-sender requirements.
• PTR (reverse DNS) matching your HELO/EHLO hostname. Many receivers reject mail when forward and reverse DNS don't match.
• Test before every campaign. Authentication breaks silently when DNS changes, when ESP IPs rotate, or when adding new sending services. Send a test to a Gmail account and verify all three pass in the original message headers.

A new domain sending cold email on day one is the fastest way to land in spam. Even an established domain can fall out of warm status if sending pauses for several weeks.

• Use a sending subdomain. Never warm or send cold from your apex domain (the one customers receive support email at). Use mail.example.com, outreach.example.com, or similar. Domain reputation issues stay isolated.
• Complete the 4-week warmup. Don't shortcut. Per-inbox volume should ramp from 5-10/day in week 1 to 50-100/day by week 4. See the email warmup strategy guide for the full schedule.
• Maintain warm status with ongoing engagement. A warmed domain that goes silent for 30+ days falls out of warm. Keep some volume flowing (warmup tools, real one-to-one sends, transactional volume) to maintain reputation.
• Use multiple inboxes, not high volume per inbox. The safe per-inbox cold volume is 30-50 emails per day. If you need more capacity, add inboxes (or domains), don't increase per-inbox volume.

2026 spam filters use NLP and ML to detect cookie-cutter templates even without obvious trigger words. The content patterns that survive:

• Genuine personalization beyond {first_name}. Reference something specific to the recipient (a recent post, a company event, a shared connection, an industry trigger). Generic templates with merge fields look exactly like what they are.
• Plain-text or minimally-formatted HTML. Avoid heavy HTML, embedded images, signature graphics, tracking pixels for cold sends. Plain-text emails consistently outperform branded HTML for cold outreach.
• One link maximum, none preferred for first touch. Multiple links signal mass marketing. First-touch cold emails should ideally have zero links; reply-driven CTAs work better.
• Avoid known spam triggers. "Free," "guarantee," "act now," "limited time," excessive caps, multiple exclamation points. These don't auto-flag in 2026 but contribute to a content score that triggers filtering at thresholds.
• Subject line under 50 characters. Mobile clients truncate longer subjects. Personalized subjects (referencing the recipient or their company) outperform generic by 2-3x.
• No attachments. Attachments in cold email get aggressive filtering. If you need to share a file, link to a hosted version after reply.
• Functional unsubscribe. Even for cold email, a clear unsubscribe link is now expected and reduces spam complaints. Make it visible, not hidden in tiny text.

How you send matters as much as what you send. Erratic sending patterns are a strong spam signal even with otherwise clean infrastructure.

• 30-50 cold emails per inbox per day. The safe limit in 2026. Higher volumes per inbox flag pattern-based filters even when individual messages look legitimate.
• Throttle and randomize timing. Sending 50 emails in 5 minutes is suspicious. Sending the same 50 spread across 6-8 hours with random intervals (every 3-15 minutes) looks human.
• Match send time to recipient timezone. Tuesday-Thursday, 8-11am local time produces highest engagement for B2B. Sending at 3am the recipient's time is technically fine but reduces the engagement signals that build reputation.
• Segment sends by recipient provider. Gmail, Outlook, and Yahoo evaluate reputation independently. If your bounce or complaint rate spikes at one provider, you can throttle just that segment without cutting volume across the whole campaign.
• Predictable daily volumes. Sending 500 Monday, nothing Tuesday-Thursday, 1,000 Friday is suspicious. Set per-day limits and stick to them.