Live Direct Marketing logo
Inbox Placement Test
Cold Email9 min read

Why B2B decision-makers never see your email

The bigger the company, the more layers of filtering between you and the person you're trying to reach. Cold outbound to enterprise is 80% infrastructure and 20% everything else.

A founder trying to sell into the Fortune 2000 recently told us: “Our ICP is VPs of Engineering at 5,000-person companies. We send 200 emails a week, get 30 opens, zero replies.” His copy was genuinely good. His targeting was tight. His infrastructure was clean. The problem was structural: his prospects sit behind stacked filters designed explicitly to stop cold outbound, and his sequences never reached them. Not in Junk, not in Focused-Other — quarantined, sandboxed, dropped.

If you sell to mid-market and enterprise, this is your actual operating environment. Consumer-Gmail playbooks don't transfer.

TL;DR

Enterprise inboxes run 3–5 filtering layers: edge gateway (Proofpoint/Mimecast/Barracuda), Microsoft 365 EOP, tenant-level rules, per-user rules, and the client itself. Each layer drops some percentage. Cold outbound that works at consumer Gmail often doesn't survive layer one at enterprise.

The enterprise filter stack

Before a cold email from you reaches a VP of Engineering at a 5,000-person company, it passes through some or all of:

  1. Edge secure email gateway (SEG). Proofpoint, Mimecast, Barracuda, Cisco IronPort. Connection-level filtering, URL rewriting, attachment sandboxing, bot-level interaction.
  2. Microsoft 365 Exchange Online Protection (EOP). First-party Microsoft filter. Looks at sender reputation, SPF/DKIM/DMARC, content fingerprints.
  3. Microsoft Defender for Office 365 (MDO). If licensed. Safe Links rewriting, Safe Attachments, anti-phishing, impersonation protection.
  4. Tenant-level rules. IT admin's custom quarantine policies. Any “external warning” banners. Connector rules.
  5. Per-user rules. The recipient's own Outlook rules. Focused-Other routing. Clutter.
  6. The client. Apple Mail's BIMI rendering, Outlook's External tagging, preview-pane rendering.

Each layer can block, quarantine, rewrite, or downrank. None of them are visible to you. Your ESP's “delivered” counter ticks up at the edge accepting the message — everything else is black box.

Microsoft 365 is the hardest problem

Roughly two-thirds of mid-market and enterprise B2B lives on Microsoft 365. Its filters are more aggressive than consumer Gmail and its tooling is worse. The combination of EOP's opacity and per-tenant admin rules means you can have perfect deliverability on Gmail and 20% reach on Outlook.

What specifically trips Microsoft

  • DMARC misalignment, even partial — Microsoft is strict.
  • Spoofing-adjacent patterns. If you signal being “from” a known brand (even accidentally via lookalike domain), impersonation protection triggers.
  • Low-reputation sender IPs. Microsoft weighs their own SNDS data heavily.
  • Links through flagged wrappers. Cheap tracking-domain hosts get blacklisted fast.
  • Bulk-send fingerprints. Templates that look like newsletters go to Junk from corporate mailboxes that never accept newsletters.

SEG layer: Proofpoint, Mimecast, Barracuda

A secure email gateway sits in front of Microsoft or Google Workspace and applies a second, stricter policy. If your prospect's company has one of these, your email gets evaluated before Microsoft or Google even sees it.

What a SEG does to your message:

  • Rewrites every URL through its click-time scanner. Your tracking pixels and link domains are now behind a gateway.
  • Fetches every URL automatically to check safety. This inflates your click-rate with bot traffic.
  • Sandboxes attachments. PDFs and docs open in a sandbox before delivery, often delayed by hours.
  • Blocks categorically. Anything matching known cold-outreach patterns can be refused at SMTP.

How to know if your emails are reaching enterprise

You need real mailboxes inside the providers your ICP uses, including Microsoft 365 and ideally a SEG-protected one. Without that, you are guessing. Four checks:

  1. Microsoft 365 seed. A test tenant you control, with and without MDO enabled.
  2. SEG-protected seed. A test inbox behind Proofpoint or Mimecast.
  3. Gmail Workspace seed. The Google Workspace policy is stricter than consumer Gmail.
  4. Authentication verification. SPF, DKIM, DMARC aligned for every sending source.
Reach your enterprise ICP, verified

Inbox Check includes Microsoft 365, Google Workspace, Gmail, Outlook, Yahoo, ProtonMail and more — so you can see enterprise-realistic placement, not consumer-only. Free, no signup. For automated weekly checks across your sending domains, hit the API.

Tactics that actually work for enterprise cold

  1. Dedicated sending IP with a warmed reputation. Shared pools are a non-starter for enterprise.
  2. Rigorous DMARC. p=reject on the root domain, aligned on every child sending domain. Microsoft respects this.
  3. Plain, non-marketing HTML. No image headers, no heavy footers, no social icons, minimal inline styles. Looks like a real person wrote it in Outlook.
  4. Short, one-link messages. Calendly or a single document URL. Multiple URLs multiply SEG suspicion.
  5. Own tracking domain on a clean TLD. Brandable, not .xyz, and aged.
  6. Low volume per domain. 30–80/day per enterprise-focused domain, across several domains if needed.
  7. Thread-aware follow-ups. Replying in-thread inherits reputation; new threads restart filter scoring.

BIMI and brand signals

BIMI — the logo standard that puts your brand logo next to the sender name in Gmail and Apple Mail — is a trust signal Microsoft has begun respecting in 2026. Setting it up requires a Verified Mark Certificate and strict DMARC, but the visual authority in the inbox list pays back on enterprise email where external-sender banners otherwise undermine you.

What the numbers look like when it's working

  • Gmail primary: 85%+
  • Outlook Focused (consumer): 70%+
  • Microsoft 365 tenant (clean): 70%+
  • Microsoft 365 tenant (MDO + SEG): 40–60%
  • Reply rate on inboxed enterprise sends: 1.5–4% (lower than SMB, but with larger deal size)

FAQ

Is SEG placement even achievable for cold outbound?

Achievable, but lower than unprotected inboxes. 40–60% is realistic with clean infrastructure, aligned auth, and a dedicated IP. Zero is common for teams with shared IPs and sloppy content.

Do External tags in Outlook kill cold outreach?

They reduce trust but don't kill it. Leading enterprise vendors tolerate the tag. Reps who acknowledge the tag in copy (‘we've never met, but…’) sometimes outperform those who pretend it's not there.

Is LinkedIn a better channel for enterprise then?

Complementary, not a replacement. LinkedIn has its own throttling. Multi-channel (email + LinkedIn + call) with consistent identity converts measurably better than single-channel.

Should I use my personal Google Workspace or Microsoft 365 account for cold?

No. Never burn the primary domain on cold outbound. Use a lookalike domain with its own Workspace/M365 tenant, warmed separately, for cold sequences. Keep the primary domain for transactional and warm conversations.
Related reading

Check your deliverability across 20+ providers

Gmail, Outlook, Yahoo, Mail.ru, Yandex, GMX, ProtonMail and more. Real inbox screenshots, SPF/DKIM/DMARC, spam engine verdicts. Free, no signup.

Run Free Test →

Unlimited tests · 20+ seed mailboxes · Live results · No account required