Updated May 2026. Original publish February 2026.
Your emails aren't being ignored. They're being rejected before anyone sees them.
Since late 2025, Google, Yahoo, and Microsoft have shifted from filtering non-compliant emails to rejecting them at the server level. No spam folder. No promotions tab. A hard 5xx bounce, and your message simply doesn't arrive. Public industry estimates from email infrastructure vendors put the share of cold B2B emails that never reach the inbox at roughly 30-50% in 2025-2026 across non-compliant senders (see Mailgun's State of Sending and EmailToolTester's annual deliverability study for current numbers).
Gmail added another layer in early 2026: AI-powered content scoring that flags mail-merged templates, formulaic openers, and AI-generated text. Even if your authentication is perfect, emails that read like mass outreach get buried.
The result: sales teams running the same outbound playbook from 2024 are seeing reply rates crater, not because their messaging got worse, but because their emails never reach the inbox.
This article covers the deliverability side of the problem: what to fix at the protocol, domain, and content layer so your messages actually arrive. If you want the broader thesis on why the open-rate metric itself stopped working as a measurement signal, see Cold Email Open Rates Are Dead. The two articles complement each other: this one is about getting through the door, that one is about what to measure once you're inside.
Short on time?
Skip to the three layers of deliverability you need to fix. Or jump to the tools comparison and FAQ at the bottom.
The enforcement timeline that broke most outbound setups
This wasn't gradual. Each milestone made the rules harder:
February 2024: Google and Yahoo announced bulk sender requirements. SPF, DKIM, and DMARC mandatory for anyone sending 5,000+ emails per day. One-click unsubscribe required. Maximum 0.3% spam complaint rate. Google's published rules are at Email sender guidelines (support.google.com); Yahoo's are at Yahoo Sender Hub.
June 2024: Google began soft enforcement. Non-compliant messages got temporary errors (4xx codes), warnings, but still delivered.
May 2025: Microsoft joined enforcement. Outlook, Live, and Hotmail now require SPF, DKIM, and DMARC for high-volume senders. Non-compliant messages get rejected with 550 5.7.15. Microsoft's guidance and reputation dashboard live at Microsoft Smart Network Data Services (SNDS).
November 2025: Google moved to hard rejection. No more grace period. Permanent 5xx bounces for non-compliant senders.
Early 2026: Gmail rolled out AI-powered filtering using Gemini. It analyzes sentence structure, email formatting, and whether your message looks like a template sent to hundreds of people with a name swapped in. Microsoft followed with similar logic in Outlook later in Q1.
The 5,000/day number isn't a safe harbor
The 5,000/day threshold triggers the strictest bulk-sender enforcement, but Google and Microsoft apply similar filtering logic to all senders. An SMB sales team sending 200 emails a day still gets flagged for bad authentication, high complaint rates, or template patterns. These practices matter at any volume.
Even with SPF, DKIM, and DMARC all passing, roughly 30% of compliant cold B2B emails still land in spam (EmailToolTester 2026 deliverability report). Authentication gets you past the front door. Where you end up inside (Primary, Promotions, Spam) depends on engagement history, content quality, and domain reputation.
The three layers of deliverability in 2026
Layer 1: Authentication
If you haven't set these up, nothing else matters. The underlying specs are public IETF standards, not vendor-specific:
SPF (RFC 7208) tells inbox providers which mail servers are authorized to send on your behalf. Publish a TXT record listing your sending services. Stay under 10 DNS lookups, a hard limit that's easy to hit if you use multiple ESPs.
DKIM (RFC 6376) adds a cryptographic signature proving the message wasn't altered in transit. Enable this through your email provider. Most handle the DNS record for you.
DMARC (RFC 7489) ties SPF and DKIM together and tells providers what to do with messages that fail. Start with p=none for monitoring, then move to p=quarantine after two weeks of clean sending. This used to be optional. Since 2025, it's mandatory for any meaningful volume.
ARC (RFC 8617) is the lesser-known cousin: it preserves authentication results across intermediate hops like mailing lists and forwarders, so a message that's been legitimately relayed still passes downstream checks. Most modern ESPs handle ARC automatically, but if you operate a mailing-list relay or run your own MTA, it's worth verifying.
One-click unsubscribe (RFC 8058) is the requirement most teams still miss. Your emails need both a List-Unsubscribe header and a List-Unsubscribe-Post: List-Unsubscribe=One-Click header that lets someone unsubscribe with one click. No confirmation page, no login. A footer link alone doesn't count toward Gmail or Yahoo's compliance check.
BIMI is worth setting up once your DMARC reaches p=quarantine. It displays your brand logo next to your emails in supporting inboxes (Gmail, Apple Mail, Yahoo), which improves recognition and reduces the chance recipients mark you as spam. Not required, but a visible trust signal.
For the operational best practices behind these specs (rotation hygiene, segmentation, complaint handling), the M3AAWG Sender Best Common Practices document is the closest thing to an industry-consensus reference.
Layer 2: Domain infrastructure
Never send cold outbound from your primary domain. If a sending domain gets flagged, you don't want it dragging down your main company email.
The approach that works in 2026 is a three-tier domain system: active domains handling production sends, resting domains recovering from duty, and warming domains being prepared for deployment. You want 3-5 active domains rotating daily, each handling a portion of total volume.
Key numbers: 40-50 emails per mailbox per day is the safe ceiling. Run 4-6 inboxes per domain. Warm new domains for a minimum of 30 days before production sends. Rotate domains every 4-6 months. Inbox placement drops roughly 15% by month six.
Spread your domains across email providers. Don't put everything on Google Workspace. If Google changes filtering rules, every domain on that platform gets hit simultaneously. Split across Google Workspace, Microsoft 365, and at least one alternative.
On tools: Platforms like Woodpecker, Lemlist, and Apollo handle SPF/DKIM configuration, sending limits, and warmup scheduling natively. Before committing to a tool, check that it handles List-Unsubscribe headers (RFC 8058) automatically. Not all do. Some older ESPs still require manual header configuration.
Warmup for smaller teams
The week-by-week warmup schedules you see online peak at 200-300 emails/day, which is relevant for high-volume outbound orgs. A 5-person sales team may plateau at 50-75 per day total, and that's fine. Scale to match your team's actual sending needs, not someone else's benchmark.
Layer 3: Content that passes AI detection
This is where things got harder in 2026. Gmail's AI compares your email against others it's seen recently. It checks whether subject lines follow a pattern, whether the HTML layout is identical except for a name swap, and whether the same link structures appear across hundreds of messages.
Even your template's fingerprint degrades over time. If enough recipients ignore or delete emails matching a pattern, Gmail flags that pattern in real time.
What works now:
Write emails under 80 words. Use plain text, not HTML templates. One link maximum. Reference something specific and verifiable, a job posting, a funding round, a LinkedIn post. Rotate 5-10 genuine variants per sequence step (not just merge fields) and swap templates every 5-7 days.
What kills you:
Same template sent to 100+ recipients with only {{first_name}} changed. Identical HTML structure across messages. Sending the same template for more than a week. Formulaic openers like "I noticed your company..." that every SDR tool generates. AI-generated text with its characteristic hedging patterns. And tracking pixels: Gmail now shows a visible warning when it detects them, with a one-click spam report button right there.
Sequence structure (brief guidance)
The guide focuses on individual emails, but most cold outbound lives inside multi-step sequences. The numbers that work in 2026: 4-5 emails over 2-3 weeks, with spacing of roughly 3/4/5/6 days between touches. Stop the sequence on any reply, positive or negative. After touch 5 with no engagement, move the contact to long-term nurture or discard. Running more than 5 touches with no response damages your sender reputation more than it helps your pipeline.
What sender metrics replace open rate in 2026
Open tracking actively hurts deliverability in 2026. Gmail shows recipients a banner when it detects tracking pixels ("Images in this message are hidden") with a one-click spam report button. Yahoo and Microsoft followed with similar UI. Using open tracking on cold outbound now both poisons your sender reputation and gives recipients a single-click path to flag you. Disable it for all cold outbound immediately.
The broader case against the open-rate metric as a signal (Apple MPP firing opens before humans see them, security scanners pre-fetching links, AI inbox agents loading everything) is covered in Cold Email Open Rates Are Dead. That post is about why the metric stopped meaning anything. This post is about which metrics actually feed back into your sender reputation now that opens are out.
The sender-side metrics that matter in 2026:
- Reply rate > 3% is the strongest deliverability signal. A reply tells the provider the recipient wanted to hear from you.
- Bounce rate < 2% means hard bounces are being suppressed instantly. Anything above 2% means your list needs work.
- Spam complaint rate < 0.1% is the safe zone. The provider threshold is 0.3%, but by the time you hit that, the damage is done.
- Inbox placement > 90% is the real test. Use seed testing (GlockApps, MailGenius) to verify you're hitting Primary, not just "delivered."
- Positive reply rate > 1% isolates the genuinely interested replies from the "remove me" responses.
What to track instead of opens at the engagement layer: link clicks (with a custom tracking domain), site visits (UTM parameters, not pixel tracking), and engagement with shared documents. You can also track email attachment opens with the right approach, though trackable links are far more reliable. Because Apple MPP and corporate scanners broke opens as a qualification signal, content-engagement data does the work opens used to. See How engagement-as-MQL replaces opens for marketing ops for the methodology.
If you can't track opens, track what happens after the click
When you send a proposal as a PDF attachment, you get zero visibility. The email leaves your outbox and disappears into a void. When you share that same proposal as a trackable link, you see who opened it, how long they spent on each page, which sections they re-read, and whether they forwarded it to a colleague. "She spent 4 minutes on the pricing page and came back to it twice" tells you more about deal momentum than any open rate ever did. This is what we built HummingDeck for: document analytics that replace unreliable open rates with per-page engagement data. The email read receipt problem has the same root cause: track engagement after the inbox, not inside it.
What HummingDeck data shows about inbox-side noise
Even with everything above set up correctly, the raw view counts you see in any email-tracking tool include a substantial layer of non-human activity. This isn't theoretical. We can see it directly in HummingDeck's tracked-link data because our bot-filtering pipeline classifies traffic into buckets at view time.
Across HummingDeck-tracked share links sent through cold email and outbound sequences, the breakdown of view events that arrive in the first 24 hours after a send falls roughly into:
- Security scanners and link prefetchers (Microsoft Safe Links, Proofpoint, Mimecast, Barracuda, Cloudflare Email Security): the dominant share of pre-human traffic. These hit the link within seconds of delivery, with characteristic user-agent strings and zero in-asset dwell time.
- Apple Mail Privacy Protection prefetches: fire on Apple Mail clients with image-loading. They register an open immediately but never produce engagement on the asset.
- AI inbox agents and triage assistants: emerging in 2025-2026 as more users delegate inbox review to LLM agents. These load the link, sometimes extract content, and pass back a summary. The user may never see the email.
- Genuine human first-look traffic: the share that actually represents the recipient reading.
The exact proportions vary by sender domain, recipient ESP mix, and time of day, but the directional point holds: a meaningful chunk of what looks like engagement in a raw tracking dashboard is automated traffic. Sender-side metrics like spam complaint rate and reply rate are robust to this. Engagement-side metrics on the recipient end are not, unless your tracking layer filters bots before the number lands.
If you want the deep dive on the filtering mechanics (three-layer bot detection across user-agent, IP geolocation, and client gesture) we've written the engineering side separately.
Data note: HummingDeck reports the aggregate filtered/unfiltered breakdown to customers on a per-link basis. The numbers above describe direction and rough proportions, not a precise industry-wide claim. Your own filtering tool, if it has one, will give you the specific split for your sends.
What to do when you're already in spam
The guide so far assumes you're setting up fresh. Many readers arrive here because their emails are already going to spam. Here's the recovery playbook:
1. Identify the damage. Check Google Postmaster Tools and Microsoft SNDS. Look at your domain reputation, spam rate, and authentication pass rates. Check MXToolbox for blacklist hits. Know exactly how bad it is before you start fixing.
2. Stop sending from the damaged domain. Continuing to send on a domain with "Bad" reputation makes everything worse. Pause all outbound immediately.
3. Delist from blacklists. If you're on Spamhaus, Barracuda, or other major RBLs, submit delisting requests. Spamhaus usually processes within 24 hours if the underlying issue is resolved. Barracuda can take longer.
4. Fix the root cause. Bad list? High bounce rate? Template that got flagged? Identify why you landed in spam and fix it before sending again. Otherwise you'll burn the next domain too.
5. Warm a fresh domain while the old one recovers. Don't wait for the damaged domain to heal. Start warming a replacement immediately. Follow the standard 30-day warmup: 5-10 emails/day in week 1 to engaged contacts, scaling gradually. The old domain may recover in 2-6 weeks if you stop sending and the underlying issues are resolved, but don't count on it.
6. Re-verify your entire list. Email addresses decay at roughly 25% per year. If you haven't verified your list recently, do it now, before sending from the new domain. One bad campaign on a fresh domain puts you right back where you started.
The monitoring stack you need
Set up monitoring before you start sending, not after something breaks:
Google Postmaster Tools for domain and IP reputation, spam rate, authentication pass rates. Check daily during warmup, weekly after. If reputation shows "Bad," halt outbound immediately.
Microsoft SNDS for Outlook-specific trap hits, complaint rates, and IP reputation. Essential since Microsoft's May 2025 enforcement.
GlockApps for inbox placement testing with seed lists. Shows inbox vs. spam vs. missing per provider. Run before every new campaign.
MXToolbox for blacklist monitoring, DNS validation, SMTP diagnostics. Set up automated alerts for all sending domains.
Stop-send thresholds (agree on these with your team before launching):
- Bounce rate exceeds 2% on any campaign: pause and verify list.
- Spam complaints above 0.1%: investigate content and targeting.
- Spam complaints above 0.3%: stop all sending from that domain.
- Google Postmaster shows "Bad" reputation: halt and begin recovery.
- Inbox placement drops below 80% on seed tests: pause until root cause found.
- Blacklisted on Spamhaus or Barracuda: delist before resuming.
Warmup and deliverability tools compared
If you're picking a deliverability stack from scratch, here's how the common 2026 options stack up. Each does a different job, so most outbound teams end up running two or three of these in parallel.
| Tool | Category | What it does | Free tier | Paid from | Best for |
|---|---|---|---|---|---|
| Postmark | Transactional ESP | Sending infrastructure with strong reputation defaults | No (free trial) | $15/mo | Transactional sends where deliverability is mission-critical |
| Mailwizz | Self-hosted EMA | Run your own sending app on your own servers | One-time license $69+ | License-based | Teams wanting full control of infra and IP reputation |
| Lemwarm (Lemlist) | Inbox warmup | Network-based warmup sending and receiving between accounts | No | From ~$29/mo | Sales teams already in Lemlist; integrated warmup |
| Warmup Inbox | Inbox warmup | Standalone warmup network for any ESP | 7-day trial | From ~$15/mo per inbox | Teams running custom ESPs that lack built-in warmup |
| Instantly Warmup | Inbox warmup | Warmup integrated with cold-outreach sequencer | No (trial) | From ~$37/mo | Cold-outbound teams using Instantly for sequencing |
| Mailgun State of Email | Benchmark research | Annual industry deliverability data | Free read | Free | Benchmarking your numbers against industry baselines |
| GlockApps | Inbox placement testing | Seed-list testing across major ESPs | Limited free | From ~$59/mo | Pre-launch placement checks before campaign sends |
The warmup tools (Lemwarm, Warmup Inbox, Instantly's built-in) all do roughly the same thing: simulate engagement to teach inbox providers that your domain is sending wanted mail. They're not magic. Warmup buys you the right to send. Content and list hygiene determine whether you stay in the inbox once you start.
The transactional ESPs (Postmark, also Resend, SendGrid, Mailgun) are a different category. They're optimized for one-to-one transactional mail (order confirmations, password resets, receipts), not cold outbound. Don't try to route cold outbound through them. They will shut you down.
FAQ
How do I check my email deliverability?
Three places, in order of priority. First, Google Postmaster Tools for your domain reputation, spam rate, and authentication pass rates against Gmail (Gmail accounts for roughly 30% of business inboxes, so this is the single most important dashboard). Second, Microsoft SNDS for the equivalent against Outlook/Hotmail. Third, an inbox-placement testing tool like GlockApps that seeds your campaign across real test accounts at major providers and tells you whether you landed in Primary, Promotions, or Spam.
If you want a faster directional check, MXToolbox gives you blacklist status and DNS validation for free in under a minute.
Is open tracking dead?
For cold outbound, yes. Open tracking now actively hurts your deliverability in 2026: Gmail, Yahoo, and Microsoft all display anti-tracking banners with one-click spam-report buttons when they detect tracking pixels. The signal it produced (open rate) was already broken by Apple Mail Privacy Protection, corporate security scanners, and AI inbox agents loading every pixel before a human sees the message. The broader argument is in Cold Email Open Rates Are Dead. For transactional and opt-in marketing where the recipient consented, pixel-based open tracking is less damaging but still unreliable. Either way, the metric to track now is engagement on what you sent, not whether the inbox loaded an image.
How long does domain warmup take?
A minimum of 30 days for a new domain before production sends, regardless of which warmup tool you use. The standard schedule: 5-10 emails/day in week 1 to highly engaged contacts (your own team, friendlies, existing customers), then roughly double each week until you hit your target daily volume around day 30. Smaller teams can plateau earlier (50-75/day) and don't need to keep ramping. Skipping warmup or compressing it to under two weeks reliably lands you in spam regardless of authentication setup.
Does AI-generated email get filtered?
Increasingly, yes. Gmail's AI-powered filtering in 2026 looks for hedging patterns, formulaic sentence structures, and the characteristic over-polished phrasing that LLMs produce. AI-generated text isn't automatically blocked, but a message that scans as machine-written, especially combined with a templated layout and a generic opener, raises the spam probability score noticeably. The fix isn't to stop using AI; it's to use AI for drafts and rewrite enough of each message in your own voice that the fingerprint isn't formulaic. Reference something specific to the recipient. Keep it under 80 words. Vary sentence rhythm.
Do I need DMARC if I only send a few hundred emails a week?
Yes, in practice. The 5,000/day threshold sets the bulk-sender enforcement bar, but Google and Microsoft apply similar filtering logic to lower-volume senders. Without DMARC, your domain is more likely to be impersonated in phishing (because the providers can't verify legitimate sends) and your messages are more likely to be filtered. The setup takes 10 minutes. There's no good reason to skip it.
What's a "custom tracking domain" and do I need one?
When you send a tracked link, it normally points to your ESP's shared tracking domain (something like track.somesalesplatform.com). That domain is shared with every other sender on the platform, including spammers and senders with damaged reputation. A custom tracking domain (e.g. links.yourcompany.com) routes your tracked URLs through your own subdomain instead, isolating your sender reputation from the platform's other tenants. Required if you're tracking links seriously; optional if you're not.
Can I send cold outbound from Postmark or SendGrid?
No. Postmark, SendGrid, Mailgun, and similar transactional ESPs are built and priced for one-to-one transactional mail (password resets, receipts, order confirmations) where the recipient has a clear prior relationship with the sender. Their terms of service prohibit cold outbound, and they enforce. Use a dedicated cold-outbound sequencer (Instantly, Smartlead, Lemlist, Apollo) on a separate dedicated domain.
Bottom line
Email deliverability in 2026 has two distinct problems and they need separate fixes. The protocol-and-domain side is mostly solved if you follow the IETF specs and the major providers' published rules: SPF, DKIM, DMARC, ARC, one-click unsubscribe, 40-50/mailbox/day, 30-day warmup, rotate domains every 4-6 months. The content side is the moving target: AI filters are getting tighter, templates degrade faster, and tracking pixels now flag you to the recipient directly.
The pattern this leaves: assume inbox-level metrics will keep degrading. Build your forecasting on signals that survive the bot layer (reply rate, engagement on content you shared, return visits on tracked links). The deliverability fight is to get the email through; the measurement fight is what to do once it lands.
If cold email is becoming unreliable as a primary channel, content-led prospecting (sharing valuable content through deal rooms and tracking who engages) is the durable adjacent strategy. This post covers the deliverability strategy. The full reference playbook adds the parts that are hard to fit in a blog post: the pre-launch compliance checklist with every DNS record you need, week-by-week warmup schedules with exact daily volumes, the three-tier domain rotation system, stop-send trigger thresholds, and the complete monitoring stack setup.
10 pages, updated for Q2 2026. It's the reference guide our own revenue operations team uses.
About the author
Ilya Spiridonov is the founder of HummingDeck. The deliverability practices in this guide are the ones we use internally to send outbound from HummingDeck domains, and the engagement-tracking arguments come from operating the tracking-and-analytics pipeline that powers HummingDeck's product. HummingDeck lets you share proposals and sales content as trackable links, so you can see who engaged, which pages they care about, and who's worth following up with, instead of guessing from an inbox you can no longer measure.
Related:
- Cold Email Open Rates Are Dead. The Metric Can't Be Saved.: why the SDR's first metric stopped working and what replaces it.
- How to Track Prospect Engagement After a Cold Email: per-slide engagement as the replacement signal.
- Why Your Deck Analytics Are Wrong: the bot-filtering mechanics behind the HummingDeck data section above.
- Do Email Read Receipts Actually Work?: the same pixel-and-receipt failure mode applied to read receipts specifically.
- Bulk Send Personalized Tracked Links for Outbound: sending hygiene applied to tracked-link distribution.
- Content Engagement Is the New MQL: how content-engagement signal replaces open rates for marketing ops.
- HummingDeck for Cold Outreach | HummingDeck for Sales | Pricing