Evidence-Led IT Services Outbound, Run Through Lemlist
The hardest part of MSP cold email isn't reaching the prospect — it's being believed. Every business owner has deleted a hundred "is your network secure?" emails, because a claim costs the sender nothing. What they haven't deleted is an email that points at something they can check themselves in thirty seconds: the SSL certificate on their site that expired last Tuesday, the remote-desktop port answering on their office IP, the server banner announcing an operating system that left support two years ago. Visible, verifiable, and slightly embarrassing — that's an opener that converts skeptics.
Lemlist is unusually well suited to this play. Its liquid syntax variables let you carry a unique risk observation for every prospect, and its personalized images and per-prospect landing pages let you show the evidence instead of describing it. ColdRelay is the layer underneath: the secondary domains, dedicated mailboxes, and dedicated IPs those evidence emails actually send from. This guide covers wiring the two together and running campaigns where the proof does the persuading.
Why Run Lemlist on ColdRelay Infrastructure
Lemlist's signature strength is depth of personalization — liquid variables that branch copy per prospect, images generated with the prospect's own details baked in, landing pages built for an audience of one. None of that includes the infrastructure layer: Lemlist sends from whatever mailboxes you connect, and it doesn't provision domains or guarantee those mailboxes deliver.
That's where ColdRelay fits. Instead of buying workspace seats and configuring DNS by hand, you order dedicated mailboxes on isolated Azure tenants with dedicated IPs, fully DNS-configured (SPF, DKIM, DMARC) and ready in about an hour. Connect them to Lemlist and every evidence email sends from infrastructure built to land.
For this particular play, the pairing is non-negotiable. An evidence-led email lives or dies on credibility — and nothing torches credibility faster than a security warning that arrives in the spam folder. A message that says "your certificate expired" filed next to actual phishing reads like phishing. At 95%+ inbox placement, ColdRelay puts the observation where a real advisor's note would land: the inbox. ColdRelay is the infrastructure, Lemlist is the personalization and sending layer on top — additive, not competitive.
Visit Lemlist →Connecting ColdRelay Mailboxes to Lemlist
Provision mailboxes on ColdRelay
Pick secondary domains related to but separate from your primary firm domain — clients open tickets on the main one, so it never touches outbound. ColdRelay supports 100-150 mailboxes per domain, but evidence-led campaigns run narrow and deep: most firms start with 15-30 mailboxes on one or two domains, because every prospect on the list takes research time. Everything provisions on isolated Azure tenants with dedicated IPs in about an hour, with SPF, DKIM, and DMARC already configured.
Connect the mailboxes in Lemlist and set limits to the ColdRelay budget
In Lemlist, go to Settings → Email accounts and connect each ColdRelay mailbox via SMTP/IMAP using the credentials exported from the ColdRelay dashboard. Cap each account at 2 outbound emails per day to mirror ColdRelay's per-mailbox budget — 4 sends/day total per mailbox, split 2 outbound + 2 warmup. ColdRelay's warmup runs continuously inside that budget, so leave lemwarm switched off for these mailboxes rather than double-warming.
Build the evidence column before you build the campaign
This is the step that defines the play. For each company on your list, check what's externally visible: certificate expiry and grade on their public site, remote-access ports answering on their published IP range, mail security records, server headers advertising end-of-life software. Write each finding as one plain-English sentence — "the certificate on yourdomain.com expired on May 14" — and load it into your prospect CSV as a custom field. That column becomes a liquid variable in Lemlist; a prospect with no checkable finding doesn't make the list.
Write the sequence with liquid variables and personalized evidence
Build the campaign in Lemlist with the observation carried in a liquid variable like {{riskObservation}}, and use liquid conditions to branch the surrounding copy by finding type — expired-certificate prospects get different framing than exposed-remote-access prospects. Then add Lemlist's show-don't-tell layer: a personalized image of the browser warning on the prospect's own site, or a per-prospect landing page laid out as a one-page external risk summary for their domain. Evidence they can see outperforms evidence they're told about.
Add a LinkedIn step to humanize the messenger, then launch
A stranger pointing out your security gap triggers one question first: who is this person? Use Lemlist's multichannel sequence steps to answer it before it's asked — a LinkedIn profile visit before the first email, a connection request after it — so the prospect who checks finds a real engineer at a real local firm, not an anonymous address. Launch, then watch Lemlist's campaign reports segmented by finding type to learn which class of evidence opens the most doors in your market.
The Evidence-Led Lemlist Playbook for IT Services
Only point at what they can verify in thirty seconds
The power of the evidence opener is that the prospect doesn't have to trust you — they can check. That sets the bar for what qualifies: an expired certificate they can see by visiting their own site, a browser security warning, a publicly visible end-of-life version banner. If verifying your claim requires tooling or expertise the owner doesn't have, it reads as an unverifiable scare tactic and lands with the other hundred deleted security pitches. The thirty-second check is the whole mechanism; protect it ruthlessly.
Stay strictly on the public side of the fence
There's a bright line between observing what a company broadcasts to the entire internet and probing what it doesn't. Everything in your evidence column must come from passive, external observation — the certificate any visitor's browser inspects, the DNS records any mail server reads, the service banner any connection sees. Never scan deeper to strengthen the finding, and write the observation so that's obvious: "visible to anyone who visits your site" reassures; anything that sounds like you went looking inside alarms. The same evidence, framed wrong, turns a helpful note into a threat.
Attach the fix to the finding, never fear to the gap
Security cold email fails in two directions: vague fear ("hackers are targeting businesses like yours") and naked findings with no path forward, which just leave the reader anxious and resentful. The evidence email earns the reply by completing the thought: here's what's visible, here's what fixing it involves, here's a 15-minute call where we'll walk through it whether or not you hire us. Pair every {{riskObservation}} with a one-line remediation in the same liquid block, and keep the CTA at walkthrough weight — the contract conversation comes after you've been useful once for free.
Let the finding pick the audience, and refresh the list on a cycle
Most MSP lists start from firmographics and hope relevance follows. This play inverts it: run the external checks across every business in your service area first, and let the companies with findings become the list. The result is smaller — often 100-200 companies out of a few thousand checked — but every send opens with something true about that specific recipient, which is why a 20-mailbox pool at 2 outbound sends/day each is genuine coverage, not a constraint. Then re-run the checks quarterly: certificates expire, patches lapse, and new findings replenish the list on their own schedule.
Typical Evidence-Led IT Services Benchmarks (Lemlist + ColdRelay)
| Metric | Benchmark | Notes |
|---|---|---|
| Inbox placement rate | 95%+ | Dedicated IPs and isolated tenants outperform shared Google/Microsoft pools — critical when the email itself discusses security |
| Reply rate on verifiable-finding openers | 5-9% | A claim the prospect can confirm in thirty seconds runs well above generic security pitches |
| Reply lift from personalized images / landing pages | 1.3-1.6x | Showing the browser warning on the prospect's own site vs. describing it in text |
| Outbound capacity per mailbox | 2/day | 4 sends/day total per mailbox — 2 outbound + 2 warmup |
| Time to first campaign | 1-2 days | Infrastructure is ready in ~60 minutes; building the evidence column is the real lead time |
What It Costs: Lemlist + ColdRelay
You pay per mailbox per month for the infrastructure, with volume tiers that drop as you scale (see the table below). DNS, dedicated IPs, and isolated Azure tenants are included — and because evidence-led lists are deliberately small, a 15-30 mailbox footprint covers most of this motion.
Lemlist is billed separately on its own subscription for sequences, liquid variables, personalized images and landing pages, multichannel steps, and campaign reports — priced per its current plans, typically per user.
Infrastructure cost scales with mailbox count; Lemlist's cost scales with seats. The two stack cleanly — one bill for sending capacity, one for the personalization engine — and the narrow, research-heavy list keeps the infrastructure line item among the smallest in the play.
| Mailboxes | ColdRelay price / mailbox / month |
|---|---|
| 1–199 | $1.00 |
| 200–999 | $0.85 |
| 1,000–4,999 | $0.70 |
| 5,000+ | $0.55 |
Each mailbox sends 4 emails per day — 2 outbound to prospects + 2 warmup. ColdRelay provisions mailboxes on isolated Azure tenants with dedicated IPs; Lemlist handles the sending, sequencing, and inbox rotation on top.
Frequently Asked Questions
Does ColdRelay replace Lemlist?
No — they're complementary layers of one stack. Lemlist is the personalization and sending software: liquid variables, personalized images and landing pages, multichannel sequences with LinkedIn steps, and campaign reports. ColdRelay is the infrastructure underneath: the secondary domains, dedicated mailboxes, and dedicated IPs that Lemlist's emails actually send from. You connect ColdRelay mailboxes in Lemlist's email account settings and run both together.
Should I run lemwarm on ColdRelay mailboxes?
No. ColdRelay mailboxes warm continuously as part of their standing budget — 2 warmup sends/day per mailbox alongside 2 outbound, 4 sends/day total — so there's no separate warmup period before your first campaign and nothing for lemwarm to add. Leave lemwarm off for these accounts and point Lemlist at outbound sending only; double-warming just spends budget without improving placement.
Is it okay to email a prospect about their exposed port or expired certificate?
Yes, when the finding comes from passive observation of what the company already broadcasts publicly — the certificate every browser inspects, DNS records every mail server reads, a service answering on a published address. That's the same information any visitor or customer encounters. The lines to hold: never probe beyond what's publicly visible, present the finding as a helpful observation with a fix attached rather than a pressure tactic, and make clear it's visible to anyone. Done that way, you're the person who mentioned the headlight is out — not a threat.
How do I build per-prospect risk observations without it taking forever?
Run the external checks in bulk across your whole service-area list first — certificate status, mail security records, visible service banners — then keep only the companies with a real finding and write each one as a single plain-English sentence in a CSV column. That column imports into Lemlist as a liquid variable like {{riskObservation}}, so one campaign carries hundreds of unique openers. The pace math works in your favor: at 2 outbound sends/day per mailbox (half of the 4/day total budget), a 20-mailbox pool sends 40 evidence emails a day — and a researched list of 150-200 findings sustains that for weeks.