Does OS Domains support cold outbound?
Most mainstream email infrastructure providers (AWS SES, SendGrid, Mailgun, Postmark) will close your account the moment they detect cold outbound activity, because cold email has a higher complaint rate, attracts spam-trap hits, and creates the kind of reputation problems that affect their other customers on shared IPs. We support cold outbound because we run dedicated infrastructure with per-customer IP pools, segregated from transactional and marketing reputation — but we do enforce hard conditions: lists with verified email addresses (not scraped junk), reasonable daily volume per inbox (the Gmail-tolerated range), and an actual unsubscribe flow. Customers who hit our prohibited-use criteria (purchased lists, scraped emails, fake unsubscribe) are dropped without refund.
What architecture does cold outbound need?
A serious cold outbound operation looks like this: 20-100 sending domains rotated systematically, each with its own SPF/DKIM/DMARC, each tied to a small pool of warmed inboxes (3-10 per domain), with daily caps of 25-35 sends per inbox to stay below Gmail and Outlook anti-abuse thresholds. You need the ability to spin up new domains in days, retire damaged domains without leaking traffic to others, and monitor reputation at the per-domain rather than per-IP level because cold outbound damage typically hits the domain reputation harder than the IP reputation. This is the architecture our Cold Email Infrastructure service is built around.
What we do not do.
We do not provide lists. We do not sell email scrapers or contact databases. We do not connect to LinkedIn auto-scrapers. We are infrastructure for outbound that you have sourced and verified yourself through whatever lawful means apply in your jurisdiction (B2B research, opt-in events, public regulatory filings, etc.). What is legal varies by jurisdiction — Germany under TMG/UWG has stricter rules than the US under CAN-SPAM — and we expect customers to know which rules apply to them. We do not give legal advice on cold outbound legality; that is what your lawyer is for.
DMARC enforcement killed lazy outbound, and that helped the senders who stayed.
Google began requiring authentication for bulk senders in February 2024, escalated to hard rejection of non-compliant mail in November 2025, and Microsoft moved in the same direction from May 2025. By 2026 the practical reality is that a sending domain without aligned SPF, DKIM, and a DMARC policy does not land in spam — it is rejected at the door. That change cut the volume of the laziest outbound, the operations spraying unauthenticated mail from throwaway domains, which had been a large share of the spam-trap hits and complaints that poisoned deliverability for everyone else. For an operator who authenticates every rotation domain to enforcement, the inbox is marginally less crowded with the worst senders than it was two years ago. We authenticate every sending domain to DMARC enforcement at provisioning rather than leaving it at p=none, because a cold domain that is not at enforcement is no longer a domain that underperforms; it is a domain whose mail does not arrive. The teams still complaining that cold email is dead are usually the teams that never finished the authentication work that became mandatory.
What is a realistic cold-email reply rate?
The honest benchmark for B2B cold outbound in 2026 sits between roughly 3.4% and 5.8% reply rate depending on the dataset and the targeting, with the top tenth of campaigns clearing 10% on tight, hyper-personalized lists. The average has drifted down from around 5% a year earlier and higher before that, and the cause is structural rather than personal: inboxes carry more than a hundred messages a day for many professionals, AI-generated outreach has flooded the channel, and buyer fatigue has risen. A falling reply rate is usually the market, not your copy. The dangerous response, and the one we design against, is to send more volume to make up the shortfall, which pushes each domain past the caps that hold reputation together and accelerates the decline into spam placement. We cap per-inbox volume and report reply rate per domain so the lever you reach for when the number drops is tighter targeting and better list quality, not a bigger blast. If a campaign is replying below one percent, more sending infrastructure will not fix what is a targeting problem, and we will say so rather than sell you more domains.
Is B2B cold email allowed under GDPR?
European law does not ban B2B cold email; it permits it under the legitimate-interest basis, provided you contact a person in their professional capacity, about something genuinely relevant to their role, with a clear and working opt-out, and a documented assessment that your interest does not override their rights. The conditions are where most operations fail, not the basis itself. National rules layer on top: Germany under UWG is stricter and effectively expects prior consent even for business addresses, the United Kingdom under PECR sets a lower bar for corporate addresses than for personal ones, and the United States under CAN-SPAM runs on opt-out with statutory penalties that can reach tens of thousands of dollars per email if you systematically ignore removal requests. We do not give legal advice on which rule binds you — that belongs to your lawyer — but the platform is built to support the compliant pattern: List-Unsubscribe on every send, a suppression list the API cannot bypass, and an audit log that produces evidence of what was sent and what was honored on demand. The legitimate-interest basis collapses the instant you cannot show you respected an opt-out, so the evidence trail is not a formality.
List quality is the lever; infrastructure cannot rescue a bad list.
Industry analysis puts most of the failure in cold outbound on targeting rather than on deliverability: a large majority of the messages that go nowhere were sent to prospects who never fit the profile or lacked the authority to act, and bad data drives the bounces that then damage the domain. Verification fixes one half of that — we require verified addresses and drop scraped junk, because a high bounce rate alone will sink a domain — but verification only removes the invalid addresses, it does not make a valid-but-irrelevant list relevant. A clean list of the wrong people still fails. The operations that perform send fewer, tighter, more relevant messages to a curated set, and the data consistently shows curated outreach beating bulk sends to unvetted contacts. Our per-inbox caps and per-domain reputation tracking reward that discipline and punish spray-and-pray, which is the deliberate design choice behind a platform that drops customers who push junk. We are the wrong vendor for an operation that wants to blast a purchased list of half a million contacts, and we would rather say that before you sign than after your domains are blocked.
Domain and inbox rotation is risk isolation, not a volume trick.
The rotation architecture — twenty to a hundred sending domains, each with a small pool of warmed inboxes, each domain authenticated independently and capped per inbox — is often read as a way to push more volume past the filters. That reading misses the point and gets people banned. Rotation is blast-radius containment. A single send to a weak list can take a domain from inbox to spam in a couple of days, and the entire value of rotation is that the damaged domain is a disposable one you retire rather than the brand domain your company actually uses, which should never carry cold traffic at all. We provision new domains in days, retire damaged ones without leaking their traffic onto healthy domains, and track reputation per domain because cold damage lands on the domain harder than on the shared IP. The disciplined pattern keeps tested, high-quality lists on premium domains and routes experimental campaigns to domains that can be sacrificed, so a bad experiment costs a domain rather than a quarter of pipeline. Volume is an output of that discipline, not the goal of it.
Plain, short, single-link messages clear filters that decorated templates trip.
The content guidance that holds up across the 2026 benchmarks is unglamorous: plain text or very light HTML, under roughly eighty words, a single link at most, written like a person rather than a brand. Heavy HTML templates, image-laden layouts, and multiple tracking links raise spam scores, and on a cold domain with no established trust they tip the message into the junk folder regardless of how clean the authentication is. The pattern that earns replies tends to reference a specific, real problem the recipient has, and the follow-up that attaches a relevant case study often outperforms the first touch. We do not write your copy and we do not police your message beyond the abuse line, but the deliverability defaults we recommend on cold domains — minimal markup, one link, no image-heavy templates, no link shorteners that share a blocklisted reputation — exist because they keep per-domain reputation from eroding faster than rotation can replace the domains. A beautiful template on a cold domain is a deliverability liability wearing a designer suit.
How dangerous are spam traps for cold lists?
Cold lists, especially anything aged or sourced broadly, carry spam-trap risk that verification alone does not remove. Recycled traps are abandoned addresses that a provider has repurposed to catch senders mailing stale data, and pristine traps are addresses that no human ever used, seeded specifically to catch scrapers. A single pristine-trap hit can land a domain on a major blocklist within hours, and a blocklisted domain does not recover on a schedule you control. Verification strips out the obviously invalid addresses, but it cannot flag a well-formed trap that accepts mail like any real mailbox. The defenses are list provenance — knowing where every address came from, which is the reason we drop scraped lists rather than clean them — conservative volume that limits how much exposure any one domain takes, and continuous blocklist monitoring per domain so a listing surfaces in hours instead of being discovered weeks later when the reply rate has already collapsed. The disposable-domain pattern is the containment: a trap hit on an experimental domain costs that domain, while the premium domains carrying your tested lists stay clean. We track domain reputation at Gmail through Postmaster Tools and at Outlook through SNDS, and watch the major blocklists alongside, because in cold outbound a blocklisting is usually the first hard signal that a list was dirtier than it looked.