Cold Email Infrastructure for India

India is the world's second-largest email market by user count and one of the most active for cold outbound, both inbound to India and outbound from Indian teams reaching global buyers. The legal framework changed meaningfully in 2023 with the passage of the Digital Personal Data Protection Act 2023 (DPDP Act), which began phased enforcement in 2025 and is now the primary law for personal data processing in India. Layered on top are the Information Technology Act 2000 with its amendments, the CERT-In directions of April 2022 on cybersecurity logging, and sector-specific rules from SEBI, TRAI, and the RBI for regulated industries.

What this means for cold email senders in 2026:

1. 1The DPDP Act governs the personal data side. Email addresses are personal data. Processing them for commercial prospection requires a lawful basis. The DPDP Act recognizes consent and 'legitimate uses' (a specific list in Section 7) as lawful bases. Cold marketing email does not fit any of the Section 7 legitimate uses, which means Indian senders and senders targeting Indian recipients need consent, with an exception for B2B contact where the recipient has voluntarily shared professional details.

1. 2The IT Act and TRAI rules govern commercial messages in aggregate. TRAI's Telecom Commercial Communications Customer Preference Regulations (TCCCPR) apply primarily to SMS and voice, but their spirit extends to email via IT Act rules against sending offensive or unsolicited messages. In practice, Indian email enforcement is much lower than CASL or GDPR enforcement, but that is changing.

1. 3CERT-In logging applies to the sending infrastructure. Any service provider in India, including email sending services and SMTP operators, must retain ICT system logs for 180 days and report cybersecurity incidents within 6 hours. This affects Indian-based infrastructure operators more than senders, but it affects how Indian cold-email tools must be built.

Current enforcement reality: India's cold email enforcement is significantly lighter than the US, EU, UK, Canada, or Australia as of 2026. The DPDP Act's Data Protection Board (DPB) is still ramping up. There are not yet published fines targeting cold email senders. This creates a 'compliance honeymoon' that smart senders are using to build proper practices before the DPB starts actively prosecuting because the DPDP Act penalties are high (up to ₹250 crore per violation) once the board is fully operational.

InboxKit USD pricing. A 2,000/day Indian cold outreach operation typically lands at around ₹17,500-₹20,000 per month (~$215/mo).

The DPDP Act is India's first comprehensive data protection law. Its core obligations for cold email senders, whether the sender is Indian or foreign, are:

Lawful basis. Section 6 requires consent or one of the Section 7 legitimate uses. For B2B cold email, consent is the primary path. The DPDP Act does not recognize 'legitimate interest' as a standalone basis the way GDPR does. This makes India stricter on paper than the UK, Netherlands, or France, and closer to Germany.

Consent must be free, specific, informed, unconditional, and unambiguous. Section 6(1) lists these criteria. A pre-ticked box is not unambiguous. Consent buried in terms of service is not specific. Consent conditioned on service access is not free. Indian senders running opt-in lists must build consent flows that meet all five tests.

Notice at the time of consent. Section 5 requires a notice in English or one of 22 Indian languages listed in the Eighth Schedule, covering: the purpose of processing, the rights of the data principal (Indian term for data subject), and the manner in which the principal can file a complaint with the DPB.

Data principal rights. Sections 11-15 establish the right to access, correct, update, erase, and nominate a representative. These rights apply to email addresses held for cold outreach. Senders need a workflow for responding to DPIIT requests.

The B2B carve-out, and its limits. DPDP Act Section 17(1)(c) exempts personal data 'made available by a data principal to whom it relates, for a specified purpose that was reasonably ascertainable'. Some Indian lawyers read this as allowing cold email to a conspicuously-published professional address, similar to Australia's inferred consent. This is a reasonable interpretation but untested. Until the DPB issues clear guidance, conservative senders should not rely on Section 17(1)(c) for cold prospection.

• Consent tracking system with timestamp, source, purpose, and version
• Privacy notice in English and at least one Indian language for Indian audiences
• DPB complaint workflow (an email inbox, responsive within 30 days)
• Suppression list with indefinite retention
• Breach notification plan (72 hours to DPB under DPDP Act Section 8(6))

India's inbox mix is more Gmail-dominated than any other major market. Microsoft 365 is the second player, but distant, and Indian ISP-branded mail has largely disappeared.

Gmail dominance has practical consequences. The 2024 Google bulk sender rules apply directly, a cold sender reaching 5,000 Indian Gmail recipients per day is immediately inside the bulk threshold and needs DMARC alignment, one-click unsubscribe, and 0.3%-max complaint rate. Because Indian B2B skews Gmail even more than the US or UK, this is unavoidable.

Zoho Mail is the one Indian-origin player worth knowing. Zoho Corporation is headquartered in Chennai and runs a Google Workspace alternative used by many Indian SMBs. Zoho Mail follows close-to-Gmail filtering rules but maintains its own postmaster practices. Senders reaching Zoho-hosted recipients should register for Zoho Postmaster Tools if volume warrants it.

Latency is a real concern. Sending from US IPs to Indian Gmail recipients crosses Pacific or Atlantic + Europe paths with 200-280ms round-trip times. SMTP handshake reliability drops slightly, and Google's inbound MTAs in Mumbai and Bangalore treat trans-Pacific connections with marginally more scrutiny. Indian senders often pair US-IP mailboxes with warmup from servers in India or Singapore to improve the SMTP success rate.

CERT-In's April 28, 2022 directions apply to service providers, intermediaries, data centres, body corporates, and government organizations operating in India. Cold email senders and mailbox operators in India are affected in several ways:

180-day log retention. All ICT system logs must be retained in India for 180 days. This includes email sending logs, authentication logs, and access logs. Indian-based SMTP operators and sequencing tools need log storage that meets this rule.

6-hour incident reporting. Any cybersecurity incident, including unauthorized access to email accounts, credential leaks, phishing hosted on the sender's infrastructure, must be reported to CERT-In within 6 hours of discovery.

Known customer identification. Service providers must maintain KYC records of their Indian customers. This matters if you're using an Indian email infrastructure provider. They will need your KYC docs.

• If you are an Indian entity using InboxKit (or similar US-based tools): CERT-In directions primarily cover your local logs and any incident affecting your own systems. InboxKit retains activity logs by default and Indian customers can export them for CERT-In reporting if needed.
• If you are building your own SMTP infrastructure in India: you're a 'service provider' and the full set of CERT-In obligations applies, including 180-day log retention, incident reporting, and KYC.
• If you are a foreign entity emailing Indian recipients: CERT-In does not directly regulate you, but any incident affecting Indian recipients (credential leak, phishing) may still require a coordinated response with Indian authorities.

The Data Protection Board is the new primary enforcer for the DPDP Act, but CERT-In still handles the cybersecurity side. Sensible Indian cold email programs loop both into their compliance planning.

• 1-3 .in or .co.in domains for India-native outreach (recipients open .in addresses at ~3-5% higher rates than .com)
• 3-5 .com or .io domains for outbound to global buyers
• Register .in through a NIXI accredited registrar
• 301 redirect secondary domains to the primary brand
• Publish a privacy notice on every redirect target

• Google Workspace is the default for reaching Indian recipients. Gmail dominance makes this obvious
• Microsoft 365 at 20-30% to cover the enterprise minority
• Consider adding Zoho Mail mailboxes if targeting Indian SMB
• Per-mailbox volumes ramp: 20/day week 1 → 40/day week 2 → 60/day week 3 → 80+/day after week 4
• Isolated warmup for 14-28 days

• SPF: v=spf1 include:_spf.google.com ~all
• DKIM: two selectors
• DMARC: p=none to start, p=quarantine after 30 days
• MX: matches mailbox provider

• Clear sender identification (legal entity name, address)
• Privacy notice link in every message, the English version is usually sufficient, but a Hindi version improves compliance optics
• One-click unsubscribe
• Mention of the DPB complaint pathway
• Optional: bilingual subject lines for consumer or regional outreach (English + Hindi, or English + Tamil/Telugu/Bengali/Marathi depending on region)

Indian cold email volume planning runs on Gmail's rules. The 2024 bulk sender requirements are the binding constraint. DMARC alignment, 0.3% complaint ceiling, one-click unsubscribe.

The latency gap. US-IP mailboxes reach Indian Gmail recipients with 200-280ms round-trip times. This doesn't break delivery but does amplify SMTP retry behavior, which shows up as a higher soft-bounce rate (1-2%) compared to same-region sending. Indian senders running volume above 5,000/day benefit from a mix of US-IP mailboxes and warmup traffic originating closer to India, which helps the receiving MTAs see consistent connection patterns.

• Week 1: 10-20/day per mailbox, warmup only
• Week 2: 20-40/day per mailbox, 5-10 real cold touches
• Week 3: 40-60/day per mailbox, 70/30 warmup-to-cold
• Week 4+: 60-100/day per mailbox, 30/70 warmup-to-cold

• ~50 active mailboxes at 60/day each
• ~15 domains at 3-4 mailboxes each
• InboxKit Agency ($99/mo, 30 slots) + 20 extras at $3.25 = $164/mo
• Warmup: 50 × $3 = $150/mo
• InfraGuard: ~$15/mo for 15 domains
• Total: ~$329/month (~₹27,500/month) for 3,000 Indian cold emails/day: about ₹0.30 per sent message.

A lot of InboxKit's Indian customers aren't sending to Indian recipients. They're Indian SaaS companies, agencies, and freelancers sending from India to US, UK, and European buyers. This is the more common pattern, and the infrastructure needs are slightly different.

The operational challenge: an Indian team using Indian infrastructure to send to US recipients sees US-recipient inbox placement trail US-origin senders by 5-15%. The reason is the same IP geolocation signal that hurts trans-continental sending in every direction. The fix is to use mailboxes on US-based IPs, which is InboxKit's default for Indian customers targeting US markets.

• Google Workspace mailboxes on InboxKit US IPs (matches recipient geography)
• Domains .com or .io, not .in (US recipients are less likely to open .in domains)
• English-language content optimized for US or UK audiences
• Warmup from US-based engaged recipients
• InfraGuard running on the global DNSBL set (Spamhaus, Barracuda, SORBS)

This setup costs the same as any other InboxKit deployment but delivers 5-15% better US inbox placement than sending from Indian IPs. For an Indian agency running 5,000 messages per day to US recipients, that's 250-750 extra Primary-tab placements per day.

• [ ] Register 5-10 domains (mix of .in, .co.in, .com, .io)
• [ ] Publish English privacy notice; add Hindi version if targeting Hindi-speaking audiences
• [ ] Provision Google Workspace (70%) + Microsoft 365 (25%) + optional Zoho Mail (5%)
• [ ] Automated DNS via InboxKit
• [ ] Enable isolated warmup and InfraGuard

• [ ] Document DPDP Act consent and processing methodology
• [ ] Build consent capture flow for opt-in paths
• [ ] Test unsubscribe workflow
• [ ] Establish DPB complaint handling inbox
• [ ] Ensure CERT-In log retention is meeting 180 days if operating Indian infrastructure

• [ ] Start sequences at 40-60/day per mailbox
• [ ] First-touch plain text, clear sender identity, simple unsubscribe
• [ ] Daily opt-out processing
• [ ] Weekly deliverability review across Gmail, Microsoft 365, Zoho Mail
• [ ] Quarterly DPDP Act compliance review

• Any DPB correspondence
• Google Postmaster domain reputation drops to Medium
• Complaint rate above 0.2%
• Any CERT-In incident reporting trigger