Chapter 08 · Infrastructure
Empirical

Domain age and WHOIS — the cold-start curve receivers don't document.

There is no RFC that specifies how mailbox providers weight domain age. The reputation cold-start curve is an empirical artifact of receivers' classifiers, observable in seed-list testing and Postmaster Tools data but never published. It is, in our observation, the single largest predictor of first-90-day placement, and the variable most senders ignore until their warmup runway has already failed.

The cold-start problem

A freshly-registered domain has no reputation history. From the receiver's perspective, this is not a neutral signal — it is a negative one. Receiving mail servers maintain reputation models that score sending identities along three axes: the IP address, the organizational domain (RFC 7489 §3.2), and the alignment of the authenticated identity with the visible From: header. For a domain registered three days ago, two of those three axes have no historical signal at all, and the classifier's prior on "newly-observed identity sending bulk mail" is the prior on spam.

The operational consequence is measurable. A freshly-registered domain on a clean TLD, with SPF, DKIM, and DMARC correctly configured and a properly executed warmup, lands roughly 40 to 55% of seed-list mail in Gmail primary during week one. The same authentication posture on a 3-year-old domain with clean WHOIS history lands roughly 75 to 85%. The differential is not content. It is not authentication. It is reputation prior, and the prior on a domain younger than 90 days is "guilty until proven innocent."

Outlook is more punitive. Microsoft's reputation system treats new-domain mail with elevated scrutiny for longer, and the placement penalty is harsher — a typical newly-registered domain sees 20 to 35% inbox placement on Microsoft tenants during the first 30 days, with the remainder routed to Junk regardless of content. Yahoo and Apple iCloud sit between the two, closer to Gmail's curve. Enterprise Exchange tenants are essentially binary: a new domain either passes the tenant's anti-spam connector or it does not, and there is no soft middle ground.

The 90-day burn-in window

The empirically observed reputation curve at Gmail follows a roughly logarithmic shape over the first 90 days. The first 30 days produce the steepest discount — a domain at day 7 with perfect authentication is treated worse than the same domain at day 30 with identical sending behavior. Between day 30 and day 60, the curve flattens and the differential against an aged domain narrows by roughly half. Between day 60 and day 90, the curve reaches its asymptote — the domain is no longer "new" from the classifier's perspective, and further reputation gains are governed by sending behavior rather than tenure.

The implication for warmup methodology (Chapter 9) is direct: the standard 21- to 28-day warmup runway is calibrated against a domain that has already cleared at least 30 days of registration. Compressing both — registering a domain and beginning a warmup ramp on the same day — pushes the live-campaign launch into the steepest portion of the cold-start curve, where the classifier is most likely to misread early sending volume as spam-onset behavior. The standard mitigation is to register the domain 30 days before the warmup begins, configure DNS and authentication immediately, and allow the domain to accumulate passive reputation signal during the registration-only period.

This is undocumented. There is no Gmail support article that describes the 90-day curve, no Microsoft technical paper that quantifies the Outlook penalty. The shape of the curve is inferred from seed-list testing across thousands of sending estates, and from the Postmaster Tools (Chapter 11) reputation graphs that show the same arc on every new domain.

WHOIS as a reputation signal

The WHOIS record exposed by the domain's registrar contains, at minimum: the registration date, the registrar of record, the registrant entity name (or a privacy-proxy substitute), the registrant contact information, the nameservers, and the most recent update timestamp. Receivers query WHOIS — directly or via cached data brokered through reputation vendors — and derive a small set of signals from it.

The registration date is the most weighted of these. A domain registered within the last 30 days produces a signal that the receiver's classifier reads as elevated risk, independent of any authentication configuration. The registrar of record carries a smaller weight: certain registrars are over-represented in spam infrastructure, and a domain registered through one of those registrars carries a marginally worse prior than the same domain registered through a registrar associated primarily with legitimate corporate use.

Privacy posture matters. A WHOIS record showing a privacy-proxy substitute (a registrant entity like "Domains By Proxy" or any of the dozens of equivalents that mask the actual registrant) is read as a slight negative signal in classifier models trained on legacy data, where transparent WHOIS correlated with established business use and private WHOIS correlated with spam infrastructure. That correlation has weakened substantially since GDPR took effect in 2018, after which European registrars defaulted virtually all WHOIS records to private. The classifier signal from privacy posture has, in our observation, decayed by approximately half over the last five years, and most major receivers have explicitly de-weighted it.

What remains: registration date as a strong signal, registrar as a moderate signal, and registrant-entity transparency as a weak and decaying signal. The composite weight of WHOIS in a 2026 receiver's reputation model is materially smaller than it was in 2018.
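
The fields listed above can be pulled from a registration record and mapped onto the 30/60/90-day windows described earlier. This is an added example, not code from the original page: it assumes the record is fetched as RDAP JSON (RFC 9083), which the page does not mention, and the sample record, the phase labels and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response (RFC 9083 layout), trimmed to the fields used here.
SAMPLE_RDAP = json.loads("""
{
  "ldhName": "example-sender.test",
  "events": [
    {"eventAction": "registration", "eventDate": "2026-01-05T10:00:00Z"},
    {"eventAction": "last changed", "eventDate": "2026-01-06T08:30:00Z"}
  ],
  "entities": [
    {"roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar LLC"]]]}
  ],
  "nameservers": [{"ldhName": "NS2.REGISTRAR-DNS.TEST"},
                  {"ldhName": "ns1.registrar-dns.test"}]
}
""")


def _ts(value):
    """Parse an RDAP timestamp; fromisoformat() needs an explicit offset, not 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _entity_name(record, role):
    """Return the vCard 'fn' of the first entity holding the role, or None."""
    for ent in record.get("entities", []):
        if role in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None


def cold_start_phase(age_days):
    """Map tenure onto the windows the text describes (labels are illustrative)."""
    if age_days < 30:
        return "steepest discount"
    if age_days < 60:
        return "flattening"
    if age_days < 90:
        return "approaching asymptote"
    return "past cold start"


def whois_signals(record, today):
    """Extract registration date, registrar, registrant, nameservers and tenure."""
    events = {e["eventAction"]: _ts(e["eventDate"]) for e in record.get("events", [])}
    registered = events.get("registration")
    if registered is None:
        raise ValueError("record has no registration event")
    age_days = (today - registered).days
    return {
        "registered": registered,
        "last_changed": events.get("last changed"),
        "registrar": _entity_name(record, "registrar"),
        # None when the registrant entity is absent, as with privacy-redacted records.
        "registrant": _entity_name(record, "registrant"),
        "nameservers": sorted(ns["ldhName"].lower() for ns in record.get("nameservers", [])),
        "age_days": age_days,
        "phase": cold_start_phase(age_days),
        # The text's rule: at least 30 days of registration before warmup begins.
        "warmup_ready": age_days >= 30,
    }


if __name__ == "__main__":
    print(whois_signals(SAMPLE_RDAP, datetime(2026, 2, 1, tzinfo=timezone.utc)))
```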

The privacy-vs-transparency tradeoff

A B2B sender choosing between transparent WHOIS and a privacy proxy is making a small-positive-signal vs operational-security tradeoff. Transparent WHOIS — registrant entity listed as the actual operating company, with a real contact address — produces a small positive reputation signal in B2B contexts, where the receiver can correlate the registrant entity against the sending claim. A domain registered to Acme Inc. sending from acmeinc.com with a From: name matching Acme Inc. employees is a coherent identity from the classifier's perspective.

The cost: exposed registrant data is scraped at scale within hours of the WHOIS update. Cold-outbound operators who publish transparent WHOIS on their sending domains receive their own outbound campaigns within the first week, often more aggressively than they sent. The contact address becomes a target for prospecting databases, dispute servers, and the long tail of registrar-adjacent scam mail that exists specifically to monetize WHOIS extraction.

The math for cold-outbound senders typically favors privacy. The reputation signal from transparent WHOIS is small and decaying. The operational cost of exposed contact data is constant and increasing. Most production sending estates published in 2025 and 2026 use privacy-proxy WHOIS by default, and the placement differential against transparent WHOIS is, in our seed-list testing, within the noise floor at major mailbox providers.

TLD reputation differential

The top-level domain carries its own reputation prior, derived from the historical spam-to-legitimate ratio observed across all domains under that TLD. The differential is measurable in seed-list testing and ranges from roughly 5 to 15% inbox-placement variance, all other variables held constant.

The approximate observed hierarchy, from most favorable to least, across Gmail and Microsoft placement during the cold-start window:

| TLD | Cold-start placement | Notes |
| --- | --- | --- |
| .com | Baseline (highest) | The reputation floor. Receivers' classifiers default to this prior. |
| .net / .org | −2 to −4% | Legacy-clean reputation, marginal discount |
| .co | −4 to −7% | Increasingly read as a corporate alt-domain; reputation has stabilized |
| .io / .ai | −5 to −10% | Tech-sector legitimate use, but rising spam concentration in 2024–2025 |
| .dev | −6 to −10% | Enforced HTTPS requirement helped initially; placement has drifted down |
| New gTLDs (.xyz, .online, .click, etc.) | −10 to −25% | High spam concentration; some classifiers route to Junk by default |

The operational implication: a sending estate provisioned on .com alternates of the corporate root costs more in registration fees and requires more creativity in available name space, but reaches inbox parity 20 to 40% faster than the same estate provisioned on a discount gTLD. The setup-cost-to-placement-outcome ratio strongly favors .com for cold-sending domains, with .co as the standard fallback when desirable .com alternates are unavailable.

Aged-domain acquisition

A 3-year-old domain on a clean TLD reaches reputation parity with an established corporate domain in roughly 30 to 45 days. A freshly-registered domain on the same TLD takes 90 to 120 days. The differential — roughly two months of cold-start runway — is the entire economic basis of the aged-domain market.

Aged-domain marketplaces operate on a tiered pricing model. Low-end aged domains — 2 to 5 years of registration history, no significant prior use, an unremarkable name — typically clear in the $50 to $500 range. Premium aged domains — 10+ years of registration history, prior legitimate business use, a brandable name on .com — range from $500 to $5,000 and occasionally higher for category-defining names. The pricing reflects two variables: registration tenure and prior-use signal. A 12-year-old domain previously used as the homepage of a defunct small business carries materially more reputation signal than a 12-year-old domain that has parked unused for its entire life.

The due diligence required before acquiring an aged domain is non-trivial. A prior-use audit involves three independent checks: blocklist enumeration across the major DNSBLs and URIBLs, archive review to identify the historical use case, and inbound-link audit to identify residual brand association. A domain that previously hosted a phishing operation, a payday-loan affiliate program, or a defunct multi-level marketing scheme carries reputation debt that does not surface immediately and surfaces hardest during week three or four of warmup, when sending volume has grown enough to cross the threshold of the legacy reputation classifier.

The blocklist risk in aged domains

Domains previously used for spam carry residual blocklist entries that may not surface until weeks into warmup. The major DNSBLs and URIBLs maintain historical entries with varying decay characteristics — some auto-expire after 30 days of inactivity, some persist indefinitely until manually delisted. The standard audit pattern checks the domain and its previous hosting infrastructure against:

  • Spamhaus DBL (Domain Block List) — the primary domain-reputation blocklist; entries persist until explicitly delisted and the appeal process requires documentation of ownership change
  • SURBL — message-body URI blocklist; an aged domain appearing here was historically linked from spam content and will fail content-classifier checks even when the new sender is legitimate
  • URIBL — second major URI blocklist with overlapping but non-identical coverage to SURBL
  • Barracuda Reputation Block List — Microsoft-adjacent reputation system, particularly relevant for Outlook and enterprise Exchange placement
  • Invaluement — paid reputation feed used by some enterprise filters; harder to audit but worth checking on premium acquisitions

A blocklist hit on any of these is not necessarily disqualifying — a delisting request, with documentation of ownership change and the intended use case, often clears entries that pre-date the acquisition. But the delisting process takes one to four weeks at the slower listings, and a sender who discovers the blocklist entry during week two of warmup has already begun building a reputation deficit that will compound until the listing clears. The audit is performed before purchase, not after.
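
A pre-purchase audit against the domain-based lists above can be scripted as DNS lookups; the detail that matters is telling a real listing apart from an error reply, because refused queries come back as 127.x answers too. This is an added example, not code from the original page: the zone names and return-code conventions are the list operators' public ones as understood here and should be confirmed against their current documentation, and the domain and resolver answers are constructed.

```python
import socket

# Public query zones for the domain-keyed lists. The Barracuda list is keyed on
# IP addresses and Invaluement is a paid feed, so neither is queried here.
ZONES = {
    "Spamhaus DBL": "dbl.spamhaus.org",
    "SURBL": "multi.surbl.org",
    "URIBL": "multi.uribl.com",
}

_NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def system_resolver(name):
    """Return the A record for name, None if it does not exist; raise otherwise."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno in _NOT_FOUND:
            return None
        raise


def classify(answer):
    """Turn a blocklist DNS answer into 'clean', 'listed' or 'error'."""
    if answer is None:
        return "clean"  # NXDOMAIN: the domain is not on this list
    octets = answer.split(".")
    if octets[0] != "127":
        return "error"  # not a blocklist reply (NXDOMAIN rewriting, hijacked resolver)
    # 127.255.255.x is the Spamhaus error range; 127.0.0.1 is the "query refused"
    # reply from SURBL and URIBL (typical when asking via a large public resolver).
    if octets[1:3] == ["255", "255"] or octets[1:] == ["0", "0", "1"]:
        return "error"
    return "listed"


def audit(domain, resolve=system_resolver):
    """Query every zone; return {list name: (status, raw answer)}."""
    domain = domain.strip().rstrip(".").lower()
    results = {}
    for list_name, zone in ZONES.items():
        try:
            answer = resolve(f"{domain}.{zone}")
        except OSError:
            results[list_name] = ("error", None)  # timeout or SERVFAIL
            continue
        results[list_name] = (classify(answer), answer)
    return results


def verdict(results):
    """A listing blocks the purchase; an error means the audit is not finished."""
    statuses = {status for status, _ in results.values()}
    if "listed" in statuses:
        return "listed"
    return "inconclusive" if "error" in statuses else "clean"


# Constructed answers so the example runs offline.
CONSTRUCTED_ANSWERS = {
    "aged-example.test.dbl.spamhaus.org": "127.0.1.2",
    "aged-example.test.multi.uribl.com": "127.0.0.1",
}

if __name__ == "__main__":
    report = audit("Aged-Example.test.", CONSTRUCTED_ANSWERS.get)
    print(report, verdict(report))
```

An "inconclusive" verdict should be re-run through a resolver the list operators accept before the purchase decision, not read as a pass.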

Drop-catching and expired-domain auctions

Most TLD registries operate a grace period between registration expiry and public re-availability, typically 30 days of registrant grace plus a 30-day redemption period — roughly 60 days total during which the original registrant can recover the domain. After the redemption period closes, the domain enters a pending-delete state and re-enters the public registration pool within a few days. Drop-catching services bid for these domains the moment they become available, using high-frequency registration queries that retail registrars cannot match.

The operational pattern: identify domains that have recently expired but have a clean prior history, monitor their progression through the redemption-and-delete pipeline, and acquire them at the moment they re-enter the registration pool. The dynamic-pricing model — fixed auction floors, ascending bids on contested names, fixed-price acquisition on uncontested ones — produces a wide distribution of effective acquisition costs, but the median price for a clean 5-to-10-year-old .com from a drop-catch is comparable to the lower end of the aged-domain marketplace tier.

The reputation arbitrage available here is real: a domain that was actively used by a legitimate small business for eight years, expired because the owner closed the business, and was acquired via drop-catch the week it became publicly available, carries substantially more positive reputation signal than its acquisition cost would suggest. The constraint is operational — drop-catching requires either direct registry access through a specialized service or a relationship with one of the small number of operators that maintain such access.

Registrant entity considerations

Where transparent WHOIS is used, the registrant entity name carries a small positive reputation signal when it aligns with the sending claim. A domain acmeinc.com registered to Acme Inc. with a corporate address in a major metro produces a coherent identity prior. A domain acmeinc.com registered to an individual with a residential address in a different country produces an incoherent prior — the classifier reads the misalignment as elevated risk, particularly when the domain is freshly registered.

For cold-sending estates specifically, the registrant entity is typically a holding entity associated with the operator — frequently a single LLC formed to hold the sending infrastructure, separate from the operating company. This separation is intentional: the corporate root remains registered under the operating entity, with corporate counsel as the registrant contact; the sending estate is held under a separate entity, which provides legal isolation in the event of a domain burn or a registrar dispute. The reputation cost of this separation is negligible — the classifier signal comes from registrant-entity coherence, not from the registrant being identical to a specific operating company.

Nameserver choice

The nameservers listed in WHOIS are themselves a reputation signal. Receivers maintain implicit reputation models of DNS providers based on the spam-to-legitimate ratio observed across domains hosted on each provider. A domain pointing at a major cloud DNS provider with broad legitimate use produces a neutral-to-slightly-positive signal. A domain pointing at a low-trust DNS provider — one with historical concentration in spam infrastructure, a permissive customer-vetting posture, or a pattern of hosting domains that immediately blocklist after registration — produces a small negative signal.

The standard operational pattern is to use the registrar's default DNS for the first 90 days of a new domain's life. The registrar's nameservers are well-known infrastructure with broad legitimate use, and they avoid introducing a second reputation variable during the cold-start window. After day 90, migration to a dedicated DNS provider with better record-management tooling becomes a defensible choice; before day 90, the migration introduces a discontinuity in the WHOIS history that receivers occasionally read as a configuration churn signal.

A specific failure mode: senders who, on registration day, immediately migrate the new domain to a DNS provider that has itself been blocklisted at the IP level. The DNS provider's IPs appear in some reputation feeds, and the new domain inherits a reputation discount that the operator did not intend to absorb. The fix is to audit the prospective DNS provider against the standard blocklists before migration, the same way the domain itself is audited.

The compounded effect

The variables compose. The reputation prior on a sending domain is not the worst individual factor but the cumulative weight of all of them. The empirical pattern across thousands of observed cold-start runways:

| Configuration | Time to placement parity |
| --- | --- |
| 3+ year aged .com, clean prior use, transparent registrant aligned to sender, registrar default DNS | 30–45 days |
| 3+ year aged .com, clean prior use, private WHOIS, registrar default DNS | 40–55 days |
| Freshly-registered .com, private WHOIS, registrar default DNS, correct warmup | 60–90 days |
| Freshly-registered .co or .io, private WHOIS, registrar default DNS | 75–105 days |
| Freshly-registered new gTLD, private WHOIS, low-trust DNS provider | 90–120+ days, often non-converging |

The economic case for the aged-domain acquisition path is, in most production scenarios, decisive. A $300 to $1,500 acquisition cost per domain compresses 60 days of warmup runway into 30, halves the placement penalty during the cold-start window, and produces measurably better revenue outcomes during the first quarter of campaign operation. Operators sending from freshly-registered low-tier-TLD domains are, in our observation, optimizing for the wrong variable.

Common deployment failures observed in production

  • Buying aged domains without auditing prior use. The operator purchases a 6-year-old domain from a marketplace, deploys authentication, and begins warmup. Three weeks in, placement collapses — the domain was previously used in a phishing campaign and is listed on Spamhaus DBL with an entry that did not surface in the marketplace's due-diligence summary. The audit is the operator's responsibility, not the marketplace's.
  • Registering bulk domains under the same registrant entity. An operator provisions twenty cold-sending domains, all registered to the same holding LLC, all on the same registration day. The pattern is trivially detectable by receivers' classifiers, which read it as bulk-sender infrastructure and apply a reputation discount across the entire portfolio simultaneously. Staggered registration dates and rotated registrant entities mitigate this.
  • Using a DNS provider that has itself been blocklisted. A new domain inherits the reputation discount of its nameservers. Operators who migrate to a dedicated DNS provider without auditing the provider's IP reputation absorb a placement penalty they did not introduce through their own behavior.
  • Registering and warming on the same day. The warmup runway is calibrated against a domain that has cleared at least 30 days of registration. Compressing both into a single timeline pushes live-campaign launch into the steepest portion of the cold-start curve.
  • Transparent WHOIS on a cold-sending estate. The registrant entity becomes a target for aggressive prospecting within the first week. The reputation signal from transparency is small and decaying; the operational cost of exposed contact data is constant and increasing. The math favors privacy.
  • Discount-gTLD provisioning at corporate scale. The operator selects a new gTLD because the desirable name is available at a low registration cost. The placement penalty across the first 90 days produces a worse revenue outcome than would have been achieved on a less elegant .com alternate at twenty times the registration fee. The TLD economics are dwarfed by the placement economics.

Pre-deployment checklist

  • Domain selection prioritizes .com, with .co as the standard fallback; new gTLDs disqualified for cold-sending use
  • For aged-domain acquisitions: blocklist audit across Spamhaus DBL, SURBL, URIBL, Barracuda BRBL completed before purchase
  • Archive review of the domain's prior use cases, with disqualification on any historical association with phishing, malware, or affiliate-spam operations
  • Domain registered at least 30 days before warmup begins; authentication records published on registration day to begin accumulating passive signal
  • WHOIS posture set to private by default; transparent registrant used only when the sender deliberately wants the small B2B-context signal and accepts the prospecting exposure
  • Registrant entity separated from the operating company — a dedicated holding LLC for the sending estate
  • Bulk domain registrations staggered across registration dates and rotated across registrant entities to avoid trivial bulk-sender pattern matching
  • Nameservers set to the registrar's default for the first 90 days; any migration to a dedicated DNS provider preceded by a reputation audit of the provider's IP space
  • Cold-start runway budgeted realistically: 30 to 45 days for aged-domain acquisitions, 60 to 90 days for freshly-registered .com, with warmup methodology (Chapter 9) calibrated to the curve

Where domain age fits in the broader infrastructure

Domain age is the variable that constrains every downstream decision in the sending estate. The authentication record set (Chapters 1–4) is necessary but not sufficient — a freshly-registered domain with perfect SPF, DKIM, and DMARC still lands worse than an aged domain with adequate authentication, because the receiver's classifier weights tenure independently of authentication quality. The subdomain architecture (Chapter 7) determines reputation isolation between the corporate root and the sending tier, but does not change the cold-start curve of either domain. The warmup runway (Chapter 9) is the operational response to the cold-start curve, not a substitute for tenure.

The sequencing matters. Domain selection happens first because it constrains the timeline for everything else. An operator who acquires a clean 5-year-old .com on day one is configuring authentication and beginning warmup against a 30-to-45-day path to placement parity. An operator who registers a fresh discount-gTLD on day one is configuring the same authentication against a 90-to-120-day path, with a meaningfully higher probability of non-convergence. The two estates may look identical in DNS — same SPF, same DKIM, same DMARC at p=reject — but the underlying reputation prior is different by a factor that no downstream optimization can close.

The receivers do not document this. There is no RFC. The cold-start curve is observable, consistent across providers, and ignored at the operator's cost.

Skip the setup

Allston Labs operates the full sending estate as a service.

We provision domains, configure the entire authentication record set, run warmup, and monitor reputation across providers. The stack lives under your entity. The engineer on call lives in your Slack.