How to Set Up Domains for Cold Email

Why You Need Separate Sending Domains

Never send cold outreach from your primary business domain. If your company operates on acme.com, your cold emails should come from a different domain entirely. The reason is risk containment, and the consequences of skipping this are serious enough to understand before setting anything up.

Cold email, even when done correctly, generates higher bounce rates and complaint rates than transactional or internal email. If those rates damage the reputation of your primary domain, every email your company sends is affected: invoices, customer support replies, onboarding sequences, password resets. Google Postmaster Tools tracks domain reputation at the domain level, which means a deliverability problem caused by cold email campaigns shows up as a domain health issue that applies to your entire email operation on that domain.

The second reason is recovery time. If a sending domain gets blacklisted or develops a poor reputation, you can replace it — delist it, age a new domain, and move on. If your primary domain gets blacklisted, recovery takes weeks of clean sending behavior, and during that period your legitimate business email is compromised.

A third consideration: recipients who receive cold email from your primary domain and mark it as spam are registering a complaint against the same domain that sends order confirmations and support responses. Isolation keeps complaint signals from cold campaigns away from the reputation of your core communication domain.

How to Choose Sending Domains

Pick domains that are clearly related to your brand but distinct from your primary domain. If your company is acme.com, good options include acme.co, tryacme.com, acmehq.com, getacme.com, or acmemail.com. The domain should be recognizable as connected to your company — a recipient who checks the sender domain should understand who you are without looking anything up.

On TLDs: .com is the safest choice. .co is widely accepted and readable. Avoid .xyz, .info, .online, and similar low-cost TLDs — they are disproportionately used for spam and carry a negative bias with some filters that adds friction you do not need.

On registrars: use Namecheap, Cloudflare Registrar, or Squarespace Domains (formerly Google Domains). Before registering, check the domain history with a WHOIS lookup or a tool like DomainTools — previously registered domains may carry existing reputation, positive or negative.

On how many domains to run by volume: under 100 emails per day, one to two domains with two mailboxes each is enough. At 100-500 per day, run three to four domains with two to three mailboxes each. At 500-2,000 per day, plan for five or more domains across multiple providers. Above 2,000 per day, add Amazon SES as a parallel sending channel alongside your mailbox accounts. Buy at least two domains before you start — running on a single domain means a single point of failure. If that domain develops a reputation problem, your outreach stops while you wait for recovery or spin up a replacement.

DNS Setup Step by Step

Configure all four DNS record types before creating mailboxes or starting warmup. DNS changes can take up to 48 hours to propagate fully.

MX records tell mail servers where to deliver email addressed to your domain. Even if your sending domains receive few replies, MX records must be configured — receiving servers use their presence to validate that the domain is set up as a real mail-capable domain. Your email provider supplies the MX record values when you add the domain to their service.

SPF is a TXT record published at the root of your domain listing which mail servers are authorized to send on its behalf. One record per domain only — multiple SPF records cause a PermError that fails authentication. Provider-specific values: Google Workspace uses v=spf1 include:_spf.google.com ~all, Microsoft 365 uses v=spf1 include:spf.protection.outlook.com ~all, Zoho uses v=spf1 include:zoho.com ~all. For SES with a custom MAIL FROM subdomain, publish v=spf1 include:amazonses.com ~all on that subdomain. The ~all qualifier is a soft fail — use -all only once you have DMARC at p=reject and are confident no legitimate mail paths are missing from the record.

DKIM adds a cryptographic signature to outgoing messages that receiving servers verify using a public key in your DNS. Your provider generates the records. Google Workspace: generate a 2048-bit key in the Admin Console under Apps > Google Workspace > Gmail > Authenticate email, then publish the resulting TXT record. Microsoft 365: enable DKIM in the Defender portal under Email and Collaboration > Policies, and publish the two CNAME records Microsoft provides. Amazon SES: Easy DKIM generates three CNAME records automatically when you verify your domain — add all three.

DMARC ties SPF and DKIM together and sets enforcement policy. Publish a TXT record at _dmarc.yourdomain.com. A safe starting record: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Start at p=none (monitor only) while you confirm authentication is passing in aggregate reports. Once reports confirm SPF and DKIM are both passing consistently, move to p=quarantine. After two to four weeks of clean quarantine results with no legitimate mail being filtered, move to p=reject. The rua= tag routes aggregate reports to an inbox — configure a real address you will check, or use a free tool like Postmark DMARC Digests to parse the XML into readable summaries.

Mailbox Setup

Three providers are practical for cold email sending mailboxes.

Google Workspace costs $6 per mailbox per month (Business Starter). DKIM is configured in the Admin Console and managed automatically after setup. Google's sending reputation is well established, and Gmail-to-Gmail delivery is reliable. The daily sending limit via SMTP is 2,000 — far above the 30-50 per day you should be sending per account for cold email. Google Workspace is the most reliable baseline choice for most teams.

Microsoft 365 costs $6 per mailbox per month (Business Basic). Uses Exchange Online. DKIM setup is done through the Microsoft Defender portal. If a significant portion of your prospects use Microsoft 365 email, Outlook-sourced cold email can perform well for delivery since you are sending through the same infrastructure your recipients use. Microsoft accounts have generous daily limits for the volumes cold email requires.

Zoho Mail starts around $1 per mailbox per month on the Mail Lite plan. Significantly cheaper than Google or Microsoft, which makes it useful for running a larger number of mailboxes on a constrained budget. Zoho's sending reputation is less established, which can slightly affect placement with some filters. Best used as a supplementary provider alongside Google Workspace accounts rather than as a primary provider for a new domain.

Regardless of provider: create two to four mailboxes per domain using real names (first.last@yourdomain.com or first@yourdomain.com). Fill in the display name and a profile photo for each account — these details appear in email headers and affect both filter evaluation and recipient trust. Plan for 30-50 cold emails per mailbox per day as the sustainable ceiling. To scale volume, add mailboxes and domains rather than pushing single accounts past safe limits.

Pre-Launch Checklist

Run through these before the first campaign send on any new domain.

DNS validation. Send a test email to a Gmail address and check the original message headers. SPF, DKIM, and DMARC should all show "pass." Alternatively, run your domain through MxToolbox's email health checker. Any failure needs to be resolved before sending.

Website live with SSL. Confirm the sending domain loads a real page over HTTPS. A redirect to your primary domain is sufficient. Confirm MX records are resolving — use dig MX yourdomain.com or MxToolbox.

Warmup running for at least two weeks. New mailboxes need warmup before any cold campaign traffic. Inbox placement during warmup should be above 90% consistently before you start sending to real prospects. Do not shortcut this — warmup placement tells you whether your infrastructure is working correctly.

DMARC report inbox configured. Confirm the rua= address in your DMARC record is a real inbox you will check. If aggregate reports show any legitimate mail failing authentication after your campaign starts, you need to know quickly.

Test batch before full campaign. Send 10-20 emails to a small segment before scaling the full campaign. Check placement manually — confirm they land in inbox rather than spam — before increasing volume. A small test batch catches infrastructure issues that DNS checks alone will not surface.

How EmailQo Helps with Domain Setup

EmailQo connects to mailboxes on any domain through Gmail, Outlook, Zoho, or Amazon SES. When you add a sending account, pre-send checks validate that SPF, DKIM, and DMARC are correctly configured on that domain. If any record is missing or misconfigured, the check flags it before your first campaign goes out. Built-in warmup is included on every plan, so you can start building reputation on new mailboxes immediately after setup.

Related Resources

• SPF Setup Guide for Cold Email Senders
• DKIM Setup for Amazon SES | Step by Step
• DMARC Setup Guide for Cold Email Senders
• Cold Email Deliverability Guide 2026 | Own Infrastructure Approach