The 21-Day Domain Warmup Protocol for Cold Email: A Technical Guide (2026)

Domain warmup done wrong = 95% spam rate. Here is the exact 21-day protocol Deep-Y uses for every new cold email domain - with sending volumes, authentication setup, and what to do if you hit a wall.

Domain warmup is an infrastructure problem, not a copy problem. The right protocol prevents 90%+ spam placement before the first cold email is ever sent.

Quick Answer

Domain warmup is the process of gradually increasing cold email sending volume on a new domain to build sender reputation before reaching cold prospects at scale. Without it, Gmail and Outlook route new senders directly to spam. The standard warmup period is 21-30 days before full cold outreach volume.

Most cold email deliverability problems are not copy problems. They are not subject line problems, not personalization problems, and not timing problems. They are infrastructure problems that were baked in before a single email was ever sent - specifically, the domain was never properly warmed up.

Without warmup, new domains typically see 80-95% spam placement rates in the first 30 days. That number comes from the way Gmail and Outlook evaluate sender reputation: a domain that has never sent email before suddenly blasting 200 messages to cold contacts is treated as an anomaly - and anomalies get filtered. Every campaign running on a cold domain is dead before it starts.

This guide documents the exact 21-day warmup protocol Deep-Y uses for every client domain setup. It covers authentication requirements, daily volume targets, what to monitor, and the six mistakes that kill warmup before it begins.

Why Do Cold Email Domains Need Warmup?

Gmail, Outlook, and corporate email security systems evaluate sender reputation before making routing decisions. That reputation is built from a combination of signals: prior send volume, engagement history, bounce rates, spam complaint rates, and authentication records. A brand-new domain has none of these signals.

When a fresh domain sends its first 200 emails on day 1, every major inbox provider flags it as suspicious. The pattern matches a known spam playbook: register a new domain, blast a list, abandon when blocked, repeat. Even if the intent is entirely legitimate, the behavior fingerprint is identical. The filters do not care about intent.

The warmup process forces a pause. Instead of sending 200 emails on day 1, you send 10 - and you make sure those 10 get opened, replied to, and marked as safe. You build the engagement history that tells Gmail this sender is real before you ever ask it to deliver a cold prospecting message. The specific signals that matter: consistent send-and-receive patterns that look like normal business email, genuine engagement (opens, replies, "not spam" markings), steady daily volume without sudden spikes, and authenticated sends verified by SPF, DKIM, and DMARC.

Skip the warmup and you are essentially asking Gmail to trust a stranger. It will not. The consequences are not just spam placement for that campaign - a damaged domain reputation is slow to recover and can require weeks of remediation or a full domain reset.

What Authentication Setup Is Required Before Day 1?

Three DNS records are non-negotiable before any email is sent from a new domain. Sending without them is not just suboptimal - it is the fastest way to have your domain flagged permanently. Configure all three before the warmup clock starts.

SPF (Sender Policy Framework)

SPF is a TXT record in your DNS that lists which mail servers are authorized to send email from your domain. When a receiving server checks an incoming message, it looks up your SPF record and verifies the sending IP is on the approved list. If it is not, the message fails SPF - and most providers will route it to spam or reject it entirely.

A standard SPF record for Google Workspace sending looks like this:

v=spf1 include:_spf.google.com ~all

The ~all at the end is a soft fail - it tells receiving servers to accept but flag messages from unauthorized IPs. Use -all (hard fail) once you are confident all your sending sources are listed.
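The check below is an added example, not Deep-Y's tooling: it lints the TXT records published at a domain for the SPF problems discussed above (missing or duplicate records, the qualifier on all) plus the 10-lookup limit from RFC 7208. It works offline on record strings; the sample records other than the Google Workspace one are constructed, and the esp.example hostnames are placeholders.

```python
import re

# Terms that each cost one DNS lookup during evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*)([:=/]?)(.*)")


def is_spf(record):
    """True when a TXT record is an SPF record (first token is v=spf1)."""
    return record.lower().split()[:1] == ["v=spf1"]


def parse_spf(record):
    """Split one SPF record into (qualifier, name, is_modifier) terms."""
    terms = []
    for raw in record.split()[1:]:
        qualifier = "+"                       # '+' (pass) is the implicit default
        if raw[0] in "+-~?":
            qualifier, raw = raw[0], raw[1:]
        match = TERM_RE.fullmatch(raw)
        if match is None:
            raise ValueError(f"unparseable SPF term: {raw!r}")
        name, separator, _argument = match.groups()
        terms.append((qualifier, name.lower(), separator == "="))
    return terms


def lint_spf(txt_records):
    """Return findings for the TXT records published at one domain."""
    spf = [r for r in txt_records if is_spf(r)]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple v=spf1 records: receivers return permerror"]
    findings = []
    terms = parse_spf(spf[0])
    lookups = sum(1 for _q, name, _m in terms if name in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}")
    all_positions = [i for i, (_q, name, _m) in enumerate(terms) if name == "all"]
    if not all_positions:
        if not any(name == "redirect" for _q, name, _m in terms):
            findings.append("no 'all' mechanism: unlisted senders get a neutral result")
        return findings
    index = all_positions[0]
    qualifier = terms[index][0]
    if any(not is_modifier for _q, _n, is_modifier in terms[index + 1:]):
        findings.append("mechanisms after 'all' are never evaluated")
    if qualifier == "+":
        findings.append("+all authorizes every host on the internet")
    elif qualifier == "?":
        findings.append("?all is neutral: it gives receivers no signal")
    elif qualifier == "~":
        findings.append("~all is a soft fail: move to -all once every sender is listed")
    return findings


# Constructed inputs; the first is the Google Workspace record shown above.
SOFT_FAIL = ["v=spf1 include:_spf.google.com ~all"]
HARD_FAIL = ["v=spf1 include:_spf.google.com -all"]
DUPLICATE = SOFT_FAIL + ["v=spf1 include:spf.esp.example -all"]
TOO_MANY = ["v=spf1 " + " ".join(f"include:s{i}.esp.example" for i in range(11)) + " +all"]

if __name__ == "__main__":
    for records in (SOFT_FAIL, HARD_FAIL, DUPLICATE, TOO_MANY):
        print(records[0][:50], "->", lint_spf(records) or "ok")
```

The lookup count here covers only the top-level record; lookups made inside each include target also count toward the limit when a receiver evaluates SPF.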

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature, carried in a DKIM-Signature header, to every outgoing message. The receiving server checks this signature against your public key published in DNS, confirming the message was sent by an authorized sender and that the signed headers and body were not altered in transit. Your email service provider (Google Workspace, Microsoft 365) generates the DKIM key pair and gives you the public key to publish as a DNS TXT record.

DKIM setup is done entirely inside your ESP's admin panel - Google Workspace calls it "Authenticate email" under Gmail settings. After enabling it, propagation takes 24-48 hours. Verify it is active using Google's Admin Toolbox before starting warmup.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC tells receiving servers what to do with messages that fail SPF or DKIM checks - and instructs them to send you reports about what they are seeing. A message passes DMARC when at least one of SPF or DKIM passes for a domain that aligns with the visible From address. Start with a monitoring-only policy while you confirm all legitimate sending sources pass authentication:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

After 30 days of clean data in your DMARC reports, move to p=quarantine (spam folder for failures) and eventually p=reject (full block). This progression protects your domain from spoofing while keeping legitimate sends safe during the transition.
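One way to read the aggregate reports that arrive at the rua address before tightening the policy, as an added example that is not from the original article: it totals DMARC results per sending IP and separates failures from your own senders (fix these before p=quarantine) from failures at unknown IPs (what enforcement is meant to stop). The report XML is constructed with documentation IP ranges, and KNOWN_SENDERS is a hypothetical inventory you would maintain yourself.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report, trimmed to the fields read below (documentation IPs).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>160</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>20</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.50</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical inventory of IPs you expect to send as this domain.
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}


def summarize(report_xml):
    """Return {source_ip: {"total": n, "passed": n}} for one aggregate report."""
    # Reports come from third parties: for real ones use a hardened parser
    # (for example defusedxml) instead of the stdlib parser used here.
    root = ET.fromstring(report_xml)
    stats = defaultdict(lambda: {"total": 0, "passed": 0})
    for row in root.iterfind("record/row"):
        ip = (row.findtext("source_ip") or "").strip()
        count = int(row.findtext("count", "0"))
        # policy_evaluated holds the aligned results DMARC is decided on.
        dkim = (row.findtext("policy_evaluated/dkim") or "fail").strip()
        spf = (row.findtext("policy_evaluated/spf") or "fail").strip()
        stats[ip]["total"] += count
        if "pass" in (dkim, spf):            # one aligned pass is enough
            stats[ip]["passed"] += count
    return dict(stats)


def pass_rate(stats):
    """Share of all reported messages that passed DMARC."""
    total = sum(s["total"] for s in stats.values())
    passed = sum(s["passed"] for s in stats.values())
    return passed / total if total else 0.0


def failing_sources(stats):
    """(ip, failed, total) for every IP with failures, worst first."""
    rows = [(ip, s["total"] - s["passed"], s["total"])
            for ip, s in stats.items() if s["passed"] < s["total"]]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def senders_to_fix(stats, known_senders):
    """Your own senders that still fail: resolve before leaving p=none."""
    return [ip for ip, _failed, _total in failing_sources(stats)
            if ip in known_senders]


if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    print(f"DMARC pass rate: {pass_rate(report):.1%}")
    for ip, failed, total in failing_sources(report):
        owner = "known sender" if ip in KNOWN_SENDERS else "unknown source"
        print(f"{ip}: {failed}/{total} failed ({owner})")
```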

| Record | DNS Format | Where to Add | Propagation Time |
|---|---|---|---|
| SPF | TXT record at root domain | Domain registrar or DNS host | 1-4 hours |
| DKIM | TXT record at selector._domainkey subdomain | Domain registrar or DNS host | 24-48 hours |
| DMARC | TXT record at _dmarc subdomain | Domain registrar or DNS host | 1-24 hours |
| BIMI (optional) | TXT record at default._bimi subdomain | Domain registrar or DNS host | 24-72 hours |
| Custom Tracking Domain | CNAME record pointing to ESP | Domain registrar or DNS host | 1-4 hours |

One additional setup step that most guides skip: configure a custom tracking domain for your ESP instead of using their shared tracking domain. Shared tracking domains carry the reputation of every other sender on the platform. A custom tracking domain (such as track.yoursendingdomain.com) isolates your link tracking reputation completely.

No domain can achieve 89% open rates without clean authentication. Every Deep-Y client domain is authenticated before day 1 of warmup - SPF, DKIM, DMARC, and custom tracking domain configured and verified before a single warmup email leaves the inbox.

What Is the 21-Day Domain Warmup Protocol?

The warmup schedule below is the actual protocol Deep-Y follows for every new sending domain. The targets are conservative by design - there is no competitive advantage to rushing warmup, and the cost of hitting spam is always higher than the cost of taking one extra week.

21-Day Sending Schedule

Days 1-3 (10/day): Send only to warm contacts - colleagues, team members who will open and reply. Do not cold prospect. Run tool-based warmup in parallel (Instantly, Mailwarm). Monitor bounce rate - must stay below 2%.

Days 4-7 (20/day): Increase volume with continued tool warmup. Mix in warm contacts who can generate real engagement signals. Verify DNS records have fully propagated. Check that no IPs have appeared on blacklists via MXToolbox.

Days 8-14 (30-40/day): First real cold prospects - keep to 10-15% of total send volume. Test inbox placement using GlockApps or Mail-Tester. Target 90%+ inbox rate. Watch for any bounce rate spikes - use only verified lists.

Days 15-21 (40-50/day): Full cold prospecting. Monitor open rates - should be 40%+ if authenticated and targeted correctly. Check spam complaint rate with Google Postmaster Tools. Must stay below 0.1% to avoid Gmail throttling.

Day 22+ (40-50/day): Stable production phase. If adding volume, increase by no more than 10% per week. Never exceed 50 cold emails per inbox per day - that is Gmail's unwritten ceiling for non-promotional sender treatment.

The 50 emails per inbox per day ceiling is the most commonly violated rule in cold email. It is not published officially by Google, but exceeding it consistently triggers algorithmic throttling that looks identical to a spam flag. The only way to scale volume beyond 50 per day is to add more inboxes - not to push one inbox harder.

A critical rule for days 8-14: the cold prospects introduced in this window must come from verified lists. Use a list verification service (NeverBounce, ZeroBounce, or Millionverifier) before any cold send. A single batch of unverified emails that generates 5%+ bounces on a domain that is still in warmup can reset your reputation progress significantly.

How Many Domains and Inboxes Do You Actually Need?

This is where most cold email operators make their biggest math error. If you want to send 500 cold emails per day, you do not configure one domain to send 500 emails. You build a domain infrastructure that distributes volume across 10-12 warmed, authenticated sending domains - each running at 40-50 emails per day.

The rule of thumb is one domain per 30-50 daily cold emails. At Deep-Y, we size client sending infrastructure before any warmup begins: target volume divided by 40 = minimum number of sending domains required. A 200-email-per-day campaign needs at least 5 domains. A 1,000-email-per-day campaign needs 20-25 domains - each warmed separately, each with its own SPF, DKIM, and DMARC setup.

Domain selection matters as much as count. Use .com, .io, or country-specific TLDs that look like legitimate businesses. Avoid .info, .biz, and .co extensions - they carry negative prior reputation signals baked in from years of spam association. The sending domain name itself should be company-adjacent and credible: getdeep-y.com or trydeep-y.com rather than a random string.

Most importantly: your primary business domain is off-limits for cold outreach. The risk is asymmetric. Cold email generates inevitable spam complaints - even a 0.05% complaint rate on a 10,000-email campaign means 5 complaints. Those complaints on your primary domain affect transactional email, inbound replies, and brand communication. The cost of a separate sending domain ($15/year) is trivial compared to the cost of damaging primary domain reputation.

Which Domain Warmup Tools Are Worth Using?

Warmup tools occupy a specific and limited role in the protocol. They create artificial send-and-receive activity between a network of inboxes - essentially simulating the engagement patterns that tell Gmail and Outlook this domain is actively used for real correspondence. In the first 14 days, they are valuable. They should not be the only warmup activity, and they cannot replace the engagement signals that come from real human interaction.

The four tools worth knowing about in 2026: Instantly warmup (included in Instantly subscription at no extra cost), Mailwarm, Warmbox, and Lemwarm. All four create synthetic send-and-receive pairs across their user networks. The meaningful differences are in pool size - a larger warmup pool creates more diverse engagement signals - and in control over daily send volume targets.

What warmup tools do well: they catch authentication errors immediately (a failed DKIM signature shows up in the first day of tool warmup), they establish the base reputation signals Gmail looks for, and they run automatically without manual attention. What they cannot do: they do not generate the kind of engagement signals that come from a real person reading, replying, and marking as safe. The best warmup combines tool automation with real sends to colleagues and contacts who will interact genuinely with the messages.

| Tool | Pricing | Key Feature | Limitation |
|---|---|---|---|
| Instantly Warmup | Included with Instantly subscription | Large pool (200K+ inboxes), automated volume scaling | Warmup quality tied to Instantly subscription tier |
| Mailwarm | Standalone subscription | Clean dashboard, real engagement simulation, spam complaint recovery | Smaller pool than Instantly; standalone cost adds up |
| Warmbox | Standalone subscription | Detailed inbox placement tracking, blacklist monitoring built in | Limited integrations; works best with Google Workspace |
| Lemwarm | Included with Lemlist subscription | Deep Lemlist integration, smart warmup pauses on deliverability drops | Requires Lemlist subscription; pool size smaller than Instantly |

The combination that consistently works: tool-based warmup running from day 1 through at least day 21, real sends to warm contacts throughout the first two weeks, and first cold prospects introduced no earlier than day 8 with verified lists only. Remove any one of these three elements and warmup quality degrades.

How Do You Know Your Domain Is Ready for Cold Outreach?

Three objective signals confirm that warmup is complete and the domain is ready for full cold volume. Each should be checked at days 7, 14, and 21 - not just at the end.

Signal 1: GlockApps inbox placement shows 90%+ inbox rate on both Gmail and Outlook. GlockApps sends a test message to a set of seed addresses across providers and reports where it lands: inbox, promotions tab, spam, or missing entirely. A domain ready for cold outreach hits 90%+ inbox on Gmail and Outlook simultaneously. If it is landing in promotions consistently, check your subject line patterns and tracking domain setup. If it is landing in spam, stop all sends and audit authentication.

Signal 2: Test emails to your own Gmail and Outlook accounts land in primary inbox without warning banners. This is the fastest manual check - send a plain-text message from the warmed domain to a personal Gmail and Outlook account you control. If it arrives in primary inbox with no "This message seems dangerous" banner, the domain is in good standing with those providers. AirCentral reached 89% open rates only after this test passed on every sending domain.

Signal 3: No bounce rate spikes on first 100 real sends, staying below 2%. The first 100 cold sends are a real-world stress test. If the bounce rate stays below 2%, the list quality and domain reputation are both holding. A spike above 2% in the first batch is a red flag - pause, verify the list, and check for authentication issues before continuing.

If warmup fails any of these checks, the remediation path is: verify all DNS records are correctly published (use Google Admin Toolbox and MXToolbox), check whether any IPs are on spam blacklists, review bounce error codes (5xx permanent bounces indicate reputation issues; 4xx soft bounces indicate throttling), and pause all sends for 48-72 hours before restarting at lower volume. A single spam trap hit in early warmup resets progress significantly.

What Are the Most Common Domain Warmup Mistakes?

95% of cold email deliverability problems trace back to infrastructure issues, not copy issues. Deep-Y audits domain health before writing a single email line for any client. The six mistakes below account for the overwhelming majority of failed warmups.

Mistake 1: Skipping authentication. Sending without SPF, DKIM, and DMARC configured means automatic spam flagging on every major provider. There is no workaround and no gradual consequence - the first sends go to spam and reputation damage accumulates from minute one.

Mistake 2: Jumping to high volume too fast. Day 3 at 100 emails triggers exactly the anomaly pattern that spam filters are designed to catch. The ramp schedule exists because reputation is built through consistent behavior over time - not through high single-day sends.

Mistake 3: High bounce rates on early sends. Using unverified prospect lists in the first two weeks of warmup is one of the most common ways to collapse a warmup. A 5% bounce rate at day 10 can take weeks to recover from. Verify every list before any send during warmup.

Mistake 4: Using only tool-based warmup with no real engagement. Warmup tools generate synthetic signals that Gmail increasingly recognizes. Supplementing tool warmup with genuine human send-and-receive creates the engagement mix that builds durable reputation.

Mistake 5: Using your primary domain for cold outreach. One spam complaint spike on your primary domain can damage transactional deliverability for months. The separation between sending domains and your primary domain is a core infrastructure rule - not a nice-to-have.

Mistake 6: Not monitoring placement throughout warmup. A domain can degrade mid-warmup without obvious warning signals. Running GlockApps tests at days 7, 14, and 21 catches problems while they are still recoverable. Skipping monitoring and only checking at the end of 21 days means discovering a failed warmup after cold sends have already gone out.

Solar Direct - Solar Sales Infrastructure

Solar Direct came to Deep-Y with 6 sending domains that had been running cold outreach without proper warmup - average open rates were sitting at 12%, well below what authenticated and warmed infrastructure produces. Deep-Y rebuilt the sending infrastructure from scratch: registered 8 new domains, ran the full 21-day warmup protocol with authentication and tool warmup, and verified placement before any cold sends went live.

85% average open rate on the first post-warmup campaign batch.

The difference between 12% and 85% was not copy. It was not subject lines. It was infrastructure that was set up correctly from the start - the exact difference proper domain warmup makes in real campaigns.

Frequently Asked Questions: Domain Warmup for Cold Email

How long does domain warmup take for cold email?

A standard cold email domain warmup takes 21-30 days before the domain is ready for full cold outreach volume. The first 7 days focus on authentication verification and base reputation signals through tool warmup and sends to warm contacts. Days 8-14 introduce a small percentage of cold prospects to test real-world deliverability. Days 15-21 bring the domain to full production volume at 40-50 emails per inbox per day. Compressing this timeline increases the probability of spam flagging proportionally.

Can I use Instantly or Mailwarm for warmup?

Yes - Instantly warmup (included in Instantly subscriptions), Mailwarm, Warmbox, and Lemwarm are all legitimate warmup tools that create artificial send-and-receive activity to build base reputation signals. They are a required component of the first 14 days of warmup. The critical limitation: they cannot replace the engagement signals that come from real humans opening, replying to, and marking emails as safe. Use them alongside real sends to warm contacts rather than as the sole warmup method.

Do I need separate domains for cold email?

Yes, always. Your primary business domain should never be used for cold outreach. Cold email carries inherent spam complaint risk - even a 0.05% complaint rate on a large campaign means multiple complaints that can damage your primary domain's reputation for transactional email (receipts, confirmations, inbound replies). Use company-adjacent sending domains on credible TLDs (.com, .io) for all cold outreach, and keep your primary domain exclusively for inbound communication.

What sending volume per day is safe for cold email?

The safe ceiling for cold email is 50 emails per inbox per day. Exceeding this triggers algorithmic throttling on Gmail that looks identical to a spam flag. Start at 10 per day during warmup and scale to 40-50 over 21 days. To send higher total volumes, add more warmed inboxes and domains - do not push a single inbox past 50. A campaign targeting 500 daily sends requires 10-12 warmed sending domains running at 40-50 emails each.

How do I set up SPF, DKIM, and DMARC?

SPF is a TXT record added at your root domain in your DNS host or registrar - it lists the mail servers authorized to send from your domain. DKIM is set up inside your email service provider (Google Workspace or Microsoft 365) which generates a key pair; you publish the public key as a TXT record in DNS. DMARC is a TXT record at the _dmarc subdomain specifying your policy - start with p=none for monitoring, move to p=quarantine after 30 days of clean data. All three propagate within 1-48 hours; verify them with Google Admin Toolbox before starting warmup.

What happens if I don't warm up my domain?

Skipping domain warmup results in 80-95% spam placement rates in the first 30 days - the campaign is effectively invisible before a single cold prospect reads it. Beyond the immediate campaign failure, the reputation damage accumulates: Gmail and Outlook learn from spam placement and make future sends harder, not easier. Recovery typically requires pausing all sends for 2-4 weeks, restarting the warmup process from scratch, and in severe cases, abandoning the domain and registering a new one.

How do I check if my emails are landing in spam?

The most reliable method is GlockApps inbox placement testing - it sends a test message through your domain to a set of seed addresses across Gmail, Outlook, and other providers, and reports exactly where each message landed (inbox, promotions, spam, or missing). Mail-Tester is a free alternative that gives a deliverability score and identifies specific issues. For ongoing monitoring during warmup, Google Postmaster Tools tracks spam complaint rates and domain reputation signals directly from Gmail's perspective - set it up on day 1.

What is a good open rate after domain warmup?

A properly warmed, authenticated domain sending to a targeted, verified B2B list should achieve 40-60% open rates in cold outreach. Deep-Y clients regularly hit 85-89% open rates (AirCentral: 89%, Solar Direct: 85%) because authentication is complete, targeting is precise, and the sending infrastructure is maintained correctly. The industry "average" open rate of 20-25% for cold email reflects unwarmed domains, poor authentication, and untargeted lists - not what is achievable with proper infrastructure.

How many domains do I need for a large cold email campaign?

Divide your target daily send volume by 40 to get the minimum number of sending domains required. A 200-email-per-day campaign needs 5 domains. A 1,000-email-per-day campaign needs 25 domains. Each domain should have 1-2 inboxes, its own SPF, DKIM, and DMARC configuration, a custom tracking domain, and must complete the full 21-day warmup before any cold sends. Running warmup on all domains in parallel is standard practice - they can all be warming simultaneously while the first domains reach production-ready status.

What is BIMI and should I set it up?

BIMI (Brand Indicators for Message Identification) is an optional DNS record that displays your brand logo in supported email clients (Gmail, Yahoo, Apple Mail) next to messages that pass DMARC authentication. It increases visual brand recognition and provides a marginal trust signal to recipients. BIMI requires a validated DMARC policy at p=quarantine or p=reject before it activates. It is worth setting up after the first 30 days of warmup once DMARC enforcement is in place - do not prioritize it over SPF, DKIM, and DMARC in the initial setup phase.

What bounce rate is acceptable during warmup?

Keep bounce rates below 2% at all stages of warmup. During days 1-7 when sending only to warm contacts, bounce rates should be near zero - any bounce at this stage typically indicates a DNS configuration issue. When introducing cold prospects from day 8 onward, a 1-2% bounce rate is acceptable if you are using verified lists. Above 2% is a signal to pause, verify your list quality with NeverBounce or ZeroBounce, and investigate whether there are authentication errors causing legitimate messages to be rejected as undeliverable.

My warmup is done but I'm still hitting spam - what now?

Post-warmup spam issues almost always trace to one of four causes: an authentication record that was misconfigured or has drifted (check SPF, DKIM, DMARC with MXToolbox), an IP address on a blacklist (check all sending IPs on MXToolbox Blacklist Check), a spam complaint rate above 0.1% triggering Gmail throttling (check Google Postmaster Tools), or a custom tracking domain that has been flagged. Audit all four in sequence. If the domain reputation has been significantly damaged, a full reset - stopping all sends for 2-4 weeks and restarting the warmup protocol - is often faster than trying to recover incrementally.

Can I speed up domain warmup?

The warmup timeline cannot be compressed meaningfully without increasing spam risk. What looks like "faster warmup" in practice is usually cutting corners that catch up later - skipping authentication verification, pushing volume too early, or relying entirely on tool warmup without real engagement. The 21-day minimum is calibrated to how long Gmail and Outlook need to build a stable reputation assessment. Starting warmup on multiple domains simultaneously (so more domains are ready sooner) is the correct way to accelerate the timeline for large campaigns - not compressing warmup on individual domains.
