Most deliverability problems are diagnosed too late. The open rate slides, the replies dry up, and only then does anyone go looking for the cause — by which point the domain is already burned and the reputation is already gone. The shops that stay in the inbox flip that order: they treat deliverability as something you verify before you send, not something you investigate after it breaks.
This is that pre-send checklist. Fifteen concrete things to confirm — grouped into authentication, domains and IPs, list hygiene, content, volume and warming, and monitoring — before a single cold email leaves the building. Our deliverability pillar explains why MCA mail goes to spam in the first place; this piece is the practical audit you run on top of that understanding. Where the pillar is the theory, this is the pre-flight checklist.
A note on stakes. In most industries you can skip a few of these and survive. In merchant cash advance — the most spam-complained-about industry online — you cannot. Every item below is mandatory, because MCA senders have almost no margin for error. Run the list. Then send.
Authentication: prove you are who you say you are
Authentication is the price of admission. It doesn't get you liked, but skipping it gets you blocked — and since 2024, Gmail and Yahoo treat the three core records as mandatory rather than optional for anyone sending at volume. Before you send, confirm all three are present and passing on every cousin domain, not just your main one.
1. SPF is published and aligned
Check that each sending domain has an SPF record in DNS that names every server allowed to send for it. SPF is what tells the receiver 'this server is authorized.' Missing or misconfigured SPF makes your mail look forged, and forged mail is the easiest thing in the world for a provider to reject. Verify it actually covers the infrastructure you're sending from — a record that doesn't include your real sending servers is worse than none, because it actively fails.
2. DKIM is signing every message
DKIM attaches a cryptographic signature proving the email genuinely came from your domain and wasn't tampered with in transit. Confirm the key is published in DNS and that outgoing mail is actually being signed — not just configured. A DKIM record that exists but isn't signing real sends gives you a false sense of safety. Send a test to a checking tool and confirm the signature passes.
3. DMARC has a policy and reporting
DMARC tells receivers what to do when SPF or DKIM fails, and just as importantly, it sends you reports on who's authenticating as you. Confirm you have a published DMARC record with at least a monitoring policy and a reporting address you actually read. Without DMARC you're flying blind — you won't know your authentication is breaking until your reputation already has.
Domains & IPs: isolate the risk before you take it
Cold sending carries real attrition — in MCA, losing a throwaway domain now and then is normal. The whole game is making sure that when a domain goes down, it takes nothing important with it, and that your reputation is yours alone rather than entangled with strangers'.
4. You're sending from cousin domains, not your main one
This is the single most important check on the list, and the one shops skip most. Never cold email from your primary operational domain. If a cold-sending domain gets blacklisted, you do not want the email you run your actual business on going down with it. Send from lookalike 'cousin' domains (think getyourbrand.net or yourbrandpartners.com) that mirror your brand without risking it. Confirm every campaign is pointed at a cousin domain before it goes out.
5. Your reputation is isolated, not shared
Confirm you're not sending through a shared pool where another sender's bad behavior can drag you into a blacklist you didn't earn. On most generic tools and shared-IP ESPs, your deliverability is tangled up with everyone else's. The check: do you own — or does your provider isolate — the domains and IPs you send from, so the upside you build and the reputation you protect are genuinely yours? In a complaint-heavy industry, shared reputation is borrowed risk.
6. Every cousin domain has been warmed
A cold domain blasting MCA offers on day one is dead on arrival. Before any domain touches a cold lead, confirm it's been warmed — reputation built deliberately over time by emulating real positive engagement so the providers learn to trust the sender. The check is simple: has this domain been through warming, or are you about to scale a sender the inbox has never seen before?
List hygiene: clean inputs mean fewer complaints
Deliverability compounds — for you or against you — and it starts with what you feed it. The cleaner the list, the lower the complaint and bounce rate, the healthier the reputation, the more of every future send reaches the inbox. Garbage in is reputation out.
7. The list is validated and de-duplicated
Run the list through validation before you send. Invalid addresses bounce, and high bounce rates are a direct signal to the providers that you don't know who you're emailing — which reads as spam behavior. De-duplicate while you're at it, so the same merchant isn't hit twice from different rows. A validated, deduped list is the cheapest deliverability insurance you can buy.
8. You're only sending to Gmail and business domains
Not all inbox providers behave the same. Gmail and business @domain.com addresses convert and complain at acceptable rates; Yahoo, Hotmail, AOL, and Outlook addresses tend to complain more and deliver worse. Disciplined MCA programs simply don't send to them. Confirm your list has been filtered to Gmail and business domains before it goes out — it's the difference between earning headroom and burning it.
9. The list is segmented for relevance
Relevance lowers complaints, and complaints are the thing that kills you. Before sending, confirm the list has been analyzed for natural segments — by industry, by state, by behavior — so each batch gets a message that actually fits. A merchant who receives something relevant is far less likely to hit 'report spam' than one blasted with a generic offer that clearly wasn't meant for them.
Content: don't hand the filter a fingerprint
Spam filters are pattern-matchers, and they read both the look of your email and its structure. The goal before you send is to make sure there's no consistent pattern for them to catch and nothing in the message that screams 'bulk promotion.'
10. Every email is unique, not a copy-paste blast
Send the same email to a thousand merchants and you've handed the filter a fingerprint it can block in one move. Confirm your sends are randomized — words and phrases swapped per message so every recipient receives a genuinely unique email and there's no repeated pattern to flag. This is the single biggest content lever in high-volume MCA sending, and the one generic tools handle worst.
11. The email reads plain-text and personal
Cold email should look like a quick note from a person, not a designed newsletter. Heavy graphics, logos, and image-only emails read as bulk promotion and get routed to the Promotions tab or spam. Confirm your message looks plain-text and 1-to-1 — the kind of thing a CEO would tap out on their phone. The luxury storefront is your website; the email should feel personal.
12. A working one-click unsubscribe is in place
Gmail and Yahoo now expect easy, honest opt-out, and CAN-SPAM requires it. Confirm every send includes a working one-click unsubscribe and a real physical address, and that opt-outs are actually honored and suppressed from future sends. Beyond compliance, a visible unsubscribe is a deliverability asset: a merchant who can opt out quietly won't hit 'report spam' instead — and that spared complaint protects your reputation.
Volume & warming: stay human-looking at scale
No single inbox should ever blast. The arithmetic of safe sending is unglamorous but non-negotiable: keep every individual sender small and human-looking, and reach volume by spreading the load across many of them rather than pushing any one of them hard.
13. No inbox exceeds 30–50 sends per day
The safe ceiling is roughly 30–50 emails per inbox per day. That means 1,000 emails a day requires 20+ inboxes, and serious MCA volume requires hundreds of domains, IPs, and sending accounts working in concert. Before you send, confirm your per-inbox volume is under that ceiling. A single account pushing thousands of emails trips a volume alarm instantly — spreading the same load across many keeps each footprint small enough to look like a person.
14. Warming is active and ongoing — not a one-time step
Warming isn't something you do once and forget. Confirm your domains and inboxes are being kept warm continuously — engagement signals maintained even while you scale — so reputation keeps building rather than decaying the moment you stop. The check before a big push: is the warming network still running underneath these senders, or are you scaling on borrowed reputation that's already cooling?
Monitoring: watch placement, not just opens
The last check is the one that protects all the others: you can't defend what you don't measure. Most shops watch open rate and call it deliverability, but open rate is a lagging, noisy signal — privacy features inflate it, and it can look healthy while your reputation quietly collapses underneath it.
15. Complaint rate stays under 0.3% and inbox placement is tracked
Confirm two numbers are being watched continuously. First, your spam-complaint rate against the 0.3% Gmail/Yahoo threshold — three complaints per thousand sends — because crossing it throttles your mail and can take weeks to recover from, if it recovers at all. Second, inbox placement: the share of sends landing in the primary inbox rather than spam or Promotions. Watch for the slow fade — strong week one, gentle decline through weeks two and three, then a cliff — and quarantine any sender that stops hitting the inbox before it drags the rest of the pool down. By the time the open rate visibly drops, it's already too late.
Why MCA Rocket runs all 15 for you
Fifteen checks is a lot to run before every campaign — and in MCA, getting any one of them wrong can take the whole sending operation down with it. That's the entire reason MCA Rocket exists: we built the infrastructure to run this checklist as a managed system, in-house, specifically for the most spam-complained-about industry online, so you don't have to audit it by hand before every send.
Authentication is configured correctly on every cousin domain. Cold sending happens only from isolated, warmed cousin domains — never your primary — so your real business email stays untouchable. Lists are validated, filtered to Gmail and business addresses, and segmented for relevance. Copy is randomized into hundreds of trillions of combinations so every merchant gets a 100% unique, plain-text email with compliant one-click opt-out. Volume is split across hundreds of rotating inboxes capped at human-looking levels, warming runs continuously underneath them, and placement and complaint rates are monitored every day, with any slipping sender quarantined fast.
That's what lets us put a number behind it: a 90%+ inbox guarantee, backed by money. If Gmail and Google Workspace inbox placement drops below 90%, you're refunded for the reduced-rate period. We can promise that because we control every layer this checklist covers — across $1.3B+ funded, 180K+ applications, and 5+ years of doing nothing but this for MCA. You bring the leads; we run the checklist and make sure they land.
