Three scenarios that cost small businesses real money, all caused by the same problem:
A customer signs up and the password-reset email never shows up. They email support. You spend an hour explaining that the reset link is in their spam folder. Half the time they give up before opening the ticket.
Your new newsletter ships to 1,800 subscribers. Gmail drops 40% into Promotions. Open rate looks fine because Promotions still counts; click-through is a third of what it was on your last list because nobody actually scrolls the Promotions tab.
You send a careful, specific intro email to a prospect you met at an event. They never reply. You assume they're not interested. A month later they ask why you never followed up — your original message was in their spam folder the whole time.
All three come from the same root cause: the mail you send isn't authenticated the way modern inboxes expect, or it's coming from an address that doesn't have enough reputation yet, or it's going through a platform that doesn't belong in that lane. None of them are unfixable. All three fix the same way.
Here's the playbook I use across my own properties and client engagements.
Step 1. Decide which lane you're actually in
There are three lanes, and each one uses different tooling. Mixing them up is the most common beginner mistake.
Transactional — password resets, order confirmations, receipts, two-factor codes. One person asked for this email. Tooling: Postmark, SendGrid, Resend, AWS SES, Mailgun. These are designed for triggered one-to-one mail and their IP reputation is exceptional for that use case.
Newsletter and marketing — someone opted into a list. Tooling: ConvertKit, Beehiiv, Substack, Mailchimp, Ghost with a built-in mailer. Their delivery infrastructure is tuned for bulk-to-subscribed mail.
Outreach — the first email to a specific person you haven't emailed before. Tooling: Instantly.ai, Smartlead.ai, Lemlist, Mailshake. These handle inbox rotation and warmup the way transactional platforms don't.
A transactional platform will close your account if you send a list from it. A newsletter platform will throttle or ban cold outreach. An outreach platform doesn't have the triggered-delivery latency you want for password resets. Pick the platform that matches the lane, not whichever one you already know.
How each platform actually fits
The name list above isn't a ranking — it's a map. Here's how each fits and when to pick one over another.
Transactional — triggered one-to-one mail
- Postmark ($15/mo for 10K emails; $1.25 per additional 1K). Separate IP pool for transactional vs broadcast. The highest median delivery time in the category (~1 second end-to-end). My default pick for anything time-sensitive (password resets, 2FA codes, checkout receipts) because late delivery = immediate user friction.
- Resend ($20/mo for 50K emails; free tier for 3K/mo, 100/day). Newer entrant, superb developer experience, React Email templating. Great for anyone shipping a Next.js / Remix app; the free tier covers most side projects.
- AWS SES ($0.10 per 1K emails — cheapest by a mile). Raw API only; you build the unsubscribe, list management, and reputation warm-up yourself. Right call at high volume (50K+/mo) when the per-email savings justify the integration work. Wrong call if you don't have an engineer.
- SendGrid ($19.95/mo for 50K emails on the Essentials tier). Most widely integrated; ubiquitous in SaaS. Deliverability can be variable because you share IP pools with thousands of other senders on the lower tiers. Step up to a dedicated IP once you pass ~50K/mo.
- Mailgun ($35/mo starter, generous analytics). Stronger EU presence than SendGrid if you have customers over there.
Decision rule: Postmark for time-sensitive triggered mail, Resend for developer-ergonomic app projects, SES when you're cost-optimizing at scale, SendGrid if your framework already integrates it, Mailgun for EU-heavy sending.
Newsletter — opt-in subscribers
- ConvertKit ($9/mo up to 300 subs, scales to $29/mo at 1K). Creator-focused, strong tagging + automation, best-in-class opt-in form UX. What I use for most client newsletters where the writer cares about audience segmentation.
- Beehiiv (free up to 2,500 subs, $39/mo at 10K). Built by Morning Brew alums for paid-subscription newsletters. Native referral tools, ad-network integration, and the cleanest default email styling in the category. Best pick for a newsletter you eventually want to monetize.
- Substack (free; 10% of paid subscriptions if you charge). Zero setup, built-in audience graph, every Substack reader is one click from subscribing to yours. The right call if you want distribution more than you want list ownership; the wrong call if you ever need to migrate off because the export is partial.
- Ghost ($11/mo hosted; free self-hosted). Newsletter + blog CMS in one. Best for operators who want a standalone publication site and full export rights.
- Mailchimp ($13/mo up to 500 contacts, scales fast). Ubiquitous. Heavy template editor. Fine if you already know it; avoidable otherwise — competitors above are cleaner for any specific use case.
Decision rule: ConvertKit for creator-style segmented lists, Beehiiv for monetized newsletters, Substack for distribution-first, Ghost for self-hosted publications.
Outreach — first-touch cold mail
This is the category that handles what no transactional or newsletter platform will: inbox rotation across multiple mailboxes, automated warmup, and the specific etiquette Gmail's algorithm expects of unsolicited-but-permitted mail.
- Instantly.ai ($37–97/mo, mailbox-tier pricing). Most popular 2025–2026 choice. Unlimited warmup included, AI-assisted inbox-rotation network, native unified inbox for replies across all mailboxes, campaign-level reporting. My default recommendation for solo operators sending 50–500/day. Setup takes about 20 minutes end to end.
- Smartlead.ai ($39–94/mo). Very similar feature set. Unlimited mailbox warmup on every tier (some Instantly tiers cap it). Slightly better deliverability reports with per-domain warmup trajectories. My pick if you're running multiple campaigns in parallel or agency-style for several clients, because the subaccount structure is cleaner.
- Lemlist ($59–99/mo). Older player, strongest personalization features — dynamic images per-recipient, video intros, LinkedIn multi-touch. Weaker raw deliverability than Instantly/Smartlead in side-by-side tests I've seen shared in deliverability communities. Right call if personalization is your wedge; wrong call if volume is.
- Mailshake ($49–99/mo). Solid, been around since 2018, clean UX. No longer the frontier player but stable and reliable; good when your team is older and wants less "AI" in the workflow.
- Apollo.io ($49–99/mo for the combined tier). Different category — lead database plus sending platform. If you don't already have a list, Apollo's B2B contact database is where you'd start. Deliverability is fine but not best-in-class; most high-performers I know pull lists from Apollo and send through Instantly or Smartlead.
Decision rule: Instantly for most small-business operators, Smartlead for agencies or multi-campaign runs, Lemlist when personalization is the wedge, Apollo when you need the list and the sender.
How the three lanes compose on one domain stack
For a typical small business shipping all three kinds of mail, here's how the pieces sit together:
acmewidgets.com (primary identity + customer-facing)
├─ MX, SPF, DKIM, DMARC on DNS host
├─ Transactional: Postmark (triggered from the app)
└─ Newsletter: ConvertKit (opted-in subscribers)
acmewidgets.co (cousin domain for outreach only)
├─ Separate MX, SPF, DKIM, DMARC records
├─ Google Workspace × 3 mailboxes (hello@, team@, josh@)
└─ Instantly.ai rotates sends across the three mailboxes
Primary domain holds its reputation because only transactional (high-permission) mail ships from it. Secondary domain is the lane that absorbs any cold-outreach reputation volatility. If the secondary gets burned (someone flags enough messages as spam), the primary is untouched and you register a new cousin.
For each platform on the stack, the work order is the same: add the authentication records the platform tells you to add to DNS, verify domain ownership in the platform's dashboard, run a send to mail-tester.com to confirm 9/10 or 10/10, then ramp real volume.
Platforms to skip for each lane
- Do not use transactional platforms for outreach. Postmark, SendGrid, Resend, and SES all ban unsolicited mail in their acceptable-use policies. An account suspension freezes your password resets alongside your outreach, which is a much worse outcome than a bounced campaign.
- Do not use newsletter platforms for outreach. Mailchimp and ConvertKit explicitly close accounts caught sending to lists the recipient didn't opt into.
- Do not use cold-outreach platforms for transactional. Instantly and Smartlead aren't built for the 1-second triggered-delivery path a password reset needs; they also aren't deeply integrated with the frameworks you're shipping your app on.
- Do not mix an ESP's "shared IP" tier with cold mail. Shared IPs on SendGrid / Mailgun / SES cheaper tiers mean you inherit the reputation of everyone else on that IP. If one of them spams, your delivery drops. For cold specifically, Google Workspace mailboxes (dedicated per-account reputation) beat any shared-IP transactional tier.
Step 2. Do not send from your primary domain
The most-ignored rule in small-business email is that your primary domain's sending reputation is load-bearing. If it tanks, your own customers stop getting your support emails. Serial-plaintiff scanners, Gmail's reputation system, and corporate spam filters all treat any kind of cold or bulk sending as higher-risk than transactional mail.
Buy a cousin domain for the outreach and marketing lanes. If your main site is acmewidgets.com, register acmewidgets.co, tryacmewidgets.com, or acme-outreach.com and send non-transactional mail from there. If the reputation of the secondary domain ever gets burned, you can throw it away and start over without touching the primary.
Transactional mail is fine to send from the primary domain because the recipient explicitly asked for it and it's high-reputation traffic.
Step 3. Google Workspace mailboxes cost $7 a month each and are the highest-delivering option
As of 2026, Google Workspace Business Starter is $7 per user per month on annual billing, $8.40 on monthly (Google Workspace pricing). You don't need the higher tiers for sending outreach — Starter gives you the mailbox, 30 GB, and the full Gmail + authentication stack.
Microsoft 365 Business Basic at around $7.20/user/month is the close second if you already live in Office. I'd avoid Zoho Mail, FastMail, Proton, and Namecheap Email for the outreach lane specifically — many outreach platforms throttle or refuse to attach them because their deliverability baseline is measurably lower.
For a 50–100/day outreach volume, buy 3–5 mailboxes on the secondary domain (hello@, team@, josh@, etc.). Each one sends comfortably at 20–30/day. Five × 25 = 125/day without triggering any volume alarms.
Step 4. Put the authentication stack on your DNS host
Your DNS host (Netlify, Cloudflare, Route 53, whatever you use — this works on all of them) needs four records added to the sending domain:
# SPF — authorize your mail provider as a legitimate sender
TXT @ v=spf1 include:_spf.google.com ~all
# DKIM — the cryptographic signature that proves mail is really from you
# Workspace generates this value in Admin → Apps → Gmail → Authenticate email
TXT google._domainkey v=DKIM1; k=rsa; p=<the-key-Workspace-generates>
# DMARC — tells receiving servers what to do when SPF/DKIM fail + gives you reports
TXT _dmarc v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
# MX — route inbound mail to Workspace
MX @ 1 smtp.google.com
Gmail and Yahoo now require all three (SPF, DKIM, DMARC) for any sender shipping 5,000+ messages per day to Gmail addresses, with spam-rate staying below 0.30% in Postmaster Tools (Google's email sender guidelines, Yahoo Sender Hub). You're almost certainly not at 5,000/day as a small business — but setting all four up now means you're future-proof and your 50–100/day outreach already gets treated as authenticated mail by every inbox provider.
Verify the stack before you send anything. Your own quick-check options:
- Run the domain through my DNS / Email Auth Audit — it pulls SPF, DKIM, DMARC, CAA, and MX records via DNS-over-HTTPS and flags any that are missing or malformed.
- Send a test email from each mailbox to mail-tester.com — free, no signup, scores 0–10. Aim for 9/10 or 10/10 before proceeding.
- If any DMARC aggregate reports surprise you, run dmarcian free trial for a week to see what's actually being reported against your domain.
Anything below 9/10 is a signal to stop, fix the auth stack, and try again.
Step 5. Warm up for 2–4 weeks before sending real volume
A brand-new Workspace mailbox with clean auth still has zero sending reputation. If you send 50 outreach emails from a fresh address on day one, Gmail drops most of them into spam to protect their users from what looks like new-domain attack traffic. That's not punishment — it's exactly what you'd want Gmail to do for your own inbox.
Instantly and Smartlead both include a "warmup" toggle that runs small, natural-looking two-way conversations across a network of other warmup accounts on your behalf. Turn it on the day you connect the mailboxes. Twenty days of warmup sits around $37/mo on Instantly or $39/mo on Smartlead (both have lower tiers if you're running fewer mailboxes), and it's the step most people skip that most determines whether the first real campaign lands.
Real rule of thumb I use: don't send a cold email from a new mailbox for 21 days. The warmup does the work for you. Ramp volume slowly after — 10/day in week 4, 20/day in week 5, cap around 30/mailbox/day ongoing.
Step 6. Mind the legal floor
Cold and marketing mail in the US is regulated by the CAN-SPAM Act (FTC compliance guide). The floor is deliberately low — hit all five and you're inside the law:
- Do not use false / misleading header information.
- Do not use deceptive subject lines.
- Tell recipients where you're located — a physical postal address in every send. PO Box is fine.
- Offer a clear opt-out. A one-click unsubscribe is ideal; Gmail and Yahoo now require it for marketing mail anyway.
- Honor opt-outs promptly. Statute gives you 10 business days; best practice is same-day.
State privacy law on top of federal:
- California (CCPA/CPRA) — cold-emailing California residents triggers data-rights obligations. Keep your sending list deletable on 45-day request.
- Virginia, Colorado, Connecticut, Utah, Texas, and several more 2024–2025 state laws — similar shape, each with its own quirks. IAPP's state law tracker is the clearest single reference.
- EU/UK if any recipients are there — GDPR and the UK equivalent require a lawful basis for processing their email address. Legitimate-interest basis for B2B is defensible but requires documentation.
First-touch hygiene that keeps you out of trouble: send to role-based addresses (info@, contact@, hello@) on the first contact, not to an individual's personal work email. Most state privacy-law obligations are lighter on role-based inboxes, and deliverability is usually better too.
Step 7. Baseline hygiene that earns you the rest of your score
- Skip tracking pixels on cold mail. They degrade Gmail deliverability measurably and many corporate filters now flag them as spam signals.
- Skip link shorteners on cold mail. Same reason. Use full URLs or branded short domains only.
- Plain text and simple HTML beat designed templates on cold. Designed templates read as marketing; plain text reads like a real person at a kitchen table. Transactional mail is the opposite — polished template with a clear header is what users expect.
- Start small and ramp. 20–30/day per mailbox for the first two weeks after warmup, double weekly, cap where your reply quality stops improving. Volume isn't the goal; response rate is.
- Clean your list. Run any cold list through ZeroBounce, NeverBounce, or Kickbox first. A 20% invalid-address list looks exactly like a spammer's list to Gmail.
- Treat bounces as information, not noise. 5%+ bounce rate = stop and investigate the list source.
Total monthly cost for a 50–100/day operation
| Item | Cost |
|---|---|
| Secondary domain registration | ~$12/year |
| Google Workspace × 3 mailboxes (Business Starter, annual) | $21/month |
| Instantly or Smartlead (3-mailbox tier) | $37–39/month |
| List verification (ZeroBounce pay-as-you-go) | ~$0.008/email × volume |
| Approx total | ~$60/month + list costs |
Set-up time: about two hours of real work plus a 21-day warmup clock. That's the whole mountain.
A quick note on the tool that helps here
The DNS / Email Auth Audit on this site pulls live SPF, DKIM, DMARC, CAA, and MX records via DNS-over-HTTPS and returns exact fix snippets for any missing or malformed ones. Use it before your first send, after any DNS change, and as a post-deploy regression check. The Mega Analyzer also runs basic DNS / security-headers checks alongside its SEO pass — useful when you're auditing someone else's site and want the signal without opening six tabs.
Fact-check notes and sources
Every specific number or rule cited above is verifiable. Where I made a claim that a small-business reader could reasonably ask "where'd you get that", here's the actual source:
- "February 1, 2024 — Google and Yahoo's bulk-sender threshold is 5,000/day to Gmail, requiring SPF + DKIM + DMARC and keeping spam rate below 0.30% in Postmaster Tools" — Google Workspace Admin Help: Email sender guidelines, Yahoo Sender Hub best practices, Valimail summary. The 5,000/day rule applies to mail going specifically to personal Gmail accounts, measured in any 24-hour window.
- "One-click unsubscribe required for marketing mail" — Google Workspace Admin Help FAQ. Same requirement applies to Yahoo.
- "Google Workspace Business Starter: $7/user/month annual, $8.40/user/month flexible" — Google Workspace pricing page. Price reflects the January 2025 change that bundled Gemini into Business and Enterprise SKUs.
- "CAN-SPAM five-requirement floor" — FTC CAN-SPAM Act Compliance Guide for Business.
- "State privacy law landscape" — IAPP US State Privacy Legislation Tracker. Laws change quarterly; the IAPP tracker is the cleanest single reference.
- DMARC and SPF standards — DMARC at dmarcian, RFC 7208 (SPF), RFC 6376 (DKIM).
Pricing and plan details can move quarterly. Always confirm against the source link before you commit to a contract.
This post is informational, not legal advice. Email marketing and cold outreach are regulated at the federal level (CAN-SPAM) and in many US states, plus GDPR / UK GDPR for international recipients. Consult counsel for your specific use case. Mentions of Google, Yahoo, Gmail, Google Workspace, Microsoft 365, Instantly, Smartlead, Postmark, SendGrid, ConvertKit, and other third parties are nominative fair use. No affiliation or sponsorship is implied.