Field notes
Cold email for recruitment agencies without burning your domain
13 July 2026
On this page
The sequence looked fine in the preview. Open rate sitting at 34 percent on day one, replies coming in, a couple of meetings booked. By week three the numbers had collapsed. Not gradually. The agency's primary domain had been flagged, their Google Workspace account was under review, and every email they sent, including internal ones, was landing in spam. The sequence was still running.
This is how domain reputation dies. Not with a warning. With silence.
Outbound email is still the highest-ROI channel most recruitment agencies have for business development. The problem is that the infrastructure question gets treated as a technical afterthought, something the person who set up the CRM handles once and never revisits. That is the wrong way to think about it. Deliverability is a workflow problem. The tool is the easy part.
This post covers infrastructure and compliance posture for outbound email. It is not legal advice. If you are sending into EU markets or running high-volume sequences, take specific legal counsel on your GDPR and ePrivacy obligations.
Most people use deliverability as a synonym for "emails getting through." It is more specific than that. Deliverability is the probability that a given email lands in the primary inbox of the intended recipient, as opposed to spam, promotions, or nowhere at all.
That probability is determined by three things: your sending domain's reputation and the technical authentication signals attached to your emails. Both interact with the engagement behaviour of the people who receive them. A clean domain with poor authentication still fails. A well-authenticated domain that gets mass-flagged as spam by recipients recovers slowly, if at all.
The reason agencies burn their domains is that they treat outbound email as a volume game and run it from the same domain that handles client invoices, candidate confirmations, and internal communication. When that domain gets flagged, everything stops.
The fix is structural. You do not send cold outbound from your primary domain. You send from a secondary domain, set up specifically for prospecting, with its own authentication stack and its own warmup history.
The secondary domain should be close enough to your brand to look legitimate but clearly separate. If your agency is at talentbridge.co.uk, you might send from talentbridge-connect.co.uk or hi.talentbridge.co.uk on a subdomain. The goal is that a recipient who looks it up does not feel deceived, and your primary domain is never at risk.
Authentication on the secondary domain is non-negotiable: SPF, DKIM, and DMARC all need to be configured before a single email goes out. DMARC should start at p=none with reporting enabled so you can see what is happening, then move to p=quarantine once you have established a clean sending history. Skip this step and you are building on sand.
Warmup is the part most agencies either skip or do badly. You cannot take a new domain and send 200 emails a day from day one. Inbox providers use sending history as a trust signal. A domain with no history that suddenly sends at volume looks like a spam operation, because it usually is one. The warmup period is a minimum of four weeks, starting at 10 to 15 emails per day and increasing by no more than 20 percent per week. Use a warmup tool (Instantly and Lemlist both have this built in) to generate positive engagement signals while you are building history.
After warmup, the daily cap on a single domain and mailbox stays low. The number that keeps you safe is different from the number that feels productive.
sending_infrastructure:
primary_domain:
use_for: ["client comms", "candidate comms", "internal email", "invoicing"]
use_for_cold_outbound: false
secondary_domain:
examples: ["agency-connect.co.uk", "hi.agencyname.co.uk"]
authentication:
SPF: required_before_first_send
DKIM: required_before_first_send
DMARC: "start p=none with rua reporting, move to p=quarantine after 30 days clean"
warmup:
tool_examples: ["Instantly", "Lemlist warmup pool", "Mailreach"]
duration_weeks: 4
day_1_daily_volume: 15
weekly_increase_pct: 20
target_post_warmup_daily_cap: 40
per_mailbox_daily_cap:
google_workspace: 40
microsoft_365: 40
note: "scale by adding mailboxes, not by increasing per-mailbox volume"
scaling_rule: "add a mailbox before you raise the cap"The scaling rule matters. When you need to send more, you add another mailbox on another secondary domain. You do not raise the cap on the mailbox you already have. This is how agencies that do this properly run sequences at scale without triggering spam filters.
Under the Privacy and Electronic Communications Regulations, the UK takes a softer posture on B2B cold email than on consumer email. Sending to a corporate subscriber (a limited company, LLP, or other corporate body) does not require prior consent in the same way that sending to an individual consumer does. You need a legitimate interest basis, the email must be relevant to the recipient's professional role, and you must provide a clear and easy opt-out mechanism in every message.
That opt-out is not a courtesy. It is a legal requirement. The processing of that opt-out needs to happen the same day it is received. Not in the next sequence run. Not when someone checks the suppression list at the end of the week. The same day.
This is where the workflow falls apart in most agencies. The opt-out comes in, it sits in an inbox or a tool, and the person who manages the sequence does not see it until Tuesday. Meanwhile, the sequence fires another email on Monday morning. That is a PECR breach and a deliverability problem at the same time: the recipient flags the second email as spam, and your domain takes the hit.
The fix is an automated suppression workflow. Opt-out received, contact suppressed in your CRM and your sending tool, sequence paused, within the hour. This is a one-hour automation build in any decent workflow tool. It is not done often enough.
If you are sending into EU markets, the posture shifts. Germany, Austria, and several other EU member states treat B2B cold email much closer to B2C, requiring prior consent in most circumstances. GDPR Article 6 legitimate interest is available in principle but harder to rely on in practice for cold prospecting. Get specific advice before you run sequences into those markets from the same infrastructure you use for UK outbound.
The AML workflow post covers a different compliance domain, but the same principle applies here: the legal requirement is the easy part to understand. The process that makes you compliant at volume is the thing that actually needs building.
The deliverability problem is usually upstream of the send. Agencies build sequences on contact data that has not been validated, send to role-based addresses (info@, hello@, contact@), and use subject lines that pattern-match to what spam filters are trained to catch.
Role-based addresses are a deliverability problem because they are often monitored by multiple people, flagged more aggressively, and less likely to generate the positive engagement signals (opens, replies, clicks) that build domain reputation. Strip them from your lists before sequences run, not after you have already sent to them.
Data validation before sending is not optional at any meaningful volume. A hard bounce rate above two percent will get your sending domain flagged. Tools like NeverBounce or ZeroBounce run verification passes before a sequence starts. This is a five-minute integration and it prevents a problem that takes months to recover from.
Subject line hygiene is its own topic, but the short version is this: avoid anything that reads like a promotional email, avoid excessive personalisation tokens that look obviously templated, and test your emails through a tool like Mail-Tester or GlockApps before you run a sequence at volume. What feels like a good subject line to a human often pattern-matches to spam at the filter level.
The brief bottleneck post makes the point that AI does not fix a broken intake process. The same logic applies here. A sequence automation running on top of unvalidated data and a misconfigured domain does not become a good outbound programme. It becomes a faster way to burn your reputation.
If you are running outbound from your primary domain right now, the priority order is straightforward.
Register a secondary sending domain this week. Configure SPF, DKIM, and DMARC before anything else. Start a warmup run immediately, because the four weeks start now.
While the warmup runs, audit your current contact data. Remove role-based addresses, run a verification pass, and build your suppression list from any previous opt-outs you have received. If those opt-outs are sitting in a spreadsheet somewhere, that is the first automation to build.
Set your daily cap at 40 per mailbox and do not move it. If you need more volume, add a mailbox.
Build the opt-out suppression workflow before the first sequence goes live. Not after.
If you are selling into EU markets, get legal advice on your posture before you send a single email into Germany or Austria. The PECR framework does not travel.
Deliverability is not a technical problem you solve once. It is an operational discipline you maintain. The agencies that run consistent, high-performing outbound email have boring, well-maintained infrastructure and tight suppression workflows. The ones that burn domains have the same tools and none of the process underneath.
If you want to audit the workflow design behind your outbound programme, the AI Workflow Audit is where to start. We look at the process first, then the tooling.
Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426 (full text). Regulations 6 and 22 cited (requirements for unsolicited electronic mail and opt-out).
UK GDPR, as retained in UK law by the European Union (Withdrawal) Act 2018 (ICO guidance on legitimate interests). Article 6(1)(f) legitimate interest basis cited.
Regulation (EU) 2016/679 (GDPR) (EUR-Lex). Article 6 cited in context of EU member state cold email posture.
Sources verified on 2026-07-13. This post does not constitute legal advice.