GTM Fleet · SD-7 Phase 3 — gated

The Cold-Send Engine

The "email pinging" system from the EIE plan, as-built in requirements: send cold email across a pool of warmed inboxes spread over separate .com domains, to the addresses the inference engine gathered — with every send cleared through a fail-closed compliance gate first. Script-heavy, ~0 LLM in the send path.

merged PR #3664 sha 784be2c4d docs/plans/gtm-fleet/requirements/ engine SD-7 · feeder SD-4/EIE · gate SD-8
The one thing that matters most

The domain firewall

Cold outbound and your real, transactional mail must live on structurally separate infrastructure. This is the single load-bearing decision — get it wrong and one spam complaint on a cold campaign can burn the reputation of the domain your product's real email depends on.

Transactional — protected

aaas.select

Product mail: receipts, auth, notifications. High trust, must never be put at reputational risk.

registrar · production Resend account email-sender.ts production DNS zone
Firewall
Cold outbound — isolated

secondary .com domains

Disposable-by-design sending domains. If one gets torched, it never touches the product's mail.

separate registrar separate DNS zones + SPF/DKIM keys separate IP reputation own tracking subdomain

CI-enforced Not just a rule in a doc — a build-breaking grep-guard (extending the existing email-sender-guard.yml pattern) fails CI if any cold-campaign config references the transactional Resend credentials or the aaas.select domain. Zero shared code paths.

How a lead becomes a send

Gather → Gate → Send

Three sub-deliveries in series. Only deliverable-bucket addresses that also clear the live gate are ever handed to a mailbox.

SD-4 · EIE

Gather & verify

the email-inference engine

  • $0 MX + syntax pre-filter before any paid call
  • EIE first-pass inference → Prospeo fallback (<0.85 conf)
  • Bouncer SMTP verify — SOC2, EU, 60-day delete
  • Sorts into 4 buckets; only deliverable proceeds
SD-8 · gate

Clear compliance

fail-closed, per recipient

  • Suppression lookup (unsub / bounce / complaint / DNC)
  • country_gate — allow / consent / block
  • cold_legit = true or the send is inert
  • domain_status active? auto-pause on bad rates
SD-7 · send

Ping & listen

warmed inbox pool

  • scheduler.py cron — spintax, caps, rotation
  • Send via warmed mailbox on a cold .com
  • Reply webhook → activation queue (<200ms)
  • Every row logs its compliance_gate_id
The part you asked about

Requirements for the .com sending domains

What it takes to stand up and safely run the fleet of sending domains — the deliverability core of the pinging system.

01 · scale

Domain & mailbox math

ratio1 domain per 2–3 mailboxes — never crowd a domain
per-inbox cap30–50 sends/day safe ceiling
floor10–15/day permanent, to stay warm between campaigns
enforcementcapped natively and re-checked against send_log (defense in depth)
02 · dns

Per-domain DNS records

SPF-all, scoped to the sequencer's infra only
DKIMauto-generated per domain; written via Cloudflare API to a distinct zone
DMARCstart p=nonep=quarantine after 2–4 clean weeks
trackingdedicated track.<colddomain>.com — never the transactional one
03 · deliverability

Compliance headers & auto-pause

unsubRFC-8058 one-click List-Unsubscribe, DKIM-signed, honored ≤48h
bounce>2–5% → domain under review
complaint>0.1% review · >0.3–0.5% auto-pause
GET /unsubrenders only — a prefetch bot must never suppress a live prospect
04 · pipeline

Send & log (0-LLM)

schedulercron Cloud Run: pull batch → gate per recipient → enqueue
variancespintax resolved client-side, not in the vendor template
reply hookHMAC-verified, dedupes into activation_queue, returns 200 <200ms
auditno send_log row without a compliance_gate_id — that's a bug, not an edge case

Warmup ramp — the longest-lead item

Sending domains can't ping cold on day one. Reputation is built slowly; this 4–6 week curve is why procurement must start first, before any code is gated.

50 33 16 0 wk 1–2 wk 3 wk 4 wk 6+
wk 1–2 0 real sends · warmup-network traffic only wk 4 ramp to 40–50/day wk 6+ settle to 10–15/day floor
What to buy, and what to avoid

Provisioning stack

Recommended default: Mailreef grows the domain/mailbox fleet programmatically; Smartlead Pro runs sequencing, warmup and native reply-webhooks once they exist. A clean separation of concerns no all-in-one product matches.

ToolRoleCost / mo (2026)Why
Smartlead Pro Sequencer · warmup · unified inbox $94 Most API-complete option surveyed; reply/bounce/unsub webhooks unlock at the cheapest tier that has them at all.
Mailreef Domain + mailbox provisioning API · dedicated IP $240 + $0.001/send Fastest programmatic domain-fleet growth; purpose-built to feed a sequencer like Smartlead.
EmailBison White-label, dedicated server + IP $599 flat Held in reserve — wins on unit economics only past ~150–300K sends/mo.
Amazon SES / Workspace Fully self-built stack ~$0.10/1k Avoid initially — SES's acceptable-use policy actively restricts cold outbound; suspension is a business-continuity hazard, not a technical inconvenience.
Base infra $334 /mo
Per send $0.001
LLM in send path ~0 deterministic
Longest lead time 4–6 wk warmup
What can be built now vs what is locked

Build status & the hard gate

The infrastructure is buildable today. The moment a real cold email leaves a mailbox is deliberately locked behind two independent conditions.

build now

Procure cold-domain infra (SD-7 · T1–T2)

Stand up Mailreef, register the first .com, configure SPF/DKIM/DMARC + tracking subdomain, connect mailboxes, start warmup. Start first — the 4–6wk warmup is the critical path and blocks nothing else.

build now

Compliance gate & feeder (SD-8 full · SD-4 full)

The fail-closed gate, suppression store, country_gate, auto-pause, RFC-8058 unsub — plus the whole gather/verify pipeline — carry no send risk and are fully buildable today.

code-complete only

Scheduler & webhooks (SD-7 · T3–T4)

Buildable as code and dry-run-testable against a sink mailbox, but can't be verified end-to-end until SD-8 exposes a callable gate. Hard-blocked on SD-8 for anything beyond code-complete.

locked

Live cold send (SD-7 · T5)

Flipping the scheduler to live requires (1) SD-8 fully built & verified in front of every send, and (2) an explicit operator + legal sign-off recorded — never inferred from an unblocked pipeline.

allowNL / FR / US — legit-interest or opt-out consent_requiredDE — UWG §7, stricter than EU default blockcold-email-ban jurisdictions, per legal