The authority layer
A multi-state regulated CPG retailer with 1.8 million contacts was carrying active reputation damage across a domain that couldn't reliably deliver. Before any campaign strategy mattered, the infrastructure underneath had to be made correct. This is what that rebuild looked like, and what got built on top of it once the foundation could hold.
A multi-state regulated CPG retailer: 1.8 million email contacts, physical storefronts across six states, owned eCommerce, and third-party marketplace presence. The product category carried federal restrictions that excluded the brand from mainstream marketing platforms.
Standard tools like HubSpot, Mailchimp, and most major ESPs either blocked accounts outright or imposed terms that made compliant messaging impossible. Every campaign required specialized infrastructure: industry-specific CRM and SMS platforms with vetted carrier routing, state-by-state copy and offer adjustments, and compliance formatting that shifted with each market's regulatory window.
I came on as Email Marketing Manager and was promoted to Sr. Digital Marketing Manager as the scope expanded. The operation ran email, SMS, display, out-of-home, eCommerce, and social simultaneously. B2B and B2C email programs shared the same domain. The loyalty program ran through an industry-specific CRM; SMS deployed daily through a specialized compliant messaging platform. A headless CMS handled content across brand properties.
The core problem was twofold. First, the domain had active reputation issues that needed triage before anything else could be built. Second, the marketing operation was underbuilt: segmentation was limited to state and engagement level, and lifecycle automation was nonexistent. The list was 1.8 million contacts large and underworked. But none of the optimization mattered until the domain could reliably reach the inbox.
The domain had reputation issues that were actively degrading inbox placement. At 1.8 million contacts across six states, with B2B and B2C sharing the same sending domain, reputation damage on any single stream affected every message the organization sent.
This was not a problem that could wait for a ramp period. It was the problem that determined whether anything else I built would land. The root causes were operational, not exotic:
A 1.8M-contact list without streamlined hygiene was carrying invalid addresses, disengaged contacts, and potential spam-trap exposure. Bounce rates were running at 9.9%. At Gmail and Microsoft, engagement-based filtering means a dirty list poisons the sender score regardless of content quality.
Sending practice around IP handling had lapsed, and the domain had accumulated entries across multiple blacklists. I used MXToolbox to identify which lists it was on, corrected the underlying causes, then contacted each list operator directly to request removal. Delisting follows the fix, not the request.
DMARC was present but hadn't been updated since the last ESP/CRM migration. The organization was mid-transition between two industry-specific CRMs, a slow and complicated migration that left the authentication records pointing at infrastructure that was no longer the primary sending path. SPF and DKIM alignment gaps across old and new platforms meant a portion of legitimate mail was failing authentication silently.
Authentication and reputation posture had no ongoing visibility. I implemented EasyDMARC for continuous DMARC, SPF, and DKIM monitoring, so configuration drift and alignment failures surfaced in real time rather than showing up as unexplained placement drops weeks later.
The multi-pronged approach cleared the issues within the first 30 days.
Complaint rates ran at 0.1%. The audience wanted the mail, so complaints were never the driver; the damage was caused by infrastructure neglect. Once the domain's reputation posture was clean, everything built on that foundation could actually deliver: the welcome and onboarding series, the segmentation rebuild, the loyalty program, the geo-targeted campaigns.
1.8 million contacts, sent Monday through Thursday between 7:00 and 7:30 AM, with Friday held for reminder nudges. The schedule looks simple until you account for what varied inside it: every send was state-specific, with offers, compliance language, and product availability shifting by market. This was not a national blast on a fixed cadence. It was six state-level programs run in parallel, coordinated on a single calendar.
Because the category is federally restricted, major carriers treat it as prohibited content. Unregistered sending faces immediate, permanent network suspension. Compliant SMS required A2P 10DLC registration through specialized platforms with vetted routing and structured formatting that satisfied per-carrier traffic thresholds. One-to-one disclosures and prior express written consent were baseline, not optional.
Purchase recency and frequency, product category and format preference, brand affinity, loyalty tier and point status, geographic market down to city and neighborhood level, and VIP / high-value customer flags.
Points accrual, tier movement, behavioral triggers on purchase patterns, double and triple point promotions, referral incentives, birthday offers, and automated lifecycle flows that moved members through the program without manual sends.
Separate from the main promotional calendar. Abandoned-cart flows were rebuilt after GA4 audits surfaced leaky conversion paths and buyer-intent signals the existing automation wasn't capturing.
Reporting ran on monthly GA4 audits and KPI reviews alongside an external analytics partner. I presented performance to leadership including C-level: open rate, click rate, CTR, CTOR, conversion rate, opt-in/opt-out rates, promo and points redemption, and spam/bounce rates on the engagement side; AOV, ROAS, first-time basket size, and customer acquisition cost on the revenue side.
The growth wasn't a signup-form exercise. It was a multi-channel acquisition and retention system built on behavioral automation.
Acquisition. 200K+ new opt-ins came from landing-page form captures, in-store promotional incentive campaigns with point-of-sale enrollment, in-store third-party digital signage (retail media networks), eCommerce checkout opt-in, and display. The 35X ROI came from channel-specific targeting, not blanket spend.
Retention and loyalty. The loyalty list grew 25% (+40K net-new members) over six months. The mechanism was lifecycle automation built on behavioral segmentation: purchase recency, frequency, category affinity, and loyalty tier determined which offers a member received and when. Double and triple point promotions, referral incentives, and birthday offers were triggered by behavior, not scheduled on a calendar. The 40K members weren't collected; they were earned through campaigns that rewarded repeat engagement.
Performance lifts. Email CTR increased 20% in one quarter through geo-targeted A/B testing tied to store-level promotional positioning. eCommerce conversions lifted 2.5% in the same quarter. The gains came from relevance, matching the offer to the customer's purchase history and local market, not from subject-line testing or send-time optimization alone.
A high-profile culinary collaboration launched across email, web, and social. The campaign segmented by five axes: geographic market, purchase history, brand preference, category preference, and loyalty status.
A product launch with a recognizable name attached could have been blasted to the full 1.8M-contact list. Instead, it was targeted so the highest-intent audience in the relevant markets saw it first.
The sellout validated the targeting model, not the celebrity attachment.
The same segmentation architecture that ran the weekly promotional calendar was applied at its sharpest to a single high-visibility moment, and the returns proved the system worked under pressure. See the campaign creative and segmentation detail →
At 1.8 million sends a week across six states and multiple platforms, authentication is not a set-and-forget DNS record. It is an operational surface, and it grows with every platform that sends as the domain.
Every platform that sends as the domain needs its own entry in the authentication stack: the CRM, the SMS platform's email component, the eCommerce transactional system, the third-party marketplaces. Each is a sending source, and each needs SPF authorization, a DKIM signing key, and DMARC alignment. Miss one and that stream fails authentication. At this volume the cost compounds: a single misconfigured platform doesn't lose a few messages, it degrades reputation across every stream, because B2B and B2C share one domain and one reputation score.
Every include: mechanism counts toward the 10-DNS-lookup limit (RFC 7208). Three or four platforms can approach the ceiling before adding monitoring or transactional services. Exceed it and SPF returns a PermError: every message from every platform fails, silently, with no inbox-side notice.
A signed selector per sending platform. Each generates its own key pair, published in DNS and actively signing. A missing selector means that platform can't achieve alignment. Key strength matters: 1024-bit passes, but 2048-bit is the current recommendation, and rotating across a multi-platform operation means coordinating every vendor.
At enforcement (p=quarantine or p=reject) the domain is protected from spoofing, which matters more in a regulated industry, where impersonation creates compliance exposure, not just brand damage.
Enforcement without aggregate reporting (rua=) is a blind policy: rejecting mail with no visibility into which legitimate senders are failing alignment. In a multi-platform operation, that's how a forgotten vendor silently loses mail for months.
None of the segmentation, the behavioral automation, or the loyalty mechanics matter if the domain can't pass basic authentication. A 2M-contact list sending 1.8M messages a week through multiple platforms only works when the infrastructure underneath is correct. The auditor exists to verify that foundation, in plain language, for the people responsible for what gets built on top of it.
Run the authentication auditEnforcement is where authentication earns its keep — and where most senders stall. Flipping DMARC to p=reject without a ramp is how legitimate mail disappears. This is the sequence practitioners converge on, and the one I run.
p=none with rua= firstMonitoring mode. No mail is affected, and aggregate reports start arriving — the first honest inventory of everything sending as the domain, including platforms nobody remembered.
Every legitimate platform failing in the reports gets its SPF include: or DKIM selector corrected. One nuance separates pros from checklists: forwarded mail always breaks SPF — DKIM survives forwarding, which is why enforcement can never rest on SPF alone.
pct= at quarantinep=quarantine with pct=25, then 50, then 100. Failures land in spam instead of vanishing, and the stragglers surface while the blast radius stays small.
p=reject with rua= still live. The report stream is how you catch the next vendor migration before it silently costs a quarter of your sends.
Beyond the big three
Forces inbound mail over encrypted TLS and reports delivery-time failures. Without it, transport can be silently downgraded to plaintext. Hosted policy services have turned deployment from a web-server project into minutes of DNS work.
Your verified logo beside the sender name at Gmail and Yahoo. It requires DMARC at enforcement first — BIMI is the reward for finishing the ramp, and a visible trust signal to every recipient before they open.
Authentication records drift with every vendor swap and migration. Continuous monitoring turns drift into a same-day alert instead of an unexplained placement drop three weeks later.
DNS hosts split long TXT records into 255-character chunks — every 2048-bit DKIM key ships that way. Some validators misread the split and report a working record as broken. The auditor reassembles chunks correctly; not every tool does.
Receiving systems treat each standard as a compounding trust signal: the more of the stack that verifies, the more benefit of the doubt the domain earns at send time. The auditor this page accompanies checks all five layers in one pass.
Everything above earns a domain the right to be delivered. It does not earn the right to be believed. SPF, DKIM, and DMARC authenticate the source of a message — the domain it left from — never the intent of what's inside it. Get the stack right and mail reaches the door. Nothing in a DNS record walks it through.
An aligned message is one that provably left your domain. It is not, by that fact, a message that is wanted, relevant, or safe. The protocols verify where mail came from; content, list health, and engagement decide what happens after. A domain can pass every check and still sink because recipients stopped opening.
A freshly registered look-alike domain can publish flawless SPF, DKIM, and DMARC and clear every filter. Authentication defends your domain from being spoofed. It does nothing about the domain beside yours that a human reads as you — a threat that lives in the recipient's eye, not the DNS.
Authentication trusts the source. When the source itself is compromised — a hijacked mailbox, a breached sending platform — the mail it sends is fully aligned and fully authenticated. The check passes because it was never built to ask whether the sender should be trusted, only whether the sender is who it claims.
Passing authentication is the price of admission to the inbox, not tenure there. Sustained placement is a function of opens, complaints, and list hygiene — signals the DNS layer cannot generate. Authentication gets mail to the door; engagement and list health are what walk it through.
Authentication earns a domain the right to be judged on its merits. It is not the merit.
None of this diminishes the layer — it locates it. Infrastructure is the work no recipient ever sees and every message depends on. Done right, it doesn't win attention; it removes the reasons to be ignored. That principle outlasts any single engagement or stack: the invisible layer has to be correct before the visible work can be judged at all. Records that parse tell you a domain is configured. Records that pass tell you it is trusted. Whether the mail was worth sending is the discipline that begins where the DNS record ends.