Cold email deliverability for Instagram-sourced lists: the operator's playbook
How to keep your sending reputation intact when emailing leads extracted from Instagram — domain setup, warmup curves, bounce handling, and ramp schedules.
Every cold outbound team that starts emailing Instagram-extracted leads runs into the same wall around the third campaign. Open rates that were 45% on the first send drift to 18%. Bounce rates climb from 2% to 9%. A handful of bot-only Gmail filters start auto-binning the domain. By the time anyone notices, the domain reputation is already in the basement, and the only honest fix is to retire it and rebuild on a new sending identity from scratch.
This post is the playbook we hand to agencies and in-house teams running Scraphex-delivered lists. It is not theory. It is the set of decisions that, applied in order, keeps a sending domain healthy across multiple campaigns to lead lists sourced from Instagram public profiles. The principles transfer to any cold list, but Instagram-extracted lists have a specific deliverability profile — a higher proportion of business contact emails, more international addresses, and more info@-style inboxes — that rewards a tighter approach than a typical B2B opt-in list does.
Why Instagram-sourced lists punish sloppy deliverability harder
A list pulled from public Instagram profiles is, by construction, a list that has not asked to hear from you. The contact is public — the email was put on a business profile or in a bio — but the recipient has no relationship with the sender. That is normal for cold outreach. What makes Instagram lists more demanding than typical purchased lists is a mix of three properties.
First, the address mix is wider than B2B databases. A typical Instagram extraction yields a long tail of country code domains (.es, .de, .com.mx, .it), a high share of business contact info@ and hola@ aliases, and a smattering of personal Gmail and Outlook addresses that the account holder used to claim the profile. Each of these address types has its own filtering behaviour. Sending the same message to all of them at the same volume will train mailbox providers to learn the pattern of unsolicited bulk before they have any reason to trust the domain.
Second, the recipient’s expectation is asymmetric. Someone whose info@ is on a public storefront page expects the occasional outreach. Someone whose personal Gmail is in their personal-account bio because it is also their freelance contact does not. Both technically opted in by publishing the address. Neither welcomes the email. Mailbox providers know this, and Gmail in particular weighs engagement signals from personal accounts much more heavily than from role-based aliases.
Third, bounce rates on Instagram lists are usually higher than on opt-in lists — typically 4–9% raw, even after validation. Bios change, businesses close, addresses get retired. If you cannot get your bounce rate below 2% across an entire send window, mailbox providers will downgrade the domain regardless of how compelling the email is.
The good news is all three problems are operational, not structural. The lists are usable. The discipline below is how you keep them usable past send three.
Step 1 — Infrastructure before the first send
Every campaign that breaks deliverability does so because something at the infrastructure layer was wrong before the first email went out. Audit the following before a single message is queued.
Use a secondary sending domain, never the primary. Cold outreach belongs on a domain that is similar to your brand but not your brand. If your main domain is scraphex.com, your outbound domain is something like tryscraphex.com or scraphex.io. The reason is not cosmetic. If outbound activity damages reputation, the damage stays on the outbound domain and your transactional, sales, and marketing mail from the main domain stays clean.
Configure SPF, DKIM, and DMARC correctly. SPF lists the IPs allowed to send for the domain. DKIM signs each message with a cryptographic key the recipient can verify. DMARC tells mailbox providers what to do when SPF or DKIM fails, and where to send aggregate reports. All three are required for modern deliverability — Gmail and Yahoo enforce DMARC for bulk senders since 2024, and Microsoft is tightening in 2025–2026. Start with p=quarantine; rua=mailto:dmarc@yourdomain and graduate to p=reject once aggregate reports show zero unauthorised sends.
Warm up the IP and the domain separately. If you are sending through a shared IP (common with most cold email tools), the IP is already warm but the domain is not. If you are on a dedicated IP, both need warming. The biggest single deliverability mistake is treating “the tool is warmed up” as “I am warmed up.” It is not.
Set up a feedback loop. Subscribe to Google Postmaster Tools and Microsoft SNDS. Both are free. Both give you the only honest view you will have of your domain’s reputation curve over the campaign. Without them, you are flying blind until bounces tell you something is wrong, by which point recovery is much harder.
Validate the list before the first send. Run the entire file through an SMTP-level validator. Mark risky and unknown addresses for a later, smaller test send; remove invalid outright. Even a well-extracted Instagram list will have 5–12% invalid addresses after validation. Sending to them is the fastest way to break a new domain.
Step 2 — Warmup curves that match the list
The standard advice — “two weeks of warmup” — is not wrong, but it is incomplete for scraped lists. Warmup is not just about volume. It is about training mailbox providers that mail from this domain produces engagement. That requires both volume ramping and engagement signal generation.
A practical schedule for a brand-new outbound domain looks like this, assuming a Monday start:
| Week | Daily volume per inbox | Warmup tool engagement | Real-list volume |
|---|---|---|---|
| 1 | 0 cold | 20–40 inbox-to-inbox replies/day | 0 |
| 2 | 0 cold | 40–60 replies/day | 0 |
| 3 | 20–30 | 60 replies/day | 20–30 to the most engaged segment |
| 4 | 50–80 | 60 replies/day | 50–80, segmented |
| 5 | 100–150 | 50 replies/day | Full ramp begins |
| 6+ | 200–300 per inbox | Maintenance: 30/day | Steady state |
Two details matter more than the table itself.
Send only to your highest-quality segment for the first two weeks of cold volume. That means addresses with a named owner in the bio, a working profile URL, and a non-generic email. These are the rows most likely to open, most likely to read, and least likely to bounce. Reserve info@ and bulk-looking rows for week five and onward, when the domain has a track record.
Spread sends across the working day in the recipient’s timezone. A 100-message blast at 09:00 GMT looks more like spam than the same 100 messages dripped at 8–12 per hour across the working day. Most modern cold email tools handle this automatically; make sure it is enabled.
Step 3 — The first three campaigns: signal management
The first three real campaigns are where the domain’s long-term reputation is set. Bias every decision toward signal generation, not volume.
Segment by likelihood to reply, not by list size. A list of 6,000 Instagram leads is not “one campaign.” It is at least three: a top tier of 600–1,000 with named contacts and a high-fit notes field, a middle tier of 2,500 with bio matches but role-based emails, and a tail of 2,500 with weaker signals. Send the top tier first, in the lowest volume per day, with the most personalised opener. Their replies — even negative ones — train the domain that this is a sender humans engage with.
Personalise the first line at minimum. Mailbox providers do not read your prose, but they read the fingerprint of the message. If 1,000 messages contain the same opening 60 characters, that pattern looks like a template even before content filters fire. Use the notes field from the extraction to generate a first line that is genuinely different per row. The cost is one extra preprocessing step; the deliverability difference is significant.
Reply to every reply, even the negative ones. Replies are the highest-value engagement signal Gmail and Outlook can see. A “not interested, please remove me” reply, processed correctly (more on suppression below), still counts as a thread. Sequences that generate threads — even short ones — survive much longer than sequences that produce only opens.
Cap the sequence at three emails per recipient, not five or seven. Multi-touch sequences are a holdover from the days when deliverability was less aggressive. In 2026, every additional unanswered email to the same recipient depresses domain reputation more than it lifts reply rate. Three emails, with the third explicitly inviting an opt-out, is the current best ratio.
Step 4 — Bounce handling as a real-time discipline
A bounce rate that exceeds 5% over a 24-hour rolling window is the single fastest way to ruin a domain. Most cold email tools surface bounces after the fact, which is too late. Treat bounce handling as a real-time discipline.
Hard bounces are immediate suppression. Add the address to the master suppression list within the hour, not at the end of the day. Most tools support webhook-based suppression — wire it up.
Soft bounces get one retry, then suppress. “Mailbox full” or “temporary failure” once is normal. The same address bouncing twice is suspended. Three times and the address is dead — suppress it.
Watch the bounce-by-domain curve. A 1% bounce rate spread evenly across 200 recipient domains is a different problem from a 1% bounce rate concentrated on three domains. Concentrated bounces usually mean a problem with one validator pass; investigate before the next send rather than after.
Cross-suppression matters. A contact that bounced from one client’s campaign should not be re-tried in another client’s campaign two weeks later from the same sending domain. Maintain one suppression list per sending domain, not per campaign. This is the single most overlooked piece of cold infrastructure and the most expensive to get wrong.
For more on how Scraphex structures the deliverable itself to make this easier — the columns that support cross-campaign suppression and the cadence at which lists are refreshed — see the agency competitor conquest playbook, which walks through the file structure end to end.
Step 5 — Reading the reputation curve
Once Google Postmaster and Microsoft SNDS are wired up, check them weekly. Three signals matter.
Domain reputation in Google Postmaster should be “High” within 30 days of regular sending. “Medium” is acceptable in the warmup window; “Low” or “Bad” means stop and diagnose. The most common causes of a Low rating on Instagram-sourced lists are over-sending to info@ aliases (Gmail filters these heavily) and a spike in user complaints in week three. Both are recoverable with a one-week pause and a quality-tightened resend.
Spam complaint rate should stay below 0.1%. Anything above 0.3% is a domain-killing trajectory. If complaints spike, the usual cause is sending to a segment with low intent — typically a high-info@ tail or a geography mismatch. Pull that segment out and resume.
Microsoft SNDS gives you a similar view for Outlook and Hotmail. Green is the only acceptable colour. Yellow once is a warning; yellow twice in a month is a problem. The same diagnostic logic applies.
The reputation curve is rarely linear. Expect oscillation, especially through the third and fourth campaigns. The question is the slope: a domain whose reputation drifts down across three consecutive weeks needs intervention; a domain that oscillates within a band is healthy.
Step 6 — When to pause and how to recover
Domains do not break cleanly. They drift. By the time bounce rate, complaint rate, and Postmaster all turn at once, recovery is a four-week project. The right move is to pause earlier.
The pause trigger that has saved more domains than any other rule: if domain reputation in Postmaster drops one level (e.g. from “High” to “Medium”) and bounce rate exceeds 4% in the same 7-day window, stop sending cold mail from that domain for ten days. Resume in week eleven at 30% of prior volume, with a fresh top-quality segment, and rebuild from there.
If the domain is already at “Low” reputation, do not try to recover it. Set up a new outbound domain on the same parent brand, warm it up properly this time, and retire the damaged one. Sending more clean traffic from a damaged domain rarely repairs the reputation; it just slows the bleed. The honest path is to start over on infrastructure you control.
Where the list itself helps or hurts deliverability
The cleanest sending discipline in the world cannot compensate for a list with structural problems. Instagram-sourced lists have a few specific failure modes worth flagging.
Spam traps in the long tail. A small percentage of public Instagram emails are addresses that have been deliberately retired and reused as spam traps by mailbox providers and blocklist operators. Validation catches most but not all. The defence is keeping per-domain volume modest and watching for sudden ISP-level blocks after week three.
International address handling. A Spanish list that includes 8% German .de addresses and 3% Italian .it addresses has different per-ISP behaviour than a mono-country list. United Internet (web.de, gmx.net) is notably stricter than Gmail; Libero and Virgilio in Italy have idiosyncratic filtering. Segment by ccTLD and ramp those segments separately rather than blending them.
The info@ tax. Role-based addresses are reachable but draw heavier filtering. They are worth including in the list, but they should not exceed 30% of any single send window. If your extraction yielded a list that is 60% role-based, split it and send the named contacts first.
The full architecture of how a usable list is produced — the filtering passes, the role-based handling, the enrichment notes that make personalisation possible — is covered in the no-login extraction architecture post. For the compliance basis under GDPR that makes cold outreach to these contacts defensible, the legal post on cold email and Instagram leads walks through legitimate interest and the LIA template.
A practical compliance note for EU sends
Every point above is operational. None of it removes the need for a documented legal basis when EU recipients are involved. The short version: legitimate interest, properly balanced, with a working unsubscribe link in every email, with a privacy notice one click away, and with cross-campaign suppression actually wired up. Do not send the first message until those four are in place.
The deliverability tactics in this post do double duty: a campaign with a working opt-out link, a clean suppression flow, and conservative volume ramping is also a campaign that is easier to defend if a Data Protection Authority ever asks. The two disciplines pull in the same direction.
What good looks like across a 90-day window
A team running the playbook above on a Scraphex-delivered list of 6,000 Instagram-sourced contacts usually sees the following shape across the first 90 days:
- Week 1–2: warmup only, no real sends
- Week 3–4: 600 messages to the highest-quality segment, 3.8% reply rate, 1.4% bounce rate
- Week 5–6: 1,400 messages across two segments, 2.6% reply rate, 1.9% bounce rate
- Week 7–8: 2,200 messages across three segments, 1.9% reply rate, 2.4% bounce rate
- Week 9–12: steady state at 600–800 messages per business day, Postmaster reputation “High”, complaint rate <0.05%
These are not promises. They are the range that careful operators report when the discipline above is applied to a well-filtered list. Teams that skip warmup, send to the whole file at once, or run five-email sequences see different numbers and shorter domain lifespans.
If you want this done right from the data side
Deliverability discipline cannot save a bad list, and a great list cannot survive bad deliverability. Both pieces have to be right. Scraphex handles the data side: the no-login extraction, the multi-pass filtering that removes the structural-deliverability landmines (dormant accounts, role-only rows above tolerance, ccTLD-mixed blends), and the enrichment that supports the per-row personalisation cold mail needs in 2026.
If you are about to start a cold campaign from Instagram-extracted contacts and want a sample list structured to support the workflow above, request a free sample. We will deliver a 50-row segment from a niche of your choice, with the columns and notes that the playbook above assumes — including the source signal, the role-based flag, and the country guess that lets you segment by ccTLD before the first send.