Quick Answer

Cold email infrastructure is the sending system behind outreach: 3-5 secondary domains (never your root domain), 2-3 mailboxes per domain, SPF/DKIM/DMARC aligned on every domain, 14-30 days of warmup, verified prospect lists, and a sequencer rotating sends at 20-30 per mailbox per day. Built correctly, it scales linearly; skip a layer and you burn domains.

Cold Email Infrastructure: The Complete Setup Guide for Serious Outreach

By Braedon · Mailflow Authority · Cold Email Infrastructure · Updated 2026-06-10 · Reviewed 2026-06-10

Cold email infrastructure is the sending system underneath your outreach: secondary domains isolated from your brand, two to three mailboxes per domain, SPF/DKIM/DMARC aligned on every domain, 14-30 days of warmup, verified prospect lists, and a sequencer that rotates sends at 20-30 per mailbox per day. That's the whole architecture in one sentence. The rest of this guide is how to build each layer so it survives contact with Gmail and Microsoft in 2026 — and what to do when a domain degrades anyway.

Infrastructure, Not Copy, Decides Cold Email Results

If your email lands in spam, no subject line test will save it. The campaign failed before the first word was read.

Here's the pattern I see over and over in audits: a funded startup hires its first SDRs, points them at the company domain or one hastily bought lookalike, and starts sending the day the sequences are written. Most of those teams burn their first sending domain within 90 days. Replies dry up, someone blames the messaging, the team rewrites copy for three weeks, and the actual problem — a domain reputation that already cratered — never gets touched.

Copy determines whether a delivered email gets a reply. Infrastructure determines whether it gets delivered. Those are sequential gates: delivery comes first, and the reply gate never opens if the delivery gate is shut. Decent copy on healthy infrastructure beats brilliant copy on a burned domain every single time.

The full stack, top to bottom:

  1. Domains — dedicated secondary domains, isolated from your brand
  2. Mailboxes — real inboxes on Google Workspace, Microsoft 365, or a dedicated provider
  3. Authentication — SPF, DKIM, and DMARC, aligned, on every sending domain
  4. Warmup — building reputation for 14-30 days before real outreach
  5. Sequencer — rotation, caps, and tracking configuration
  6. List quality — verification before a single send
  7. Monitoring — reputation dashboards, blocklist watch, and an incident playbook

Skip any layer and the others can't compensate. Now, layer by layer.

The Architecture: Domains, Mailboxes, and Providers

Secondary Domains — Never Your Root

Cold email gets marked as spam sometimes. Even well-targeted, compliant outreach generates the occasional complaint, hits the occasional spam trap, trips the occasional filter. That's not failure; it's the baseline cost of unsolicited contact. The architectural question is where that damage lands.

If you send from your root domain, every complaint degrades the reputation that your invoices, password resets, customer support, and investor updates depend on. One blocklist entry and your whole company's email is compromised. Send from secondary domains and the worst case is losing a $12 asset you replace in an afternoon. This is blast-radius isolation, the same logic as separating production from staging — you never run experiments on the system that has to keep working.

Domain Naming and Registration

Buy 3-5 domains that plausibly resemble your brand:

  • getyourbrand.com
  • tryyourbrand.com
  • yourbrand-hq.com
  • yourbrandapp.com

Stick to .com. Cheap TLDs like .xyz, .online, and .top are overrepresented in spam corpora, and filters know it. Register at a mainstream registrar (Cloudflare, Namecheap, Porkbun), keep WHOIS consistent with your company, and put a simple one-page site on each domain that redirects or links to your main site — a parked domain sending outbound email is a filter signal, and prospects who type the domain into a browser should land somewhere real.

The Mailbox Math

Create 2-3 mailboxes per domain — no more. Mailboxes on the same domain share its reputation, so stacking ten inboxes on one domain just concentrates risk without adding safe capacity.

The per-mailbox number that actually holds up in 2026: 20-30 cold sends per mailbox per day, with 50 as the hard ceiling for mature, fully warmed mailboxes. Yes, you'll find people running hotter. They're also the ones rebuying domains every quarter.

The math compounds simply from there:

  • 1 mailbox × 25/day = 25 sends/day
  • 1 domain (3 mailboxes) = ~75/day
  • 1 SDR at 150 sends/day = ~6 mailboxes across 2-3 domains
  • A 4-SDR team at 600/day = ~24 mailboxes across 8-10 domains

That last line surprises founders every time. A modest outbound team needs a small fleet of domains, provisioned and warmed before the SDRs start, not after the first domain dies.

Make each mailbox look like a person, because filters and prospects both check: real first/last names, profile photos, signatures, a sensible display name. [email protected], not [email protected].

Provider Choice: Google, Microsoft, or Dedicated

Three realistic options for hosting the mailboxes:

Google Workspace ($6-12/user/month) is the default for B2B outreach. Best baseline inbox placement at Gmail-hosted targets — which, given Google Workspace's market share in tech, is most of them if you sell to startups. Tooling support is universal.

Microsoft 365 ($6-22/user/month) makes sense when your prospect list is Outlook-heavy enterprise. Be aware that Microsoft has tightened abuse enforcement on new tenants in recent years; fresh M365 tenants doing cold outreach get suspended more readily than Workspace accounts, so ramp conservatively.

Dedicated cold email providers (Maildoso, Infraforge, Mailscale, and similar) sell pre-configured domains plus mailboxes purpose-built for outbound, typically at $2-4/mailbox/month — a fraction of Workspace pricing once you're past 20-30 mailboxes. The trade: you're on infrastructure whose IP reputation is shared with other cold emailers of varying discipline, and quality varies meaningfully between providers. My take: start on Google Workspace while you're proving the motion, and consider dedicated providers as a cost layer once you're scaling past ~1,000 sends/day and can monitor placement closely enough to catch a bad provider fast.

One thing that is not an option: SMTP relay services. Mailgun, SendGrid, and AWS SES are excellent transactional infrastructure, and all three explicitly prohibit cold outreach in their acceptable use policies — they will terminate your account when complaints spike. Cold email needs real two-way mailboxes that receive replies, not a relay.

Authentication: SPF, DKIM, DMARC — Aligned, on Every Domain

This stopped being optional in February 2024, when Google and Yahoo began enforcing their bulk sender requirements: SPF and DKIM, a DMARC policy, an aligned From domain, one-click unsubscribe for bulk senders, and spam complaint rates under 0.3%. Microsoft followed with matching requirements for Outlook consumer domains in 2025. The thresholds formally target senders of 5,000+ messages/day, but in practice unauthenticated mail now gets junked or rejected at any volume. Authentication is table stakes; what it buys you is a chance at the inbox, not a guarantee.

Every sending domain needs all three records:

SPF — authorizes your provider to send for the domain:

v=spf1 include:_spf.google.com -all

(Swap the include for Microsoft's or your provider's. One SPF record per domain, ever — duplicates invalidate both.)

DKIM — cryptographically signs each message. Generate a 2048-bit key in your provider's admin console and publish the TXT record it gives you (for Google Workspace, at google._domainkey.yourdomain.com). Critically, DKIM must sign with your domain, not the provider's default — that's what makes it align.

DMARC — tells receivers what to do when SPF/DKIM fail, and gets you reporting:

v=DMARC1; p=none; rua=mailto:[email protected]

Start at p=none, watch the aggregate reports for 4-6 weeks, then advance to p=quarantine and eventually p=reject once everything passes cleanly. The full progression is in my DMARC setup guide.

Alignment is the detail most teams miss: DMARC passes only when the domain in the visible From header matches the domain that SPF or DKIM validated. Misconfigured sequencer settings break alignment silently — your dashboard shows "sent," receivers see an authentication failure. Check the DMARC reports; that's what they're for.
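One way to find silent alignment breaks in a DMARC aggregate (rua) report, as an added example that is not part of the original guide: it flags sources where SPF or DKIM passed, but only for a domain that does not align with the From header. The sample report, its domains and IPs are constructed, and the two-label organizational-domain rule is a simplifying assumption.

```python
import xml.etree.ElementTree as ET  # for third-party reports, prefer defusedxml

# Constructed sample aggregate report (RFC 7489 element layout, trimmed).
# All domains and IPs are placeholders, not taken from the page.
SAMPLE_REPORT = """<feedback>
  <policy_published>
    <domain>getyourbrand.example</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count></row>
    <identifiers><header_from>getyourbrand.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>getyourbrand.example</domain><result>pass</result></dkim>
      <spf><domain>getyourbrand.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>25</count></row>
    <identifiers><header_from>getyourbrand.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>sequencer-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.sequencer-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def org_domain(name):
    # Assumption: organizational domain = last two labels. Production code
    # should resolve this with the Public Suffix List instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    a, b = header_from.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def misaligned_sources(report_xml):
    """Return sources where SPF/DKIM passed but no passing domain aligned with From."""
    root = ET.fromstring(report_xml)
    adkim = root.findtext("policy_published/adkim", default="r")
    aspf = root.findtext("policy_published/aspf", default="r")
    findings = []
    for rec in root.iter("record"):
        header_from = rec.findtext("identifiers/header_from")
        passes = []  # (mechanism, authenticated domain, aligned with From?)
        for mech, mode in (("dkim", adkim), ("spf", aspf)):
            for res in rec.findall(f"auth_results/{mech}"):
                if res.findtext("result") == "pass":
                    dom = res.findtext("domain")
                    passes.append((mech, dom, aligned(header_from, dom, mode)))
        # "Sent" on the dashboard, DMARC failure at the receiver: auth passed,
        # but only for someone else's domain.
        if passes and not any(ok for _, _, ok in passes):
            findings.append({
                "source_ip": rec.findtext("row/source_ip"),
                "count": int(rec.findtext("row/count")),
                "header_from": header_from,
                "passed_but_unaligned": [(m, d) for m, d, _ in passes],
            })
    return findings


if __name__ == "__main__":
    for f in misaligned_sources(SAMPLE_REPORT):
        print(f)
```
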

Warmup: The 14-30 Days You Can't Skip

A fresh domain has no sending history. To Gmail's filters, no history plus sudden volume equals exactly one pattern: spammer who just bought a domain. Warmup exists to write a different history before your first real send.

Warmup tools (built into Instantly and Smartlead; standalone options like Warmbox and Mailreach run $19-25/mailbox/month) exchange emails between your mailboxes and a peer network, generating opens, replies, and rescues from the spam folder. The good ones tier the engagement — heavy positive signals early, tapering to a maintenance trickle as your real sending takes over.

The schedule I run on every new mailbox:

Days     Warmup activity
1-3      5-10 warmup emails/day, no cold sends
4-10     Ramp to 20-30 warmup emails/day, no cold sends
11-21    Hold steady; mailbox builds reply history, no cold sends
22+      Begin cold sends at 10-15/day, warmup continues at reduced volume
35+      Cold sends at 20-30/day, warmup at maintenance level

Fourteen days is the floor; 21-30 is better, and domains destined for higher volume should get the full month. Keep warmup running at low volume after real sending starts — cold email's engagement profile (low opens, few replies) needs the offset.

Two honest caveats. First, warmup networks technically simulate engagement, which sits in a gray zone of Gmail's spam policies — Google has signaled it can detect crude simulation, which is one more reason to favor gradual schedules over aggressive ones. Second, warmup is not a shield. It builds enough reputation to start; only real sends to a clean, engaged list sustain it. Full ramp schedules and tool specifics are in my domain warmup guide.

What happens when teams skip this? I've audited a setup where the team burned through 12 domains in six months — buy domain, create mailbox, send 200 emails on day one, domain dead within a week, repeat. Over $1,200 in wasted Workspace seats and domains, plus six months of pipeline that never existed, all to avoid a three-week wait.

Sequencer Configuration

The sequencer — Instantly, Smartlead, Apollo, lemlist — is the control plane. It holds your mailbox fleet, rotates sends across it, and enforces the caps. Instantly and Smartlead are the purpose-built infrastructure choices (warmup, rotation, and unified inbox included — my head-to-head comparison covers the differences). Apollo bundles a sequencer with its prospect database, which is convenient but gives you less granular sending control; lemlist leads on personalization features. Architecturally they all do the same job, and configuration matters more than brand:

Inbox rotation on, always. The sequencer should distribute each campaign across every connected mailbox so no single account carries the load. This is the mechanism that makes the mailbox math work.

Hard daily caps per mailbox. Set 20-30 for cold sends and don't let campaign deadlines override it. The sequencer will happily send 200/mailbox/day if you tell it to; it's your reputation, not theirs.

Custom tracking domains. Open and click tracking routes links through a tracking domain, and the default is a domain shared with every other customer — when it lands on a blocklist (it will), you inherit the penalty. Set up a CNAME like track.yourdomain.com per sending domain. Better yet, consider disabling open tracking entirely: the pixel adds a spam signal and the data is unreliable anyway.

Humanized sending. Randomized intervals between sends, business-hours windows in the prospect's timezone, plain-text emails. No HTML templates, no images, no five-link signatures.

Spintax or per-mailbox variation. Identical bodies sent from 24 mailboxes cluster instantly in filter analysis. Vary openings, phrasing, and signatures across mailboxes.

List Quality: Verification Is Not Optional

Mailbox providers read your bounce rate as a direct measure of whether you know who you're emailing. A sustained bounce rate above 2-3% doesn't read as bad luck — it reads as negligence: a sender who scraped a list and didn't bother checking it. The penalty lands on the whole domain.

So: nothing enters the sequencer unverified. Run every list through ZeroBounce, NeverBounce, or MillionVerifier ($0.001-0.005 per address — the cheapest insurance in this entire stack), then:

  • Keep only "valid" results. Discard unknowns.
  • Strip catch-all domains. They accept everything, verify as deliverable, and hide both dead addresses and traps. If the segment is valuable, route catch-alls to a separate low-volume campaign on a domain you can afford to lose.
  • Strip role addresses (info@, sales@, admin@) — high complaint rates, low reply rates.
  • Refresh every 90 days. B2B contact data decays as people change jobs; a list that verified clean in January bounces in June.

Spam traps deserve specific fear. Pristine traps are addresses that never belonged to a human, planted where scrapers harvest. Recycled traps are abandoned mailboxes that providers resurrected as tripwires. Neither bounces — they accept your mail and silently report you. Verification catches some recycled traps via inactivity signals; the only real defense against pristine traps is sourcing lists from reputable databases instead of scraping, and never buying bulk lists.

Monitoring and Incident Response

You cannot manage reputation you can't see, and your sequencer dashboard does not show it. Sent ≠ delivered ≠ inboxed.

The instrument panel:

  • Google Postmaster Tools — domain reputation, spam complaint rate, and a compliance dashboard for the 2024 requirements, straight from Gmail. Free, takes ten minutes to verify each domain, and it's the closest thing to ground truth for the provider that matters most. Setup details in my Postmaster Tools guide.
  • Microsoft SNDS — IP-level reputation data, relevant when you control your sending IPs (dedicated providers or self-hosted). On Workspace/M365 you don't, so Postmaster Tools plus bounce-message forensics carry more weight.
  • Blocklist monitoring — weekly automated checks of every sending domain against Spamhaus DBL, SURBL, and URIBL (domain lists matter more than IP lists for this architecture). MXToolbox or your monitoring tool of choice.
  • Sequencer metrics, daily — bounce rate (under 2%), reply rate (1-5% baseline), complaint signals. A reply-rate cliff is usually the first visible symptom of placement loss.

When a domain degrades — reputation drops in Postmaster Tools, bounces spike, or replies flatline — run the playbook in order:

  1. Pause all campaigns on that domain immediately. Every additional send digs the hole deeper.
  2. Diagnose: check blocklists, DMARC reports for auth failures, recent list quality, and whether someone quietly raised the volume caps. It's almost always one of those four.
  3. Delist where you're listed — Spamhaus and most major lists have removal processes that work once you've fixed the cause.
  4. Rotate the affected domain's volume onto healthy domains (this is why you keep ~20% spare warmed capacity) and rest it for 2-4 weeks.
  5. Re-ramp the rested domain through an abbreviated warmup, starting at day-one volumes. If reputation won't recover after a full cycle, retire it; replacement costs $12 and three weeks.

When teams come to me with "deliverability problems," the fix is almost never copy. It's one of: per-mailbox volume too high, warmup skipped, an unverified list, or sending from a domain that handles other traffic. Audit those four before touching a subject line.

Scaling: 0 → 1,000 → 10,000 Sends a Day

What the architecture looks like at each volume tier:

Target Volume    Domains    Mailboxes    Daily Capacity     Rough Monthly Cost
5,000/month      3          6-9          240-450/day        $80-150
10,000/month     5          10-15        500-750/day        $200-350
20,000/month     8          16-24        800-1,200/day      $350-600
50,000/month     15+        30-45        1,500-2,250/day    $900-1,500+

Costs cover domains, mailboxes, sequencer, and warmup; verification is additional. The capacity column assumes the 50/day ceiling on mature mailboxes — run the 20-30 band on anything younger than two months and treat the gap as headroom, not a target.

The architecture is identical at every tier; what changes is the operational discipline:

0 → 300/day (one SDR or founder-led). Three domains, manual everything. Your risk is impatience — compressing warmup because pipeline pressure is real.

300 → 1,000/day (small team). 5-10 domains. Monitoring has to become automated — you can no longer eyeball every mailbox daily. Domain provisioning becomes a rolling process: plan for 25-30% domain churn per year, which means new domains entering warmup continuously, not reactively after something burns. Keep ~20% warmed spare capacity for incident rotation.

1,000 → 10,000/day (scaled team or agency-grade). 30+ domains, 100+ mailboxes. At this tier you need tooling for DNS automation (templated SPF/DKIM/DMARC on every new domain), dashboard aggregation across Postmaster Tools properties, and dedicated providers usually enter the cost equation. The failure mode shifts from "burned a domain" to "burned ten domains the same way simultaneously" — because at scale, a bad list or a bad cap change hits the whole fleet at once. Stagger changes; never roll a new list or volume policy to every domain on the same day.

When scaling volume, double every 2-3 days at most. A 10x jump in a week is the signature move of every burned fleet I've audited.

When AI SDR Agents Are Doing the Sending

The newest failure mode I get called about: teams wiring up AI SDR agents — Clay-to-sequencer pipelines, autonomous prospecting tools, agent frameworks plugged into Instantly's API — on infrastructure sized for humans.

Nothing about the physics changes. Gmail doesn't care whether a human or an agent clicked send; the per-mailbox limits, warmup requirements, and bounce thresholds are identical. What changes is that the natural rate-limiter disappears. A human SDR gets tired, gets distracted, plateaus around 100-150 sends a day. An agent will happily generate 4,000 sends the moment the list is ready, and your infrastructure either absorbs that or dies in an afternoon.

So the rules become code instead of habit:

  • Hard caps enforced at the infrastructure layer, not in the agent's prompt. The sequencer's per-mailbox limit is the backstop; never rely on the agent to self-throttle.
  • Provision ahead of the agent. Capacity has a three-week warmup lead time; agents scale in minutes. Build the fleet for the volume you intend before the agent exists.
  • Verification in the pipeline, not as a manual step an automated workflow can skip. The list API call comes before the send API call, every time.
  • Automated circuit breakers: if bounce rate crosses 2% or Postmaster reputation drops, the domain pauses programmatically — because nobody is watching the dashboard at 2 a.m. when the agent is sending.
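A sketch of those rules as a gate that sits between the agent and the send API, added here as an example and not taken from the guide or from any sequencer's API. The class and method names, the MIN_SAMPLE floor and the addresses are assumptions; the Postmaster reputation trigger and the daily counter reset are left out to keep it to one core case.

```python
from dataclasses import dataclass, field

MAILBOX_DAILY_CAP = 30    # upper end of the guide's 20-30 cold sends/mailbox/day band
BOUNCE_TRIP_RATE = 0.02   # the guide's circuit-breaker threshold: 2%
MIN_SAMPLE = 50           # assumption: do not judge a bounce rate on fewer sends


@dataclass
class DomainState:
    sent: int = 0
    bounced: int = 0
    paused: bool = False
    per_mailbox: dict = field(default_factory=dict)


class SendGate:
    """Hypothetical policy layer. The agent asks; it cannot raise caps or unpause."""

    def __init__(self, verified_addresses):
        # Only addresses that came back "valid" from list verification.
        self.verified = set(verified_addresses)
        self.domains = {}

    def _state(self, mailbox):
        # Reputation is shared per sending domain, so state is keyed by domain.
        return self.domains.setdefault(mailbox.split("@", 1)[1], DomainState())

    def authorize(self, mailbox, recipient):
        """Return (allowed, reason). A send is counted only when allowed."""
        st = self._state(mailbox)
        if st.paused:
            return False, "domain_paused"
        if recipient not in self.verified:
            return False, "recipient_unverified"
        if st.per_mailbox.get(mailbox, 0) >= MAILBOX_DAILY_CAP:
            return False, "mailbox_cap_reached"
        st.per_mailbox[mailbox] = st.per_mailbox.get(mailbox, 0) + 1
        st.sent += 1
        return True, "ok"

    def record_bounce(self, mailbox):
        """Feed bounces back in; trips the breaker for the whole domain."""
        st = self._state(mailbox)
        st.bounced += 1
        if st.sent >= MIN_SAMPLE and st.bounced / st.sent > BOUNCE_TRIP_RATE:
            st.paused = True  # stays paused until a human clears it
        return st.paused


if __name__ == "__main__":
    gate = SendGate({"lead@prospect.example"})
    print(gate.authorize("ana@getyourbrand.example", "lead@prospect.example"))
    print(gate.authorize("ana@getyourbrand.example", "scraped@unknown.example"))
```
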

I've written up the full architecture for this — agents, data layer, sequencer, and infrastructure as one system — in my GTM email infrastructure stack guide.

The 4-Week Setup Timeline

Week 1 — Foundation. Buy 3-5 domains. Set up Google Workspace (or your chosen provider) with 2-3 mailboxes per domain. Publish SPF, DKIM, and DMARC on every domain and confirm alignment with a test send. Profile photos, signatures, one-page sites, custom tracking domains. Connect every mailbox to warmup. Verify each domain in Google Postmaster Tools.

Weeks 2-3 — Warmup. Let it run. No cold sends. Use the time to verify prospect lists, build sequences, and configure the sequencer: rotation on, caps set, sending windows defined. Check DMARC reports for alignment problems while the stakes are zero.

Week 4 — Ramp. Connect mailboxes to the sequencer. Start at 10-15 cold sends/mailbox/day with warmup still running. Watch bounce rate and replies daily. Ramp toward 20-30/mailbox/day over the following two weeks if metrics hold: bounces under 2%, no blocklist hits, reputation steady in Postmaster Tools.

Common Mistakes That Burn Infrastructure

  1. Sending from your primary domain. One blocklist entry compromises your entire company's email.
  2. Skipping or compressing warmup. Day-one volume on a fresh domain is the fastest possible way to a dead domain.
  3. Pushing per-mailbox volume past 50/day. Filters notice; reputation doesn't survive it.
  4. Importing unverified lists. Bounces and spam traps end domains within a week.
  5. Identical templates across all mailboxes. Filters cluster duplicate bodies and flag the lot.
  6. Sending to catch-alls. They verify as deliverable and hide spam traps.
  7. Ignoring DMARC reports. Alignment failures are invisible in your sequencer — only the reports show them.
  8. No blocklist monitoring. By the time replies stop, you've been listed for days.
  9. Scaling everything at once. A bad change rolled to the whole fleet simultaneously is how one mistake becomes ten burned domains.

Build It Yourself, or Have It Built

Everything above is doable in-house: it's roughly a month of calendar time, a few hundred dollars a month in tooling, and — the part teams underestimate — permanent operational attention. Domains churn, lists decay, providers change enforcement, and the monitoring only works if someone owns it. Done-for-you mailbox providers and agencies can absorb pieces of that, at the cost of control and visibility.

If you're a funded team scaling outbound — human SDRs or AI agents — and you want this architecture designed, built, and monitored by someone who does it for a living, that's exactly what my outbound infrastructure service is. I build the system; your team sends.

v2.0 · June 2026

Frequently Asked Questions

What's the minimum cold email infrastructure I need to start?

Three secondary domains, six to nine mailboxes, SPF/DKIM/DMARC on every domain, 14-21 days of warmup, a verified prospect list, and a sequencer with inbox rotation. That's roughly 150-300 safe cold sends per day for $80-150/month. Anything less and you're either risking your primary domain or sending at volumes too low to learn anything.

Can I use my main company domain for cold email?

No. Cold email occasionally generates spam complaints, hits spam traps, or lands on blocklists. You want that damage contained to a disposable outreach domain — not the domain that handles employee email, transactional sends, and customer communication. Always send cold email from separate secondary domains.

How long does it take to set up cold email infrastructure properly?

Three to four weeks. Week 1: buy domains, create mailboxes, configure SPF/DKIM/DMARC. Weeks 2-3: warmup on every mailbox. Week 4: begin sending at low volume and ramp. Trying to compress this timeline is the single most common cause of burned domains.

How many cold emails can I send per mailbox per day?

20-30 cold sends per mailbox per day is the sustainable band; treat 50 as the absolute ceiling for mature, fully warmed mailboxes. Scale by adding mailboxes and domains, not by raising per-mailbox volume. An SDR sending 150 emails a day needs about six mailboxes across two to three domains.

How much does cold email infrastructure cost?

Production setup for 500 sends/day runs roughly $200-350/month; 2,000/day runs $600-1,000/month. Costs scale primarily with mailbox count (~$6-12/mailbox/month on Google Workspace or Microsoft 365, less on dedicated cold email providers) and domains (~$12/year each). List verification adds $0.001-0.005 per address.

What happens if my cold email domain gets burned?

Stop sending from it immediately. Check blocklists and request delisting where you're listed. Rest the domain 2-4 weeks, then attempt re-warmup. If reputation doesn't recover, retire the domain and bring a replacement online. This is exactly why you use secondary domains — a burned outreach domain never touches your brand.

Do AI SDR agents need different cold email infrastructure?

Same architecture, stricter enforcement. An AI agent removes the human bottleneck that naturally throttles volume, so per-mailbox caps, list verification, and reputation monitoring have to be enforced in software instead of habit. Provision capacity before the agent needs it, hard-cap sends per mailbox, and auto-pause any domain that trips bounce or complaint thresholds.
