Why Your Cold Emails Aren't Working: DMARC, SPF, and DKIM Explained

Cold-email deliverability is broken - here’s the real problem
Cold email remains one of the most cost-effective ways to generate pipeline, but many campaigns fail before they reach a human inbox. If your bounce rates are high, open rates are low, or outreach lands in the spam folder, the cause is often technical: missing or misconfigured email authentication (SPF, DKIM, DMARC) combined with sending practices that trigger provider filters.
Benchmarks you can use as a reality check: good cold outreach programs typically see opens in the mid-teens to mid-twenties percentage, reply rates in the low single digits, and bounce rates under 2-3%. If your metrics are substantially worse, start with authentication and list hygiene. Deliverability surveys and deliverability platform reports repeatedly show authentication issues and poor sender reputation are primary causes of spam placement and blocking.
A concise primer: how SPF, DKIM and DMARC work - and how they interact
SPF (Sender Policy Framework)
What it does: SPF is a DNS TXT record that lists which mail servers are authorized to send on behalf of your domain. Mail receivers check the sending IP against the SPF record to accept or flag mail.
Common effect: No SPF or multiple SPF records often cause soft- or hard-fails, increasing bounces and spam placement.
DKIM (DomainKeys Identified Mail)
What it does: DKIM signs outgoing messages with a private key; the public key is published in DNS. Receivers verify the signature to confirm the message wasn’t altered and that it originated from an authorized source.
Common effect: Missing or misaligned DKIM signatures reduce trust and increase the likelihood of spam classification.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
What it does: DMARC tells receivers how to react when SPF and DKIM checks fail (none/quarantine/reject) and requests aggregate/forensic reports so you can monitor authentication issues.
How they interact: DMARC depends on SPF or DKIM passing with alignment, meaning the domain that passed the check matches the domain in the visible From: header. If a domain publishes a DMARC policy but no SPF or DKIM result aligns, the message fails DMARC and is treated according to the policy (quarantine/reject).
Diagnostic checklist: tools, metrics and tests
Before changing DNS, run these checks to identify the root cause. Perform them on representative failing messages and on the sending domain itself.
Collect metrics
- Bounce rate: percentage of sent messages that bounce.
- Spam placement rate: percent delivered to spam folders (measured with seed lists or provider reports).
- Open and click rates: help isolate content vs. infrastructure issues.
Inspect a failed message's headers
Look for these header fields in Gmail/Outlook: Authentication-Results, Received-SPF, and DKIM-Signature. They show pass/fail and reasons.
DNS and record checks
Commands to run from a terminal:
dig +short TXT example.com
dig +short TXT selector._domainkey.example.com
dig +short TXT _dmarc.example.com
Or use nslookup:
nslookup -type=TXT example.com
nslookup -type=TXT selector._domainkey.example.com
nslookup -type=TXT _dmarc.example.com
Use delivery and analytics tools
- Mail-Tester (send a sample to a provided address)
- MXToolbox for DNS/SPF/DKIM/blacklist checks
- Google Postmaster Tools and Microsoft SNDS for large-volume senders
- DMARC aggregate report parsers to read rua data
Verify reputation and IP health
Check if your sending IP/domain is on public blacklists and review recent sending patterns for spikes that trigger automated throttling or blocking.
Step-by-step remediation tutorial (concrete DNS examples & verification)
Follow this order: SPF → DKIM → DMARC → monitoring. Apply changes incrementally and test after each step.
1. Fix SPF (single, correct TXT record)
Common mistake: publishing multiple SPF TXT records or leaving out third-party senders (CRM, ESP). You must maintain one SPF TXT record per domain.
Example SPF record:
example.com. IN TXT "v=spf1 ip4:203.0.113.45 include:spf.mailprovider.com -all"
Notes:
- Use -all for strict enforcement after testing; ~all is softer for initial rollout.
- Include all sending services and direct IPs used by your ESPs or mail servers.
Verify:
dig +short TXT example.com
# or use online SPF validators (MXToolbox)
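An added example, not part of the original article: a small Python linter for the TXT answers that dig +short TXT prints. It flags the duplicate-record mistake and the all qualifier discussed above, and goes one step further by checking the 10-DNS-lookup limit from RFC 7208, which the article does not cover. The sample records are constructed.

```python
import re

# Terms that each cost one DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)(?=[:/]|$))", re.I)

# Constructed sample input, in the form `dig +short TXT example.com` prints it.
ONE_RECORD = ['"v=spf1 ip4:203.0.113.45 include:spf.mailprovider.com -all"']
TWO_RECORDS = ['"v=spf1 include:spf.mailprovider.com ~all"',
               '"v=spf1 ip4:203.0.113.45 -all"',
               '"site-verification=constructed-token"']

def lint_spf(txt_records):
    """Return findings for one domain's TXT answers (empty list means clean)."""
    # dig prints a long TXT value as several quoted chunks; rejoin them.
    values = ["".join(re.findall(r'"([^"]*)"', r)) or r.strip()
              for r in txt_records]
    spf = [v for v in values if v.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published; keep exactly one")
    for record in spf:
        terms = record.split()[1:]
        # Lower bound only: records pulled in by include: add their own lookups.
        lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
        if lookups > 10:
            findings.append(f"{lookups} lookup terms exceed the limit of 10")
        alls = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
        if not alls:
            if not any(t.lower().startswith("redirect=") for t in terms):
                findings.append("no 'all' term: unlisted senders get neutral")
            continue
        qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"'{alls[0]}' does not fail unlisted senders")
        elif qualifier == "~":
            findings.append("'~all' is softfail; move to '-all' after testing")
    return findings

if __name__ == "__main__":
    for sample in (ONE_RECORD, TWO_RECORDS):
        print(lint_spf(sample) or "clean")
```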
2. Publish DKIM keys for each sending service
Steps:
- Generate a DKIM keypair for your sending domain (usually via your ESP or your MTA).
- Publish the public key as a TXT record at <selector>._domainkey.example.com.
Example DKIM TXT entry (shortened):
selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh...AB"
Common mistakes:
- Publishing the key under the wrong selector.
- Not using the same selector configured in the ESP/MTA.
- Key string truncated by the DNS provider; ensure long TXT values are supported or split into quoted chunks.
Verify:
dig +short TXT selector1._domainkey.example.com
3. Add DMARC for visibility, then tighten
Start in monitoring mode, then move to enforcement once data is clean.
Example DMARC record (monitoring):
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-rua@yourdomain.com; ruf=mailto:dmarc-ruf@yourdomain.com; pct=100"
When ready to enforce:
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@yourdomain.com; pct=100"
Or for strict enforcement:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-rua@yourdomain.com; pct=100"
Notes:
- Start with p=none to collect reports and diagnose alignment issues.
- Use aggregate reports (RUA) to learn which sources are failing SPF/DKIM alignment.
Verify:
dig +short TXT _dmarc.example.com
4. Check message headers to confirm end-to-end
Send a test message and inspect headers for:
- Received-SPF: should show pass
- DKIM-Signature: present and verified
- Authentication-Results: shows spf=pass dkim=pass dmarc=pass/none/quarantine/reject
Example header fragment:
Authentication-Results: mx.google.com; spf=pass (google.com: domain of sender@example.com designates 203.0.113.45 as permitted sender) smtp.mailfrom=example.com; dkim=pass header.i=@example.com; dmarc=pass (p=REJECT) header.from=example.com
If DKIM or SPF fail in headers, review selectors, DNS propagation, and whether the ESP rewrites headers or sends on behalf of your domain.
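An added example, not part of the original article: parsing an Authentication-Results header and checking whether the passing SPF and DKIM identities align with the From: domain. It uses the header fragment above plus a constructed header for a made-up third-party platform (platform.example), and it approximates the organizational domain as the last two labels, which is an assumption that real code replaces with the Public Suffix List.

```python
import re

# The page's header fragment, plus a constructed one for a third-party platform
# (platform.example is a made-up name) that authenticates with its own domain.
PAGE_HEADER = ("Authentication-Results: mx.google.com; spf=pass (google.com: "
    "domain of sender@example.com designates 203.0.113.45 as permitted sender) "
    "smtp.mailfrom=example.com; dkim=pass header.i=@example.com; "
    "dmarc=pass (p=REJECT) header.from=example.com")
PLATFORM_HEADER = ("Authentication-Results: mx.receiver.example; "
    "spf=pass smtp.mailfrom=bounce.platform.example; "
    "dkim=pass header.d=platform.example; dmarc=fail header.from=example.com")

def parse_auth_results(value):
    """Return [(method, result, props)] from an Authentication-Results header."""
    value = re.sub(r"\([^()]*\)", " ", value)   # drop parenthesised comments
    clauses = []
    for clause in value.split(";")[1:]:         # part 0 is the authserv-id
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].lower().split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            clauses.append((method, result, props))
    return clauses

def org_domain(name):
    # Assumption: last two labels. Production code needs the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def alignment(value):
    """Say which passing checks align (relaxed mode) with the From: domain."""
    clauses = parse_auth_results(value)
    dmarc = next((c for c in clauses if c[0] == "dmarc"), ("dmarc", "none", {}))
    from_dom = dmarc[2].get("header.from", "")

    def aligned(method, keys):
        for m, result, props in clauses:
            ident = next((props[k] for k in keys if k in props), "")
            domain = ident.rsplit("@", 1)[-1]
            if (m == method and result == "pass" and domain and from_dom
                    and org_domain(domain) == org_domain(from_dom)):
                return True
        return False

    return {"spf_aligned": aligned("spf", ["smtp.mailfrom"]),
            "dkim_aligned": aligned("dkim", ["header.d", "header.i"]),
            "dmarc": dmarc[1]}
```

For the constructed platform header both checks report pass, yet neither aligns with example.com, so DMARC fails even though spf=pass and dkim=pass appear in the header.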
5. Common quick fixes
- Consolidate multiple SPF records into one using include for third parties.
- Ensure DKIM selector names match your ESP settings and that the full public key is published.
- Use a monitoring DMARC before moving to quarantine/reject.
- Clean your lists to remove role addresses and invalid domains; reduce bounce rate first.
Best practices, KPIs to monitor, and short case examples
Best practices (actionable)
- Authenticate everything: publish one SPF TXT, valid DKIM keys for every sender, and a DMARC policy set to none while you monitor.
- Use subdomains for high-volume cold sending (e.g., outreach.example.com) and authenticate them separately to protect brand domain reputation.
- Warm IPs and domains slowly: ramp volume over weeks and keep daily sending volumes stable.
- Maintain strict list hygiene: remove bounces and inactive addresses promptly (bounces >2-3% are a red flag).
- Monitor reputation feeds and seed lists to verify inbox placement across major providers.
KPIs to track (measurable)
- Bounce rate - target: <2-3%. Above 5% requires immediate list cleanup.
- Spam placement rate - target: as low as possible; anything >5-10% indicates deliverability problems.
- Open rate - benchmark for cold email: 15-25% (varies by industry and list quality).
- Reply rate - benchmark: 1-5% for cold outreach.
- DMARC report error counts - track unique sending sources failing SPF/DKIM alignment.
Brief case examples (anonymized)
Example A: A B2B SaaS startup discovered two published SPF TXT records and no DKIM. They consolidated SPF, published DKIM for their ESP, and set DMARC to p=none for 30 days. Outcome: inbox placement improved noticeably within two weeks and bounce rate dropped from ~6% to ~2% after list cleanup.
Example B: A small marketing firm sent from a corporate domain but used a third-party outreach platform that rewrote headers. After configuring DKIM for the platform's selector and adding the platform to SPF, their DMARC alignment rate climbed and spam-folder placement decreased based on seed-list checks.
Actionable takeaway checklist, next steps and resources
Use this checklist to fix and monitor your cold-email deliverability. Each item is verifiable using the commands and tools listed earlier.
- Run DNS checks: dig +short TXT example.com, selector and _dmarc records.
- Consolidate SPF into a single TXT and include all sending services.
- Publish DKIM public keys for each sender and confirm selector alignment.
- Publish a DMARC record in p=none mode and ingest RUA reports for 30 days.
- Clean your lists: remove bounces & role accounts; keep bounce & complaint rates low.
- Ramp sending slowly and monitor Google Postmaster Tools / Microsoft SNDS / ESP analytics.
- Re-evaluate DMARC policy: move from none → quarantine → reject only after alignment and clean sending sources are verified.
Tools & resources
- dmarc.org - DMARC specification and guidance
- SPF Project - SPF protocol info
- DKIM.org - DKIM overview and resources
- MXToolbox - DNS/SPF/DKIM/blacklist checks
- Google Postmaster Tools - reputation and deliverability data for Gmail
- Mail-Tester and seed-list services - use to check inbox placement and content checks
Next steps: Audit one sending domain today: run the diagnostic checklist, fix SPF and DKIM, publish DMARC in monitoring, then monitor RUA reports and sender reputation for 30 days before tightening policy.