Cold Email Deliverability Audit: The 14-Point Checklist

By Puzzle Inbox Team · Jan 18, 2026 · 11 min read

Run through this checklist before every cold email campaign to ensure maximum inbox placement and avoid spam folders.

The Pre-Campaign Deliverability Checklist

I have seen cold email campaigns fail for every possible reason — bad copy, wrong ICP, terrible timing. But the most frustrating failures are the ones where the emails never even reach the inbox. You write a great email, target the right people, and 65% of your sends land in spam because your DNS was misconfigured or your inboxes were not warmed up.

This checklist exists to prevent that. I run through it before every campaign launch, and it takes about 10 minutes. Those 10 minutes have saved me from burning domains, wasting client budgets, and the headache of rebuilding infrastructure from scratch. Run through all 14 points below before you hit send.

DNS Authentication (Points 1-3)

1. SPF Record Passing

Why it matters: SPF (Sender Policy Framework) tells receiving email servers which IP addresses are allowed to send email on behalf of your domain. Without a valid SPF record, receiving servers have no way to verify your email is not forged — and most will either flag it as suspicious or send it straight to spam.

How to check: Use MXToolbox\'s SPF Lookup tool. Enter your sending domain and verify the result shows "pass." You can also send a test email to a Gmail account and click "Show Original" to see the SPF authentication result in the email headers.

What bad looks like: "SPF: FAIL" or "SPF: SOFTFAIL" in the email headers. This happens when your sending platform\'s IP is not included in the SPF record, when the record has syntax errors, or when you have more than 10 DNS lookups in the SPF chain (Google enforces this limit strictly).

What good looks like: "SPF: PASS" in the headers. A clean SPF record that includes your email provider and sending platform, with no extra entries left over from old tools.

Quick fix: Log into your domain registrar, find the TXT record for SPF, and make sure it includes the correct "include:" statement for your email provider. For Google Workspace, it should contain include:_spf.google.com. For Outlook, include:spf.protection.outlook.com. If you use a provider like Puzzle Inbox, they configure this for you automatically.

2. DKIM Record Passing

Why it matters: DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The receiving server uses the public key published in your DNS to verify the email was not altered in transit. Without DKIM, your emails look less trustworthy and are more likely to be flagged.

How to check: Send a test email to Gmail, open it, click "Show Original," and look for "DKIM: PASS." You can also use MXToolbox\'s DKIM lookup — you will need to know your DKIM selector (it varies by provider).

What bad looks like: "DKIM: FAIL" or "DKIM: NONE" in the headers. Common causes: the DKIM DNS record was never added, the record was added to the wrong domain, or the record has a typo in the key value.

What good looks like: "DKIM: PASS" for every test email, consistently. Both your email provider and your sending platform should have valid DKIM entries.

Quick fix: Generate a DKIM key pair through your email provider\'s admin console and add the public key as a TXT record in your DNS. Google Workspace makes this available under Admin Console > Apps > Gmail > Authenticate Email. Copy the record exactly — even a single missing character will cause DKIM to fail.

3. DMARC Record Present

Why it matters: DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Without DMARC, you are missing a layer of authentication that major providers (especially Google and Microsoft) now expect to see.

How to check: Use MXToolbox\'s DMARC lookup. Enter your domain and verify a DMARC record exists.

What bad looks like: No DMARC record at all. Or a DMARC record with p=reject when your SPF and DKIM are not fully configured — this will cause legitimate emails to be rejected.

What good looks like: A DMARC record with p=none or p=quarantine at minimum. For cold email, v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com is a safe starting point. The rua tag gives you reports on authentication failures so you can diagnose issues.

Quick fix: Add a TXT record on the subdomain _dmarc.yourdomain.com with the value above. This takes 2 minutes and propagates within 24-48 hours.

Inbox Readiness (Points 4-6)

4. Warmup Completed (14-21 Days Minimum)

Why it matters: A brand-new email inbox has zero sender reputation. If you immediately start sending 25 cold emails per day from it, email providers see a sudden burst of activity from an unknown sender and flag it as suspicious. Warmup builds reputation gradually by exchanging emails with other inboxes and maintaining positive engagement signals (opens, replies, moving out of spam).

How to check: Verify in your warmup tool (built into most sending platforms, or standalone tools like Warmbox) that each inbox has completed at least 14 days of warmup with 30-40 warmup emails per day. Check that the warmup engagement rate is above 50%.

What bad looks like: Sending cold email from inboxes with less than 7 days of warmup. I have watched campaigns get 15% inbox placement because someone was impatient and launched after 3 days. The entire batch of domains got burned and had to be replaced — a $200-400 mistake plus 3 weeks of lost time.

What good looks like: Full 14-21 day warmup completed, warmup tool showing strong engagement metrics, and warmup continuing to run alongside your cold email campaigns (never turn warmup off while actively sending).

Quick fix: If you ordered inboxes from Puzzle Inbox, pre-warming is included and starts automatically. If you set up inboxes manually, connect them to your sending platform\'s warmup feature or a standalone warmup tool immediately after creation. Set warmup volume to 30-40 emails per day and wait the full 14-21 days.

5. GlockApps Inbox Placement Test Above 85%

Why it matters: Warmup completion does not guarantee inbox placement. GlockApps sends test emails from your inbox to seed accounts across Gmail, Outlook, Yahoo, and other providers, then reports exactly where each email landed — primary inbox, promotions tab, spam, or not delivered at all.

How to check: Create a GlockApps account (they have a free tier), run an inbox placement test for each of your sending inboxes (or at least a sample of 3-5), and review the results. You want 85%+ inbox placement across providers.

What bad looks like: Below 70% inbox placement, especially if most of the failures are on Gmail or Outlook. I once audited an agency\'s campaign where they had 40% inbox placement to Gmail — meaning 60% of their emails to Gmail users were going to spam or promotions. They had been running this campaign for 3 weeks wondering why reply rates were under 0.5%.

What good looks like: 85-95% inbox placement across major providers. Some spam folder placement is normal — 5-10% is acceptable. You will never get 100%.

Quick fix: If inbox placement is below 85%, do not launch. Continue warmup for another 7-10 days, check your DNS records (points 1-3 above), and verify you are not on any blacklists (point 6). Then retest.

6. Domain Blacklist Check

Why it matters: If your sending domain or your email provider\'s IP address is on a blacklist (like Spamhaus, SORBS, or Barracuda), your inbox placement will tank regardless of how good everything else is. Blacklisting can happen because of previous domain owners, shared IP abuse, or your own sending practices.

How to check: Use MXToolbox\'s Blacklist Check. Enter your domain and your sending IP address. MXToolbox checks against 80+ blacklists simultaneously.

What bad looks like: Being listed on any major blacklist, especially Spamhaus or Barracuda. I have seen newly purchased domains that were already blacklisted because a previous owner used them for spam. Always check new domains before investing in warmup.

What good looks like: Clean results across all major blacklists. Minor listings on obscure blacklists (there are hundreds) are usually not a problem — focus on the top 10-15 major ones.

Quick fix: If blacklisted, submit a delisting request directly with the blacklist provider. Most process requests within 24-48 hours. If the domain is listed on multiple blacklists, it may be faster to abandon it and order a replacement domain.

Campaign Configuration (Points 7-10)

7. Sending Volume Under 20-25 Per Inbox Per Day

Why it matters: High per-inbox sending volume is the fastest way to get flagged and suspended. Email providers monitor sending patterns, and an account sending 50-100 emails per day looks nothing like a normal business user. The sweet spot for cold email is 20-25 sends per inbox per day — high enough to generate volume across multiple inboxes, low enough to look like normal human behavior.

How to check: Look at your sending platform\'s per-inbox daily limits. Make sure no single inbox is configured to send more than 25 emails per day. Also check the sending schedule — emails should be spread across the business day (9 AM to 5 PM in the recipient\'s timezone), not blasted out in a 30-minute window.

What bad looks like: 40-50+ sends per inbox per day, all sent within a 2-hour window. This pattern screams automation and will trigger spam filters. I saw one client\'s campaign sending 80 emails per inbox per day — every single inbox got suspended within a week.

What good looks like: 20-25 sends per inbox per day, spread across 6-8 hours, with random intervals between sends (most sending platforms handle this automatically). If you need more volume, add more inboxes instead of increasing per-inbox volume.

Quick fix: Reduce your per-inbox daily limit in your sending platform\'s settings. If you need to maintain total volume, order additional inboxes to distribute the load.

8. No Links in First Email

Why it matters: Links in cold emails are a major spam trigger, especially in the first email of a sequence. Spam filters analyze links for known tracking domains, shortened URLs, and redirect chains. A cold email with a Calendly link, a website link, and an unsubscribe link has three opportunities to trigger a spam filter.

How to check: Review your first email template. It should contain zero clickable links — no website URLs, no calendar links, no social media links. Save those for follow-up emails or replies.

What bad looks like: First email with a Calendly link, a company website link, or a "learn more" button. Even worse: shortened links from bit.ly or similar services, which are heavily associated with phishing and spam.

What good looks like: A plain text first email with zero links. Your CTA should be a question ("Worth a quick call?") that prompts a text reply, not a link click.

Quick fix: Remove all links from your first email. Move your calendar link to email 2 or 3 in the sequence, or share it in your reply after the prospect responds positively.

9. No Open Tracking Pixels

Why it matters: Open tracking works by embedding a tiny invisible image (a 1x1 pixel) in your email. When the recipient opens the email and loads images, the pixel fires and records the open. The problem: spam filters know this trick. Google and Microsoft can detect tracking pixels, and their presence increases the chance of spam classification. Additionally, Apple\'s Mail Privacy Protection pre-loads images, making open rate data unreliable anyway.

How to check: Go into your sending platform\'s settings and make sure open tracking is disabled. Some platforms enable it by default — do not assume it is off.

What bad looks like: Open tracking enabled, inflated open rates of 70-80% (thanks to Apple\'s pre-loading), and lower inbox placement because of the tracking pixel.

What good looks like: Open tracking disabled. You lose open rate data, but open rates were already unreliable anyway. Focus on reply rates and meeting bookings as your primary metrics.

Quick fix: Disable open tracking in your sending platform\'s campaign settings or global account settings. This takes 30 seconds.

10. Unsubscribe Mechanism Present

Why it matters: Beyond being a legal requirement under CAN-SPAM (and similar laws globally), having an unsubscribe option actually helps deliverability. Gmail and Outlook give higher trust scores to emails that include unsubscribe options. And from a practical standpoint, you would rather have someone unsubscribe than mark you as spam — an unsubscribe does not hurt your sender reputation, but a spam complaint does.

How to check: Review your email sequence. There should be an unsubscribe link or opt-out line in every email. Most sending platforms add this automatically, but verify it is there.

What bad looks like: No unsubscribe option anywhere in the sequence. Or an unsubscribe link that does not actually work — I have audited campaigns where the unsubscribe link returned a 404 error.

What good looks like: A simple "If you\'d prefer not to hear from me, reply STOP or click here to unsubscribe" line at the bottom of each email. Keep it subtle but functional.

Quick fix: Enable your sending platform\'s built-in unsubscribe feature. If you prefer a text-based opt-out, add "Reply STOP to opt out" to your email footer.

Content and Compliance (Points 11-14)

11. Email Copy Under 100 Words

Why it matters: Long emails get lower reply rates in cold outreach. Our testing across 50,000+ cold emails shows that emails between 50-80 words get 2-3x higher reply rates than emails above 150 words. Shorter emails also look more like genuine person-to-person communication and less like marketing blasts — which helps both deliverability and engagement.

How to check: Copy your email text into a word counter. Every email in the sequence should be under 100 words, ideally 60-80. This includes the greeting and CTA.

What bad looks like: 200+ word emails with multiple paragraphs, bullet points, company descriptions, and a long signature block. These read like marketing emails and get treated like marketing emails — straight to promotions tab or spam.

What good looks like: 60-80 words, 3-4 short paragraphs, plain text, no formatting. It should look like something you would actually type to a colleague. Read our B2B SaaS cold email playbook for copy frameworks that work in under 80 words.

Quick fix: Cut everything that does not directly serve the Problem-Agitate-Solve framework. Remove company descriptions, long intros, and multiple CTAs. One problem, one insight, one question.

12. No Spam Trigger Words

Why it matters: Spam filters analyze email content for words and phrases commonly associated with spam. Using these words does not guarantee spam placement, but it increases your risk — especially when combined with other red flags like tracking pixels or high sending volume.

How to check: Review your copy for common triggers: "free," "guaranteed," "act now," "limited time," "click here," "buy now," "special offer," "100% satisfied," and similar sales-heavy language. Also watch for ALL CAPS and excessive exclamation marks.

What bad looks like: "I guarantee our FREE tool will 100% TRANSFORM your sales process!!! Click here NOW." Every word in that sentence is a spam trigger.

What good looks like: Conversational, specific language that sounds like a real person. "I noticed your team is hiring 3 new SDRs — we helped [Company] cut onboarding time in half" contains zero spam trigger words and communicates real value.

Quick fix: Read your email out loud. If it sounds like an ad, rewrite it. Replace sales language with specific, conversational statements.

13. Physical Address in Signature

Why it matters: CAN-SPAM requires a valid physical mailing address in all commercial emails. Beyond compliance, having an address in your signature adds legitimacy and trust. It signals that you are a real business, not a fly-by-night operation.

How to check: Look at your email signature. There should be a physical address — it can be a PO Box or virtual office address. It does not need to be your home address.

What bad looks like: No address at all. Or a fake address that does not correspond to a real location. Both are CAN-SPAM violations that carry fines of up to $50,120 per email.

What good looks like: A simple, clean signature with your name, title, company, and a physical address. Keep it short — a bloated signature with logos, social links, and legal disclaimers adds HTML weight that can trigger spam filters.

Quick fix: Add your company\'s address to your email signature. If you work remotely, use a virtual office address or PO Box. Services like iPostal1 or Regus offer virtual addresses for $15-30/month.

14. Bounce List and Opt-Out List Exclusions Confirmed

Why it matters: Sending to email addresses that have previously bounced or opted out is harmful on two levels. Bounces damage your sender reputation directly — providers interpret high bounce rates as a sign you are sending to purchased or scraped lists. Sending to people who opted out is a legal violation and will generate spam complaints that further damage reputation.

How to check: In your sending platform, verify that your global suppression list is active and up to date. Check that bounced addresses from previous campaigns are automatically excluded from new campaigns. Verify that unsubscribed addresses are also excluded. Cross-reference your prospect list against your suppression list before launching.

What bad looks like: Re-sending to addresses that bounced in previous campaigns. Sending to people who unsubscribed last month. This is both a deliverability killer and a compliance risk. One agency I know got hit with multiple spam complaints because they reimported an old list without filtering out previous opt-outs.

What good looks like: A clean suppression list that automatically updates with every bounce and unsubscribe. Your sending platform should handle this natively — but verify it is actually working, especially if you use multiple sending platforms or switch tools.

Quick fix: Export your bounce and opt-out lists from previous campaigns, combine them into a master suppression list, and upload it to your sending platform\'s global exclusion settings. Run this process before every new campaign launch.