Forem: Sabo Nagy

The 5 Metrics That Predict Cold Email Domain Death (With Exact Thresholds)

Sabo Nagy — Wed, 08 Apr 2026 11:52:49 +0000

At enterprise cold email scale (100K+ emails per month), 10 to 20% of your active domains will burn every month. That's normal. The question is whether you detect it in time or find out two weeks later when your entire pipeline has dried up.

We manage 650K+ inboxes across Microsoft 365, Google Workspace, and SMTP for 1,500+ clients at MailDeck. Here are the five metrics we track per domain and the exact thresholds that trigger action.

1. Spam Complaint Rate

Where to check: Google Postmaster Tools, Microsoft SNDS

Zone	Threshold	Action
Safe	< 0.1%	Continue sending
Warning	0.1 - 0.3%	Reduce volume, review targeting
Pull domain	> 0.3%	Stop sending immediately

Google's sender guidelines explicitly flag senders above 0.3%. At that point, the domain's reputation is damaged and recovery takes weeks of zero sending. Pull it at 0.3%. Waiting for 0.5% or 1% means you've already wasted hundreds of emails landing in spam.

2. Bounce Rate

Where to check: Your sequencer dashboard (Instantly, Smartlead, etc.)

Zone	Threshold	Action
Safe	< 3%	Continue sending
Warning	3 - 7%	Audit your list verification
Pull domain	> 7%	Stop sending, verify all remaining leads

Prevention is the only real fix here. Verify every address through MillionVerifier or OmniVerifier before sending. At scale, even a 2% bad address rate compounds fast across thousands of emails per day.

3. Open Rate

Where to check: Your sequencer dashboard.

Zone	Threshold	Action
Safe	> 30%	Continue sending
Warning	10 - 30%	Investigate deliverability
Pull domain	< 10% for 7+ days	Domain reputation likely damaged

One bad day is not a signal. A full week below 10% is. Note that Apple Mail Privacy Protection inflates open rates by preloading images, so treat this as a directional signal. A sudden drop from 45% to 8% is meaningful regardless.

4. Reply Rate

Where to check: Your sequencer dashboard.

Zone	Threshold	Action
Healthy	> 4%	Copy and targeting are working
Investigate	2 - 4%	Could be copy, targeting, or deliverability
Domain issue	< 2% on one domain while others are fine	Likely a deliverability problem with that specific domain

4 to 5% is our baseline across clients. Reply rate is the hardest metric to act on because it blends multiple factors. Isolate by comparing the underperforming domain against your other domains running the same campaign.

5. Reputation Score

Where to check: Google Postmaster Tools, Microsoft SNDS

Google Postmaster rates reputation as High, Medium, Low, or Bad. Any domain hitting "Bad" should be pulled from sending immediately. Recovery from "Bad" is theoretically possible but takes weeks of zero sending, and some domains never fully recover.

Domain Rotation Math

Under active sending (3 to 5 cold emails per inbox per day), domains typically last 45 days to 2 months. Here's the reserve capacity you need:

Active Domains	Monthly Burns (10-20%)	Reserve Needed
10	1 - 2	2 - 3 ready
30	3 - 6	5 - 8 ready
50	5 - 10	8 - 12 ready
100	10 - 20	15 - 25 ready

Without warmed reserves, every burned domain means 7 to 10 days of lost capacity (purchase + DNS setup + 3 to 7 days warm-up). At 50+ active domains, you should be warming 5 to 12 new domains every month just to maintain capacity.

The Mistake That Cascades

Running identical templates across all domains. Same copy, same subject lines, same structure from 30 domains creates a fingerprint that email providers detect. When one domain gets flagged, the identical content fingerprint triggers flags on the others.

Fix: segment domains into independent groups. Each group gets its own template set, its own target audience segment, and its own sending schedule. Think of domain groups as independent businesses that share nothing detectable.

Quick Monitoring Setup

# Check domain reputation via command line
# SPF status
dig TXT yourdomain.com +short | grep "v=spf1"

# DMARC status
dig TXT _dmarc.yourdomain.com +short

# MX records exist
dig MX yourdomain.com +short

For automated daily monitoring across 50+ domains, set up alerts for:

Spam rate crossing 0.1% (warning) or 0.3% (action)
Bounce rate crossing 5% (warning) or 7% (action)
Open rate dropping below 20% (warning) or 10% (action)
Reputation change to Medium/Low (warning) or Bad (action)

All data based on Q1 2026 MailDeck platform metrics across 650K+ managed inboxes and 1,200+ domains.

Full operational guide with infrastructure planning calculator, all 6 mistakes that kill domain networks, and the complete monitoring stack: Read on maildeck.co

We Audited 1,000+ Cold Email Domains. 67% Had Broken DNS Authentication.

Sabo Nagy — Wed, 08 Apr 2026 11:50:49 +0000

If you manage domains for cold email, there is a good chance your DNS authentication is silently broken.

We audited DNS configurations across 1,000+ domains onboarded to MailDeck (we provide cold email infrastructure across Microsoft 365, Google Workspace, and SMTP for 1,500+ clients). Two thirds of those domains had at least one critical SPF, DKIM, or DMARC error before we fixed it.

The errors are silent. You won't see a bounce. You won't get an alert. Your emails just quietly move to spam and you have no idea why.

Here are the top 5 errors by frequency:

1. Multiple SPF records (23% of domains)

Someone adds an SPF record for Microsoft 365. Later, someone else adds a separate SPF record for a marketing tool. Now there are two v=spf1 records. Per RFC 7208, only one is allowed. Result: permerror, SPF fails.

# Wrong: two separate records
v=spf1 include:spf.protection.outlook.com -all
v=spf1 include:sendgrid.net -all

# Correct: merged into one
v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all

Check yours: dig TXT yourdomain.com +short | grep "v=spf1"

If you see more than one line, fix it now.

2. No DMARC record (19%)

SPF and DKIM configured. DMARC missing entirely. Without DMARC, receiving servers have no policy guidance for failed authentication. Add this immediately:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;

Then progress to p=quarantine after 2-4 weeks, then p=reject.

3. SPF ending with +all (14%)

This literally tells every server in the world "anyone can send email as my domain." There is no legitimate reason to use +all. Replace with -all.

4. Exceeding 10 DNS lookups (12%)

Each include: in your SPF record counts as a lookup. Nested includes count too. Over 10 total and SPF fails silently. Check with MXToolbox SPF Lookup.

5. DKIM never turned on (11%)

Both Microsoft 365 and Google Workspace require manual DKIM activation. It is not on by default. Verify by sending a test email to mail-tester.com.

Quick verification commands

# Check SPF
dig TXT yourdomain.com +short | grep "v=spf1"

# Check DMARC
dig TXT _dmarc.yourdomain.com +short

# Check DKIM (Microsoft 365)
dig CNAME selector1._domainkey.yourdomain.com +short

All three should return results. If any is empty, you have a problem.

At MailDeck we automate SPF, DKIM, and DMARC for every domain during our 48 hour onboarding, specifically because manual setup fails so often. But whether you use MailDeck or manage DNS yourself, these five errors account for 79% of all authentication failures we see.

Full guide with all 10 errors, setup checklists for Microsoft 365 and Google Workspace, and free verification tools: Read on maildeck.co