A fintech founder arrived with a list of 4,200 qualified prospects, a three-email sequence that had taken three weeks to write, and an open rate of 0.4%. Not 4% — 0.4%. The domain was six weeks old, had no DMARC record, and had been sending 300 emails on day one from a shared IP pool. Every message was in spam before a single human read a word.
The sequence was fine. The targeting was fine. The deliverability infrastructure was non-existent. That's the most common version of this problem: teams that spend weeks on copy and five minutes on the technical setup that determines whether anyone sees it.
This is the technical setup guide. Not the copywriting guide — the infrastructure guide that decides whether your carefully-written email reaches an inbox or a spam folder.
Why 70% of cold outbound fails before the human decides
Validity's 2024 Email Deliverability Benchmark report found that 17% of legitimate commercial email never reaches the inbox globally. For cold outbound specifically — sent to addresses that haven't opted in — the figure is considerably higher.
The filtering stack a recipient's mail server runs against your message is largely invisible to you, but it works on signals you can control:
- Domain reputation: how old is the sending domain, and what's its history?
- Authentication: do SPF, DKIM, and DMARC all pass?
- Sending infrastructure: is the IP on any major blocklists? Is it shared with senders who behave badly?
- Engagement history: do recipients from similar senders open, reply, or mark as spam?
- Content signals: does the email look like spam to a Bayesian classifier?
You can't control recipient engagement history in your first campaign. You can control everything else. Most teams don't.
Domain and infrastructure setup: what you need before sending
The foundational decision: never cold-outbound from your primary business domain. If that domain gets flagged, your transactional email — invoices, contracts, customer onboarding — gets damaged with it. Register a close variant (yourcompany-hq.co.uk, mail.yourcompany.co.uk, hi.yourcompany.co.uk), point its MX records to your sending provider, and keep your primary domain entirely clear of outbound.
Your sending infrastructure options:
| Option | Inbox placement | Cost | Setup effort |
|---|---|---|---|
| Shared sending IP (e.g. basic Mailchimp) | Poor for cold outbound | £0–£30/month | Minimal |
| Dedicated IP (e.g. SendGrid dedicated) | Good if warmed correctly | £75–£200/month | Moderate |
| Private SMTP (self-managed) | Best control, hard to scale | Variable | High |
| Outbound-specialist SaaS (Instantly, Lemlist) | Built for this use case | £50–£150/month | Low |
For most UK SMEs at under 500 emails/day, an outbound-specialist SaaS tool with a built-in warm-up engine is the pragmatic choice. For volumes above 2,000 emails/day, a dedicated IP on a reputable ESP (SendGrid, Postmark, or AWS SES) with your own warm-up process gives better control.
SPF, DKIM, and DMARC: the authentication trifecta
These three DNS records are non-negotiable. Missing any one of them increases your spam rate substantially; missing all three means you'll barely reach an inbox at scale.
SPF (Sender Policy Framework) — a TXT record on your sending domain that lists which mail servers are authorised to send on its behalf:
TXT @ "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
The ~all softfail is the standard; use -all (hardfail) only once you've confirmed all your legitimate sending sources are enumerated. Using +all (allow anyone) is effectively no SPF at all — don't do it.
DKIM (DomainKeys Identified Mail) — a cryptographic signature on outgoing messages, verified with a public key in DNS. Your ESP generates the key pair; you publish the public key as a TXT record:
TXT mail._domainkey "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
Use 2048-bit keys. 1024-bit keys are considered weak by current standards and increasingly rejected by major providers.
DMARC (Domain-based Message Authentication, Reporting and Conformance) — a policy record that tells receiving servers what to do when SPF or DKIM fails, and where to send reports:
TXT _dmarc "v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100"
Start with p=none (monitoring mode) for two weeks to catch any legitimate sending sources you missed. Then move to p=quarantine, and eventually p=reject once you're confident your authentication is complete. The rua address receives aggregate reports — read them. They'll show you unauthorised senders using your domain, which is worth knowing regardless of deliverability.
Domain warm-up: the schedule most people skip
A new sending domain starts with no reputation. Mail servers that encounter a domain sending high volumes with no history treat that as a spam signal. Warm-up establishes reputation by starting at low volume and increasing gradually, while accumulating positive engagement signals.
A realistic warm-up schedule for a new dedicated domain:
| Week | Daily send volume | Target open rate | Notes |
|---|---|---|---|
| 1 | 20–30 | >50% | Send only to your warmest contacts: previous customers, colleagues |
| 2 | 50–80 | >40% | Add recent opt-ins, warm prospects |
| 3 | 100–150 | >35% | Broaden to recent enquiries |
| 4 | 200–300 | >30% | Begin cold targeting at low volume |
| 5–6 | 400–600 | >25% | Increase cold volume gradually |
| 7–8 | 800–1,200 | >20% | Full cold campaign scale |
The engagement target matters as much as the volume ramp. If your open rate falls below 20% during warm-up, slow down. Sending to low-engagement segments during warm-up is how you bury a domain before it's ready.
If you're using an outbound SaaS tool with a built-in warm-up feature (Instantly, Smartlead), use it — but don't mistake the tool's automated warm-up for a substitute for your own engagement seeding in weeks 1–2.
Monitoring inbox placement: tools and signals
Three layers of monitoring, used together:
Seed testing before each campaign: send to a panel of real addresses across providers (Gmail, Outlook, Apple Mail, ProtonMail) using a service like GlockApps or Mail-Tester. This tells you, before a single prospect receives the email, whether it's landing in inbox, spam, or promotions across major clients.
Google Postmaster Tools for Gmail-specific signals: domain reputation, IP reputation, spam rate, authentication pass rates. Free, and essential. Gmail accounts for a large proportion of UK B2B inboxes; their classification of your domain matters more than almost any other provider's.
SMTP reply codes from your ESP's bounce logs: 421 and 450 are soft bounces (temporary throttling — the receiving server is suspicious of you but not rejecting outright); 550 and 551 are hard bounces (permanent rejection). A spike in soft bounces at a specific provider (e.g. Microsoft 365) tells you their filters have caught something — investigate before it becomes a hard block.
PECR and UK compliance: what cold email actually requires
The Privacy and Electronic Communications Regulations (PECR) governs cold email in the UK. The key rules for B2B outbound:
Cold email to a business email address (e.g. [email protected]) does not require prior consent, provided the message is relevant to the recipient's professional role and includes a functioning unsubscribe mechanism. You must honour unsubscribes promptly — the ICO recommends within 10 days, though faster is better practice.
Cold email to personal email addresses (Gmail, Hotmail, Outlook personal accounts) requires prior consent under PECR, even when the content is B2B. If your data list includes personal addresses, segregate them.
A counterpoint worth considering: some UK data-rights practitioners argue that the PECR B2B exemption is narrower than commonly assumed, particularly for sole traders (who are treated as consumers under PECR). The ICO's direct marketing guidance is the authoritative reference — read it rather than relying on secondhand summaries, including this one.
What changed in 2025–2026: Google and Yahoo bulk sender requirements
In February 2024, Google and Yahoo introduced mandatory requirements for bulk senders (over 5,000 emails/day to Gmail or Yahoo): DMARC must be present, SPF or DKIM must pass, and one-click unsubscribe headers must be present in marketing emails. Non-compliant senders face rejection, not just spam filtering.
For UK SMEs sending under 5,000 emails/day, these requirements don't apply — yet. But Google's pattern has been to tighten requirements over time, and it's considerably less work to implement them now than to retrofit them when they become mandatory. DMARC with p=reject, DKIM with 2048-bit keys, and a List-Unsubscribe header with List-Unsubscribe-Post: List-Unsubscribe=One-Click should be your baseline for any new sending setup.
Bounce management and list hygiene
Deliverability degrades fast when you send to bad addresses. A hard-bounce rate above 2% signals to receiving servers that you're using stale or purchased lists — both of which correlate with spam. Most major ESPs will suspend your account at 5%.
Practical list hygiene before any cold campaign:
Verify addresses before sending. Services like ZeroBounce or NeverBounce identify invalid, role-based (info@, contact@), or catch-all addresses before you send. For a list of 1,000 contacts, expect 8–15% to bounce or be unverifiable — sending to them is wasted spend and reputation damage.
Suppress role-based addresses. info@, hello@, contact@, admin@, sales@ are catch-all or distribution addresses that rarely reach a named decision-maker. They also tend to have higher spam-complaint rates because multiple people see the email and one of them will click "report spam." Filter them out before campaigns.
Monitor your bounce rate per sending batch. Set an alert to pause the campaign automatically if hard bounces exceed 1.5% on any given day. Better to stop and investigate than send a further 500 emails to a bad segment while your domain reputation erodes.
Re-verify lists older than 90 days. Email addresses go stale faster than most teams expect — average B2B email churn is approximately 30% per year. A list you verified in January should be re-verified in April.
Good / Bad / Ugly: infrastructure patterns that determine fate
Good: A dedicated sending subdomain (outbound.yourcompany.co.uk), six-week warm-up with positive engagement seeding in weeks 1–2, DMARC at p=reject, DKIM at 2048-bit, SPF hardfail, seed-tested before each campaign batch, SMTP bounce monitoring wired to an alert. This setup hits inbox on cold outbound at 85–90% of sends to verified addresses.
Bad: Using your primary business domain for cold outbound. Sending 500 emails on day one. No DMARC record ("I'll add it later"). First campaign: 12% open rate, second: 4%, third: filtered entirely. Domain reputation takes months to recover.
Ugly: Buying a list of 20,000 UK emails from a data broker, sending 2,000/day from a fresh domain with no warm-up, no SPF, no unsubscribe link. PECR breach, immediate spam block from Microsoft 365 and Gmail, and a domain that's effectively burned in 72 hours.
A deliverable cold email system pairs with the enrichment and scoring layer that decides who gets emailed and in what order. For that part of the stack, see CRM Enrichment and ICP Scoring for UK SME Outbound. For how a LinkedIn outbound system was built end-to-end for a UK B2B client, the LinkedIn AI SDR case study covers the full technical design. And for the speed constraints that determine when your first email needs to arrive relative to a lead's enquiry, see Speed to Lead: The 5-Minute Window UK SMEs Actually Need to Hit.
Book a 30-minute call and we'll audit your current sending infrastructure before you start your next campaign.