Email infrastructure from scratch: what to configure before your first send

Subdomain, SPF, DKIM, DMARC, BIMI, warm-up, and monitoring. The technical setup that decides whether your email lands in the inbox or in spam.

There is a common confusion among people starting with email marketing: thinking the ESP handles infrastructure. It does not. The ESP is the engine. Infrastructure is the chassis, the fuel, and the license plate. You are responsible for it.

This text is an execution path, in order, of what needs to be in place before the first serious send happens. It does not cover copy strategy or segmentation. It covers what providers like Gmail and Outlook look at to decide whether you are someone they can trust.

1. Dedicated marketing subdomain

First technical decision: you do not send marketing from the same domain that sends important transactional email.

If your company is acme.com, the product team uses acme.com for invoices, password recovery, critical notifications. Marketing should operate on news.acme.com, email.acme.com, or mkt.acme.com. The reason is simple: each subdomain's reputation is evaluated relatively independently by providers. If a marketing send goes wrong, you do not want to drag product login into spam with it.

Configure the subdomain before configuring the ESP. Not after.

2. SPF (Sender Policy Framework)

SPF is a TXT record on your subdomain's DNS that lists which servers are authorized to send email on its behalf.

Example SPF for someone using a typical ESP:

v=spf1 include:_spf.example-esp.com -all

Three things to get right:

  • The record goes on the sending subdomain (news.acme.com), not on the root domain.
  • Use -all (hardfail) when you know exactly who sends. Use ~all (softfail) only during migrations.
  • SPF has a 10 DNS lookup limit. Exceeding it invalidates the entire record. A large ESP's record may itself contain several include: mechanisms. If you have accumulated many senders over time, flatten the record.
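
To check the lookup limit before publishing, the sketch below counts the DNS-querying terms reachable from an SPF record, following include: and redirect= recursively. It is an added example, not code from any ESP or from this page's author; the ZONE dictionary is constructed data standing in for live DNS, and every name in it other than news.acme.com and _spf.example-esp.com is hypothetical.

```python
import re

# Constructed TXT data standing in for live DNS lookups (hypothetical names).
ZONE = {
    "news.acme.com": "v=spf1 include:_spf.example-esp.com include:_spf.crm.example -all",
    "_spf.example-esp.com": "v=spf1 include:a.example-esp.com include:b.example-esp.com ~all",
    "a.example-esp.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.example-esp.com": "v=spf1 ip4:198.51.100.0/24 a:mail.example-esp.com ~all",
    "_spf.crm.example": "v=spf1 mx exists:%{i}.rbl.crm.example ~all",
}

# Terms that cost one DNS lookup each (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from the SPF record of `domain`."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        # Drop the qualifier (+ - ~ ?), then split the name from its argument.
        parts = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)
        name = parts[0].lower()
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6 and all cost no lookup
        total += 1
        if name in ("include", "redirect") and len(parts) == 2:
            # The referenced record's own lookups count against the same budget.
            total += count_lookups(parts[1], zone, path + (domain,))
    return total


def within_limit(domain, zone):
    """True when the record stays inside the 10-lookup budget."""
    return count_lookups(domain, zone) <= SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    n = count_lookups("news.acme.com", ZONE)
    print(f"news.acme.com uses {n} of {SPF_LOOKUP_LIMIT} lookups")
```

Two visible include: terms on the subdomain already cost 7 lookups here, which is why the count has to follow the chain rather than read only the top-level record.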

SPF alone is not enough. It fails when email is forwarded (because the intermediate server is not on the list). That is why DKIM exists.

3. DKIM (DomainKeys Identified Mail)

DKIM signs each message with a private key your ESP holds. The recipient verifies that signature with a public key you publish in DNS, also as TXT.

The ESP generates the keys. You publish the records. Use keys of at least 2048 bits. 1024-bit keys are still accepted but are being deprecated progressively.

DKIM survives the forwarding that SPF does not survive. That is why the practical recommendation is to configure both. It is not a choice between one or the other.

4. DMARC, in three phases

DMARC is the protocol that ties SPF and DKIM together and tells the provider what to do when either fails. It is also the only way the recipient can warn you that someone is trying to impersonate your domain.

DMARC is published in three phases, and most companies skip straight to phase three and break things.

Phase 1: monitoring (p=none).

v=DMARC1; p=none; rua=mailto:dmarc@acme.com; ruf=mailto:dmarc@acme.com; fo=1; pct=100

You are not blocking anything. You are asking providers to send you daily reports about who is sending email on behalf of your domain. This step lasts between 4 and 8 weeks. The goal is to find every legitimate sender you forgot (CRM, support tool, digital signature system, agency sending newsletters on your behalf).
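
The reports requested with rua arrive as XML. The sketch below, an added example rather than code from this page's author or from any provider, reads one aggregate report, lists the sources whose mail failed both aligned checks (the forgotten senders or spoofers this phase is meant to surface), and computes the aligned pass rate against the 99% bar this page sets for moving to quarantine. SAMPLE_REPORT is constructed and trimmed to the fields used; the function names and the threshold parameter are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (rua) report, trimmed to the fields used below.
# IPs are documentation addresses; real reports arrive compressed by email.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>acme.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>980</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>news.acme.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>news.acme.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.44</source_ip><count>5</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>acme.com</header_from></identifiers></record>
</feedback>"""


def summarize(report_xml):
    """Return (aligned pass rate, {(source_ip, header_from): failing count})."""
    # Reports come from third parties: in production use a hardened XML
    # parser (for example defusedxml) instead of the stdlib one.
    root = ET.fromstring(report_xml)
    total = passed = 0
    failing = defaultdict(int)
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        results = (row.findtext("policy_evaluated/dkim"),
                   row.findtext("policy_evaluated/spf"))
        total += count
        if "pass" in results:  # DMARC passes if either aligned check passes
            passed += count
        else:
            key = (row.findtext("source_ip"), rec.findtext("identifiers/header_from"))
            failing[key] += count
    return (passed / total if total else 0.0), dict(failing)


def ready_for_quarantine(report_xml, threshold=0.99):
    """Apply the 99% aligned-pass bar (threshold is this example's parameter)."""
    return summarize(report_xml)[0] >= threshold


if __name__ == "__main__":
    rate, failing = summarize(SAMPLE_REPORT)
    print(f"aligned pass rate: {rate:.1%}")
    for (ip, header_from), n in failing.items():
        print(f"investigate {ip} sending as {header_from}: {n} messages")
```

The second record in the sample is the forwarding case: SPF fails but the DKIM signature still passes, so the message counts as passing.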

Phase 2: quarantine (p=quarantine).

When reports show that 99%+ of sends pass aligned SPF or DKIM, you move up to quarantine. Messages that fail go to the recipient's spam folder instead of being rejected.

v=DMARC1; p=quarantine; rua=mailto:dmarc@acme.com; pct=10

Note pct=10. You are applying the policy to 10% of the messages that fail. Increase progressively.

Phase 3: rejection (p=reject).

Full policy. Messages that fail SPF and DKIM are rejected by the receiving server before reaching the recipient's mailbox. This is the posture Gmail and Yahoo started requiring of bulk senders in 2024.

v=DMARC1; p=reject; rua=mailto:dmarc@acme.com

If you stay at p=none forever, BIMI does not work, and bulk senders remain exposed to spoofing.

5. BIMI (Brand Indicators for Message Identification)

BIMI displays your brand logo in the inbox, next to the sender name, on providers that support the standard (Gmail, Yahoo, Apple Mail, among others).

Requirements:

  • DMARC at p=quarantine or p=reject (does not work at p=none).
  • Logo in SVG Tiny PS format, hosted on a public HTTPS URL.
  • For Gmail and Apple Mail, a VMC (Verified Mark Certificate) issued by a recognized certificate authority. Annual cost, and requires that your brand be registered.

BIMI does not improve deliverability directly. It improves visual recognition in the inbox and indirectly reduces complaints from identity confusion.

6. Warm-up: patience over volume

Spinning up new infrastructure and blasting 200,000 emails on day one is a quick way to burn the reputation of both the IP and the domain.

Providers evaluate sending patterns. Consistent, growing volume from a new sender is read as a legitimate sender building an audience. Sudden volume is read as a spammer.

Warm-up pattern that works, week by week:

  • Week 1. 500 to 1,000 sends per day to the most engaged subscribers (opened in the last 30 days).
  • Week 2. Double the daily volume. Keep focus on those who engage.
  • Week 3 onward. Keep doubling every few days, gradually expanding to less engaged subscribers.
  • Stop signals. If bounce rate goes above 2% or complaint rate goes above 0.1% at any point, stop increasing volume and investigate.

Typical warm-up for corporate volumes (millions of sends/month) takes between 4 and 8 weeks until the IP/domain operates at full capacity.

7. Monitoring, from day 1 to day 365

You will not know if the infrastructure is healthy unless you are measuring. The three free dashboards worth configuring:

  • Google Postmaster Tools. Shows spam rate, IP reputation, domain reputation, authentication rate, and encryption rate for Gmail sends. Configure once, drop a verification TXT in DNS, forget about it.
  • Microsoft SNDS (Smart Network Data Services). The Outlook/Hotmail equivalent. Rougher, IP-focused. Useful when you operate a dedicated IP.
  • Yahoo Sender Hub. Launched in 2024 when Yahoo tightened requirements. Tracks equivalent metrics for sends to Yahoo, AOL, and other group properties.

Metrics to watch daily:

  • Complaint rate. Below 0.3%. Ideally below 0.1%. Above 0.3% is the red zone, and Gmail actively filters.
  • Hard bounce rate. Below 2%. Above that indicates a bad list or poorly configured infrastructure.
  • Domain reputation. In Postmaster Tools, it should be "High" or "Medium". "Low" or "Bad" are highest-priority alerts.
  • Blocklist status. Checkers like MXToolbox or MultiRBL monitor lists like Spamhaus, SORBS, and Barracuda. Being on a blocklist kills deliverability to millions of inboxes at once.

8. What is not in this text, but exists

We covered the technical sending infrastructure. We did not cover: feedback loops with providers (useful for unsubscribe automation), suppression lists (critical for LGPD/GDPR), CSPs for dynamic content in email, AMP for Email (still partial support), and the shared versus dedicated IP strategy (depends on volume).

Each of these topics deserves its own text. What matters here is closing the minimum set: subdomain + SPF + DKIM + DMARC + warm-up + monitoring. Without this, any copy optimization is working on a floor that shakes.

How Email Intelligence helps

Email Intelligence operates on the layer above this infrastructure. Once you have configured the technical setup, the question remains open: "how do I know, per subscriber, whether this person is engaging, whether the address is disposable, whether the domain is trap risk, whether engagement is dropping?". Email Intelligence connects to your ActiveCampaign account and materializes those answers as automatic fields, ready for automation and segmentation.

We are opening access to the free beta.

Tags: infrastructure, authentication, deliverability