Deliverability · Cold outreach

Cold Email Infrastructure Setup: Building a Sending Stack That Lands

Cold email infrastructure is the sending stack that gets outreach to the inbox: secondary sending domains kept separate from your primary domain, full SPF, DKIM, and DMARC authentication, a set of mailboxes with low daily limits, a warmup process, and ongoing monitoring. The cardinal rule is never to send cold email from your primary domain, because a burned reputation there poisons your invoices, client mail, and everything else. In 2026 the safe ceiling is roughly 10 to 20 cold emails per mailbox per day, spread across many mailboxes and domains rather than concentrated, with every new mailbox warmed for two to four weeks before real sending begins.

Key takeaways

  • Never use your primary domain. Cold outreach goes on separate, consumable secondary domains so a burn can’t poison your real mail.
  • Authenticate everything. Every sending domain needs SPF, DKIM, DMARC, a PTR record, and a tracking domain before a single send.
  • Keep volume low and spread. Around 10–20 cold emails per mailbox per day; add mailboxes and domains rather than raising per-inbox volume.
  • Warmup is non-negotiable. Unwarmed mailboxes place around 61% in the inbox versus 94% warmed — skipping it is the top failure cause.
  • Verify the list. One dirty list can blacklist domains you spent weeks warming; bounces above 2% trigger enforcement.

Most cold email teams spend weeks on copy and twenty minutes on infrastructure, then wonder why their replies dried up. They have it backwards. In 2026, whether your message reaches the inbox is decided long before anyone reads it — by your domains, your authentication, your sending limits, and your warmup. The best email ever written still lands in spam behind broken infrastructure. This guide is the technical foundation: how to build a cold sending stack that lands, scales, and protects the rest of your email. For the legal side, pair it with our cold email laws guide.

What is cold email infrastructure, and why does it matter?

Cold email infrastructure is everything that happens before you hit send — the technical stack that decides whether your outreach reaches the inbox or vanishes into spam. It has five layers that work together: secondary sending domains, DNS authentication, mailboxes, warmup, and a sending tool paired with monitoring. Miss any one and deliverability suffers downstream; get them all right and you have a foundation that scales to thousands of emails a day without burning domains.

It matters because the margin for error is thin. Industry benchmarks put global inbox placement at roughly 83 to 84 percent, meaning about one in six legitimate emails never reaches the inbox at all — and cold email, sent to people with no prior relationship, sits at the riskier end of that distribution. The teams that win treat infrastructure as the primary lever and copy as the secondary one, because no subject line rescues a misconfigured domain that mailbox providers have already decided to distrust.

Why you must never cold-email from your primary domain

This is the single most important rule, and it is absolute: never send cold email from your primary company domain. Cold outreach inevitably draws some spam complaints and bounces, and if those land on your primary domain, they damage the deliverability of everything you send from it — invoices, client replies, transactional mail, internal communication. Recovery from a burned primary domain takes weeks to months, and sometimes the reputation never fully returns.

The failure mode is not hypothetical. A common story runs like this: a team runs cold outreach from the company domain for three weeks, and by the fourth, the CEO’s emails to customers are landing in spam and finance can no longer send invoices reliably — the whole organisation’s sending reputation torched by one outbound campaign. The fix is structural: cold email goes on separate secondary domains that act as a protective buffer. Treat those secondary domains as consumable assets, designed to absorb risk and be rotated out, while your brand domain stays clean.

How many domains and mailboxes do you need?

The architecture follows from one principle: spread volume widely rather than concentrating it. A single domain can safely carry roughly 100 to 150 cold emails a day when that volume is distributed across a few mailboxes — and the right move for scale is to add more domains, never to push more through each one. In practice that means two to three mailboxes per domain, so reaching real volume means many domains: hitting ten thousand sends a day implies hundreds of mailboxes across two to three hundred domains.

Provider choice is structural, not cosmetic. Google Workspace mailboxes build stronger trust signals and reach roughly 95 percent deliverability to Gmail, while Microsoft 365 performs better into Outlook inboxes that sit closer to 75 percent — so serious senders often run both for coverage. Whatever the mix, register your secondary domains, point them at your brand with a redirect, and authenticate every one before sending a single message. And plan to rotate: retire domains every three to six months, or sooner if their metrics slip, because in cold email domains are supplies you consume, not assets you keep forever.

cold-domain-dns
# Every secondary sending domain, fully authenticated before first send
@        TXT   “v=spf1 include:_spf.yourmta.com -all”        # SPF — ONE record
sel._domainkey  TXT   “v=DKIM1; k=rsa; p=MIGf…”            # DKIM
_dmarc   TXT   “v=DMARC1; p=quarantine; rua=mailto:dmarc@…” # DMARC
@        MX    10 mx.yourmta.com.                            # MX
track    CNAME tracking.yourmta.com.                         # aligned tracking
 
# Plus a PTR / reverse-DNS record on the sending IP (set at the host).
# Verify before launch:
$ dig +short TXT example-outbound.com         # SPF present, one record
$ dig +short TXT _dmarc.example-outbound.com  # DMARC present

Setting the volume limits that keep you safe

Volume discipline is where most cold programs live or die, and the safe numbers in 2026 are lower than many expect. The sweet spot is roughly 10 to 20 cold emails per mailbox per day on Google Workspace or Microsoft 365; the hard ceiling is 100, but that is a limit, not a target, and accounts pushing past 150 a day show markedly higher spam rates. Custom SMTP mailboxes sit lower still, around 20 to 50 a day, and they generate weaker trust signals than the business providers, so they cannot be treated the same way.

Two further rules protect you. New domains and mailboxes start even lower — 20 to 30 a day — and ramp only as engagement holds. And critically, the per-mailbox limit includes warmup traffic, not just campaign sends, so your real campaign headroom is smaller than the cap suggests. The whole philosophy is that conservative volume across many inboxes beats aggressive volume across few: it keeps each mailbox below the radar while still letting the system as a whole scale. When you need more throughput, the answer is always more mailboxes and domains, never a higher number per inbox.

Isolate the cold stack from your real mailPrimary domainPROTECTED — never coldSecondary domainsconsumable · rotated 3-6mo2-3 mailboxes eachwarmed · ~10-20/day · authDedicated IPs / your MTA — reputation you alone controlUnified reputation model the providers evaluate:domain reputation + mailbox behaviour + engagement + sending pattern (one weak link sinks the rest)
Separation is the whole design: secondary domains absorb risk, dedicated IPs isolate reputation, and providers still judge it all as one system.

Authenticating every sending domain

Authentication is non-negotiable, and poor authentication is the hidden reason behind a surprising share of cold email that never arrives. Every sending domain needs three DNS records: an SPF record — exactly one per domain, not two or three — that lists who may send for it, a DKIM record that signs your mail cryptographically, and a DMARC record that tells receivers how to handle failures. Gmail, Yahoo, and Microsoft now require all three from any bulk sender, and cold senders fall squarely in scope.

Two supporting records complete the picture. A PTR record, or reverse DNS, on your sending IP lets receivers confirm the IP maps back to your hostname, which the major providers check. And a custom tracking domain, aligned to your sending domain rather than a shared third-party one, keeps your open and click tracking from dragging down alignment. Our SPF, DKIM, and DMARC guide covers the records in depth; for cold email the rule is simply that no domain sends until all of them pass.

How do you warm up cold email infrastructure?

Warmup is the step teams most often skip and the one that most reliably decides success. A brand-new mailbox has no reputation, so sending real volume from it immediately looks exactly like a spam bot and gets it throttled or blocked within days. The numbers make the case starkly: cold campaigns from unwarmed mailboxes place around 61 percent in the inbox, against roughly 94 percent when properly warmed. There is no shortcut.

The process is a gradual ramp over several weeks. A typical schedule starts the first week at around five emails a day of automated warmup exchanges only, builds to five or ten in week two with a few real messages, begins genuine low-volume cold outreach at ten to twenty in week three, and reaches full per-mailbox volume in week four. Plan three to five weeks from buying a domain to a production-ready mailbox. Crucially, warmup is not a one-time gate but an ongoing process — keep the warmup traffic running indefinitely, even during live campaigns, because it continuously feeds the engagement signals that hold your reputation up.

It is worth understanding what warmup actually does, because it is easy to dismiss as busywork. A warmup network is a pool of real mailboxes that exchange messages with yours and then open them, reply, and move them out of spam — manufacturing exactly the positive engagement that mailbox providers read as a sign of a wanted sender. The quality of that network matters: for B2B outreach, warmup engagement from Google Workspace and Microsoft 365 business inboxes carries far more weight than activity from consumer or raw SMTP accounts, because Gmail and Outlook weigh business-to-business signals more heavily. A warmup tool that simulates the right kind of inbox behaviour is teaching the providers to trust a brand-new sender they would otherwise treat with suspicion.

Dedicated IPs and the sending engine

How you send shapes how much control you have over reputation. Shared IPs pool your sending reputation with every other sender on the same addresses, which means a bad neighbour can drag down your deliverability through no fault of your own; providers offering them lean heavily on rotation to manage the risk. Dedicated IPs isolate your reputation so it is yours alone, with no exposure to noisy neighbours — but they demand consistent volume, on the order of a thousand or more sends a day, to stay warm, so they suit established, higher-volume programs rather than small ones.

The sending engine is the other half of the decision. Cold-email platforms and managed mailbox providers get you started quickly, but for serious volume and full control, running your own mail transfer agent on dedicated IPs is the strongest position: you own the IP reputation, the reverse DNS, and the separation from your other mail streams. Our dedicated IP guide, shared versus dedicated comparison, and multi-IP strategy cover the IP architecture, and owning your sending infrastructure is what gives a cold program the control the major providers increasingly reward.

List quality and ongoing monitoring

No infrastructure survives a bad list, and verification is the most important non-negotiable in the whole stack. Sending to unverified addresses is the fastest way to destroy everything you have built: bounce rates above two percent trigger enforcement from Gmail and Yahoo, and a single campaign to a dirty list can blacklist domains you spent weeks warming. Always verify your prospect list before loading it, and because contact data decays continuously, re-verify regularly rather than trusting a list that sat unused.

Monitoring is the other ongoing discipline, because cold infrastructure is never set-and-forget. Each week, check blacklist status, bounce rate against the two-percent line, spam-complaint rate against the 0.1 to 0.3 percent thresholds, your domain reputation in Google Postmaster Tools, and your SPF and DKIM pass rates. Rotate domains proactively every three to six months, and sooner if bounces climb, complaints rise, or reputation drops for two consecutive weeks. If a domain’s inbox placement falls below ninety percent, pause its cold sending and let warmup rebuild the reputation before resuming.

The mindset that makes this sustainable is treating domains and mailboxes as consumable supplies rather than permanent fixtures. Some are going to burn no matter how carefully you operate, so the goal is not to prevent every loss but to build a system that absorbs it: enough domains in rotation that retiring a weak one barely dents your capacity, and a process for replacing burned mailboxes without scrambling.

Does great infrastructure guarantee the inbox?

No — and understanding why keeps you honest about where infrastructure fits. Mailbox providers evaluate your sending through a unified model that weighs domain reputation, mailbox behaviour, recipient engagement, and sending patterns all together, so a weakness in one area offsets strength in another. Perfect authentication will not save you from poor engagement; a flawless warmup will not rescue irrelevant outreach that recipients ignore or report. Infrastructure is the necessary foundation, not a guarantee.

That reframes what infrastructure is for. It earns you the chance to be read by getting you reliably to the inbox; what happens next depends on targeting the right people with a relevant message, which is the part no DNS record can fix. It is also worth being honest about effort: a small DIY setup of a handful of domains runs a few hundred dollars a month and real ongoing work, and at the scale of hundreds of domains, managed infrastructure usually earns its cost. Build the stack properly, comply with the applicable laws, send to people who might actually want to hear from you — and let the infrastructure do the one job it can.

Frequently asked questions

Can I send cold email from my main domain?
You can, but you shouldn’t. Cold outreach draws complaints and bounces, and if they hit your primary domain they damage deliverability for your invoices, client mail, and transactional email — and recovery takes weeks to months. Always use separate secondary domains for cold email so a burned reputation can’t poison your real communication.
How many cold emails per day per mailbox is safe?
In 2026, roughly 10 to 20 per mailbox per day on Google Workspace or Microsoft 365 is the safe range. The hard ceiling is around 100, but accounts exceeding 150 a day show much higher spam rates. New mailboxes should start at 20 to 30 and ramp gradually, and that per-inbox limit includes warmup traffic, not just campaign sends.
How long does cold email warmup take?
Plan two to four weeks of warmup before full sending, and three to five weeks from buying a domain to a production-ready mailbox. Start around five emails a day and ramp gradually. Warmup matters enormously: unwarmed mailboxes place around 61% in the inbox versus 94% warmed, and you should keep warmup running even during live campaigns.
Do I need dedicated IPs for cold email?
Not at first. Shared IPs work for lower volume but pool your reputation with other senders. Dedicated IPs isolate your reputation entirely, which is valuable at scale, but they need consistent volume of around 1,000+ sends a day to stay warm. They suit established, higher-volume programs running their own sending infrastructure rather than small starters.
Why do I need to verify my list?
Because a dirty list destroys infrastructure fast. Sending to invalid addresses pushes your bounce rate up, and bounces above 2% trigger enforcement from Gmail and Yahoo — a single campaign to an unverified list can blacklist domains you spent weeks warming. Always verify before sending, and re-verify regularly since contact data decays over time.