Deliverability20 min read·April 2026

How to Build Email Infrastructure That Lands in the Primary Inbox

Domain setup, warmup, monitoring, and scaling -- the full infrastructure stack for cold email that gets delivered.

TL;DR

  • Never send cold email from your primary brand domain. Use alternate domains.
  • Every domain needs SPF, DKIM, and DMARC configured before you send a single email.
  • 3 mailboxes per domain, warmed for 2-3 weeks. Warmup score must hit 90+ before any campaign.
  • Use Dynadot for domain registration, ZapMail for DNS and mailbox provisioning.
  • Monitor daily: bounce rate, spam complaints, inbox placement, and blacklist status.

Email deliverability is not a copywriting problem. You can write the best cold email in the world and it will never get read if it lands in spam. Deliverability is an infrastructure problem -- and it requires the same rigor as any other technical system you build.

This guide covers the full infrastructure stack: domain strategy, DNS setup, mailbox provisioning, warmup, platform selection, and ongoing monitoring. These are the exact systems we use across client campaigns generating hundreds of meetings per month.

Why You Must Never Send Cold Email From Your Primary Domain

Your primary domain (company.com) carries your entire brand reputation. One damaged sending domain can tank your transactional email, your marketing automation, and your team's internal email deliverability. Never risk it.

  • Bounce rates above 2% trigger spam filters across all major providers
  • Spam complaints accumulate on the domain -- not just the mailbox
  • A blacklisted domain cannot be recovered quickly -- you lose the asset
  • Your primary domain's reputation affects deliverability for your whole company
  • Cold email is a volume game -- alternate domains absorb the risk

Instead, purchase alternate domains that are close variations of your brand and use those exclusively for cold outreach.

How Do You Structure Alternate Domains?

Good alternate domains look like they belong to your brand. They should be recognizable as yours but not identical to your primary domain.

  • Prefixes: get-company.com, try-company.com, meet-company.com
  • Suffixes: company-hq.com, company-team.com, company-io.com
  • Descriptive: companyrevenue.com, companyoutbound.com
  • TLD variation: company.co, company.io (only if available and credible for your industry)
  • Avoid: hyphens that look spammy, misspellings, unrelated words
3
mailboxes per domain

Standard ratio for cold email infrastructure. More than 3 per domain increases risk; fewer reduces daily capacity.

What DNS Records Does Every Domain Need?

Three DNS records are non-negotiable before you send a single email. Missing any of them will get you filtered or blocked immediately.

SPF (Sender Policy Framework)

SPF tells receiving mail servers which IP addresses are authorized to send email on behalf of your domain. Without it, your emails look like they could be spoofed.

SPF record example

v=spf1 include:_spf.google.com include:sendgrid.net ~all -- authorizes Google Workspace and SendGrid to send on your behalf. The ~all means unauthorized senders get a soft fail (not hard reject). Use -all only when you are certain all senders are listed.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every email. The receiving server checks the signature against a public key in your DNS. It proves the email was not tampered with in transit.

  • Generate DKIM keys in your mailbox provider (Google Workspace: Admin > Apps > Gmail > Authenticate email)
  • Add the public key as a TXT record in your DNS
  • Enable DKIM signing on your domain
  • Wait 24-48 hours for propagation before testing
  • Use 2048-bit keys -- 1024-bit is increasingly rejected by modern providers

DMARC (Domain-based Message Authentication)

DMARC tells receiving servers what to do when emails fail SPF or DKIM checks. It also sends you reports on emails sent using your domain.

DMARC record for cold email domains

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com -- Start with p=none (monitor only). Do not jump to p=quarantine or p=reject until you have confirmed all legitimate senders are passing DKIM and SPF. Moving too fast on DMARC blocks your own emails.

Which Tools Handle Domain and Mailbox Provisioning?

The provisioning layer is where domains get purchased, DNS gets configured, and mailboxes get created. Doing this manually at scale is operationally impossible. These are the tools we use.

ToolRoleWhy we use it
DynadotDomain registrarAPI-based domain purchase and DNS management. Supports bulk registration and automated provisioning via v3 API.
ZapMailDNS + mailbox setupConfigures SPF, DKIM, DMARC automatically. Creates mailboxes and manages sender profiles. Integrates directly with Google Workspace and Outlook.
InboxKitInbox testing + monitoringTests where your emails actually land across major providers (Gmail, Outlook, Yahoo). Identifies deliverability issues before they affect campaigns.
Google WorkspaceMailbox providerHigher inbox placement rates for B2B recipients. Required for targeting Google-hosted domains.
Microsoft 365Mailbox providerBetter placement when targeting Outlook/Microsoft-hosted domains. Warmup settings differ from Google.

How Does the Provisioning Flow Work End-to-End?

  1. 1Generate alternate domain names for your brand (aim for 3-5 variations)
  2. 2Purchase selected domains via Dynadot API or web interface
  3. 3Connect domains to ZapMail -- point nameservers to ZapMail
  4. 4ZapMail auto-configures SPF, DKIM, DMARC, and MX records
  5. 5Create 3 mailboxes per domain in Google Workspace or Microsoft 365
  6. 6Import mailboxes to your sending platform (EmailBison, Instantly, Lemlist, or SmartLead)
  7. 7Enable warmup on all new mailboxes immediately
  8. 8Wait 2-3 weeks -- do not touch campaigns until warmup score reaches 90+
2-3 weeks
minimum warmup window

From domain provisioning to campaign-ready. Rushing this step is the single most common deliverability mistake. A domain that skips warmup typically burns within 2 weeks of sending.

How Does Email Warmup Work?

Warmup is the process of establishing a sending reputation for new mailboxes. You start sending small volumes of email between real mailboxes -- with high engagement signals -- and gradually increase over time.

Mail servers see a new mailbox suddenly sending 100 emails per day as suspicious. The same mailbox that has been sending 2 emails per day for three weeks and receiving replies is trusted.

SettingValueWhy
Initial send volume2 emails/dayConservative start avoids immediate flag
Max warmup volume15 emails/day per mailboxStandard cap during warmup phase
Auto-reply rateEnabledSimulated replies increase engagement score
Warmup duration2-3 weeksScore needs to reach 90+ before live sends
Score threshold for campaigns90+ (100 preferred)Below 90 risks spam placement
Google vs Outlook settingsDifferentOutlook warmup requires slower ramp -- adjust settings per provider

Which Sending Platform Should You Use?

The sending platform is where your campaigns live, your sequences run, and your warmup gets managed. Each platform has different strengths.

PlatformBest forKey strength
EmailBisonHigh-volume multi-workspace operationsIsolated workspaces per client, aggressive pricing at scale ($599/mo for 500K emails + unlimited workspaces), native warmup, EmailGuard integration for inbox testing
InstantlyEase of use, fast campaign setupClean UI, strong warmup system, good deliverability analytics, straightforward account management
LemlistMultichannel (email + LinkedIn)Best-in-class LinkedIn sequencing alongside email, strong personalization features, image and video support
SmartLeadAnalytics-heavy teamsDeep analytics and A/B testing, good for data-driven optimization -- note: infrastructure-heavy setup

For most campaigns, EmailBison or Instantly are the default choices. Lemlist is the right call when LinkedIn sequencing is part of the motion. SmartLead works for teams that run heavy analytics-driven optimization.

How Do You Scale From 10 to 100+ Mailboxes?

Scaling email infrastructure is not just buying more domains. Each addition to the sending pool needs the same provisioning and warmup process. Shortcuts at scale create compounding problems.

  1. 1Define your target daily send volume first -- this determines how many mailboxes you need
  2. 2Budget 15 emails/day per mailbox at full warmup (EmailBison standard)
  3. 3Calculate: 1,000 emails/day requires approximately 70 warmed mailboxes
  4. 4Stagger domain purchases -- do not buy 20 domains from the same registrar on the same day
  5. 5Stagger warmup -- start new batches 1 week apart so not all domains expire or degrade simultaneously
  6. 6Keep a reserve pool (20-30%) of domains in warmup at all times -- active domains will degrade over time
  7. 7Use separate workspaces or accounts per client or campaign -- never mix sender pools
450/day
emails from 30 fully warmed mailboxes

At 15 emails/day capacity per mailbox across 10 domains with 3 mailboxes each. This is the practical throughput of a standard infrastructure build.

What Should You Monitor Every Day?

Deliverability degrades silently. A domain can move from healthy to blacklisted in 48 hours without any obvious trigger. Daily monitoring catches problems before they become campaigns.

MetricCheck howAlert threshold
Warmup score per mailboxEmailBison / Instantly dashboard< 90 -- pull from campaign rotation
Bounce rate per domainSending platform analytics> 2% -- pause and investigate
Spam complaint rateGoogle Postmaster Tools / Microsoft SNDS> 0.1% -- immediate investigation
Blacklist statusMXToolbox or automated checkAny listing -- pull domain immediately
Inbox placementInboxKit or EmailGuard< 80% inbox -- flag as degraded
DMARC pass rateDMARC aggregate reports< 95% -- DNS configuration issue
Warmup enabled statusSending platformAny disabled mailbox -- re-enable and investigate

What Do You Do When a Domain Degrades?

Domain degradation is not a failure -- it is expected. Domains used for cold email have a lifecycle. The system you build should handle degradation automatically.

  • Remove degraded mailboxes from campaign rotation immediately
  • Re-enter them into warmup flow
  • Run an inbox placement test (InboxKit or EmailGuard) to measure actual inbox rate
  • If placement test shows less than 80% inbox -- pause the domain entirely
  • Check MXToolbox for blacklist listings
  • If blacklisted: submit removal request and move campaigns to healthy domains
  • After warmup cycle completes -- test again before re-activating
  • If domain cannot recover: retire it and provision a replacement

Domain lifecycle states

  • Provisioning -- domain purchased, DNS being configured
  • Warming -- mailboxes in warmup, not sending campaigns
  • Active -- warmup score 90+, attached to live campaigns
  • Degraded -- below threshold, removed from rotation, re-entering warmup
  • Excluded -- requires manual review before returning to pool
  • Retired -- burned domain, permanently removed from use

How Do You Test Inbox Placement Before Going Live?

Never assume a warmed domain is landing in the inbox. Test it explicitly with seed-based inbox placement tools before attaching it to any campaign.

  • InboxKit: sends test emails from your domain to seed addresses across Gmail, Outlook, Yahoo, and Apple Mail -- shows inbox vs spam vs promotions split
  • EmailGuard: integrates directly with EmailBison, runs scheduled placement tests per domain, stores historical results
  • GlockApps: another option for cross-provider inbox placement testing with detailed diagnostics
  • Google Postmaster Tools: monitors reputation of your sending domain with Gmail specifically -- free, requires verification
  • Microsoft SNDS (Smart Network Data Services): equivalent to Postmaster Tools for Outlook/Hotmail

Run placement tests weekly during warmup. Daily once domains are in active sending rotation. A placement test that shows less than 80% inbox is a problem to fix before it affects real prospects.

What Are the Most Common Deliverability Mistakes?

  • Sending from the primary brand domain -- one bounce spike damages everything
  • Skipping warmup -- a cold domain sending 100 emails on day one will be flagged within hours
  • Missing DMARC -- without it, spoofed emails using your domain are undetectable and damage your reputation
  • Pushing unverified emails -- even a 3% bounce rate from unverified contacts can trigger filters
  • Not monitoring blacklists -- domains can be listed silently without any campaign-level signal
  • Using one domain for multiple clients or campaigns -- cross-contamination means one bad campaign burns shared infrastructure
  • Aggressive sending ramp -- jumping from 50 to 500 emails per day without gradual increase triggers filters
  • Ignoring Google Postmaster Tools -- it tells you exactly how Gmail sees your domain reputation

Related playbooks

Cold Email

How to Write Cold Emails That Get Replies

12 min read

Agentic GTM

How to Build an Agentic GTM System

22 min read

Clay

How to Use Clay for B2B Prospecting

18 min read

See how we implement this →View client results →

Want this built for your team?

We implement these systems end-to-end. First sends within 14 days.