Deliverability · Cold outreach
Cold Email Infrastructure Setup: Building a Sending Stack That Lands
Cold email infrastructure is the sending stack that gets outreach to the inbox: secondary sending domains kept separate from your primary domain, full SPF, DKIM, and DMARC authentication, a set of mailboxes with low daily limits, a warmup process, and ongoing monitoring. The cardinal rule is never to send cold email from your primary domain, because a burned reputation there poisons your invoices, client mail, and everything else. In 2026 the safe ceiling is roughly 10 to 20 cold emails per mailbox per day, spread across many mailboxes and domains rather than concentrated, with every new mailbox warmed for two to four weeks before real sending begins.
Key takeaways
- Never use your primary domain. Cold outreach goes on separate, consumable secondary domains so a burn can’t poison your real mail.
- Authenticate everything. Every sending domain needs SPF, DKIM, DMARC, a PTR record, and a tracking domain before a single send.
- Keep volume low and spread. Around 10–20 cold emails per mailbox per day; add mailboxes and domains rather than raising per-inbox volume.
- Warmup is non-negotiable. Unwarmed mailboxes place around 61% in the inbox versus 94% warmed — skipping it is the top failure cause.
- Verify the list. One dirty list can blacklist domains you spent weeks warming; bounces above 2% trigger enforcement.
Most cold email teams spend weeks on copy and twenty minutes on infrastructure, then wonder why their replies dried up. They have it backwards. In 2026, whether your message reaches the inbox is decided long before anyone reads it — by your domains, your authentication, your sending limits, and your warmup. The best email ever written still lands in spam behind broken infrastructure. This guide is the technical foundation: how to build a cold sending stack that lands, scales, and protects the rest of your email. For the legal side, pair it with our cold email laws guide.
What is cold email infrastructure, and why does it matter?
Cold email infrastructure is everything that happens before you hit send — the technical stack that decides whether your outreach reaches the inbox or vanishes into spam. It has five layers that work together: secondary sending domains, DNS authentication, mailboxes, warmup, and a sending tool paired with monitoring. Miss any one and deliverability suffers downstream; get them all right and you have a foundation that scales to thousands of emails a day without burning domains.
It matters because the margin for error is thin. Industry benchmarks put global inbox placement at roughly 83 to 84 percent, meaning about one in six legitimate emails never reaches the inbox at all — and cold email, sent to people with no prior relationship, sits at the riskier end of that distribution. The teams that win treat infrastructure as the primary lever and copy as the secondary one, because no subject line rescues a misconfigured domain that mailbox providers have already decided to distrust.
Why you must never cold-email from your primary domain
This is the single most important rule, and it is absolute: never send cold email from your primary company domain. Cold outreach inevitably draws some spam complaints and bounces, and if those land on your primary domain, they damage the deliverability of everything you send from it — invoices, client replies, transactional mail, internal communication. Recovery from a burned primary domain takes weeks to months, and sometimes the reputation never fully returns.
The failure mode is not hypothetical. A common story runs like this: a team runs cold outreach from the company domain for three weeks, and by the fourth, the CEO’s emails to customers are landing in spam and finance can no longer send invoices reliably — the whole organisation’s sending reputation torched by one outbound campaign. The fix is structural: cold email goes on separate secondary domains that act as a protective buffer. Treat those secondary domains as consumable assets, designed to absorb risk and be rotated out, while your brand domain stays clean.
How many domains and mailboxes do you need?
The architecture follows from one principle: spread volume widely rather than concentrating it. A single domain can safely carry roughly 100 to 150 cold emails a day when that volume is distributed across a few mailboxes — and the right move for scale is to add more domains, never to push more through each one. In practice that means two to three mailboxes per domain, so reaching real volume means many domains: hitting ten thousand sends a day implies hundreds of mailboxes across two to three hundred domains.
Provider choice is structural, not cosmetic. Google Workspace mailboxes build stronger trust signals and reach roughly 95 percent deliverability to Gmail, while Microsoft 365 performs better into Outlook inboxes that sit closer to 75 percent — so serious senders often run both for coverage. Whatever the mix, register your secondary domains, point them at your brand with a redirect, and authenticate every one before sending a single message. And plan to rotate: retire domains every three to six months, or sooner if their metrics slip, because in cold email domains are supplies you consume, not assets you keep forever.
# Every secondary sending domain, fully authenticated before first send @ TXT “v=spf1 include:_spf.yourmta.com -all” # SPF — ONE record sel._domainkey TXT “v=DKIM1; k=rsa; p=MIGf…” # DKIM _dmarc TXT “v=DMARC1; p=quarantine; rua=mailto:dmarc@…” # DMARC @ MX 10 mx.yourmta.com. # MX track CNAME tracking.yourmta.com. # aligned tracking # Plus a PTR / reverse-DNS record on the sending IP (set at the host). # Verify before launch: $ dig +short TXT example-outbound.com # SPF present, one record $ dig +short TXT _dmarc.example-outbound.com # DMARC present
Setting the volume limits that keep you safe
Volume discipline is where most cold programs live or die, and the safe numbers in 2026 are lower than many expect. The sweet spot is roughly 10 to 20 cold emails per mailbox per day on Google Workspace or Microsoft 365; the hard ceiling is 100, but that is a limit, not a target, and accounts pushing past 150 a day show markedly higher spam rates. Custom SMTP mailboxes sit lower still, around 20 to 50 a day, and they generate weaker trust signals than the business providers, so they cannot be treated the same way.
Two further rules protect you. New domains and mailboxes start even lower — 20 to 30 a day — and ramp only as engagement holds. And critically, the per-mailbox limit includes warmup traffic, not just campaign sends, so your real campaign headroom is smaller than the cap suggests. The whole philosophy is that conservative volume across many inboxes beats aggressive volume across few: it keeps each mailbox below the radar while still letting the system as a whole scale. When you need more throughput, the answer is always more mailboxes and domains, never a higher number per inbox.
Authenticating every sending domain
Authentication is non-negotiable, and poor authentication is the hidden reason behind a surprising share of cold email that never arrives. Every sending domain needs three DNS records: an SPF record — exactly one per domain, not two or three — that lists who may send for it, a DKIM record that signs your mail cryptographically, and a DMARC record that tells receivers how to handle failures. Gmail, Yahoo, and Microsoft now require all three from any bulk sender, and cold senders fall squarely in scope.
Two supporting records complete the picture. A PTR record, or reverse DNS, on your sending IP lets receivers confirm the IP maps back to your hostname, which the major providers check. And a custom tracking domain, aligned to your sending domain rather than a shared third-party one, keeps your open and click tracking from dragging down alignment. Our SPF, DKIM, and DMARC guide covers the records in depth; for cold email the rule is simply that no domain sends until all of them pass.
How do you warm up cold email infrastructure?
Warmup is the step teams most often skip and the one that most reliably decides success. A brand-new mailbox has no reputation, so sending real volume from it immediately looks exactly like a spam bot and gets it throttled or blocked within days. The numbers make the case starkly: cold campaigns from unwarmed mailboxes place around 61 percent in the inbox, against roughly 94 percent when properly warmed. There is no shortcut.
The process is a gradual ramp over several weeks. A typical schedule starts the first week at around five emails a day of automated warmup exchanges only, builds to five or ten in week two with a few real messages, begins genuine low-volume cold outreach at ten to twenty in week three, and reaches full per-mailbox volume in week four. Plan three to five weeks from buying a domain to a production-ready mailbox. Crucially, warmup is not a one-time gate but an ongoing process — keep the warmup traffic running indefinitely, even during live campaigns, because it continuously feeds the engagement signals that hold your reputation up.
It is worth understanding what warmup actually does, because it is easy to dismiss as busywork. A warmup network is a pool of real mailboxes that exchange messages with yours and then open them, reply, and move them out of spam — manufacturing exactly the positive engagement that mailbox providers read as a sign of a wanted sender. The quality of that network matters: for B2B outreach, warmup engagement from Google Workspace and Microsoft 365 business inboxes carries far more weight than activity from consumer or raw SMTP accounts, because Gmail and Outlook weigh business-to-business signals more heavily. A warmup tool that simulates the right kind of inbox behaviour is teaching the providers to trust a brand-new sender they would otherwise treat with suspicion.
Dedicated IPs and the sending engine
How you send shapes how much control you have over reputation. Shared IPs pool your sending reputation with every other sender on the same addresses, which means a bad neighbour can drag down your deliverability through no fault of your own; providers offering them lean heavily on rotation to manage the risk. Dedicated IPs isolate your reputation so it is yours alone, with no exposure to noisy neighbours — but they demand consistent volume, on the order of a thousand or more sends a day, to stay warm, so they suit established, higher-volume programs rather than small ones.
The sending engine is the other half of the decision. Cold-email platforms and managed mailbox providers get you started quickly, but for serious volume and full control, running your own mail transfer agent on dedicated IPs is the strongest position: you own the IP reputation, the reverse DNS, and the separation from your other mail streams. Our dedicated IP guide, shared versus dedicated comparison, and multi-IP strategy cover the IP architecture, and owning your sending infrastructure is what gives a cold program the control the major providers increasingly reward.
List quality and ongoing monitoring
No infrastructure survives a bad list, and verification is the most important non-negotiable in the whole stack. Sending to unverified addresses is the fastest way to destroy everything you have built: bounce rates above two percent trigger enforcement from Gmail and Yahoo, and a single campaign to a dirty list can blacklist domains you spent weeks warming. Always verify your prospect list before loading it, and because contact data decays continuously, re-verify regularly rather than trusting a list that sat unused.
Monitoring is the other ongoing discipline, because cold infrastructure is never set-and-forget. Each week, check blacklist status, bounce rate against the two-percent line, spam-complaint rate against the 0.1 to 0.3 percent thresholds, your domain reputation in Google Postmaster Tools, and your SPF and DKIM pass rates. Rotate domains proactively every three to six months, and sooner if bounces climb, complaints rise, or reputation drops for two consecutive weeks. If a domain’s inbox placement falls below ninety percent, pause its cold sending and let warmup rebuild the reputation before resuming.
The mindset that makes this sustainable is treating domains and mailboxes as consumable supplies rather than permanent fixtures. Some are going to burn no matter how carefully you operate, so the goal is not to prevent every loss but to build a system that absorbs it: enough domains in rotation that retiring a weak one barely dents your capacity, and a process for replacing burned mailboxes without scrambling.
Does great infrastructure guarantee the inbox?
No — and understanding why keeps you honest about where infrastructure fits. Mailbox providers evaluate your sending through a unified model that weighs domain reputation, mailbox behaviour, recipient engagement, and sending patterns all together, so a weakness in one area offsets strength in another. Perfect authentication will not save you from poor engagement; a flawless warmup will not rescue irrelevant outreach that recipients ignore or report. Infrastructure is the necessary foundation, not a guarantee.
That reframes what infrastructure is for. It earns you the chance to be read by getting you reliably to the inbox; what happens next depends on targeting the right people with a relevant message, which is the part no DNS record can fix. It is also worth being honest about effort: a small DIY setup of a handful of domains runs a few hundred dollars a month and real ongoing work, and at the scale of hundreds of domains, managed infrastructure usually earns its cost. Build the stack properly, comply with the applicable laws, send to people who might actually want to hear from you — and let the infrastructure do the one job it can.