Cold Email Setup Checklist: Everything Before You Send Your First Campaign

Most cold email campaigns fail before a single email is sent. Not because the copy is wrong. Not because the offer is weak. Because the technical foundation — the boring infrastructure stuff everyone skips — was never built.

A 2026 study of 16.5 million cold emails found that 1 in 5 legitimate outreach emails never reaches an inbox. For senders who skip the setup steps below, that number jumps to 1 in 2.

This checklist covers everything you need before you hit send on your first campaign. Each skipped step costs you deliverability. Stack enough skipped steps and your entire campaign lands in spam.

The 20-Point Pre-Flight Checklist

1. Buy a Separate Sending Domain

Never send cold email from your primary business domain. If yourdomain.com gets blacklisted, your client emails, invoices, and support tickets all go down with it. Buy 2-4 lookalike variants — tryyourbrand.com, getyourbrand.io, yourbrandhq.com. Budget: $10-15/year per domain. Register through Cloudflare, Namecheap, or Porkbun. Stagger registration dates — registering 5 domains on the same day looks suspicious to spam filters.

2. Set Up Google Workspace or Microsoft 365 on the Sending Domain

Free @gmail.com and @outlook.com addresses are not for cold outreach. Google's terms explicitly prohibit bulk/commercial email from free accounts. Google Workspace starts at $6/month per user. Microsoft 365 Business Basic also starts at $6/month. Google Workspace gives you 2,000 recipients/day (safe cold email cap: 100-300/day). Microsoft 365 gives 10,000 recipients/day (safe cold email cap: 200-500/day). Create one user per sender persona — name them like real people, not send1@, send2@.

3. Configure SPF (Sender Policy Framework)

SPF tells receiving servers which mail servers are authorized to send from your domain. Without it, your emails look like spoofed spam. Add a TXT record at your root domain: v=spf1 include:_spf.google.com ~all (for Google Workspace) or v=spf1 include:spf.protection.outlook.com ~all (for Microsoft 365). One record only — multiple SPF records break evaluation entirely. Use ~all (softfail) initially; move to -all (hardfail) once stable. Stay under the 10 DNS lookup limit — every include: counts toward it.

4. Generate and Publish DKIM Keys

DKIM adds a cryptographic signature to every outgoing email. Receiving servers verify it against a public key in your DNS. In Google Admin Console: Apps > Google Workspace > Gmail > Authenticate email > Generate new record. Use 2048-bit minimum — 1024-bit is considered insecure in 2026. Publish the TXT record at google._domainkey.yourdomain.com. Enable DKIM signing in the Admin Console afterward. Wait 24-48 hours for full DNS propagation.

5. Publish a DMARC Policy

DMARC tells receiving servers what to do when SPF or DKIM checks fail. Without it, Google and Yahoo default to quarantine in 2026. Start with monitoring: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. After 4 weeks of clean reports, move to p=quarantine. After 8+ weeks, move to p=reject for full enforcement. The rua= address receives aggregate reports showing who's sending from your domain — including spoofing attempts.

6. Configure MX Records for Reply Handling

If your cold email tool needs IMAP access to track replies and detect bounces, MX records must point to your email provider. Missing MX records are a spam signal — legitimate domains receive email. For Google Workspace: ASPMX.L.GOOGLE.COM (priority 1), ALT1.ASPMX.L.GOOGLE.COM (priority 5), and so on.

7. Set Up a Custom Tracking Domain

Most cold email tools use shared tracking domains for open and click tracking. If another user on that shared domain gets flagged, your tracking data and deliverability suffer too. Create a CNAME record like click.yourdomain.com pointing to your sending platform's tracking endpoint. This isolates your reputation and makes tracked links show your domain, not a generic one.

8. Enable IMAP Access

Gmail: Settings > See all settings > Forwarding and POP/IMAP > Enable IMAP. Outlook: Settings > Mail > Sync email > Enable IMAP. This lets your cold email tool read replies and detect bounces by scanning your inbox — essential for automated reply classification and bounce suppression.

9. Generate an App Password (Not Your Main Password)

Never paste your account password into a cold email tool. Enable 2FA first (Google Account > Security > 2-Step Verification), then generate an app-specific password (Security > App passwords > Select "Mail"). This is a 16-character token that grants SMTP/IMAP access without exposing your main credentials.

10. Set Up Google Postmaster Tools

Go to postmaster.google.com, add your domain, verify it. Postmaster Tools shows your actual domain reputation (High/Medium/Low/Bad), spam complaint rate, delivery errors, and authentication status. This is ground truth data — everything else is an estimate. Check it weekly.

11. Start Email Warmup (Minimum 14 Days)

A brand new domain with zero sending history is automatically suspicious. Warmup gradually builds reputation: Week 1: 5-15 emails/day. Week 2: 15-40 emails/day. Week 3: 40-80 emails/day. Week 4: 80-100+ emails/day. All warmup emails go to a pool of real accounts that auto-open and reply, generating positive engagement signals. Skip this and your first 50 cold emails go straight to spam — and that first impression is hard to recover from.

12. Verify Your DNS Configuration

Use MXToolbox (free) to run a full deliverability check. It verifies SPF, DKIM, and DMARC in one scan. Also check with Google Admin Toolbox > Check MX. A typo in any DNS record silently breaks authentication — your emails send fine, they just all land in spam. Verify before, not after.

13. Check DNS Blacklists

Run your sending domain and IP through a multi-blacklist checker. The major ones: Spamhaus, SpamCop, SORBS, Barracuda, UCEProtect. If your domain appears on any of them, delist before sending. Each blacklist has its own removal process — most have self-service forms. Spamhaus is the most critical to clear.

14. Write Your Cold Email Copy

Keep it under 125 words. Plain text only — no HTML, no images, no heavy formatting. Structure: one specific observation about their business (the opener), 2-3 sentences of value (the outcome your product creates for them), and one low-friction CTA requiring a one-word answer. No links in the first email. The subject line should be under 50 characters and look like something a human typed to another human — not marketing copy.

15. Run a Spam Word Check on Your Copy

Spam filters scan for trigger words using weighted scoring. Hard triggers to eliminate entirely: "free money," "act now," "limited time," "click here," "100% free," "risk-free," excessive exclamation marks, ALL CAPS. Soft triggers to minimize: "opportunity," "offer," "deal," "marketing," "sales," multiple links, heavy HTML. Read your email out loud — if it sounds like marketing, it'll be filtered like marketing.

16. Build Your Prospect List

Never buy a list. Bought lists are full of spam traps, invalid addresses, and people who will mark you as spam. Build from Apollo.io (275M+ contacts, free tier gives 50 leads/month), LinkedIn Sales Navigator (Boolean search with intent filters), or manual research. Minimum columns per prospect: email, first name, company name. Better: add job title, industry, and a personalization note.

17. Verify Every Email Address

Use NeverBounce, ZeroBounce, or Bouncer to verify every address before uploading. A proper verification checks: syntax validity, MX record existence, disposable address detection, spam trap databases, and catch-all domain detection. List quality is the #1 factor in deliverability — a verified list with 2% bounce rate vs. an unverified list with 15% bounce rate is the difference between inbox and spam.

18. Segment Your List Into Cohorts

Don't send the same email to 500 people. Segment by industry, role, company size, or trigger event. A 2026 Hunter.io study found that lists of 50 or fewer recipients had 158% higher reply rates than lists of 500+. Small, targeted cohorts let you personalize at the right level and A/B test within segments.

19. Test With a Seed List First

Before sending to your real list, send to 5-10 seed accounts you control — Gmail, Yahoo, Outlook, and any industry-specific providers your prospects use. Check where each email lands: Primary inbox, Promotions tab, or Spam. If any land in spam, fix the issue before sending to real prospects. This 10-minute step saves campaigns.

20. Set Sending Schedule and Daily Limits

Best sending days: Tuesday, Wednesday, Thursday. Best times: 7-11 AM recipient-local time (the morning email triage window). Set a daily send limit below your provider's threshold: 100-150/day for new Google Workspace accounts, 200-300/day for new Microsoft 365 accounts. Spread sends across the full window — don't send all 100 emails in the first hour.

Common Setup Mistakes That Kill First Campaigns

• Skipping warmup entirely. A new domain sending 50 emails on day one is the single strongest spam signal. First impressions are permanent in email reputation.
• Forgetting to enable DKIM signing. Publishing the DNS record isn't enough — you must toggle it on in your provider's admin panel. Un-enabled DKIM = no signature = spam folder.
• Using the same domain for cold email and business email. One spam complaint on your cold outreach can tank deliverability for client emails, invoices, and support tickets simultaneously.
• Not verifying the list. A 10% bounce rate on your first campaign tells providers you don't know who you're emailing. They treat that as a spam signal.
• Tracking links in email #1. Wrapped links through tracking domains are a pattern-match for automation tools. Wait until follow-up #2 for any links.

What "Ready to Send" Actually Looks Like

Your first campaign is ready when:

• Your sending domain is at least 14 days old with 14 days of warmup history
• SPF, DKIM, and DMARC all show "PASS" in MXToolbox
• Postmaster Tools shows your domain reputation as "High"
• You're not on any major DNS blacklists
• Your email copy passes a spam word check (no hard triggers, minimal soft triggers)
• Your prospect list is verified with <2% expected bounce rate
• You've seeded tested to Gmail, Yahoo, and Outlook — all landed in Primary inbox
• Your daily volume is set below 50% of your provider's safe limit

XSendFlow's setup wizard walks you through each of these steps in order — domain connection, DNS verification, warmup activation, and pre-flight deliverability check — before your first campaign is allowed to send. The preflight checker verifies SPF, DKIM, DMARC, MX records, scans 6 DNS blacklists, and scores your email content for spam triggers. Advisory only, never blocks sending — but shows you exactly what needs fixing before your reputation takes the hit.