Overview
Email deliverability is the silent killer of outbound campaigns. You can craft the perfect sequence, nail your personalization, and target exactly the right prospects—but if your emails land in spam, none of it matters. For teams running cold outbound through Instantly, achieving 90%+ deliverability isn't optional; it's the baseline that separates campaigns that generate pipeline from expensive exercises in sending emails into the void.
The good news: deliverability is largely a technical problem with technical solutions. SPF, DKIM, and DMARC—the authentication trinity—are your foundation. When configured correctly, they tell receiving mail servers exactly who you are and that you're authorized to send from your domain. When misconfigured (or missing entirely), you're essentially sending emails with a "might be spam" label attached.
This guide walks through the complete setup process for achieving 90%+ deliverability in Instantly, from DNS configuration to ongoing monitoring. Whether you're setting up your first sending domain or troubleshooting deliverability issues on an existing campaign, you'll find the technical details you need to get—and keep—your emails in the inbox.
Understanding Email Authentication
Before diving into configuration, it's worth understanding what SPF, DKIM, and DMARC actually do. These aren't arbitrary hoops to jump through—they're the language email servers use to determine trust.
SPF (Sender Policy Framework)
SPF is a whitelist published in your DNS records. It tells receiving servers which IP addresses and mail servers are authorized to send email on behalf of your domain. When Gmail receives an email claiming to be from yourdomain.com, it checks your SPF record to verify the sending server is legitimate.
Without SPF, anyone can send emails pretending to be from your domain. With a properly configured SPF record, only your authorized senders—including Instantly's infrastructure—can pass this check.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every email you send. Your domain publishes a public key in DNS, and your email server signs each message with the corresponding private key. Receiving servers verify the signature matches, confirming the email wasn't tampered with in transit and genuinely originated from your domain.
Think of DKIM as a tamper-evident seal. It proves both authenticity and integrity—the email came from who it claims and hasn't been modified.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Should they quarantine the message? Reject it outright? DMARC also enables reporting, so you can see exactly who's sending email using your domain—legitimate or otherwise.
For cold outbound, DMARC is crucial because it builds domain reputation over time. Consistent authentication signals to email providers that you're a legitimate sender, not a spammer spoofing domains.
Setting Up Your Sending Domain
Before configuring authentication, you need the right domain infrastructure. Most teams running serious cold outbound don't send from their primary domain—and for good reason.
Why Use Separate Sending Domains
Your primary domain (company.com) carries your entire email reputation. If cold outbound campaigns damage that reputation, your entire company's email—including transactional emails, support responses, and executive communication—suffers. A separate sending domain isolates risk.
Common patterns include:
- getcompany.com or trycompany.com - Clear variations that still read professionally
- company-mail.com - Explicit but recognizable
- companyteam.com - Maintains brand connection
For high-volume outbound, consider multiple sending domains. If one domain's reputation drops, you can rotate to another while it recovers. Most teams running cold email at scale maintain 3-5 active sending domains.
Warming New Domains
Fresh domains have no reputation—which is almost as bad as having a negative one. Email providers are suspicious of new domains sending volume immediately. The solution is domain warming: gradually increasing send volume over 2-4 weeks to establish positive sending patterns.
Instantly includes automated warming features that send emails between accounts in their network, generating opens and replies that build positive engagement signals. Enable warming immediately when adding new domains, and don't rush to full volume.
Configuring SPF for Instantly
SPF configuration happens in your domain's DNS settings. You're adding a TXT record that lists all authorized senders.
Access Your DNS Provider
Log into wherever your domain's DNS is managed—Cloudflare, GoDaddy, Namecheap, AWS Route53, or your registrar's DNS panel.
Check for Existing SPF Records
Search for existing TXT records containing "v=spf1". You can only have ONE SPF record per domain. If you have multiple email services (Google Workspace, existing email marketing tools), you'll need to combine them into a single record.
Add or Modify Your SPF Record
For Instantly, add their SPF include to your record. A typical SPF record for a domain using Google Workspace and Instantly looks like:
v=spf1 include:_spf.google.com include:spf.instantly.ai ~all
The ~all at the end is a soft fail for unauthorized senders—emails still deliver but are marked suspicious. Some teams use -all (hard fail) for stricter enforcement once they're confident in their configuration.
Verify the Record
Use a tool like MXToolbox or mail-tester.com to verify your SPF record is valid and properly formatted. DNS changes can take up to 48 hours to propagate, though most complete within an hour.
SPF records are limited to 10 DNS lookups. Each "include:" counts as a lookup, and some services (like Google Workspace) use multiple lookups internally. If you're hitting limits, consider SPF flattening services or consolidating your email infrastructure.
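The single-record rule and the 10-lookup limit described above can be checked mechanically. The following Python is an added example, not part of the original guide or Instantly's tooling; ZONE is a constructed stand-in for live DNS TXT answers, and the contents of the included records are invented for illustration, not the providers' real records.

```python
import re

# Constructed stand-in for DNS TXT answers. The top record is the one shown
# above; the contents of the included records are invented for illustration.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com include:spf.instantly.ai ~all"],
    "_spf.google.com": ["v=spf1 include:_nb1.mail.example include:_nb2.mail.example "
                        "include:_nb3.mail.example ~all"],
    "_nb1.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_nb3.mail.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "spf.instantly.ai": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    # Misconfiguration: two SPF records published on one name.
    "dup.example": ["v=spf1 include:_spf.google.com ~all",
                    "v=spf1 include:spf.instantly.ai ~all"],
}

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain's SPF record."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        parts = re.split(r"[:=]", term.lstrip("+-~?"), maxsplit=1)
        name = parts[0].split("/")[0].lower()
        if name in ("include", "redirect") and len(parts) == 2:
            # The include itself is one lookup, plus whatever it pulls in.
            total += 1 + count_lookups(parts[1], zone, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1
    return total

def audit_spf(domain, zone, limit=10):
    """Return a verdict dict; ok is False on any structural error or overrun."""
    try:
        n = count_lookups(domain, zone)
    except ValueError as exc:
        return {"ok": False, "lookups": None, "problem": str(exc)}
    problem = None if n <= limit else f"{n} lookups exceeds the limit of {limit}"
    return {"ok": problem is None, "lookups": n, "problem": problem}

if __name__ == "__main__":
    for name in ("yourdomain.com", "dup.example"):
        print(name, audit_spf(name, ZONE))
```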
Configuring DKIM for Instantly
DKIM setup requires coordination between Instantly and your DNS. Instantly generates the keys; you publish the public key in DNS.
Generate DKIM Keys in Instantly
In your Instantly dashboard, navigate to Settings → Email Accounts. Select the account you're configuring and look for the DKIM section. Instantly will generate a unique DKIM selector and public key for your domain.
Create the DKIM DNS Record
Add a TXT record in your DNS with:
- Host/Name: The selector provided by Instantly (typically something like instantly._domainkey)
- Value: The public key string Instantly provides, starting with v=DKIM1;
Verify in Instantly
After DNS propagation, use Instantly's verification button to confirm DKIM is properly configured. Instantly should show a green checkmark once it can validate the DNS record.
Teams running outbound sequences often overlook DKIM when troubleshooting deliverability issues. Unlike SPF failures which are common and often tolerated, DKIM failures are taken seriously by email providers. A message with broken DKIM is more suspicious than one with no DKIM at all.
Configuring DMARC
DMARC brings everything together. It references your SPF and DKIM configuration and specifies enforcement policies.
Start with a Monitoring Policy
Add a TXT record with:
- Host/Name: _dmarc
- Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
The p=none policy means no enforcement—emails are delivered regardless of authentication results, but you receive reports. This is essential for the initial setup phase.
Monitor Reports for 2-4 Weeks
DMARC reports arrive as XML files showing all email sent using your domain. Review these to identify legitimate senders you may have missed and catch any configuration issues before enforcing.
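One way to review an aggregate report, as an added example that is not part of the original guide: it totals DMARC pass and fail counts per sending IP so that senders missing from your records stand out. The sample XML is constructed, trimmed to the fields used, and uses documentation IP ranges.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report, trimmed to the fields used here (RFC 7489
# schema). Addresses are documentation ranges, not real senders.
SAMPLE = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>8</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Total DMARC pass/fail message counts per source IP."""
    # Reports arrive from third parties: refuse DTDs and entity declarations
    # so a hostile file cannot trigger entity expansion in the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in DMARC report")
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        aligned = (row.findtext("policy_evaluated/dkim"),
                   row.findtext("policy_evaluated/spf"))
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        totals[ip]["pass" if "pass" in aligned else "fail"] += count
    return dict(totals)

def failing_sources(xml_text):
    """Source IPs with at least one message that failed DMARC."""
    return sorted(ip for ip, c in summarize(xml_text).items() if c["fail"])

if __name__ == "__main__":
    print(failing_sources(SAMPLE))
```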
Gradually Increase Enforcement
Once you're confident all legitimate email passes authentication, move to stricter policies:
- p=quarantine - Failed emails go to spam
- p=reject - Failed emails are blocked entirely
You can also use the pct tag to apply policies to a percentage of emails: p=quarantine; pct=25 quarantines only 25% of failing emails.
For cold outbound specifically, reaching p=quarantine or p=reject signals to email providers that you take authentication seriously—a positive reputation signal. Teams focused on deliverability optimization typically aim for full DMARC enforcement within 60 days of initial setup.
Optimizing Instantly Settings for Deliverability
Authentication is the foundation, but Instantly's platform settings significantly impact deliverability outcomes.
Send Volume and Timing
Aggressive send volumes trigger spam filters. Instantly recommends starting new accounts at 20-30 emails per day and gradually increasing. Even warmed accounts should typically stay under 50-75 daily sends for cold outbound—sequencer settings that push beyond this often see deliverability suffer.
| Account Age | Recommended Daily Volume | Notes |
|---|---|---|
| Week 1-2 | 10-20 emails | Warming phase; enable auto-warming |
| Week 3-4 | 20-40 emails | Gradually increase while monitoring |
| Month 2+ | 40-75 emails | Established account; monitor bounce rates |
| Established (3+ months) | 50-100 emails | High-reputation accounts only |
Email Content Best Practices
Technical authentication gets emails considered; content determines the final verdict. Avoid excessive links, image-heavy layouts, spam trigger words ("free," "guarantee"), and overly complex HTML. The best cold emails look like regular business correspondence—AI-powered personalization helps emails read as genuinely personal rather than templated.
List Hygiene
Bounces destroy deliverability faster than almost anything else. If 5% of your emails bounce, expect spam filter scrutiny to increase dramatically. Automated SDR research tools and email verification should be standard before any address enters your sequences.
Instantly tracks bounce rates automatically—if you're consistently above 2%, stop sending and clean your lists before continuing.
Monitoring and Maintaining Deliverability
Deliverability isn't set-and-forget. Reputation fluctuates based on engagement, complaints, and sending patterns.
Key Metrics to Track
- Inbox placement rate - Tools like GlockApps or Mail-Tester provide visibility
- Bounce rate - Keep below 2%
- Spam complaint rate - Keep below 0.1%
- Reply rate - Positive engagement signals improve reputation
Weekly Deliverability Audit
Check Instantly's account health indicators, bounce and complaint rates, DMARC reports for authentication failures, and blacklist status via MXToolbox.
Teams running A/B tests on sequences should correlate content variations with deliverability metrics—sometimes a winning subject line variation triggers more spam complaints.
Troubleshooting Common Issues
Even with proper setup, deliverability problems arise. Run mail-tester.com sends to get deliverability scores and identify specific issues.
Common Culprits When Emails Hit Spam
- Missing or misconfigured SPF/DKIM/DMARC
- New domain without sufficient warming
- Shared IP reputation issues
- Content triggering spam filters
Authentication Failures in DMARC Reports
If DMARC reports show failures for legitimate emails, verify your DNS records match exactly what Instantly specifies. Common errors: extra spaces in record values, wrong record types (CNAME instead of TXT), or multiple SPF records.
Sudden Deliverability Drops
Check for new blacklist entries, review recent content changes, verify DNS records haven't been modified, and reduce volume temporarily while investigating.
FAQ
With proper authentication and warming, expect 4-6 weeks. The first 2 weeks are critical for domain warming, followed by gradual volume increases. Rushing this process almost always results in worse long-term outcomes.
Yes. SPF, DKIM, and DMARC are all domain-specific. Each sending domain you use with Instantly needs its own complete set of authentication records. This is why managing multiple sending domains adds operational overhead.
For most teams, shared IPs work fine—Instantly actively manages their reputation. Dedicated IPs give you more control but require you to build and maintain reputation yourself. They're typically only worthwhile at very high volumes (1000+ daily sends) or when you have specific compliance requirements.
For cold outbound, 50-75 emails per day per account is a sustainable ceiling. Higher volumes are possible with established accounts and clean lists, but the marginal benefit rarely outweighs deliverability risk. Scale by adding accounts, not increasing volume per account.
Check your DMARC reports first—if SPF and DKIM are passing, authentication isn't the issue. Then send test emails to mail-tester.com to see content-specific scores. If authentication passes and content scores well but deliverability is still poor, the issue is likely domain/IP reputation or list quality.
What Changes at Scale
Managing deliverability for one Instantly account with proper authentication is straightforward. Managing it across 20 accounts, 5 domains, and 50,000 monthly sends is a different challenge entirely.
At scale, manual checks become unsustainable. You need automated monitoring that alerts before reputation damage, unified visibility across sending infrastructure, and the ability to correlate deliverability metrics with prospect data.
This is where a unified GTM data layer becomes essential. Your email engagement data in Instantly needs to connect with your CRM and enrichment data to create feedback loops that actually improve outcomes. When a prospect replies, that signal should flow back to your scoring models. When deliverability drops for a segment, you need to understand why—was it the ICP, the message, or the data quality?
Platforms like Octave handle this orchestration layer. Instead of manually tracking which domains are warmed, which accounts have capacity, and how engagement correlates with prospect attributes, Octave maintains this context graph automatically. For teams running serious cold outbound volume, it's the difference between reactive firefighting and proactive optimization.
Conclusion
Achieving 90%+ deliverability in Instantly comes down to three fundamentals: proper authentication (SPF, DKIM, DMARC), patient domain warming, and ongoing monitoring. The technical setup takes an afternoon; maintaining it takes weekly attention.
Start by auditing your current authentication setup using mail-tester.com to get a baseline score for each sending account. Fix DNS gaps, implement DMARC monitoring, and commit to the weekly audit habit. Teams that treat deliverability as infrastructure consistently outperform those who only think about it when campaigns underperform.
Your outbound sequences are only as effective as their deliverability allows. Invest in the foundation.
