The 6-Layer Deliverability Stack: How We Hit 95%+ Inbox Placement, Every Time

Most agencies stop at "we set up SPF." We treat deliverability as an engineering discipline with six interlocking layers — every one configured per-client, monitored daily. Here's the playbook, in full detail.

Jordan Liu
Head of Operations · LeadFindy
Apr 22, 2026 · 14 min read

Why deliverability is engineering, not a checkbox

Pick any cold email agency's website and you'll see the same line: "we handle deliverability." What that usually means in practice is one DNS record per domain and a 7-day warmup before launch. Then the campaign goes live, replies trickle in for two weeks, and the open rate quietly collapses from 64% to 22%.

Our take is different. Deliverability is six interlocking systems, not a single setup task. Each layer protects the next. Skip one, and the others compensate for a few weeks before the cracks show — usually right when you're scaling volume and care most about results.

The six layers, top to bottom:

  1. Domain strategy — what you send from, and how you protect your primary brand
  2. Authentication — SPF, DKIM, DMARC, BIMI configured per-domain
  3. Mailbox warmup — the 14–21 day reputation ramp
  4. Content & sending behavior — copy, links, send patterns, reply handling
  5. List hygiene — verification, suppression, segmentation
  6. Monitoring — daily seeding, blacklist checks, placement tests

This piece walks through each one, with the actual settings, thresholds, and tools we use in production across 100+ active client campaigns.

Layer 1 — Domain strategy

The single biggest mistake we see when auditing new clients: they send cold email from their primary domain. jane@yourcompany.com sounds great in theory — until your domain reputation tanks and your sales team can't email warm prospects either.

The rule we never break: cold outreach goes through secondary look-alike domains. The primary stays untouched, reserved for transactional, sales, and marketing email to known contacts.

Look-alike patterns we use

  • get-yourcompany.com — adds a verb prefix
  • yourcompany-hq.com — adds a department-style suffix
  • tryyourcompany.com — alternate verb prefix
  • yourcompany.io / .co — TLD swap (least preferred — looks generic)

For each client we register 3–5 secondary domains, each with 2 mailboxes. That gives 6–10 sending mailboxes per client, with daily volume capped at 25–30 emails per mailbox. Total throughput: ~150–300 cold emails per day.

"Why so few mailboxes per domain? Because Google's heuristics treat 5+ mailboxes on a freshly-purchased domain as suspicious. Two is invisible — and it's the same volume you'd send from a small startup's actual sales team."

Domain age matters

Brand-new domains (less than 30 days old) get throttled aggressively by Microsoft 365 in particular. We register domains at least 14 days before warmup begins, point them at a static "we're hiring" or "about" page, set up basic DNS, and let them age. By the time we start warmup at day 14, the domain has a small but real history.

Layer 2 — Authentication (SPF, DKIM, DMARC)

If layer 1 is "what you send from," layer 2 is "how you prove you're allowed to send it." Mailbox providers run every inbound email through three checks. Fail any one and you're in spam or blocked outright.

SPF — Sender Policy Framework

SPF is a TXT DNS record listing which servers are authorized to send mail for your domain. The most common mistake is too many include: entries, which pushes evaluation past the 10-DNS-lookup limit. The receiver then returns a permanent error (permerror) instead of a pass, and nothing alerts the sender.

v=spf1 include:_spf.google.com include:sendgrid.net -all

Use -all (hard fail) once you're confident in your sender list. Use ~all (soft fail) during initial testing.
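To audit a record against the 10-lookup limit described above, here is an added example (not LeadFindy's tooling) that walks include: and redirect= chains and counts every DNS-querying term per RFC 7208 section 4.6.4. The ZONE dictionary is a constructed stand-in for live DNS and all domain names in it are hypothetical.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF check

# Constructed TXT records standing in for live DNS so this runs offline.
# Every domain name here is hypothetical.
ZONE = {
    "ok.example": "v=spf1 include:_spf.mail.example include:esp.example -all",
    "_spf.mail.example": "v=spf1 ip4:192.0.2.0/24 include:_net1.mail.example ~all",
    "_net1.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "esp.example": "v=spf1 a mx ip4:203.0.113.0/24 ~all",
    "bloated.example": "v=spf1 " + " ".join(f"include:v{i}.example" for i in range(6)) + " -all",
}
for i in range(6):
    ZONE[f"v{i}.example"] = "v=spf1 a ip4:192.0.2.1 ~all"  # vendor record with its own "a" lookup

# Terms that trigger a DNS query; ip4, ip6, all and exp= do not count.
TERM = re.compile(r"(include|exists|redirect|a|mx|ptr)(?=[:=/]|$)[:=]?([^/]*)")


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms needed to evaluate domain's SPF record, following includes."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        m = TERM.match(term.lstrip("+-~?").lower())
        if not m:
            continue
        total += 1  # the term itself costs one lookup
        if m.group(1) in ("include", "redirect"):
            # Nested records add their own lookups to the same budget.
            total += count_lookups(m.group(2), zone, path + (domain,))
    return total


def spf_status(domain, zone):
    """Return ("permerror", n) when the record tree exceeds the limit, else ("ok", n)."""
    n = count_lookups(domain, zone)
    return ("permerror" if n > LOOKUP_LIMIT else "ok", n)
```

Six vendor includes that each carry a single "a" mechanism already cost 12 lookups, which is why the top-level record can look short and still fail.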

DKIM — DomainKeys Identified Mail

DKIM cryptographically signs each email so receivers can verify it wasn't tampered with in transit. Set this up at the mailbox provider level (Google Workspace and Microsoft 365 both publish DKIM keys for you to add to DNS as TXT records).

Key rotation matters. We rotate DKIM keys every 6 months — long enough to stay stable, short enough to stay secure.

DMARC — Domain-based Message Authentication

DMARC tells receivers what to do when SPF or DKIM fails. We start every domain at p=none (just monitor) for 14 days, review the aggregate reports, fix any legitimate sources that fail, then move to p=quarantine.

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.com; pct=100

Don't jump straight to p=reject. If a third-party tool sends mail from your domain (HelloSign, Calendly, etc.) without proper DKIM alignment, p=reject will block legitimate mail. Stay at p=quarantine for at least 30 days before tightening further.
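The aggregate-report review during the p=none period can be scripted. This added example (not LeadFindy's code) parses a report in the RFC 7489 Appendix C layout and lists the sources that fail DMARC, separating senders that authenticate under another domain (the unaligned third-party case above) from sources with no passing result at all. The sample report, IP addresses and domain names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report; every IP and domain below is made up.
SAMPLE_RUA = """<feedback>
 <policy_published><domain>yourcompany.example</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>412</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourcompany.example</header_from></identifiers>
  <auth_results><dkim><domain>yourcompany.example</domain><result>pass</result></dkim>
   <spf><domain>yourcompany.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>38</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourcompany.example</header_from></identifiers>
  <auth_results><dkim><domain>scheduler-vendor.example</domain><result>pass</result></dkim>
   <spf><domain>bounce.scheduler-vendor.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>3</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourcompany.example</header_from></identifiers>
  <auth_results><spf><domain>unknown.example</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def dmarc_failures(xml_text):
    """Return rows that fail DMARC (no aligned DKIM or SPF pass), largest volume first."""
    # Reports come from third parties: in production use a hardened parser such as defusedxml.
    failures = []
    for rec in ET.fromstring(xml_text).iter("record"):
        ev = rec.find("row/policy_evaluated")  # aligned results, as DMARC evaluated them
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue  # DMARC passes when either aligned check passes
        # Raw checks that passed for some other domain: authenticated, but not aligned.
        passed_as = sorted(
            f"{a.tag}:{a.findtext('domain')}"
            for a in rec.find("auth_results") if a.findtext("result") == "pass")
        failures.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "kind": "authenticated but unaligned" if passed_as else "unauthenticated",
            "passed_as": passed_as,
        })
    return sorted(failures, key=lambda f: -f["count"])
```

Rows marked "authenticated but unaligned" are the ones to fix with custom DKIM signing or a custom return-path at the vendor before moving to p=quarantine.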

Layer 3 — Mailbox warmup

A brand-new mailbox sending cold email to strangers on day one will land in spam. Mailbox providers track sender reputation per address, and a fresh address has zero reputation — neither good nor bad. Your job during warmup is to build positive signal before any cold prospect ever sees your address.

Our 21-day warmup schedule

Days  | Daily volume                  | Activity
1–3   | 5–10                          | Warmup tool only · 2-way conversations · seed accounts
4–7   | 10–20                         | Warmup ramp · enable folder placement signaling
8–14  | 20–35                         | Mixed warmup + 5–10 internal "real" mails to teammates
15–21 | 35–50                         | Add small batches of cold mail · monitor reply quality
22+   | 30 (cold) + warmup background | Full launch · keep warmup running at low volume forever

The two non-negotiables: (1) warmup never stops, even after launch — it runs at 10–15 mails/day in the background indefinitely. (2) New mailboxes always start in pairs, so we have a "spare" if one underperforms during early sends.

Layer 4 — Content & sending behavior

Authentication and warmup get your email delivered. Content and sending behavior decide whether it lands in inbox vs. promotions vs. spam. The rules are simpler than people think.

Content rules we enforce

  • Plain text first. No HTML, no images, no inline CSS. Plain text inherits the recipient's default styling and looks like a real person typed it.
  • One link maximum, ideally zero. A cold email that just asks a question (no link) outperforms one with a link by 18% in our data.
  • No tracking pixels. Open-rate tracking inserts an external image — a known spam signal in 2026. We turned tracking off across all clients in Q3 2025 and reply rates went up.
  • No unsubscribe link in cold mail. Counterintuitive but legal under CAN-SPAM if you're B2B and the recipient is a business contact. Unsub links boost spam classification when present in low-volume cold campaigns.
  • Word limit: 90 words. Anything longer reads like a pitch.

Sending behavior

  • Stagger sends across business hours in the recipient's local timezone
  • Random delays of 30–180 seconds between sends from the same mailbox
  • Maximum 30 cold sends per mailbox per day, every day
  • Skip weekends entirely for cold email — Tuesday through Thursday produce best results

Layer 5 — List hygiene

The fastest way to destroy a warmed mailbox is to send to a bad list. One bad list — 20% bounce rate — and your sender reputation drops by half overnight. We've seen accounts go from 96% inbox placement to 41% in 48 hours from a single dirty list.

The verification stack

Every email address goes through three verification passes before it touches a sending mailbox:

  1. Syntax + MX record check — free, instant, removes obvious junk
  2. SMTP handshake via NeverBounce or ZeroBounce — confirms the mailbox accepts mail
  3. Catch-all detection — domains that accept all mail get flagged as "risky" and either skipped or sent at half volume

Our target bounce rate per campaign is under 2%. Anything above 4% triggers an immediate pause.

Layer 6 — Monitoring

The first five layers prevent problems. Layer 6 catches the ones that slip through anyway. Daily monitoring is what separates "we set it up correctly" from "we're keeping it healthy."

What we monitor, daily

Seed inboxes per ESP: 5 · Blacklists checked: 9 · Alert response SLA: 24h

  • Seed-list placement tests — every Monday we send a real campaign mail to seed accounts at Gmail, Outlook, Yahoo, Apple Mail. We track which folder it lands in.
  • Blacklist monitoring — we check every sending domain against Spamhaus, Barracuda, SORBS, and 6 others nightly via MXToolbox API.
  • Bounce/complaint thresholds — bounce above 4% or complaint above 0.1% triggers an automatic pause and Slack alert.
  • Reply rate trend — when reply rate drops 30%+ week-over-week without a campaign change, that's a deliverability signal we investigate within 24 hours.

Real-world numbers

Across 47 client campaigns we audited in Q1 2026, here's what running the full 6-layer stack delivered vs. campaigns running 1–2 layers:

  • Inbox placement (full stack): 96.4%
  • Inbox placement (basic setup): 62.1%
  • Avg reply rate (full stack): 7.8%

Compounding effect. The reason the full stack outperforms isn't any one layer — it's that each layer catches what the others miss. Skip warmup and content discipline can't save you. Skip authentication and even perfect warmup won't help you reach Microsoft 365.

Takeaway

If you only remember three things from this article:

  1. Send from secondary domains, never your primary. Protect your brand reputation.
  2. Warm up for at least 14 days before any cold send. No exceptions.
  3. Monitor daily, not weekly. Deliverability problems compound fast — a bad day undetected becomes a bad month.

The agencies that hit 95%+ inbox placement aren't doing anything magical. They're just running all six layers, every time, for every client. It's boring engineering — and that's exactly why it works.

Jordan oversees deliverability and infrastructure for 100+ active client campaigns. Before LeadFindy he built outbound systems at two YC-backed B2B SaaS companies and ran a freelance email infrastructure consultancy.