30-second verdict
Cold email burns domains. That is the cost of doing it, so you pay it with domains you can afford to lose. Buy two or three lookalike domains, put two or three mailboxes on each, publish SPF, DKIM, and DMARC before anything sends, warm up for three weeks, and cap every mailbox at 20 to 30 cold emails a day. Add CASL identification and an unsubscribe that works across every campaign, because Canadian penalties run up to $10 million per violation. The DNS work takes about two hours. The warmup takes three weeks and cannot be compressed.
Your main domain sends invoices, password resets, contract renewals, and replies to customers. Its reputation took years to build and there is no way to migrate it. Cold email, even well-run cold email, generates spam complaints. If those complaints attach to your main domain, every email your company sends gets worse delivery, including the ones that make you money.
So the rule is simple: cold campaigns never touch the main domain. Not the sending, not the tracking links, not the reply address. This guide is the exact build we use inside our GTM engineering work: the records, the schedules, the limits, and the CASL mechanics for Canadian senders.
One honest note before you spend anything. If your pipeline runs on referrals and you write ten genuinely personal emails a week, you do not need any of this. One-to-one email from a human is not what filters punish. This infrastructure exists for sequenced volume: hundreds of emails a week to people who have never heard of you. Below that, skip the build and spend the money on your list instead.
Prerequisites
- Registrar access where you can add TXT, CNAME, and MX records. Cloudflare, Namecheap, and GoDaddy all work.
- Budget for domains and mailboxes. Domains cost tens of dollars a year each. Each mailbox is a paid seat on Google Workspace or Microsoft 365, and the cheapest tier is fine.
- A sending tool with inbox rotation and warmup built in: Instantly, Smartlead, or similar. Entry plans cover a setup this size.
- A verified lead list and an offer worth replying to. Infrastructure protects deliverability. It does not rescue bad targeting.
- Calendar time: roughly two hours of setup, then 14 to 21 days of warmup before the first real send. No tier of any tool removes the waiting.
Why the main domain never sends
Gmail and Microsoft score senders at the domain level. Complaints, bounces, and spam-folder placements all feed that score. Google's published guidance says to keep your spam complaint rate under 0.1% and never let it reach 0.3%, and a cold campaign can cross that line in one bad afternoon. When a secondary domain gets burned, you retire it, buy another, and your business email never notices. When the main domain gets burned, your quotes land in spam folders and you find out from a confused customer weeks later.
Step 1: Buy the secondary domains
Buy lookalike .com domains that a prospect would read as obviously yours. If the main domain is acmeops.com, register tryacmeops.com, getacmeops.com, and acmeopshq.com. No hyphens, no numbers, no clever spellings. Skip cheap endings like .xyz or .info, filters treat them worse.
How many: plan one domain for every 60 to 90 cold sends per day you intend, since each domain carries two or three mailboxes at 20 to 30 sends each. Most small teams need two or three domains.
Two things on day one:
- Redirect the root. Set a 301 redirect from each secondary domain to your main site. In Cloudflare that is Rules, then Redirect Rules, then Create rule, matching all incoming requests with a 301 to your main URL. Most registrars also offer plain domain forwarding. A prospect who types the domain into a browser must land somewhere real, and filters check this too.
- Start the clock. Set up DNS and mailboxes the same day you buy. Domain age counts from registration, but reputation only builds once mail flows, so every idle day is wasted waiting.
Step 2: Create the mailboxes in a separate tenant
Open a new Google Workspace account on the first secondary domain. Do not add these domains to your company's existing Workspace. If Google ever flags the sending activity, suspensions hit at the account level, and you want that blast radius to contain nothing you care about. Add the remaining secondary domains inside the new account at Account, Domains, Manage domains, Add a domain, choosing the Secondary domain option.
Create two or three users per domain at Directory, Users, Add new user. Use real human names that match real people on your team: rajat@tryacmeops.com, not outreach@ or sales@. Add a profile photo and a plain signature in each Gmail account. Filters and prospects both check whether the sender looks like a person.
Point MX at Google with a single record: Type MX, Host @, Value smtp.google.com, Priority 1. That is the current Google Workspace setup, one record, not the older set of five.
Step 3: Publish SPF, DKIM, and DMARC, exactly
All three records, on every sending domain, before the first warmup email. Gmail's sender requirements treat missing authentication as a reason to reject outright.
The SPF record
One TXT record at the root of each domain:
Type: TXT. Host: @. Value: v=spf1 include:_spf.google.com ~all
On Microsoft 365 the value is v=spf1 include:spf.protection.outlook.com -all instead. A domain gets exactly one record starting with v=spf1. Keep that sentence in mind for the failure callout below.
The DKIM record
In the Google Admin console go to Apps, Google Workspace, Gmail, Authenticate email. Select the domain, click Generate new record, and choose a 2048-bit key. Google shows two values: the DNS host name, which is google._domainkey, and a TXT record value starting v=DKIM1; k=rsa; p= followed by a long key. Publish that TXT record, wait for DNS to propagate (up to 48 hours, usually under one), then return to the same screen and click Start authentication. The status must change to "Authenticating email with DKIM". The button is the step people miss: publishing the record alone signs nothing.
The DMARC record
One TXT record per domain:
Type: TXT. Host: _dmarc. Value: v=DMARC1; p=none; rua=mailto:dmarc@yourmaindomain.com
Start at p=none, which only collects reports. After three or four weeks of clean reports, change the policy to p=quarantine. A cold sending domain sitting at p=none forever looks like a sender who does not stand behind their mail, and the aggregate reports arriving at that rua address are how you spot authentication problems before Gmail does.
The tracking domain
Sending tools rewrite links through a tracking host, and the default is a shared domain used by thousands of other senders, some of them spammers. Add a CNAME with Host track pointing at the target your tool displays on its custom tracking domain settings page, then register track.yourdomain.com inside the tool. Our honest preference: turn open tracking off entirely on cold campaigns. Tracking pixels add weight, their accuracy is poor since Apple and Gmail prefetch images, and reply rate is the metric that matters anyway.
The full DNS set per sending domain:
| Record | Host | Type | Value |
|---|---|---|---|
| MX | @ | MX | smtp.google.com, priority 1 |
| SPF | @ | TXT | v=spf1 include:_spf.google.com ~all |
| DKIM | google._domainkey | TXT | v=DKIM1; k=rsa; p= (key from Admin console) |
| DMARC | _dmarc | TXT | v=DMARC1; p=none; rua=mailto:dmarc@yourmaindomain.com |
| Tracking | track | CNAME | Host shown in your sending tool's settings |
Where this breaks: the second SPF record
Months from now someone connects a new tool, follows its setup wizard, and adds another TXT record starting v=spf1. SPF allows one. With two, validators return permerror and Gmail treats the domain as failing authentication, silently, on every send. The fix is merging the includes into a single record. How to catch it: send a test to a Gmail account you control, open the message, click the three-dot menu, then Show original. The summary at the top must read SPF: PASS, DKIM: PASS, DMARC: PASS. Permerror appears right there. While you are in the record, count your include statements: SPF dies past 10 DNS lookups, and each include spends at least one.
Step 4: Warm up on a schedule
Turn on your tool's warmup the day the mailboxes exist. Warmup pools send automated mail between members and rescue each other's messages from spam, which builds engagement history. Honesty requires a caveat: these pools sit against Google's policies and Microsoft has shut some down. They remain standard practice across the industry, but the safer foundation is the part nobody can take away from you: low volume, slow ramp, real replies.
| Period | Warmup emails per day | Cold emails per day |
|---|---|---|
| Days 1 to 7 | Start at 5, ramp to 20 | 0 |
| Days 8 to 14 | 20 to 30 | 0 |
| Days 15 to 21 | 20 to 30 | 5 to 10 |
| Days 22 to 28 | Taper to 15 | 15 to 20 |
| Day 29 onward | 10 to 15, ongoing | 20 to 30, the permanent cap |
The temptation is always the same: the campaign is written, the list is loaded, and day 9 feels close enough. It is not. Reputation is built on weeks of consistent, low-volume, replied-to mail. Every mailbox that gets rushed ends up back at day one on a new domain, which costs more time than the patience would have.
Step 5: Set sending limits per mailbox
The permanent settings once warmup is done:
- 20 to 30 cold emails per mailbox per day. Not 50, not 100, no matter what the tool allows. In Instantly the field is Daily limit on each email account; in Smartlead it is Message per day.
- A randomized gap of 8 to 15 minutes between sends. Instantly calls this Minimum wait time, Smartlead calls it Minimum time gap. Humans do not send 30 emails in 4 minutes, and the pattern is visible to filters.
- A hard ceiling of 50 total messages per mailbox per day, including warmup and follow-ups.
- Inbox rotation on. Load one campaign across all mailboxes and let the tool distribute, instead of running one campaign per mailbox.
If those numbers feel too small for your targets, the answer is more domains and mailboxes, never higher limits. Three domains with nine mailboxes is roughly 180 to 270 cold sends a day, which covers most small teams' pipeline math.
Where this breaks: the warmup numbers overstate placement
Week three, the warmup tab shows near-perfect inbox placement, so you ramp hard. Then real prospects, unlike pool members, ignore you or hit Report spam, and the domain reputation slides while the dashboard stays green. Pool members rescue each other; strangers do not. The scoreboard that counts is Google Postmaster Tools. Add every sending domain at postmaster.google.com, verify each with the TXT record it gives you, and read it weekly. Low-volume domains show no data at first, which is normal. The moment domain reputation drops from High to Medium, halve your sending for two weeks before it reaches Low, because climbing back from Low takes months.
Step 6: CASL identification and unsubscribe mechanics
CASL covers commercial electronic messages sent to or from Canada, and unlike the American CAN-SPAM rules it has no general carve-out for cold outreach. You need consent, express or implied, and penalties for corporations run up to $10 million per violation. Enforcement targets the worst senders, but compliance costs almost nothing, so build it in.
The implied consent paths a B2B cold sender can actually use:
- Conspicuously published address. The person's business email is published, the publication carries no note refusing unsolicited messages, and your message relates to their business role. This is the basis most compliant Canadian cold email runs on.
- Recent inquiry. They contacted your business within the last 6 months.
- Existing business relationship. They bought from you within the last 2 years.
The burden of proof sits with the sender, so keep records. In your Clay table, add columns named consent_basis, consent_source_url, and consent_date, fill them during enrichment, and export them with every lead. If you cannot say where you found an address, do not email it.
Every message needs an identification block and an unsubscribe. The footer must show who is sending: your legal business name, a mailing address, and at least one of a phone number, an email address, or a website. That information has to stay valid for 60 days after the send. The unsubscribe must work without a login or a fee, stay functional for 60 days, and be honored within 10 business days. Honor it the same day; the 10 days exist for processing time, not for extra sends. A working footer looks like this:
{Legal business name}, {street address}, Toronto, ON. You are receiving this because your work email is published on {company site}. Reply UNSUB or use this link to stop hearing from us: {unsubscribe link}
Enable the unsubscribe link in your sending tool and also watch replies for plain-language opt-outs. "Please remove me" in a reply counts under CASL even though no link was clicked.
Where this breaks: the unsubscribe that only works once
A prospect unsubscribes from campaign A. The suppression lives inside that one workspace. Six weeks later your Clay table pushes a refreshed list into campaign B, the same person is on it, and they get emailed again. That is a CASL violation with a timestamped paper trail you built yourself, and it is the single most common compliance failure we see in DIY setups. The fix is a master suppression list outside the sending tool: a Google Sheet or a CRM property such as cold_email_status = Unsubscribed, written to by a Zapier, Make, or n8n workflow on every unsubscribe event, and checked by every new campaign before its first send. Our automation work treats this sync as non-negotiable.
The weekly deliverability checklist
Fifteen minutes every Monday:
- Google Postmaster Tools. Spam rate under 0.1%, never at or above 0.3%. Domain reputation High. Authentication chart near 100%.
- Blacklist check. Run each sending domain through the MXToolbox blacklist check. A Spamhaus listing means stop sending on that domain today and find the cause before anything else.
- Bounce rate per mailbox. Under 3% is healthy. Above 5% means the list is the problem, not the infrastructure: re-verify it before sending another batch.
- DMARC aggregate reports. Skim the reports arriving at your rua address, or run them through a free DMARC report parser. You are looking for unknown sources failing alignment, which is how spoofing and misconfigured tools surface.
- Manual seed test. Send the live campaign template from each mailbox to a fresh Gmail and a fresh Outlook account. Note where it lands: Primary, Promotions, or Spam. Outlook is harsher on young domains, so expect Junk there early on.
- Suppression audit. Pick two unsubscribes from last week and confirm they appear in the master suppression list and would be excluded from the next campaign.
How you know it worked
Run this acceptance test on day 14 to 21, before the first cold send. Every line must pass for every mailbox:
- Send a message to a Gmail account you control. Open it, click Show original, and confirm the summary reads SPF: PASS, DKIM: PASS, DMARC: PASS, with the DKIM signature showing your sending domain, not a tool's domain.
- Send the same message to an Outlook account and confirm it arrives, even if in Junk for now.
- Type each secondary domain into a browser and confirm it redirects to your main site over https.
- Click the unsubscribe link in your own test message and confirm the address lands in the master suppression list, not just the campaign's local one.
- Read the footer: legal name, mailing address, contact method, all present.
- Check the tool settings: every mailbox capped at 30 or fewer cold sends per day with a randomized gap between sends.
If all of that passes, start cold sends at 5 to 10 per mailbox per day and ramp along the schedule above. If any line fails, fix it before sending, because every failure on this list compounds with volume.
When to stop DIYing, and what it costs either way
First, the cases where you should not build this at all. If you send a handful of personal, researched emails a week, use your normal mailbox and skip everything above. If your list is scraped junk, infrastructure will only help you land bad emails in more inboxes; fix targeting first. And if you have never sent cold email, run a small manual test from a single secondary mailbox before investing in three domains' worth of infrastructure.
The DIY math is honest and favourable: domains cost tens of dollars a year, each mailbox is one cheap monthly seat, the sending tool is a monthly subscription, and the setup is about two hours of careful DNS work plus three weeks of patience. A founder who follows this guide exactly can do it alone. The expensive part of DIY is not the setup, it is the silent failure modes: the second SPF record, the warmup dashboard you trusted, the unsubscribe that did not sync. Each of those costs a burned domain and a month of waiting.
If we build it: a typical setup of three domains and six mailboxes, including DNS, the Workspace tenant, tool configuration, the CASL footer and consent columns, the cross-workspace suppression sync, and the acceptance test above, runs 4 to 6 hours at our flat $150 per hour, so $600 to $900 CAD. We quote the scope in writing before starting, and unused hours never expire. The DNS itself takes a session; the part that earns the fee is the suppression sync and the weekly check routine we hand over, the same discipline behind the 600+ workflows we have shipped. If you want the whole outbound system around it, list building in Clay, sequencing, and the CRM handoff, that is our GTM engineering work, and how we work explains the process.
Frequently asked questions
Can I send cold email from my main domain if my volume is low?
True one-to-one email, written by a human for one recipient, is fine from your main domain at any volume. Sequenced campaigns are not, even small ones, because spam complaints attach to domain reputation and there is no way to transfer a clean reputation back once it slips. The cost of a secondary domain is small. The cost of your invoices landing in spam is not.
How long until a new domain can safely send cold email?
Fourteen days of warmup is the minimum and twenty-one is safer. Full volume of 20 to 30 cold sends per mailbox per day arrives around week four. Domain age, consistent low-volume sending, and real replies are the inputs, and none of them can be bought or accelerated by a higher tool tier.
Does CASL really apply to B2B cold email in Canada?
Yes. CASL has no blanket exemption for business-to-business outreach. Compliant cold email is still possible through implied consent, most often the conspicuously published address rule: the prospect's work email is public, carries no anti-solicitation note, and your message relates to their role. You must keep proof of where and when you found each address, identify your business in every message, and honor unsubscribes within 10 business days.
Do I need a separate Google Workspace account for the sending domains?
Yes, separate from your company's main tenant. Google suspensions act at the account level, so cold sending should live in a tenant where a suspension costs you nothing important. One new Workspace account can hold all your secondary domains; you do not need one tenant per domain.
Want this handled instead of read about?
We scope this exact work in hours, quote it in writing, and ship it in weeks. The 30-minute call is free and useful either way.
Book a 30-minute call$150/hr flat · published pricing · no retainer pitch