Most cold email deliverability problems trace back to 5 root causes: DNS misconfiguration, premature sending, domain reputation damage, warming issues, or provider blacklisting. This guide covers how to diagnose and fix each one. AI can now run the entire diagnostic tree in seconds — Winnr's Claude Code skills include 5 decision trees that encode the same reasoning experienced operators use.
The 5 Root Causes of Cold Email Deliverability Failures
After troubleshooting thousands of cold email deliverability issues, nearly every problem maps to one of these five categories. Identifying which one you're dealing with is the first step to fixing it.
1. DNS Misconfiguration (SPF, DKIM, DMARC)
Symptoms: Emails rejected outright (bounces), emails consistently landing in spam across all recipients, authentication failures in email headers.
This is the most common cause and the easiest to fix. Missing or misconfigured SPF, DKIM, or DMARC records tell receiving mail servers that your emails can't be verified as legitimate. Most providers will either reject the email entirely or route it straight to spam.
2. Sending Before Warming Completes
Symptoms: Good deliverability for the first few emails, then rapid decline. Sudden spike in spam placement after the first day or two of outreach.
New mailboxes have zero reputation. Sending 50 cold emails from a mailbox that's never sent anything before is one of the fastest ways to burn a domain. Email providers see a sudden burst of outbound volume from an unknown sender and flag it as suspicious.
3. Domain Reputation Damage
Symptoms: Gradual decline in inbox rates over days or weeks. All mailboxes on the same domain show similar decline. Warming metrics that were green turn yellow, then red.
Domain reputation is a cumulative score that major email providers (Gmail, Outlook, Yahoo) maintain for every sending domain. Once damaged, it affects every mailbox on that domain — not just the one that caused the problem.
4. Warming Stalled or Paused
Symptoms: No reputation being built. Health scores stuck at low values. Inbox rates not improving over time.
Warming works by gradually building a positive sending history. If warming is paused, misconfigured, or stalled due to technical issues, that reputation building stops. The mailbox sits idle, gaining nothing.
5. Provider or IP Blacklisting
Symptoms: Bulk rejection of emails (high bounce rates). Rejection messages mentioning specific blacklists. All mailboxes on the same server affected simultaneously.
If the IP address your emails originate from lands on a major blacklist (Spamhaus, Barracuda, SORBS), receiving servers will reject emails before they even look at your content or authentication. This affects everyone sharing that IP.
DNS Troubleshooting: The Foundation of Deliverability
DNS authentication is the foundation of email deliverability. If your DNS records are wrong, nothing else matters — warming, content, sending patterns — none of it will save you. Start every troubleshooting session here.
SPF (Sender Policy Framework)
What it does: SPF tells receiving mail servers which IP addresses and servers are authorized to send email on behalf of your domain. It's published as a TXT record on your domain.
How to check: Look up the TXT records for your domain. You should see exactly one record starting with v=spf1.
dig TXT yourdomain.com +short
What it should look like:
v=spf1 include:_spf.winnr.app ~all
Common mistakes:
- Multiple SPF records: You can only have one SPF TXT record per domain. If you have two (e.g., one for Winnr and one for Google Workspace), they must be merged into a single record with multiple include: directives.
- Missing include: If your SPF record doesn't include your email infrastructure provider's sending servers, emails will fail SPF checks.
- Too many DNS lookups: SPF has a 10-lookup limit. Each include: and a: directive counts. Exceeding this limit causes SPF to fail entirely.
- Using +all instead of ~all or -all: The +all directive means "allow everyone to send as this domain" — it completely defeats the purpose of SPF.
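The four mistakes above can be checked mechanically. The following is an added example, not Winnr's code: an offline SPF linter run over a constructed zone (every record in ZONE, including the contents of _spf.winnr.app, is made up for illustration). It goes slightly beyond the list by counting lookups recursively through includes and by counting the other lookup-causing terms RFC 7208 names (mx, ptr, exists, redirect).

```python
# Added example: offline SPF linter. ZONE is constructed sample data, not real DNS.
ZONE = {
    "good.example": ["v=spf1 include:_spf.winnr.app ~all", "site-verification=abc"],
    "dup.example": ["v=spf1 include:_spf.winnr.app ~all",
                    "v=spf1 include:_spf.google.com ~all"],
    "open.example": ["v=spf1 include:_spf.winnr.app +all"],
    "deep.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(6)) + " ~all"],
    "_spf.winnr.app": ["v=spf1 ip4:192.0.2.0/24 ~all"],
}
# Six includes that each include one more record: 12 lookups in total.
ZONE.update({f"s{i}.example": [f"v=spf1 include:t{i}.example ~all"] for i in range(6)})
ZONE.update({f"t{i}.example": [f"v=spf1 ip4:198.51.100.{i} ~all"] for i in range(6)})

LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def spf_records(domain, zone):
    """Return only the TXT values that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]


def count_lookups(domain, zone, path=frozenset()):
    """Count DNS-querying terms, following include:/redirect= recursively."""
    if domain in path:                      # include loop: stop descending
        return 0
    records = spf_records(domain, zone)
    if len(records) != 1:
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?").replace("=", ":", 1)
        name, _, arg = term.partition(":")
        name = name.split("/")[0]           # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(arg, zone, path | {domain})
    return total


def lint_spf(domain, zone, required_include=None):
    """Return a list of findings; an empty list means the record passed."""
    records = spf_records(domain, zone)
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        return [f"{len(records)} SPF records: merge into one"]
    findings = []
    terms = records[0].lower().split()[1:]
    if any(t in ("+all", "all") for t in terms):
        findings.append("+all authorizes any sender")
    elif not terms or terms[-1] not in ("~all", "-all"):
        findings.append("record does not end with ~all or -all")
    if required_include and f"include:{required_include}" not in terms:
        findings.append(f"missing include:{required_include}")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10")
    return findings


if __name__ == "__main__":
    for name in ("good.example", "dup.example", "open.example", "deep.example"):
        print(name, lint_spf(name, ZONE, "_spf.winnr.app") or "ok")
```

To run it against live data, replace ZONE with the TXT values returned by the dig command shown earlier.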
DKIM (DomainKeys Identified Mail)
What it does: DKIM adds a cryptographic signature to every outgoing email, proving it hasn't been tampered with in transit. The public key is published as a DNS record; the private key is held by your email server.
How to check: DKIM records are published at a specific selector subdomain. The selector depends on your provider.
dig TXT dkim._domainkey.yourdomain.com +short
Common mistakes:
- Wrong selector: If your provider uses selector dkim but you published the record under default._domainkey, DKIM verification will fail.
- CNAME vs TXT mismatch: Some providers expect a CNAME record pointing to their DKIM key server; others expect you to paste the full TXT value. Using the wrong type will cause silent failures.
- Missing record entirely: If the DKIM DNS record is missing, emails will be sent without a DKIM signature. Many providers treat unsigned emails as suspicious.
- Truncated key: DKIM public keys are long. Some DNS managers truncate values over 255 characters. If the key is cut off, verification fails.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
What it does: DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also enables reporting so you can see who's sending email as your domain.
How to check:
dig TXT _dmarc.yourdomain.com +short
Recommended policy for cold email:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Start with p=none while you're setting up and warming. This tells receivers to deliver emails even if authentication fails, while sending you aggregate reports. Move to p=quarantine after 2-4 weeks of clean sending. Only use p=reject once you're fully confident every legitimate sending source is properly authenticated.
Common mistakes:
- Jumping to p=reject too early: If any legitimate email source isn't properly aligned with SPF/DKIM, p=reject will silently drop those emails. Start with p=none.
- No DMARC record at all: While not strictly required, having no DMARC record reduces your authentication profile. Providers like Gmail increasingly expect it.
- Wrong record location: DMARC must be published at _dmarc.yourdomain.com, not at the root domain or any other subdomain.
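The truncated-key mistake from the DKIM section and the DMARC record shape described above can both be tested on the raw TXT value. This is an added example, not Winnr's code: GOOD_DKIM is a constructed record whose p= value is filler bytes behind a valid DER header (the same 294-byte size as a 2048-bit RSA public key), not a real key. The truncation check compares the length the DER header declares with the bytes actually present.

```python
# Added example: DKIM truncation and DMARC shape checks on raw TXT values.
import base64
import binascii

# Constructed sample, not a real key: DER SEQUENCE header + 290 filler bytes.
FILLER = bytes(range(256)) + bytes(34)
SAMPLE_DER = b"\x30\x82" + len(FILLER).to_bytes(2, "big") + FILLER
GOOD_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_DER).decode()


def parse_tags(record):
    """Split a 'k=v; k=v' DKIM/DMARC value into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = "".join(value.split())
    return tags


def check_dkim_key(record):
    """Return 'ok' or a description of what is wrong with the p= value."""
    tags = parse_tags(record)
    p = tags.get("p")
    if p is None:
        return "no p= tag"
    if p == "":
        return "empty p= (key revoked)"
    try:
        der = base64.b64decode(p, validate=True)
    except (binascii.Error, ValueError):
        return "p= is not valid base64 (likely truncated)"
    if tags.get("k", "rsa").lower() != "rsa":
        return "ok"                      # non-RSA keys are not DER-wrapped
    if len(der) < 4 or der[0] != 0x30:
        return "p= is not a DER public key"
    if der[1] < 0x80:                    # short-form length
        declared, header = der[1], 2
    else:                                # long-form: next n bytes hold the length
        n = der[1] & 0x7F
        declared, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if declared + header != len(der):
        return (f"truncated key: DER declares {declared + header} bytes, "
                f"record holds {len(der)}")
    return "ok"


def check_dmarc(record):
    """Return a list of findings for a DMARC TXT value."""
    tags = parse_tags(record)
    findings = []
    if not record.strip().lower().startswith("v=dmarc1"):
        findings.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be sent")
    return findings


if __name__ == "__main__":
    print(check_dkim_key(GOOD_DKIM))
    print(check_dkim_key(GOOD_DKIM[:255]))   # value cut at 255 characters
    print(check_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"))
```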
MX Records
What they do: MX records tell other mail servers where to deliver incoming email for your domain. Without valid MX records, your domain can't receive replies — and many providers check for MX records before accepting outbound email.
How to check:
dig MX yourdomain.com +short
Why they matter for cold email: If a receiving server can't verify that your domain can accept replies, it's a strong signal that the domain exists only for sending — a spam indicator. Always have valid MX records pointing to a real mail server.
Before sending a single email from any domain, verify all four records:
- SPF: One TXT record at the root domain starting with v=spf1, including your provider's sending servers, ending with ~all or -all
- DKIM: TXT or CNAME record at [selector]._domainkey.yourdomain.com with the correct public key or provider CNAME
- DMARC: TXT record at _dmarc.yourdomain.com with at minimum v=DMARC1; p=none
- MX: At least one MX record pointing to a valid mail server that can receive replies
Warming Metrics Interpretation: What the Numbers Mean
Warming dashboards show you numbers, but knowing what those numbers mean — and when to act on them — is what separates operators who maintain high deliverability from those who constantly fight fires.
Health Score (0-100)
The health score is a composite metric that factors in inbox placement rate, spam rate, bounce rate, and sending consistency. It's the single best indicator of a mailbox's overall deliverability.
- 80-100 (Green): Healthy. The mailbox is building positive reputation and is safe for outreach.
- 60-79 (Yellow): Warning. Something is trending in the wrong direction. Investigate before it gets worse.
- Below 60 (Red): Critical. The mailbox has deliverability problems that need immediate attention. Do not send cold outreach from this mailbox.
Inbox Rate
The percentage of warming emails that land in the recipient's primary inbox (not spam, not promotions).
- Above 90%: Target. The mailbox is performing well and is ready for outreach.
- 80-90%: Warning. Usable for cautious sending, but monitor closely. This often indicates early-stage reputation issues.
- Below 80%: Critical. Do not send cold email from this mailbox. Investigate DNS, content, and sending patterns.
Spam Rate
The percentage of warming emails that land in spam folders.
- Below 5%: Target. Normal variance — even well-configured mailboxes will occasionally hit spam.
- 5-10%: Warning. Something is off. Check DNS records, sending volume, and content patterns.
- Above 15%: Critical. The mailbox is being actively flagged by email providers. Pause sending and investigate.
Daily Volume (Expected Ramp-Up Curve)
Warming gradually increases sending volume to build reputation naturally. Expect roughly this progression:
- Day 1-3: 3-5 emails per day
- Day 4-7: 5-10 emails per day
- Day 8-14: 10-20 emails per day
- Day 15-21: 15-25 emails per day
- Day 21+: 20-30 emails per day (steady state)
If volume isn't increasing on this schedule, warming may be stalled or misconfigured.
Benchmark your mailboxes against these targets at each warming milestone:
- Day 7: Health score 65+, inbox rate 80%+, spam rate below 10%, volume 8-10/day
- Day 14: Health score 75+, inbox rate 85%+, spam rate below 7%, volume 15-20/day
- Day 21: Health score 85+, inbox rate 90%+, spam rate below 5%, volume 20-25/day — ready for outreach
Domain Reputation Recovery: Step-by-Step Protocol
If a domain's reputation is damaged — declining inbox rates, rising spam rates across multiple mailboxes — follow this recovery protocol. Acting quickly improves the odds of recovery.
Step 1: Pause All Sending and Warming (Immediately)
Stop all outbound email from every mailbox on the affected domain. This includes cold outreach campaigns and warming. Continuing to send while reputation is damaged only makes it worse.
Timeline: Do this within minutes of identifying the problem.
Step 2: Verify DNS Records
Rule out DNS misconfiguration as the cause. Check SPF, DKIM, DMARC, and MX records using the checklist above. If DNS is the root cause, fix it before proceeding — no amount of cooling down will help if your authentication is broken.
Timeline: 15-30 minutes to check and fix.
Step 3: Wait 72 Hours (Cool-Down Period)
Email providers need time to stop associating your domain with negative signals. A 72-hour cool-down period with zero outbound email lets the most recent negative data age out of real-time reputation calculations.
Timeline: 3 full days of no sending.
Step 4: Re-Enable Warming with Conservative Settings
After the cool-down, re-enable warming with the most conservative settings available:
- Daily limit: 5 emails per day (not the default)
- Ramp-up: Enabled (let volume increase slowly)
- Reply rate: Default or high (more replies = more positive signals)
You're essentially starting the warming process from scratch, but now the domain has some history (both good and bad) that you're trying to rehabilitate.
Timeline: 5 minutes to configure.
Step 5: Monitor Daily for 7 Days
Check warming metrics every day during the first week of re-warming. You're looking for:
- Health score trending upward (even slowly)
- Inbox rate stabilizing above 70%
- Spam rate declining below 10%
If metrics continue to decline during this period, move to Step 6.
Timeline: 7 days of daily monitoring.
Step 6: Decide — Continue Recovery or Retire the Domain
After 14 days of conservative re-warming, evaluate the results:
- Improving: Health score above 70, inbox rate above 80%. Continue warming for another 7 days before resuming outreach at low volume.
- Flat or declining: Health score below 60, inbox rate below 75%. The domain reputation is likely permanently damaged. Retire this domain and replace it with a new one.
Timeline: Decision point at day 14 after re-warming started.
How AI Changes Deliverability Troubleshooting
Troubleshooting cold email deliverability has historically been a manual, time-consuming process that requires expertise across DNS, email authentication, warming strategy, and provider-specific quirks.
Manual Troubleshooting
The traditional process looks like this:
- Log into your warming dashboard and check metrics for each mailbox
- Open a DNS lookup tool and check SPF, DKIM, DMARC, and MX records one by one
- Cross-reference warming metrics across multiple mailboxes to identify domain-level patterns
- Check blacklist databases manually
- Search forums and docs for your specific error patterns
- Formulate a fix and hope you diagnosed correctly
For a single domain, this takes 20-45 minutes. If you're managing 10+ domains, it can take an entire morning.
AI-Powered Troubleshooting
With Winnr's Claude Code skills, the entire diagnostic process is a single command:
/winnr troubleshoot domain.com
The AI runs the full diagnostic tree in seconds:
- Checks all DNS records (SPF, DKIM, DMARC, MX) in parallel
- Pulls warming metrics for every mailbox on the domain
- Identifies patterns across mailboxes (domain-level vs. mailbox-level issues)
- Checks for blacklisting and provider-specific issues
- Returns a prioritized list of issues with specific fix instructions
The diagnostic decision trees in Winnr's troubleshooting skills encode the same reasoning that experienced email infrastructure operators use. There are 5 decision trees covering: DNS configuration, Warming health, Deliverability patterns, Provisioning issues, and Sending failures. Each tree follows the same if-this-then-that logic a human expert would, but runs in seconds instead of minutes.
Common Scenarios and Fixes: Quick Reference
When you need a fast answer, use this reference table to map symptoms to causes and fixes:
| Symptom | Likely Cause | Fix | Timeline |
|---|---|---|---|
| Emails going to spam for all recipients | Missing SPF or DKIM records | Add the missing DNS records and wait for propagation | 24-48 hours |
| Inbox rate gradually dropping | Domain reputation damage | Pause all sending, cool down 72 hours, re-warm conservatively | 2-3 weeks |
| Warming not progressing past day 7 | Settings too aggressive or stalled | Reduce daily limit to 5, enable ramp-up, check for errors | 1-2 weeks |
| Mailbox creation failing | Domain DNS not fully propagated | Wait for DNS propagation to complete; verify MX records | 15-60 minutes |
| All mailboxes on one server declining | Server IP blacklisted | Check blacklists; contact provider for IP remediation | Varies (days to weeks) |
| Emails bouncing with 550 errors | SPF hard fail or DMARC reject | Fix SPF record; change DMARC to p=none temporarily | 1-24 hours |
| Good warming but poor campaign results | Content triggering spam filters | Review email content for spam trigger words, links, and formatting | Immediate |
Prevention Checklist: Avoid Problems Before They Start
The best deliverability troubleshooting is the kind you never have to do. Follow this checklist to prevent the most common issues:
- Verify all 4 DNS records before sending. Check SPF, DKIM, DMARC, and MX on every domain before enabling warming or sending a single email. This alone prevents the most common deliverability failure.
- Wait the full 14-21 days of warming before starting campaigns. Impatience is the second most common cause of deliverability problems. A mailbox needs at least 14 days of warming (ideally 21) before it's safe for cold outreach.
- Start campaigns at 20-30 emails per mailbox per day, not 50+. Even well-warmed mailboxes need a gradual ramp into campaign volume. Start conservative and increase over 2-3 weeks.
- Run deliverability health checks weekly. Don't wait for problems to become visible in campaign metrics. Check warming health scores and inbox rates at least weekly. With Winnr, this is a single command: /winnr health.
- Keep 3-5 mailboxes per domain. Distributing send volume across multiple mailboxes reduces the risk of any single mailbox being flagged. If one mailbox has issues, the others on the same domain provide cover while you investigate.
- Never send cold outreach from your primary brand domain. Use separate domains for cold outreach. If a cold email domain gets burned, your main business email (support@, sales@, invoices@) is unaffected.
- Monitor blacklists proactively. Don't wait for bounces to discover your IP is blacklisted. Regular checks catch problems before they impact campaigns.
- Rotate domains before they show decline. If you're sending at high volume, plan to rotate in fresh domains regularly rather than pushing existing ones past their limits.
Frequently Asked Questions
How long does DNS propagation take for cold email domains?
Most DNS changes propagate within 15 to 60 minutes for new records. However, if you're changing existing records (especially lowering TTLs), propagation can take up to 24-48 hours depending on cached records at receiving mail servers. For new domains set up through Winnr, MX, SPF, and DKIM records are typically active within 30 minutes since the records are created fresh with no cached values to expire.
Can a burned domain reputation recover?
Sometimes, but not always. If the damage is recent and limited — say you sent too aggressively for a few days — the recovery protocol above (pause, cool down, re-warm) works well. Success depends on the severity of the damage and how long the domain was sending with poor metrics. If inbox rates don't improve after 14 days of careful re-warming, the domain should be retired and replaced. New domains are cheap; fighting a permanently damaged reputation is expensive in time and lost opportunities.
What inbox rate is "good enough" to start sending cold email?
Target an inbox rate above 90% in your warming metrics before starting cold outreach. An inbox rate between 80-90% is marginal — you can send cautiously at low volume, but monitor closely and be prepared to pause if it drops. Below 80% means the mailbox needs more warming or has underlying issues that must be resolved first. Note that these thresholds apply to warming metrics. Campaign inbox rates will typically be 5-15% lower than warming rates due to the nature of cold outreach content.
Should I use p=reject in my DMARC policy for cold email?
Not initially. Start with p=none to collect reports without affecting delivery. This lets you see who's sending email as your domain (including any legitimate sources you might not have accounted for). After 2-4 weeks of monitoring reports and confirming that all sending sources are properly aligned, move to p=quarantine. Only escalate to p=reject when you're fully confident every legitimate email from your domain passes SPF and DKIM. A premature p=reject policy can silently drop your own legitimate emails.
How many emails per day is safe per mailbox for cold outreach?
Start with 20-30 per mailbox per day for the first week of outreach (after warming is complete). You can gradually increase to 40-50 per day over the following 2-3 weeks if inbox rates remain above 90%. Sending more than 50 per mailbox per day significantly increases the risk of triggering spam filters, even on well-warmed mailboxes. The better strategy is to distribute volume across more mailboxes and domains rather than pushing higher volume through fewer mailboxes.
How does AI troubleshoot cold email deliverability differently?
Manual troubleshooting requires checking DNS records one by one, logging into dashboards, cross-referencing metrics across mailboxes, and searching forums for answers. AI-powered troubleshooting runs the entire diagnostic decision tree in seconds — checking DNS, warming status, reputation signals, and blacklists in parallel, then returning a prioritized list of issues with specific fix instructions. Winnr's Claude Code skills include 5 diagnostic decision trees (DNS, Warming, Deliverability, Provisioning, Sending) that encode the same reasoning experienced operators use.
Automate Your Deliverability Monitoring
Stop checking DNS records by hand and scrolling through warming dashboards. Winnr's AI-native tools handle the diagnosis so you can focus on the fix:
- Claude Code Skills — 5 diagnostic decision trees for DNS, warming, deliverability, provisioning, and sending issues
- MCP Server — 37 tools for managing domains, mailboxes, warming, and inbox from any AI assistant
- Email Warming — automated reputation building with real-time health monitoring
- Sign up for Winnr — free tier available, set up your first domain in 5 minutes