Why Your Cold Emails Are Going to Spam (And How to Fix It)

You spent three days writing the perfect cold email. You verified your list. You warmed up your sending account. You hit send on 200 emails.

Open rate: 3%. Reply rate: zero. You check your spam tester and discover the truth: 85% of your emails never reached an inbox. They went straight to spam.

This is the most frustrating problem in cold email — and the most common. A 2025 study found that 1 in 5 legitimate marketing emails never reach the inbox. For cold outreach, the number is higher — closer to 1 in 3.

Here are the 10 most common reasons your cold emails are going to spam, and exactly how to fix each one.

1. Missing or Misconfigured SPF Record

What it is: SPF (Sender Policy Framework) is a DNS TXT record that tells receiving mail servers which IP addresses and mail servers are allowed to send email from your domain.

How to check: Open a terminal and run: nslookup -type=TXT yourdomain.com. If you don't see a record starting with v=spf1, you don't have SPF configured.

What happens without it: Receiving servers have no way to verify that your email actually came from you. When the SPF check fails, your email gets a negative spam score before anyone reads a single word of your copy.

How to fix it: Add a TXT record at your domain's root:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Replace the includes with your actual email providers. ~all means "soft fail" — mark as suspicious but don't reject. Use -all (hard fail) only after you're certain you've listed every sending service.

2. Missing DKIM Signature

What it is: DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The receiving server checks this signature against a public key in your DNS to verify two things: the email genuinely came from your domain, and nobody tampered with it in transit.

How to check: Send a test email to a Gmail address. Open it, click the three dots > Show original. Look for "DKIM: PASS" or "DKIM: FAIL." If you don't see DKIM at all, it's not configured.

What happens without it: Gmail and Outlook both weight DKIM heavily in their spam algorithms. No DKIM = automatic suspicion. It's the equivalent of showing up at airport security without an ID.

How to fix it: Generate a DKIM key in your email provider's admin panel (Google Workspace, Outlook, SendGrid all have this), then add the public key as a TXT record at google._domainkey.yourdomain.com (or your provider's selector). The exact steps vary by provider, but every major provider has a one-click "Generate DKIM" option and gives you the DNS value to paste.

3. No DMARC Policy

What it is: DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy layer on top of SPF and DKIM. It tells receiving servers what to do when an email fails both checks: quarantine it (spam folder), reject it (don't deliver), or let it through anyway.

How to check: Run nslookup -type=TXT _dmarc.yourdomain.com. If nothing comes back, DMARC isn't configured.

What happens without it: Receiving servers make their own decisions about what to do with unauthenticated email from your domain. In 2026, Gmail and Yahoo both default to quarantine when no DMARC policy exists. You're letting Google decide your deliverability — and Google defaults to "spam" when unsure.

How to fix it: Add this TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=quarantine; rua=mailto:you@yourdomain.com; pct=100

p=quarantine tells servers to send failed emails to spam. rua gives you aggregate reports showing who's sending email from your domain (including spoofing attempts). Start with quarantine; move to p=reject once you're confident your setup is correct.

4. Spam Trigger Words in Your Subject Line or Body

Spam filters scan your email content against a weighted list of trigger words and phrases. Some are hard triggers (heavy weight), some are soft triggers (light weight). Enough soft triggers add up to a spam verdict even if no single word crosses the line.

Hard spam triggers (avoid entirely):

• "Free money," "Act now," "Limited time," "Exclusive offer"
• "100% free," "Risk-free," "Satisfaction guaranteed"
• "Click here," "Click below," "Open this link"
• "Once in a lifetime," "You've been selected," "Congratulations"
• Excessive exclamation marks (even one can hurt in cold email)
• ALL CAPS in the subject line or excessive caps in the body

Soft triggers (minimize — a few are fine, too many hurt):

• "Opportunity," "Offer," "Deal," "Discount"
• "Marketing," "Sales," "Revenue," "Growth"
• "Meeting," "Call," "Demo," "Schedule"
• Multiple links (more than 1-2 in a cold email is a spam signal)
• Heavy HTML formatting (cold emails should be plain text or minimal HTML)

The fix: Run your copy through a spam word checker before sending. Most cold email tools include one. Read your email out loud — if it sounds like marketing copy, rewrite it to sound like something you'd actually type to a colleague.

5. Your Sending IP or Domain Is Blacklisted

What it is: DNS blacklists (DNSBLs) are databases of IP addresses and domains known to send spam. If your sending IP or domain appears on one, receiving servers that reference that blacklist will reject or spam-filter your email.

How to check: Use a multi-blacklist checker like MXToolbox or a dedicated deliverability tool. Check your domain AND your sending IP — they're checked separately. The major blacklists to monitor are Spamhaus, SpamCop, SORBS, Barracuda, and UCEProtect.

Common reasons for listing: Sending to spam traps (inactive addresses repurposed for monitoring), high spam complaint rates, sudden volume spikes on a new IP, or using a shared IP that another sender got blacklisted.

How to fix it: Each blacklist has its own delisting process. Most have a self-service removal form. For Spamhaus — the most widely used — go to their Blocklist Removal Center, enter your IP, and follow the instructions. Fix the underlying problem first (clean your list, reduce volume, fix your content) or you'll be re-listed within days.

6. No Warmup on a New Sending Account

A brand new email account has zero reputation. Email providers have no data on whether you're a legitimate sender or a spammer — so they default to "suspicious" and route your first emails to spam.

What proper warmup looks like: Start at 5 emails/day. Increase by 5 every 3 days. Generate positive engagement signals (opens, replies, "not spam" markings) from a warmup pool of real accounts. Continue for 14-30 days before sending a single cold email from the account.

What happens without it: You send 50 emails on day one from a brand new Google Workspace account. Gmail sees a new sender with no reputation history suddenly blasting volume. The algorithm flags you as "likely spammer" — and that flag doesn't just disappear when you slow down. First impressions matter in email reputation, and you only get one.

The fix if you already skipped warmup: Stop sending. Wait 7 days. Start a proper warmup from scratch. Your reputation will recover — it just takes longer than if you'd warmed up from the start.

7. High Bounce Rate on Your List

Every hard bounce — an email sent to an address that doesn't exist — damages your sender reputation. Bounce rates above 2% trigger throttling on most providers. Above 5% and your domain is at risk of blacklisting.

The main causes of high bounce rates:

• Sending to unverified or purchased email lists
• Using old lists that haven't been cleaned in 6+ months
• No MX record verification before sending
• Typo-ridden manual entry without validation
• Sending to catch-all domains that accept all mail then silently discard

The fix: Verify every email address before it enters a campaign. A proper verification checks syntax, MX records, disposable address databases, and spam trap databases. Remove hard bounces immediately and add them to a suppression list so they're never contacted again. Re-verify your full list every 60-90 days.

8. Sending From a Free Email Address

Gmail, Yahoo, and Outlook all apply stricter filtering to email from free consumer addresses (@gmail.com, @yahoo.com, @outlook.com) than from custom domains with proper authentication. This is intentional — consumer accounts are where most actual spam originates.

What to do instead: Set up Google Workspace ($6/month) or Microsoft 365 Business Basic ($6/month) on your own domain. The domain itself should be a sending-specific domain — not your primary company domain. If your sending domain gets blacklisted, your company email stays operational.

The difference: A properly authenticated email from yourname@tryyourcompany.com has a significantly higher chance of inbox placement than the exact same content sent from yourname@gmail.com. The same email, the same list, the same timing — different outcome based entirely on the sending address domain.

9. Image-Heavy Emails or HTML Newsletters

Cold email is not email marketing. Marketing emails are HTML-heavy, image-rich, and sent through platforms like Mailchimp or HubSpot. Cold emails should be plain text — or minimal HTML — and look like they were typed by a human.

Spam signals in email formatting:

• Images (especially large images or an image-only email)
• Multiple font sizes, colors, or typefaces
• Background colors or complex layouts
• Email signatures with 5+ lines of contact info, logos, and social links
• Tracking pixels (use them, but know that some filters flag them)

The fix: Send plain-text or minimal-HTML emails. Your email should look like something you'd type into Gmail's compose window. A simple, clean signature with your name, title, company, and one link is fine. A 10-line signature with a logo, headshot, 4 social links, a disclaimer, and a "Sent from my iPhone" tag is not.

10. Low Engagement Rates From Previous Campaigns

Email providers track how recipients interact with your emails — not just this campaign, but all previous campaigns from your domain. If your historical open rate is 5% and reply rate is 0%, providers learn that recipients don't value your emails. Your future emails get pre-filtered before they even check the content.

This creates a vicious cycle: Low engagement → spam filtering → even lower engagement → stricter filtering → eventually blacklisted.

The fix: If your engagement metrics are historically bad, you may need a new sending domain. Start fresh with proper warmup, better targeting, and better copy. It's faster than trying to rehabilitate a domain with years of poor engagement history. Keep the old domain for transactional email (password resets, invoices) and use the new one exclusively for cold outreach.

How to Know If You're Actually in Spam (Not Just Low Opens)

Low open rates don't always mean spam. Sometimes your subject line is just weak. Here's how to tell the difference:

1. Seed test: Create email accounts at Gmail, Yahoo, Outlook, and your target industry's common providers. Add them to every campaign. Check where your emails land.
2. Google Postmaster Tools: Shows your actual spam complaint rate, IP reputation, domain reputation, delivery errors, and authentication status. This is ground truth — if Postmaster says your reputation is low, your subject lines don't matter.
3. Spam test services: Mail-Tester, GlockApps, and MXToolbox all offer free or low-cost spam tests. They show you which blacklists you're on, which authentication checks pass/fail, and a spam score for your content.
4. Reply rate as a signal: If your open rate is 3% but reply rate is 2%, your emails are probably reaching inboxes — just with a weak subject line. If your open rate is 3% AND reply rate is 0%, your emails are probably in spam.

The 5-Minute Deliverability Checklist

Before every campaign, run through this:

1. DNS: SPF, DKIM, DMARC all configured and verified? Check with MXToolbox.
2. Blacklists: Domain and sending IP clean? Check with a multi-blacklist tool.
3. Content: Ran a spam word check? No hard triggers, minimal soft triggers.
4. List: Verified every address? MX check, no disposables, no known spam traps.
5. Warmup: Account has 14+ days of warmup history? Don't skip this for new accounts.
6. Format: Plain text or minimal HTML, no images? Cold email, not marketing email.
7. Volume: Daily send count within safe limits for your provider? 100-300/day for Google Workspace, 200-500/day for Outlook.

Pre-Flight Checks Before Every Campaign

XSendFlow includes a preflight deliverability checker that automatically verifies SPF, DKIM, DMARC, and MX records, scans against 6 major DNS blacklists, and scores your email content for spam triggers — before your campaign sends a single email. If something's broken, you know before it affects your deliverability, not after your open rate tanks.

Your emails can't get replies if they never reach an inbox. Fix deliverability first — then optimize copy. The best cold email in the world won't generate a single reply from a spam folder.