Warming Up a New Sending Domain Without Torching Its Reputation
Warming a domain is not warming an IP. On shared infrastructure the IP already has a reputation you don't control — the brand-new, unproven asset is your domain identity. Here's how to accumulate engagement under the radar before you ever hit a volume that trips a spike detector.
EvilMail TeamJuly 16, 202611 min read
A new domain fires its first real campaign. Twenty percent of it lands in spam, another chunk bounces with 421-4.7.28, and the operator's first instinct is to blame the IP and ask for a fresh one. That instinct is wrong, and it's expensive. On SES, SendGrid, Postmark, or Google Workspace you send from a shared pool where the IP's reputation was set by thousands of tenants before you ever logged in — you don't own it and you can't reset it. The genuinely brand-new, unproven thing is your domain: the DKIM d= you sign with, the visible From, and the aligned Return-Path. That is what Gmail and Microsoft key reputation on. Move to a new IP and a burned domain stays burned; put a cold domain on a warm IP and it still gets filtered. So a "domain warmup" is not a volume exercise. It's an engagement-accumulation exercise: you spend the first few weeks proving that real humans open, reply to, and don't complain about mail signed by d=yourdomain — *before* you send a volume big enough to trip a spike detector.
Reputation follows the domain, not the box
When an inbound message hits Gmail's or Outlook's edge, the receiver extracts three identities and asks whether they line up:
How to Warm Up a New Sending Domain Safely (2026 Guide) — EvilMail Blog
RFC5322.From — the address the human sees.
DKIM `d=` — the domain that cryptographically signed the message.
RFC5321.MailFrom — the Return-Path / bounce domain in the SMTP envelope.
DMARC passes only when at least one of DKIM or SPF *aligns* with the From domain. That aligned domain identity is the primary key for reputation. The IP is a secondary signal, and on shared infrastructure it's one you have no control over. The domain is the one durable asset you actually own and carry between providers.
Google builds its dashboard around exactly this split. Gmail Postmaster Tools shows Domain reputation and IP reputation as two separate views — for shared-pool senders the IP graph is mostly noise and the domain graph is your scoreboard. Everything below is about moving that domain graph from "no data" to High without ever giving it a reason to drop.
Get authentication perfect before byte one
Since February 2024, Google and Yahoo treat authentication as a hard gate for anyone sending 5,000+ messages/day to their users: SPF *and* DKIM *and* DMARC all present and aligned, valid forward and reverse DNS on the sending host, mandatory TLS, one-click unsubscribe honored within two days, and a user-reported spam rate held under 0.30%. None of it is optional, and none of it can wait until "later" in a warmup.
Publish these before you send a single message:
dns
; SPF — one record, mind the 10-lookup ceiling
example.com. IN TXT "v=spf1 include:amazonses.com include:_spf.google.com -all"
; DKIM — 2048-bit, datable selector so you can rotate cleanly
s2026a._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."
; DMARC — start at p=none during warmup to READ alignment, not to block
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; adkim=s; aspf=s; pct=100"
; Dedicated bounce/Return-Path subdomain for envelope alignment
bounce.example.com. IN TXT "v=spf1 include:amazonses.com -all"
bounce.example.com. IN MX 10 feedback-smtp.us-east-1.amazonses.com.
Verify every record from a machine that isn't sitting behind your resolver cache:
Two opinions I'll defend. First, use -all, not ~all, once your sending sources are stable — softfail is a "maybe" and gives you no protection against spoofing. Second, keep DMARC at p=none *only for the warmup window*. p=none lets you read rua reports and confirm every legitimate source aligns without bouncing real mail. The moment your aggregate reports are clean, move to p=quarantine, then p=reject. The 2024 rules require you to reach at least quarantine; a permanent p=none tells receivers you won't stand behind your own domain, and more of them now weigh that against you.
Split your streams onto subdomains
Never mix transactional and marketing under the same d=. A password reset and a Black Friday blast have completely different engagement profiles, and a marketing complaint spike must not be able to drag your login OTPs into the spam folder with it. Partition by intent:
Root `example.com` — person-to-person and corporate mail. Highest trust, lowest volume. Protect it.
`mail.` or `news.` — bulk marketing. The stream you're actively warming, and the one most likely to take complaints.
`t.` or `notify.` — transactional (receipts, resets, alerts). High engagement, low complaint, warms almost by itself.
Subdomain reputation partially inherits from the organizational domain, so a clean root gives each subdomain a small head start — but a complaint spike on news. stays largely insulated from the root. That's the whole point. Put your List-Unsubscribe and List-Unsubscribe-Post headers on every bulk stream from message one:
Here's the table everyone wants. It's the boring half, so I'll keep it short:
Phase
Daily volume
Audience
Days 1–2
20–50/day
Top-engaged only
Days 3–4
~100/day
Recent openers
Days 5–7
250–500/day
Recent openers
Week 2
1,000 → 5,000/day
Verified, engaged
Week 3
10,000 → 25,000/day
Widening carefully
Week 4+
50,000+/day
Normal cadence
Two rules govern the whole table. Never more than double day-over-day — a smooth curve reads as organic growth, a 10x jump reads as a compromised account. And hold volume flat the instant engagement or deferrals wobble; don't climb on a bad day. Ramp against *each mailbox provider independently* — Gmail, Outlook, and Yahoo track your domain separately and throttle on their own terms, so segment your seed list by recipient provider and pace each one alone. Clearing 5,000/day at Gmail tells you nothing about what Outlook will tolerate.
The lever that actually matters isn't the numbers in that table — it's the order of who receives them. Send to your most-engaged recipients first.
Engagement is the currency you're minting
This is the section that separates a warmup that works from one that quietly fails at 5,000/day. Opens, replies, "not spam" recoveries, and low complaint and bounce rates are what convert a neutral domain into a trusted one. You are, quite literally, buying reputation with human attention — so spend the early volume where attention is guaranteed:
Week 1: only people who opened in the last 30 days, or who explicitly double-opted-in. Nobody else.
Suppress everything unverified. No purchased lists, no "we think this is still good" addresses, no unconfirmed role accounts.
Engineer a reply or a real click early. A welcome message that asks a question and gets an answer is worth more to your domain than a thousand silent deliveries. Replies are the strongest positive signal there is.
Prune hard bounces the same day. Not weekly — same day. A rising bounce rate on a young domain is a fast track to Low reputation.
Targets to hold during warmup: complaint rate under 0.10% (0.30% is where Google starts hurting you; 0.10% keeps comfortable margin), hard bounce under 2%, and open rate on your seed segment above 25–30%. If your seed segment can't clear 25% opens, your list is the problem, not your ramp.
Watch the instruments
You cannot warm a domain you can't measure. Check these daily:
Gmail Postmaster Tools — Domain reputation (High / Medium / Low / Bad), the spam-rate trend line, and the authentication panel showing your SPF/DKIM/DMARC pass percentages. During warmup those pass rates must be pinned at 100%. A dip means a misconfigured source.
Microsoft SNDS + JMRP — enroll before you send to any Outlook/Hotmail address. SNDS shows complaint and trap data; JMRP feeds you the actual complaints so you can suppress complainers immediately.
DMARC `rua` aggregate XML — read it. This is how you catch the forgotten sending service (a helpdesk tool, a CRM, an old cron script) that's mailing as your domain, failing DKIM, and quietly dragging your alignment below 100%.
Learn the deferral strings, because they tell you exactly what's wrong:
421-4.7.28 ... unusual rate of unsolicited mail — Gmail is rate/reputation-throttling you. You climbed too fast, or engagement is too thin.
550-5.7.1 ... this message has been blocked — a hard reputation block, not a throttle. Stop and investigate.
421 4.7.500 Server busy / S3150 — Outlook throttling. Confirm SNDS/JMRP enrollment and slow down.
When it slips: back off, don't push
Deferrals and reputation dips are normal in a warmup. The failure mode isn't the dip — it's panicking and pushing harder. On sustained 4xx deferrals or a reputation drop to Low/Bad:
Cut volume to the last known-good level — not to zero. Zero teaches the filter nothing and wastes days; returning to yesterday's working number keeps positive signal flowing.
Tighten to your most-engaged segment only. Re-concentrate the good signal.
Hold for 3–5 days before you try to climb again.
Never retry-storm a deferral. A 421 means "try later," and the receiver is timing your backoff. Hammer it and you look exactly like the botnet you're trying not to resemble.
A complaint spike takes days to decay out of your rolling window. No command fixes it faster — patience is the tool. This is the real reason a fresh domain is no shortcut: you'd throw away every day of positive history to escape a dip that would have healed on its own.
Pre-flight and daily checklist
Before the first send:
SPF, DKIM (2048-bit), and DMARC published and confirmed with dig +short
DMARC at p=none with rua flowing to a mailbox you actually read
Dedicated bounce subdomain with its own SPF + MX, aligned to your From
List-Unsubscribe + List-Unsubscribe-Post: List-Unsubscribe=One-Click live and tested end-to-end (a swaks probe to a real Gmail/Outlook seed)
Transactional and marketing streams split onto separate subdomains