Back to the auditor
CS·01Case study: Authentication & infrastructure buildout

The authority layer

Records parsed. Nothing passed. We rebuilt them.

A multi-state regulated CPG retailer with 1.8 million contacts was carrying active reputation damage across a domain that couldn't reliably deliver. Before any campaign strategy mattered, the infrastructure underneath had to be made correct. This is what that rebuild looked like, and what got built on top of it once the foundation could hold.

Sector: Multi-state regulated CPG Scale: 1.8M → 2M+ contacts Role: Email Mgr → Sr. Digital Mktg Mgr Identity: Anonymized · metrics verified
~1%
Bounce rate after cleanup, down from 9.9%
30days
To clear the reputation issues
2M+
Contacts, grown from 1.8M in six months
35X
ROI on acquisition campaigns
01The situation

A list this size shouldn't have been this quiet. The domain was why.

A multi-state regulated CPG retailer: 1.8 million email contacts, physical storefronts across six states, owned eCommerce, and third-party marketplace presence. The product category carried federal restrictions that excluded the brand from mainstream marketing platforms.

Standard tools like HubSpot, Mailchimp, and most major ESPs either blocked accounts outright or imposed terms that made compliant messaging impossible. Every campaign required specialized infrastructure: industry-specific CRM and SMS platforms with vetted carrier routing, state-by-state copy and offer adjustments, and compliance formatting that shifted with each market's regulatory window.

I came on as Email Marketing Manager and was promoted to Sr. Digital Marketing Manager as the scope expanded. The operation ran email, SMS, display, out-of-home, eCommerce, and social simultaneously. B2B and B2C email programs shared the same domain. The loyalty program ran through an industry-specific CRM; SMS deployed daily through a specialized compliant messaging platform. A headless CMS handled content across brand properties.

The core problem was twofold. First, the domain had active reputation issues that needed triage before anything else could be built. Second, the marketing operation was underbuilt: segmentation was limited to state and engagement level, and lifecycle automation was nonexistent. The list was 1.8 million contacts large and underworked. But none of the optimization mattered until the domain could reliably reach the inbox.

02Day one: Domain reputation

The first priority wasn't strategy. It was deliverability.

The domain had reputation issues that were actively degrading inbox placement. At 1.8 million contacts across six states, with B2B and B2C sharing the same sending domain, reputation damage on any single stream affected every message the organization sent.

This was not a problem that could wait for a ramp period. It was the problem that determined whether anything else I built would land. The root causes were operational, not exotic:

The multi-pronged approach cleared the issues within the first 30 days.

Bounce rate, before cleanup
9.9%
Infrastructure neglect, not disengagement
Bounce rate, after 30 days
~1%
Clean reputation posture restored

Complaint rates ran at 0.1%. The audience wanted the mail, so complaints were never the driver; the damage was caused by infrastructure neglect. Once the domain's reputation posture was clean, everything built on that foundation could actually deliver: the welcome and onboarding series, the segmentation rebuild, the loyalty program, the geo-targeted campaigns.

03The operation

Six parallel programs under one marketing calendar

1.8 million contacts, sent Monday through Thursday between 7:00 and 7:30 AM, with Friday held for reminder nudges. The schedule looks simple until you account for what varied inside it: every send was state-specific, with offers, compliance language, and product availability shifting by market. This was not a national blast on a fixed cadence. It was six state-level programs run in parallel, coordinated on a single calendar.

SMS · daily

Compliant messaging under carrier constraints

Because the category is federally restricted, major carriers treat it as prohibited content. Unregistered sending faces immediate, permanent network suspension. Compliant SMS required A2P 10DLC registration through specialized platforms with vetted routing and structured formatting that satisfied per-carrier traffic thresholds. One-to-one disclosures and prior express written consent were baseline, not optional.

Segmentation

Granular and behavioral, not demographic

Purchase recency and frequency, product category and format preference, brand affinity, loyalty tier and point status, geographic market down to city and neighborhood level, and VIP / high-value customer flags.

Loyalty

Managed through the CRM platform

Points accrual, tier movement, behavioral triggers on purchase patterns, double and triple point promotions, referral incentives, birthday offers, and automated lifecycle flows that moved members through the program without manual sends.

Re-engagement

Winback on 60/90-day cadences

Separate from the main promotional calendar. Abandoned-cart flows were rebuilt after GA4 audits surfaced leaky conversion paths and buyer-intent signals the existing automation wasn't capturing.

Reporting ran on monthly GA4 audits and KPI reviews alongside an external analytics partner. I presented performance to leadership including C-level: open rate, click rate, CTR, CTOR, conversion rate, opt-in/opt-out rates, promo and points redemption, and spam/bounce rates on the engagement side; AOV, ROAS, first-time basket size, and customer acquisition cost on the revenue side.

04The growth engine

1.8M to 2M+ contacts in six months

The growth wasn't a signup-form exercise. It was a multi-channel acquisition and retention system built on behavioral automation.

200K+
New opt-ins in under three months
+25%
Loyalty list growth (+40K net-new members) over six months
35X
ROI on acquisition campaigns

Acquisition. 200K+ new opt-ins came from landing-page form captures, in-store promotional incentive campaigns with point-of-sale enrollment, in-store third-party digital signage (retail media networks), eCommerce checkout opt-in, and display. The 35X ROI came from channel-specific targeting, not blanket spend.

Retention and loyalty. The loyalty list grew 25% (+40K net-new members) over six months. The mechanism was lifecycle automation built on behavioral segmentation: purchase recency, frequency, category affinity, and loyalty tier determined which offers a member received and when. Double and triple point promotions, referral incentives, and birthday offers were triggered by behavior, not scheduled on a calendar. The 40K members weren't collected; they were earned through campaigns that rewarded repeat engagement.

Performance lifts. Email CTR increased 20% in one quarter through geo-targeted A/B testing tied to store-level promotional positioning. eCommerce conversions lifted 2.5% in the same quarter. The gains came from relevance, matching the offer to the customer's purchase history and local market, not from subject-line testing or send-time optimization alone.

05The flagship

A high-profile launch, targeted instead of blasted

A high-profile culinary collaboration launched across email, web, and social. The campaign segmented by five axes: geographic market, purchase history, brand preference, category preference, and loyalty status.

A product launch with a recognizable name attached could have been blasted to the full 1.8M-contact list. Instead, it was targeted so the highest-intent audience in the relevant markets saw it first.

15%+
In-store sales lift
60%+
eCommerce conversion spike (month-over-month)
24 hrs
Full product sellout

The sellout validated the targeting model, not the celebrity attachment.

The same segmentation architecture that ran the weekly promotional calendar was applied at its sharpest to a single high-visibility moment, and the returns proved the system worked under pressure. See the campaign creative and segmentation detail →

06The infrastructure layer

The layer the auditor checks, at enterprise scale

At 1.8 million sends a week across six states and multiple platforms, authentication is not a set-and-forget DNS record. It is an operational surface, and it grows with every platform that sends as the domain.

Every platform that sends as the domain needs its own entry in the authentication stack: the CRM, the SMS platform's email component, the eCommerce transactional system, the third-party marketplaces. Each is a sending source, and each needs SPF authorization, a DKIM signing key, and DMARC alignment. Miss one and that stream fails authentication. At this volume the cost compounds: a single misconfigured platform doesn't lose a few messages, it degrades reputation across every stream, because B2B and B2C share one domain and one reputation score.

SPF

Every include: mechanism counts toward the 10-DNS-lookup limit (RFC 7208). Three or four platforms can approach the ceiling before adding monitoring or transactional services. Exceed it and SPF returns a PermError: every message from every platform fails, silently, with no inbox-side notice.

DKIM

A signed selector per sending platform. Each generates its own key pair, published in DNS and actively signing. A missing selector means that platform can't achieve alignment. Key strength matters: 1024-bit passes, but 2048-bit is the current recommendation, and rotating across a multi-platform operation means coordinating every vendor.

DMARC

At enforcement (p=quarantine or p=reject) the domain is protected from spoofing, which matters more in a regulated industry, where impersonation creates compliance exposure, not just brand damage.

Reporting

Enforcement without aggregate reporting (rua=) is a blind policy: rejecting mail with no visibility into which legitimate senders are failing alignment. In a multi-platform operation, that's how a forgotten vendor silently loses mail for months.

Why this tool exists

None of the segmentation, the behavioral automation, or the loyalty mechanics matter if the domain can't pass basic authentication. A 2M-contact list sending 1.8M messages a week through multiple platforms only works when the infrastructure underneath is correct. The auditor exists to verify that foundation, in plain language, for the people responsible for what gets built on top of it.

Run the authentication audit
07The enforcement playbook

Getting to p=reject without losing real mail

Enforcement is where authentication earns its keep — and where most senders stall. Flipping DMARC to p=reject without a ramp is how legitimate mail disappears. This is the sequence practitioners converge on, and the one I run.

  1. Publish at p=none with rua= first

    Monitoring mode. No mail is affected, and aggregate reports start arriving — the first honest inventory of everything sending as the domain, including platforms nobody remembered.

  2. Fix alignment at the source before touching policy

    Every legitimate platform failing in the reports gets its SPF include: or DKIM selector corrected. One nuance separates pros from checklists: forwarded mail always breaks SPF — DKIM survives forwarding, which is why enforcement can never rest on SPF alone.

  3. Ramp with pct= at quarantine

    p=quarantine with pct=25, then 50, then 100. Failures land in spam instead of vanishing, and the stragglers surface while the blast radius stays small.

  4. Enforce — and keep the reports on

    p=reject with rua= still live. The report stream is how you catch the next vendor migration before it silently costs a quarter of your sends.

Beyond the big three

MTA-STS + TLS-RPT

Forces inbound mail over encrypted TLS and reports delivery-time failures. Without it, transport can be silently downgraded to plaintext. Hosted policy services have turned deployment from a web-server project into minutes of DNS work.

BIMI

Your verified logo beside the sender name at Gmail and Yahoo. It requires DMARC at enforcement first — BIMI is the reward for finishing the ramp, and a visible trust signal to every recipient before they open.

DNS change monitoring

Authentication records drift with every vendor swap and migration. Continuous monitoring turns drift into a same-day alert instead of an unexplained placement drop three weeks later.

TXT record hygiene

DNS hosts split long TXT records into 255-character chunks — every 2048-bit DKIM key ships that way. Some validators misread the split and report a working record as broken. The auditor reassembles chunks correctly; not every tool does.

Receiving systems treat each standard as a compounding trust signal: the more of the stack that verifies, the more benefit of the doubt the domain earns at send time. The auditor this page accompanies checks all five layers in one pass.

08The limits of the layer

Authentication is the floor. It was never the finish.

Everything above earns a domain the right to be delivered. It does not earn the right to be believed. SPF, DKIM, and DMARC authenticate the source of a message — the domain it left from — never the intent of what's inside it. Get the stack right and mail reaches the door. Nothing in a DNS record walks it through.

Identity, not intent

A signature proves origin, not safety

An aligned message is one that provably left your domain. It is not, by that fact, a message that is wanted, relevant, or safe. The protocols verify where mail came from; content, list health, and engagement decide what happens after. A domain can pass every check and still sink because recipients stopped opening.

The look-alike gap

Attackers authenticate too

A freshly registered look-alike domain can publish flawless SPF, DKIM, and DMARC and clear every filter. Authentication defends your domain from being spoofed. It does nothing about the domain beside yours that a human reads as you — a threat that lives in the recipient's eye, not the DNS.

The trusted source

A valid account can send bad mail

Authentication trusts the source. When the source itself is compromised — a hijacked mailbox, a breached sending platform — the mail it sends is fully aligned and fully authenticated. The check passes because it was never built to ask whether the sender should be trusted, only whether the sender is who it claims.

Placement, not engagement

The inbox is earned, then kept

Passing authentication is the price of admission to the inbox, not tenure there. Sustained placement is a function of opens, complaints, and list hygiene — signals the DNS layer cannot generate. Authentication gets mail to the door; engagement and list health are what walk it through.

Authentication earns a domain the right to be judged on its merits. It is not the merit.

None of this diminishes the layer — it locates it. Infrastructure is the work no recipient ever sees and every message depends on. Done right, it doesn't win attention; it removes the reasons to be ignored. That principle outlasts any single engagement or stack: the invisible layer has to be correct before the visible work can be judged at all. Records that parse tell you a domain is configured. Records that pass tell you it is trusted. Whether the mail was worth sending is the discipline that begins where the DNS record ends.