Email Authentication

Every sales team doing outbound needs to know this about email deliverability in 2024: No EXCEPTIONS. Email deliverability is a “death by a thousands paper cuts” type of situation. Stop stacking paper cuts. ✅ Set up secondary domains. If you are still cold emailing off your primary email domain you may be in big trouble. The last thing you want (especially if you aren’t a reputable company) is to burn your primary domain. This doesn’t just affect your sales team. It affects everybody at your company. ✅ Set up your DNS (DMARC, SPF & DKIM) records for ALL of your secondary domains. ✅ Secondary domains should link to your primary. You want to make sure your prospects are being directed to your actual company domain if they are curious and click. ✅ Instantly.ai recommends limiting yourself to 3 email addresses per domain. ✅. Email Warmup - Domains should be “warmed up” for 14 days before cold emailing. Send at least 20-40 warm up emails per day per email account, with a 40% reply rate. This builds your domain reputation. NEVER switch off email warm-up. ✅ Email Volume - do NOT send more than 30 emails per day per email account. ✅ Keep your email signature plain text. No Links. AT ALL. Add your address in your signature and make sure you put a picture in your Outlook or Gmail profile. ✅ Vary your cold email copy. Sending the same template to every prospect signals that you are a spammer. Take the time to personalize emails. For emails further in your sequence, use Spintax. Use alternate phrases “Hi, Hey, Hello”. ✅ Understand that your domain gets TORCHED when people mark your email as spam. Good and relevant copy matter. Also, don’t run 7+ email step sequences. It’s okay to have sequences that are 15 steps. But make them multi-channel (Calls, LinkedIn, Email). ✅ Constantly monitor your email deliverability. Highly recommend using Instantly.ai to make this all easier. Maintaining good deliverability over time is key in the success of outbound. Curious - what else should I have mentioned here?

Starting from February 1st, Gmail and Yahoo are making some big changes to their policy. But the no.1 requirement is one too technical for most marketers: “Authenticate outgoing emails setting up SPF, DKIM, and DMARC” Here’s what all those terms means, and what you need to do to make sure your emails continue to reach your users: What email clients want is for a way to check the “authenticity” of your emails. So they ask you to set up these authentication techniques: 1. SPF allows a domain to specify which IP addresses can send that mail. It’s like specifying which ‘postman’ is allowed to deliver the mail. 2. DKIM is like a digital signature. Imagine a seal on the envelope telling you its contents were not altered. 3. DMARC is a policy that decides what to do with the mail if both SPF and DKIM fail. *** How can you check if your email is authenticated as a sender?  1. Open an email in your desktop  2. Click the three dots on top right  3. Click “Show original”  4. Should show PASS for SPF/DKIM/DMARC *** Besides having these in place, here are some other recommendations in the recent updates by Gmail & Yahoo: 1. DMARC policy of p=none is enough for now. DMARC policies can be of different types. In ‘p=none’, you don’t take any action against emails that have failing SPF/DKIM. But you receive reports to keep an eye. But if your brand has already seen phishing emails being sent in your name, it’s better to switch to p=reject/quarantine.  2. Separate email types by IP or DKIM domain I.e., don’t send marketing emails and transactional emails from the same source. It ensures that any negative response to a marketing campaign doesn’t also lead to your important transactional emails to land in spam. *** None of these requirements are new. They were just more often called ‘best practices.’ If you need any other questions about these changes, ask away in the comments below

1. SPF (Sender Policy Framework) 🔹 Purpose: Prevents spammers from sending messages on behalf of your domain. 🔹 How it works: The domain owner publishes a list of IP addresses (in DNS) allowed to send emails from that domain. Receiving servers check if the email’s sending server is on the list. 🔹 Pass/Fail Decision: If it’s not on the list, SPF fails. ✅ Good for: Detecting forged sender addresses in the envelope. 2. DKIM (DomainKeys Identified Mail) 🔹 Purpose: Ensures that the content of the email hasn’t been altered. 🔹 How it works: The sender’s server adds a digital signature (private key) to email headers. The receiver verifies the signature using a public key stored in DNS. 🔹 Pass/Fail Decision: If the signature matches, the email is valid. ✅ Good for: Verifying message integrity and authenticity. 3. DMARC (Domain-based Message Authentication, Reporting, and Conformance) 🔹 Purpose: Combines SPF and DKIM to enforce domain policies. 🔹 How it works: Domain owners publish a policy in DNS (e.g., reject/quarantine unauthenticated emails). DMARC checks if the email passes SPF or DKIM and if the domain in the "From" address aligns. 🔹 Reports: Domain owners get reports on who is sending mail on their behalf. ✅ Good for: Domain protection and visibility into email spoofing attempts.

80-85% of the time when a VP of Sales asks me to look at why their outbound is not performing, more often than not one of the MAIN issues is deliverability. As we are handling over 2500-3000 cold email accounts across 120+ clients, 1 day in spam can mean millions of dollars in lost potential revenue. Here is everything we are doing for them (that you can steal) to stay out of SPAM: 1. Email infrastructure: - Use Cloudflare for domains, only buy .com’s, no dashes or weird symbols, use just letters, preferably avoid numbers as well - Make sure SPF, DKIMC, DMARC is setup properly. You can use mail-tester to check your setup - Use Google work emails for other Google emails and alternative providers besides Microsoft - Use Azure accounts for messaging folks on Microsoft work emails . Outlook deliverability is still bad but this is the best solution right now - For Google we still do 2 inboxes, 1 domain in 1 workspace - For Azure accounts it’s a bit wacky 500 emails account under one domain In terms of volume and split we always look at TAM and who you are after. In general for every 30k companies I would target 7.5k prospects each month, which is about 20-25 Google inboxes with some in back up + the 500 Azure accounts. If you are after more enterprise you might need a higher % inboxes in azure, otherwise 15% or below is fine. Ramp sending slowly: - For Google inboxes 35-40 emails per day after 2-3 weeks of gradual ramp - For Azure it’s 3-4 emails per day per inbox, ramp up can be faster 1-2 weeks 2. Tech stack: I can’t stress this enough what you use to send and warm up your emails matters as much as the infrastructure. - For email warm up and sending we use PlusVibe - trust me we tested all of the competitors, this is the best one when it comes to deliverability and features - You should pay more and ask for dedicated residential IPs - this is why we started landing in spam for weeks with our previous provider - Before sending any emails run them through a debouncer like Bouncer 3. Best practices So now everything is set and you can spam random messages right? Nope. - Avoid using spam words - you can use Mailmeteor spam checker to check them - Rotate inboxes - every couple of months we switch inboxes or whenever we see them dropping to below 90-95% on the email warmup - Randomise your content with spyntax - sending the same copy will land you in spam - Change your copy every 3 months at least, even with a lot of variables it can start landing in spam - Don’t track open rates and click through rates - they are vanity metrics, depend on reply rates and lead rates - Avoid links and images - literally any even in your signature - Don’t message people from the same company more than 2-3 times in 1 week - Do spam checks on inboxes - we do these manually at least monthly by messaging other Google and Outlook/Azure inboxes and checking if they go to spam Grab a time here for a free cold email deliverability audit: https://www.hypergen.io/

I thought great copy was the secret to cold email. Then I realized 80% of my emails were landing in spam. Here’s what we found: 1️⃣ Domain protection is the #1 lever for deliverability → Most teams burn their main domain without realising it. Once a domain is flagged, everything gets filtered (even normal emails). We run 100+ secondary domains to protect our brand and reduce risk. Tool stack: Google Workspace, Namecheap, Warmup tools Next step: Move every outbound sequence off your primary domain. 2️⃣ Safe volume beats high volume → Sending 500 emails/day from one domain is the fastest path to spam. Deliverability collapses instantly. We spread volume across hundreds of mailboxes and stay under 40/day for each. Impact: Fewer red flags, higher trust, better inbox placement. Next step: Audit how many sends each domain is doing right now. 3️⃣ Authentication is non-negotiable → SPF, DKIM, and DMARC are the foundation ESPs check before letting anything through. Without proper authentication, you look suspicious by default. Tools: dmarcian, Google Admin, Cloudflare Next step: Run a deliverability test and fix whatever shows up in red. 4️⃣ Warm-up → Most domains get burned because people start sending too early. ESPs need time to trust you. We warm each domain for two full weeks before sending anything. Why it works: Slow ramp-up = better deliverability. If you just bought a domain, don’t touch it for 14 days. 5️⃣ Natural variation reduces spam triggers → Sending the same message repeatedly creates patterns that ESPs flag. You need micro-variation to look human. We use subtle spintax + a few message versions per campaign. Tools: Instantly.ai, Smartlead Next step: Add small variations to your first lines and CTAs. 6️⃣ Clean tracking protects your domain reputation → Tracking links are an instant red flag. Most agencies don’t realize this. We use custom tracking domains or disable tracking entirely for key campaigns. Next step: Replace all generic tracking links. The results: → 500,000+ emails/month reaching real decision-makers → Higher inbox placement across every ESP → Predictable revenue for ColdIQ clients → Stable domain health across all mailboxes Deliverability isn’t the flashy part of outbound, but it’s the part everything else depends on. If you want our 7-day GTM deliverability setup (domains, warm-up, templates, monitoring tools)... drop me a message, happy to help.

It’s official: email best practices are no longer best — they’re required. Here’s why... Microsoft recently announced new bulk sender requirements that mirror the ones Google and Yahoo rolled out last year. And they aren’t just doing this for fun, promise. They’re doing it because too many senders ignored best practices when they were optional. So, now they’re mandatory. ¯\_(ツ)_/¯ Starting May 5th, if you’re sending more than 5,000 emails a day and not following the rules, Microsoft’s going to start rejecting your mail. Not junking it. Rejecting it. And I wanna be clear here: this isn’t coming out of nowhere. The writing’s been on the wall for a while... and mail has been silently filtered away from the inbox all this time. Now it's just that the rules aren't written in invisible ink! So, what are these rules I speak of? 💌 Authentication (SPF, DKIM, DMARC) Yes, we’re still talkin’ about this… get used to it. Microsoft wants the same setup Google and Yahoo asked for. If your domains aren’t properly authenticated and aligned, your deliverability will suffer. 💌 Valid “From” and “Reply-To” Addresses Microsoft wants to make sure that when someone replies to your message, there’s someone on the other end. No more sending from a “noreply@brand.com” black hole. 💌 One-Click Unsubscribe (RFC 8058) They’re cracking down on bad unsubscribe flows. Make it easy. No weird hoops or loops or “oops, we need 10 days to process your request.” Just a simple unsubscribe option that actually works. If you’re already sending it right (ahem, compliant with Google and Yahoo’s requirements), this is mostly a “cool, cool, carry on” moment. But you’ll need a whole lotta margaritas and tacos to overcome your sorrow if you’ve been dragging your feet. May 5th (ahem, cinco de mayo!) is not the day to find out Microsoft doesn’t play. What happens if you’re not ready? If you need help figuring out where you stand, here are a few fast checks: ✅ SPF, DKIM, and DMARC passing in headers? ✅ “Reply-To” address monitored and functioning? ✅ One-click unsubscribe live and working? ✅ Lists clean and bounce/spam complaint rates under control? If not, now’s the time to fix it. Not next week. Not next quarter. Now. TLDR: if you’re not sending responsibly, you’re not sending at all. Because come Monday — yes, THIS Monday — non-compliant mail will be rejected at the door. No inbox. No spam folder. Just blocked. So, get it together, you (not so) filthy animals! LinkedIn says I’m outta characters, but if you need tool recommendations or a second set of eyes on your setup, I'm happy to help. Reach out, email scout. 💌

We send 800k+ emails a month, and I have spent the last 2 years understanding every reason for emails landing in spam. Today, I am sharing all the good resources I found during this journey! Most emails don’t get blocked because you’re a spammer. They get blocked because you missed one tiny config buried in a 20-year-old spec. Email delivery feels a little like a black box! Old docs, conflicting advice, and invisible rules. So sharing the list I wish I had when we started. 1. LearnDMARC (learndmarc.com) - An interactive visualizer that makes SPF, DKIM, and DMARC simple and easy to understand. 2. Postmark’s “Why Emails Go to Spam.” - The clearest explanation of sender reputation, content filters, and engagement signals. 3. MXToolbox - Debug SPF/DKIM/DNS issues 4. Mail-tester.com - Send a test email, get a deliverability score. My go-to before every big template change. 5. Google Postmaster Tools - Gmail’s own dashboard for domain reputation. No more guessing. 6. RFC 5321 (SMTP spec) - Yes, this feels intimidating. But even skimming it gave me massive clarity on how email really works. 7. Spamhaus blog: Word to the Wise - Insights on sender reputation straight from the people who run the biggest blocklists. This is one of the best blogs I have found on the internet! Email isn't glamorous. But it’s critical infrastructure. And most of the knowledge is scattered across forums and old blog posts. If you’re building anything that sends email, save this! It’ll save you a loooot of time debugging!

I've said this before and I'll say it again — we've been struggling.. with cold email deliverability. Cold email infrastructure is frustrating - even when following best practices, deliverability remains inconsistent. I researched everything to solve this problem once & for all. Let me break down what actually works: 1) Infrastructure & Setup: -> Domains & inboxes - Never send cold from your primary domain - Use 3-5 sibling domains, 3-5 inboxes each - Keep branding believable; avoid spammy TLDs (.tk, .ml) - Set up Google Workspace or M365 for legitimacy -> Authentication - SPF covers every sender, DKIM at 2048-bit minimum - DMARC from p=none → quarantine once stable (never jump to reject) - Alignment across From/Return-Path is non-negotiable - Test with mail-tester.com weekly -> Compliance - Clear opt-out, real physical address, legitimate interest docs (EU) - Honor opt-outs within 24 hrs max 2) Sending Strategy: -> Warm-up - New domains need 8-12 weeks minimum - Simulate real engagement (opens/replies/forwards) - Use warmup tools like mailwarm, lemwarm or Instantly.ai -> Volume & Pacing - Start 10-20/day per inbox, add +20-50 weekly if metrics stay green - Randomize send windows; 60-120s gaps b/w sends - Respect recipient time zones (9am-5pm local) -> Timing - B2B sweet spots: Tue-Thu late morning & early afternoon - Avoid Mondays (inbox overload) & Fridays (weekend mode) 3) Content & Copy: -> Subject lines - 6-10 words, human and specific - Personalized context beats cleverness every time - Avoid fake urgency, ALL CAPS, excessive punctuation!!! - Test: "Quick question about [specific company pain point]" -> Body - Short, skimmable, 1 idea + 1 ask maximum - Personalize in layers: hyper-custom for top 10%, segment-level for rest - Use natural language, avoid marketing speak - Images and links kill deliverability - use sparingly -> CTA - Make next step tiny (15-min scan, 1-question reply, "worth a chat?") - Single CTA only - multiple options confuse and reduce response 4) List & Data: -> Sourcing - Prioritize intent and fit over volume always - Dedupe domains (max 1-2 people per company per campaign) - Use Apollo, ZoomInfo or Clay for verified contacts -> Hygiene - Verify syntax + domain + mailbox before sending - Remove hard bounces instantly (never retry) - Prune unengaged cohorts quarterly - Never recycle unsubscribed contacts -> Segmentation - Hot/Warm/Cold bands by recency + engagement - Throttle "Cold" segments heavily 5) Monitoring & KPIs: - Delivery rate ≥98%; investigate anything <95% - Bounce rate <2% (≤1% is excellent) - Spam complaints <0.1% absolute ceiling - Track domain/IP reputation, blacklist status weekly - Use seed accounts & inbox tests ps. Have a response/POA for objections like “not the right person” / “not decision maker” / “No longer at company” / “have in-house team already” / “please contact john from abc” You can also use Valley on LinkedIn - book 2 demos/week for every seat.

Your emails are going to spam because of your DNS records, even with SPF, DKIM, and DMARC configured You did everything right. — SPF? ✅ Passed. — DKIM? ✅ Passed. — DMARC? ✅ Configured. Yet, your emails are still landing in spam. What’s going on? 🔎 Alignment Google (and other providers) don’t just check if SPF and DKIM pass They check if they’re aligned with your “From” address If they’re not? Your email looks spoofed Even if it’s 100% legit 📌 Look at the screenshot. — SPF ✅ — DKIM ✅ — Alignment ❌ → Google throws a warning. DMARC is only fully effective when SPF or DKIM aligns with the “From” domain. If they don’t match? Spam. This is why so many emails fail silently—they pass authentication but still get filtered. How to Fix It? — Make sure your sending domain is consistent across SPF, DKIM, and “From.” — Use strict alignment in your DMARC (aspf=s; adkim=s) if you want real protection. — Check your email headers. Gmail → “Show Original” → Look for domain mismatches. Most people think just setting up SPF, DKIM, and DMARC is enough Or worse, they *think* they're aligned. It’s not. Alignment is the missing piece Fix it. Get out of spam because of technicalities If you need help figuring out if your DNS records are aligned, drop me a comment and I'll do a quick audit for you :D

If you’re still sending email from an onmicrosoft.com address, Microsoft is tightening the rules. This matters because your messages could start getting throttled or blocked, which means invoices, password resets, and customer updates might never arrive. Microsoft’s goal is to stop spammers who spin up fresh tenants and abuse the shared onmicrosoft.com domain. But the side effect is real organizations will see lower deliverability and limits on bulk or automated sends until they move to a proper, verified domain. What’s changing? Microsoft is putting sending limits and stricter checks on any email that leaves an onmicrosoft.com address. Because it’s a shared domain used by millions, one bad actor can hurt the reputation for everyone. The fix is simple but urgent: switch to your own branded domain and set up modern email authentication (SPF, DKIM, and DMARC). That tells receiving mail systems, “Yes, this is really us,” and helps keep your mail out of spam and off block lists. What should you do now? Audit where onmicrosoft.com shows up—service accounts, no-reply inboxes, ticketing tools, scanners, CRM alerts, and scripts. Register or connect your custom domain, add the DNS records, and rotate apps and automations over to the new addresses. Test mail flow, watch for bounce backs, and update address books, forms, and templates. Train your team so they know which sender addresses are approved going forward. A little cleanup today will save a lot of missed messages tomorrow. #Microsoft365 #EmailSecurity #ITAdmin #ChangeYourPassword Follow me for regular updates on Microsoft 365 changes, security tips, and clean-up checklists that keep your org’s email flowing.