March 11, 2026·6min read

Why Your Outreach Emails Go to Spam (And Exactly How to Fix It)

Cold emails landing in spam? Fix SPF, DKIM, and DMARC, warm your sending domain, clean your list, and dodge the content signals spam filters punish.

Email DeliverabilityCold EmailTechnical

You wrote a sharp, relevant cold email, sent it to 200 prospects, and got two replies. The copy was not the problem. Most of those emails never reached an inbox. They landed in spam or were dropped at the gateway before any human saw them. Google and Microsoft reject or quarantine messages based on signals you set up days before you hit send. This guide covers the technical and strategic fixes that move cold outreach from spam to primary, in the order that matters.

Start With the Three Records That Decide Everything

Before you touch your copy or sending volume, fix authentication. If SPF, DKIM, and DMARC are missing or broken, nothing else will save you. These three DNS records tell receiving servers you are allowed to send for your domain.

SPF (Sender Policy Framework)

SPF is a TXT record listing the servers permitted to send mail for your domain. Whether you send through Google Workspace, Resend, or your own SMTP, each one must be authorized.

A typical record: `v=spf1 include:_spf.google.com include:_spf.resend.com -all`

The trailing `-all` means "reject anything not listed." Use it, not `~all`, once your record is complete.

SPF allows a maximum of 10 DNS lookups. Too many `include:` statements break the record silently, so flatten it if you exceed the limit.

DKIM (DomainKeys Identified Mail)

DKIM attaches a cryptographic signature to every message, checked against a public key in your DNS. It proves the message was not tampered with in transit.

Your provider generates the key pair. You publish the public half at a selector like `selector1._domainkey.yourdomain.com`.

Verify it works: send a test to Gmail, open "Show original," and confirm DKIM shows PASS.

DMARC (Domain-based Message Authentication)

DMARC ties SPF and DKIM together and tells receivers what to do when a message fails. Google and Yahoo now require it for anyone sending in volume.

Start in monitoring mode: `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com`

The `rua` address collects aggregate reports showing who sends as you and whether legitimate mail passes.

After a week or two of clean reports, tighten to `p=quarantine`, then `p=reject`.

Set up all three. They take an afternoon and are the highest-leverage deliverability fix you have.

Never Send Cold Outreach From Your Primary Domain

This is the mistake that ends email programs. Blast cold email from `yourcompany.com` and one complaint spike can poison the reputation your invoices, password resets, and support replies depend on. The standard practice:

Buy a separate sending domain, usually a close variant like `getyourcompany.com` or `yourcompany.io`.

Redirect the secondary domain to your real site so links resolve and it looks legitimate.

Configure SPF, DKIM, and DMARC on the new domain exactly as above.

Create your sending mailboxes there and warm them before any real campaign.

If the cold domain gets burned, your core business email keeps working.

Warm the Domain Before You Scale

A brand-new domain has no sending history, so providers treat it with suspicion. Sending 500 emails on day one is the fastest way to a blocklist. A practical ramp:

Week 1: 5 to 10 emails per day, ideally to contacts who will open and reply.

Week 2: 15 to 25 per day.

Week 3: 30 to 40 per day.

Week 4 and on: 40 to 50 per day per mailbox, a sane ceiling for cold outreach.

If you need more volume, add mailboxes and rotate sends rather than pushing one past 50. Automated warmup tools help, but real replies matter more. Engagement is the signal providers trust most.

Clean Your List Before You Touch Send

Bounce rate is one of the loudest negative signals providers track, and dead addresses drop your reputation fast. Keep your hard bounce rate under 2 to 3 percent.

Verify every address

Sending to a scraped address that does not exist is a direct hit to your sender score, so confirm every mailbox is real first. Lead source quality matters here. When Annabot surfaces prospects through LinkedIn profile search with country targeting, each contact carries an email confidence score, so you can prioritize high-confidence addresses and route the rest to manual verification instead of mailing them blind.

Prune aggressively

Remove role-based addresses like `info@`, `sales@`, and `support@`. They draw complaints and rarely convert.

Suppress non-engagers and honor unsubscribes immediately. A single complaint weighs far more than a bounce.

Watch the Content Signals That Trip Filters

Once authentication and reputation are solid, content decides the rest. A few things reliably hurt you.

Links and images. One link is fine. Five links, a tracking pixel, and an embedded image in a "personal" cold email read as a marketing blast. Keep it plain and text-like.

Spam-trigger phrasing. "Free," "guarantee," "act now," "limited time," and all-caps subject lines push your score up. Write the way you would to a colleague.

Link shorteners. Bit.ly and similar services are heavily abused, so filters distrust them. Use full URLs on your own domain.

HTML weight. Heavy templated HTML and image-only messages signal bulk mail. Plain text from a personal mailbox performs better.

Subject and signature. Keep the subject specific and under about 50 characters. Include a real signature with a physical address and a working unsubscribe path.

Personalize and Pace Like a Human

Providers model human behavior. Two patterns separate correspondence from bulk sending.

Vary the content. A thousand identical messages are easy to fingerprint and filter. Personalize the opening line, the company reference, and the reason you are reaching out. Outreach grounded in a real signal gives you something true to say. Annabot's recruiter search mode surfaces hiring activity you can reference honestly.

Throttle and time your sends. Drip messages over the working day at a sensible local hour instead of firing the whole batch at 9:00 a.m. A steady trickle looks like a person, not a script.

Well-targeted cold campaigns typically see reply rates in the 1 to 5 percent range. If you are far below that with clean authentication, deliverability is the hidden cause.

Your Next Steps

Deliverability is a stack of fixes, each cheap on its own and decisive in combination. Run an inbox-placement test before any big send and check your domain against major blocklists periodically. If your emails are going to spam, work in this order:

This week: Publish SPF, DKIM, and DMARC. Move cold sending to a separate domain.

Next two weeks: Warm each new mailbox slowly and verify your whole list. Cap sends near 50 per mailbox per day.

Ongoing: Keep emails plain and personal, throttle sending, watch your DMARC reports, and prune non-engagers.

None of this guarantees the inbox, because providers control that. But authenticated mail from a warmed domain, sent to verified contacts in plain personal language, is what gets read instead of buried. Fix the foundation, and the reply rate follows.