How Cold Email Actually Works: The Mechanics Behind Every Send

Most explanations of cold email focus on copy and strategy. Those matter, but they only work if the underlying mechanics are correct. A perfectly written email that lands in a spam folder is worth nothing. Understanding the infrastructure (where addresses come from, how domains behave, and what authentication records do) will save you from the category of failure that most cold email operators hit first.

This is a bottom-up explanation of how a cold email actually gets from your sending platform to a prospect's inbox.

Sending to people who never gave you their address

The first question most people have: is this even allowed? A work email address published on a company website, listed in a professional database, or displayed on a LinkedIn profile is functionally semi-public contact information. The person listed it in a professional context, which signals availability for professional contact. This is different from harvesting personal email addresses from social media or purchasing consumer data.

B2B cold email operates on the premise that a professionally relevant message to a work address is a normal part of business. Most privacy frameworks, including CAN-SPAM in the US and legitimate interest provisions under GDPR, recognise this. The threshold is whether the outreach is relevant to the person's professional role and whether it is clearly identified as a commercial communication.

Where the addresses actually come from

There are four main sources of prospect addresses for cold email, each with different coverage and data quality:

No database is 100% accurate. Bounce rates on raw lists typically run 5-15% before verification. Running addresses through a verification tool like NeverBounce or ZeroBounce before sending keeps hard bounces low enough to protect sender reputation.

Why Gmail blocks bulk cold email

Gmail and Microsoft Outlook are the dominant business email providers. Both run sophisticated systems for detecting bulk and unsolicited sending. The signals they watch include:

A brand-new email address that sends 200 emails on day one will trigger almost every filter in this list. It has no history, no engagement pattern, and no established reputation. The receiving mail server has no basis for trusting it. This is why sending from a fresh address without warmup is nearly guaranteed to hit spam folders.

What a sending domain is and why you use separate ones

Your primary business domain is the one your company uses for everything: customer emails, support tickets, invoices, internal communication. If cold email from that domain gets flagged as spam, marked by recipients, or results in your domain being listed on a spam blocklist, every email your company sends is affected. Customer invoices go to spam. Support replies never arrive. The damage is serious and difficult to reverse.

To isolate that risk, cold email campaigns are sent from secondary domains purchased specifically for outreach. These might be slight variations of your brand name: if your company is Meridian Solutions and your primary domain is meridiansolutions.com, you might send from getmeridian.com, merid-solutions.com, or meridian-hq.com.

Recipients can see these domains, and they work fine. The goal is not to hide the brand but to protect the primary domain's reputation. If a secondary sending domain gets flagged or burned, you retire it and create a new one. Your primary domain remains clean.

A properly scaled cold email program runs multiple sending domains simultaneously with one inbox per domain, each capped at 25 emails per working day. A program with 20 domains sends 500 emails per day while keeping risk distributed across separate sender reputations.

Inbox warmup: what it is and why it matters

Warmup is the process of gradually building a sending history and reputation for a new email address before it is used for outreach. A warmed inbox has demonstrated, through weeks of normal email activity, that it is a real person's work account: it sends emails, it receives replies, the emails get opened, and nobody marks them as spam.

In practice, warmup tools work by connecting your new inbox to a network of other inboxes. Your account sends emails to accounts in the network, and those accounts receive and reply to them, building the kind of engagement history that inbox providers use as a trust signal. We warm up every domain and inbox for 3 weeks before any live sending begins.

Sending to real prospects before an inbox is warmed is the single most common infrastructure mistake in cold email. The deliverability damage from those early sends is hard to undo. Warmup first, then send.

SPF, DKIM, and DMARC in plain English

These three authentication records live in your domain's DNS settings. They are not encryption. They are identity verification: they tell receiving mail servers that the emails claiming to come from your domain actually did come from your domain, and they specify what to do if that cannot be verified.

SPF (Sender Policy Framework)

SPF is a list, published in your DNS, of the mail servers that are authorised to send email from your domain. When an email arrives claiming to be from yourcompany.com, the receiving server checks the SPF record and confirms whether the sending IP is on the approved list. If it is not, the email is suspect.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every outgoing email. The signature is generated using a private key that only you hold. The receiving server uses a public key published in your DNS to verify the signature. If the signature matches, the email has not been tampered with in transit and genuinely came from a server with access to your private key.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC builds on SPF and DKIM by specifying a policy for what receiving servers should do when authentication fails. The options are none (log it but deliver), quarantine (send to spam), or reject (block entirely). DMARC also provides a reporting mechanism: you can receive aggregate reports showing authentication results for mail claiming to come from your domain, which helps you detect spoofing attempts.
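How a receiving server combines the three records, as an added example that is not part of the original article: SPF is evaluated against the envelope (MAIL FROM) domain and DKIM against the signature's d= domain, and DMARC passes only if one of them passes for a domain aligned with the visible From domain. The function names and sample domains are constructed, and the organizational domain is approximated as the last two labels instead of a Public Suffix List lookup.

```python
# Added example: a receiver's DMARC decision from SPF and DKIM results.
# Assumption: the organizational domain is the last two labels; real
# receivers use the Public Suffix List. The sp= and pct= tags are ignored.

# Policy names mapped to the outcomes the article describes.
ACTIONS = {"none": "deliver", "quarantine": "spam", "reject": "block"}

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    if strict:  # aspf=s / adkim=s demand an exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(txt):
    parts = (p.partition("=") for p in txt.split(";") if p.strip())
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in ACTIONS:
        return None
    return tags

def evaluate(from_domain, spf, dkim, dmarc_txt):
    """spf: (result, MAIL FROM domain); dkim: [(result, d= domain), ...].
    Returns (dmarc_result, action)."""
    policy = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if policy is None:
        return ("no-policy", "receiver default")
    spf_ok = spf[0] == "pass" and aligned(
        spf[1], from_domain, policy.get("aspf") == "s")
    dkim_ok = any(
        result == "pass" and aligned(d, from_domain, policy.get("adkim") == "s")
        for result, d in dkim)
    if spf_ok or dkim_ok:
        return ("pass", "deliver")  # DMARC asks for no action; other filters still apply
    return ("fail", ACTIONS[policy["p"].lower()])

if __name__ == "__main__":
    # Constructed message: mail sent through a third-party platform that
    # authenticates its own domain, not the domain shown in From.
    print(evaluate("example.com",
                   ("pass", "bounces.esp.example.net"),
                   [("pass", "esp.example.net")],
                   "v=DMARC1; p=quarantine"))
```

The constructed message passes both SPF and DKIM yet fails DMARC, because neither authenticated domain matches the From domain.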

Authentication records at a glance

| Record | What It Does | What Breaks Without It |
| --- | --- | --- |
| SPF | Lists IP addresses authorised to send from your domain | Receiving servers cannot verify your sending source; higher spam risk and potential spoofing |
| DKIM | Cryptographically signs outgoing mail so recipients can verify it has not been altered | Emails may be modified in transit without detection; lower deliverability scores from major providers |
| DMARC | Tells receiving servers what to do if SPF or DKIM fail; generates authentication reports | No enforcement policy for authentication failures; no visibility into domain spoofing attempts |

Putting it together

A functioning cold email program has all of these layers in place before the first message is sent. Secondary sending domains registered and aged. SPF, DKIM, and DMARC configured correctly in DNS. Inboxes warmed for 3 weeks. Lead lists verified to remove invalid addresses. Sending volume capped per inbox per day.

When all of that is correct, a cold email looks to the receiving mail server exactly like any other professional business email. It lands in the inbox. The copy and targeting then determine whether it gets a reply. When any layer is missing, the copy never gets the chance to work.

Quick answers

How many sending domains do I need for cold email?

A common starting point is 10 to 20 sending domains with 1 inbox each, capped at 25 emails per working day per inbox. That gives you 250 to 500 sends daily while keeping risk distributed. As you scale, you add more domains rather than increasing per-inbox volume.

How long does inbox warmup take?

Three weeks. Warmup runs on a dedicated tool, completely separate from campaign sends. The campaign goes live only after warmup completes. Rushing warmup tends to produce inboxes with fragile reputations that degrade quickly under real sending load.

What happens if I skip authentication records?

Without SPF and DKIM, major providers like Gmail and Outlook assign your emails a lower trust score by default, and some will route them to spam or reject them outright. Without DMARC, you also have no visibility if someone spoofs your domain to send fraudulent email. All three records should be set before a domain sends a single outbound email.
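One way to check that the records are set and sane before a domain sends anything, as an added example that is not from the original article: a linter for the SPF and DMARC TXT strings a domain publishes. The function names and finding messages are constructed; records are passed in as strings, so the check makes no DNS queries.

```python
# Added example: lint published SPF and DMARC TXT records before sending.
# Records are passed in as strings, so no DNS queries are made.

# SPF terms that each cost one DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: multiple records, receivers return permerror")
    terms = [t.lower() for t in spf[0].split()[1:]]
    # Strip the qualifier, then cut at the first ':', '/' or '='.
    names = [t.lstrip("+-~?").replace("=", ":").replace("/", ":").split(":")[0]
             for t in terms]
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups, limit is 10")
    all_terms = [t for t, n in zip(terms, names) if n == "all"]
    if not all_terms and "redirect" not in names:
        findings.append("SPF: no 'all' mechanism, unlisted hosts get neutral")
    elif all_terms and all_terms[0] in ("all", "+all"):
        findings.append("SPF: '+all' authorises every host on the internet")
    return findings

def lint_dmarc(txt):
    if not txt:
        return ["DMARC: no record published"]
    parts = (p.partition("=") for p in txt.split(";") if p.strip())
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    if tags.get("v") != "DMARC1":
        return ["DMARC: v=DMARC1 tag missing"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= policy")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, failures are delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports not sent")
    return findings

if __name__ == "__main__":
    # Constructed sample records for a hypothetical sending domain.
    print(lint_spf(["v=spf1 include:_spf.example.net +all"]))
    print(lint_dmarc("v=DMARC1; p=none"))
```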