Single-domain DMARC is a tractable engineering project. Multi-domain DMARC — where an organization owns ten or twenty or fifty sending domains, half of which go through third-party vendors, some of which handle customer communication and others handle marketing, all of which need to stay aligned simultaneously — is an operational discipline that most organizations discover they have not been doing well right around the time someone starts asking why their brand is being spoofed. This article is the practical guide to authentication alignment at the scale where it actually gets hard. Last week's DHS directive requiring all US federal agencies to reach DMARC p=reject within a year has crystallized a conversation that has been building for a while: authentication is no longer optional, and the organizations whose multi-domain programs aren't already moving toward enforcement are going to be explaining why within the next twelve months.
Key takeaways
- Multi-domain DMARC is a different problem than single-domain DMARC. The complexity grows non-linearly with domain count because each new third-party sender introduces alignment edge cases that the existing policy has to handle correctly.
- Alignment requires that the domain that authenticates (SPF Return-Path or DKIM d=) matches or is a subdomain of the From header domain. "Passing SPF" and "passing DMARC" are different things; many senders pass SPF but fail DMARC because the domains don't align.
- The SPF 10-DNS-lookup limit is the single most common technical failure in multi-domain programs. Adding every vendor's SPF include to your organizational record guarantees you'll exceed the limit within a few integrations.
- Delegating a subdomain to each third-party vendor is the pattern that scales. marketing.example.com for the marketing platform, transactional.example.com for the transactional provider, support.example.com for the support tool — each with independent SPF and DKIM, all inheriting the organizational DMARC policy via
sp=. - The policy progression from
p=nonetop=rejecttakes most organizations six to twelve months. The elapsed time is not the issue; the discipline of actually reviewing aggregate reports weekly and progressing only when the reports are clean is the issue. Teams that review monthly or quarterly get stuck atp=noneindefinitely.
Why multi-domain alignment is hard
A single-domain DMARC deployment has a manageable configuration surface: one SPF record, a small number of DKIM selectors, one DMARC record. The organization knows who sends mail, the vendors are few, and the alignment problem is contained. If something breaks, there is one record to investigate. The foundational DMARC story — what the protocol is, how early adopters rolled it out, and the lessons from the first wave — is documented in DMARC in practice: early lessons from the first wave of adopters.
A multi-domain deployment has none of those simplifications. The organization owns an organizational domain (example.com) and probably a dozen related domains — country-specific variants, acquired brands, product-line identities, legacy domains from prior campaigns. Each of those domains has its own sending pattern, its own set of third-party vendors, and its own DNS zone. A change that benefits one domain can silently break alignment on another. A vendor added to support the marketing team can introduce an SPF record that fails alignment for transactional mail on the same domain. Nobody notices until Gmail's aggregate reports start showing the failure pattern, by which point it has been affecting inbox placement for weeks.
The fundamental difficulty is that alignment is a per-message property evaluated by receivers. The sender's view of whether everything is configured correctly is incomplete. Only the DMARC aggregate reports, aggregated across the major receivers, show the truth of what is actually happening to your mail. Teams that don't read those reports regularly cannot know whether their multi-domain program is healthy.
What alignment actually requires
DMARC alignment is the property that ties authentication results (SPF or DKIM pass) to the From header domain the recipient sees. A message can pass SPF and still fail DMARC if the SPF-authenticated domain doesn't align with the From header. This is the single most common source of confusion when teams first investigate their own DMARC data.
The two alignment modes
| Mode | Requirement | Example: From = user@example.com | When to use |
|---|---|---|---|
| Relaxed (default) | Authenticated domain must share organizational domain with From | SPF/DKIM domain can be mail.example.com, marketing.example.com, or example.com | Most production deployments; allows subdomain flexibility |
| Strict | Authenticated domain must exactly match From | SPF/DKIM domain must be example.com exactly | High-security domains, financial/legal senders wanting tighter control |
Relaxed alignment is the default when the DMARC record omits the aspf and adkim tags. For most multi-domain programs this is correct; you almost always want the flexibility to sign from subdomains that share the organizational domain. Strict mode should be a deliberate choice for specific domains where the extra tightness is justified and the operational implications are understood.
What the DMARC check actually does
- Evaluate SPF. Perform the SPF check against the envelope Return-Path (also called MAIL FROM). Record the result.
- Evaluate SPF alignment. Compare the Return-Path domain to the From header domain. Pass if they share the organizational domain (relaxed) or match exactly (strict).
- Evaluate DKIM. Verify each DKIM signature in the message. Record which ones validate.
- Evaluate DKIM alignment. For each valid DKIM signature, compare the
d=domain to the From header domain. Pass if they align. - DMARC pass. If either SPF passed AND aligned, OR any DKIM signature was valid AND aligned, DMARC passes.
- DMARC fail. If neither SPF nor DKIM produced an aligned pass, apply the DMARC policy (
p=) from the record.
SPF across many domains and the 10-lookup ceiling
RFC 7208 sets a hard limit of ten DNS lookups per SPF evaluation. Every include:, a, mx, exists, and redirect= mechanism counts against this limit. Exceeding it causes a permerror — SPF returns neither pass nor fail, and DMARC treats it as a fail. Multi-domain programs hit this ceiling faster than they expect because each third-party vendor typically requires at least one include.
How the limit is consumed
example.com SPF — lookups accumulate quickly# An organization using multiple common vendors:
example.com. IN TXT "v=spf1
include:_spf.google.com # 1 lookup (+ nested lookups inside)
include:servers.mcsv.net # 1 lookup (Mailchimp)
include:sendgrid.net # 1 lookup
include:_spf.salesforce.com # 1 lookup
include:spf.mandrillapp.com # 1 lookup
include:mail.zendesk.com # 1 lookup
include:_spf.intuit.com # 1 lookup
~all"
# Total direct lookups: 7
# But each include may itself trigger nested lookups.
# _spf.google.com, for example, includes multiple nested includes.
# Real-world count: often 12-15 lookups, over the limit.
The strategies that actually work
| Strategy | How it works | Trade-offs |
|---|---|---|
| Subdomain delegation | Each vendor gets its own subdomain with its own SPF record; vendor's sends use the subdomain | Requires vendors to support using subdomains; usually they do |
| SPF flattening | Replace include: with literal IP ranges; maintained by a service that rewrites the record periodically | Static records that need maintenance; risk of stale IPs when vendors change infrastructure |
| Vendor consolidation | Reduce the number of third-party services that need SPF includes | Usually non-starter operationally, but worth considering for vendors that overlap |
| Rely on DKIM alignment | Accept that some vendors won't align via SPF and depend on DKIM alignment for DMARC pass | Works; requires vendor to sign with a selector on your domain |
The dominant strategy at serious scale is subdomain delegation. Each high-volume third-party sender gets its own subdomain (marketing.example.com for the marketing platform, tickets.example.com for Zendesk, billing.example.com for invoicing). Each subdomain has its own SPF record containing only that vendor's include. The organizational domain's SPF stays small and focused. The trade-off is DNS setup complexity, which is modest and one-time.
subdomain-delegated SPF records# Organizational domain: only in-house sending
example.com. IN TXT "v=spf1 mx include:_spf.google.com ~all"
# 2 direct lookups; plenty of headroom.
# Each vendor gets its own subdomain
marketing.example.com. IN TXT "v=spf1 include:servers.mcsv.net ~all"
tickets.example.com. IN TXT "v=spf1 include:mail.zendesk.com ~all"
billing.example.com. IN TXT "v=spf1 include:_spf.intuit.com ~all"
notifications.example.com. IN TXT "v=spf1 include:sendgrid.net ~all"
# The vendor sends From: marketing@marketing.example.com
# SPF check passes against the subdomain
# DMARC alignment passes because marketing.example.com is a subdomain of example.com
# (relaxed alignment; default)
DKIM signing for third-party senders
DKIM alignment works by having the third-party vendor sign outbound mail with a key published under your domain. The signing domain (d= in the DKIM header) must match or be a subdomain of the From header for alignment. Most major vendors support this pattern; the setup is one of the more valuable pieces of DMARC preparation work. The underlying DKIM signing mechanics, which most vendors abstract away but which you need to understand when troubleshooting, are covered in DKIM signing for transactional email.
The vendor-signing pattern
CNAME-based DKIM delegation# Vendor provides you with CNAME records to publish.
# They generate and manage the actual key; you point to it via DNS.
# Example: SendGrid DKIM setup
s1._domainkey.example.com. IN CNAME s1.domainkey.u12345.wl.sendgrid.net.
s2._domainkey.example.com. IN CNAME s2.domainkey.u12345.wl.sendgrid.net.
# Example: Mailchimp (Mandrill)
k1._domainkey.example.com. IN CNAME dkim.mandrillapp.com.
# The vendor signs outbound mail with:
# From: newsletter@example.com
# DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1; ...
# The selector s1 is looked up at s1._domainkey.example.com
# DNS resolves to the CNAME, which resolves to the vendor's key
# DKIM validates; the d= domain is example.com (your org domain)
# DKIM alignment with From header: pass
# DMARC: pass
When the vendor won't support DKIM with your domain
A handful of less-mature vendors still sign with their own domain by default and don't support signing on your behalf. For these, your options are: push the vendor to add support, accept that DMARC won't pass for mail through this vendor, or replace the vendor. The third option is increasingly practical because DMARC-compliant vendors have become the norm over the past two years; a vendor that can't align DKIM in 2017 is behind the market.
s1 and s2) and rotate which one is primary. When you rotate, you update the vendor to sign with the new selector while keeping the old one valid. After a few days of overlap, retire the old selector. Vendors that don't support at least two active selectors make rotation painful; prefer ones that do.
DMARC policies per organizational domain
The DMARC record at _dmarc.example.com governs policy for the organizational domain and, via the sp= tag, inherits policy for subdomains. Multi-domain programs need one DMARC record per organizational domain. A program with three distinct organizational domains (example.com, example.co.uk, example.de) needs three DMARC records.
DMARC record anatomy_dmarc.example.com. IN TXT
"v=DMARC1;
p=quarantine; # policy for example.com itself
sp=reject; # policy for subdomains (marketing.example.com, etc.)
adkim=r; # DKIM alignment: relaxed
aspf=r; # SPF alignment: relaxed
pct=100; # apply to 100% of failing mail
rua=mailto:dmarc-agg@example.com; # aggregate reports
ruf=mailto:dmarc-forensic@example.com; # forensic reports (less common)
fo=1; # generate forensic report on any failure
ri=86400" # aggregate report interval: 1 day
Tag by tag — what to set and why
p=- Policy for the organizational domain. Start at
noneto collect data; progress toquarantine; finally toreject. The progression is the point of DMARC; staying atnoneforever provides no protection. sp=- Subdomain policy. Defaults to the same value as
p=if omitted, but worth setting explicitly. A common pattern:sp=rejectfrom day one, because subdomains for vendors are created specifically to satisfy alignment and should never have unauthenticated mail. adkim=,aspf=- Alignment mode. Default (relaxed) for most programs. Strict for specific high-security domains.
pct=- Percentage of failing mail the policy applies to. Can be used as an intermediate enforcement step:
p=quarantine; pct=10quarantines only 10% of failing mail, letting you observe effects before full enforcement. rua=- Aggregate report destination. One or more mailto addresses. The single most important tag; this is where receivers send the XML reports you need to evaluate the program.
ruf=- Forensic report destination. Rarely emitted by receivers (Gmail in particular doesn't send them for privacy reasons), so setup is optional and of limited value.
fo=- Forensic options.
fo=1requests forensic reports for any failure;fo=dfor DKIM failures only;fo=sfor SPF failures only. Ifruf=is set,fo=1is the typical choice. ri=- Report interval in seconds. Defaults to 86400 (daily). Most receivers ignore this and send daily regardless.
Subdomain policies and the sp tag
The sp= tag is the mechanism that makes multi-domain programs tractable. Without it, every subdomain needs its own DMARC record to specify policy; with it, subdomains inherit from the organizational domain automatically.
The inheritance pattern
A DMARC record at _dmarc.example.com applies to:
- example.com itself — policy governed by
p= - Every subdomain of example.com that does not have its own DMARC record — policy governed by
sp= - Subdomains that do have their own DMARC record — their own record takes precedence
Hierarchical DMARC policy# Organizational domain
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-agg@example.com"
# All subdomains without their own record → p=reject
# Subdomain with its own relaxed policy (override)
_dmarc.marketing.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-agg@example.com"
# marketing.example.com → p=quarantine (override)
# subdomains of marketing.example.com (e.g., newsletter.marketing.example.com)
# without their own record → inherit marketing.example.com's policy via its own sp=
# (if sp= omitted, defaults to match the subdomain's p= value)
# Subdomain explicitly set to none during transition
_dmarc.legacy.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com"
# legacy.example.com → p=none (monitoring only, while legacy senders are identified)
The common mistake: forgetting sp
Many organizations publish a DMARC record with p=reject and omit sp=. The default behavior is for sp to match p, which means every subdomain inherits p=reject. If a forgotten legacy subdomain is still sending unauthenticated mail, that mail starts getting rejected globally. Teams discover this when internal systems or archived applications stop sending.
The safer pattern for multi-domain programs: during the enforcement transition, set sp= explicitly. Start with p=reject; sp=none, then move subdomains individually as you verify each one is aligned. Once all subdomains are verified, tighten to sp=reject. This prevents the "switched to reject and broke forgotten systems" incident.
sp= to quarantine or reject: enumerate every subdomain of your organizational domain, identify which ones send mail, verify alignment on each, and document ownership. The subdomains that surprise you during this audit are the ones that would have broken when sp= tightened. Catching them at audit time is cheap; catching them at enforcement time is expensive.
Delegating to vendors without losing alignment
Every major email vendor in 2017 supports DMARC alignment if configured correctly. The configuration differs per vendor, but the principles are consistent: either the vendor sends from a subdomain you delegate to them (SPF alignment via the subdomain's SPF record) or the vendor signs DKIM with a key published under your domain (DKIM alignment via CNAME). Usually both.
The vendor-by-vendor pattern
| Vendor category | SPF approach | DKIM approach | Alignment strategy |
|---|---|---|---|
| Marketing (Mailchimp, Marketo, HubSpot) | Send from dedicated subdomain | CNAME DKIM selector under your domain | Both SPF and DKIM align via subdomain |
| Transactional (SendGrid, Mailgun, SparkPost) | Send from dedicated subdomain | CNAME DKIM selector under your domain | Both SPF and DKIM align via subdomain |
| Sales engagement (Outreach, SalesLoft) | Send from main domain via integration to Google/Microsoft | Inherits Google/Microsoft DKIM | Alignment via the underlying mail host |
| CRM (Salesforce) | Use SPF include or dedicated subdomain | Configurable DKIM | Subdomain preferred; main domain works if SPF has headroom |
| Support (Zendesk, Freshdesk) | Dedicated subdomain (e.g., support.example.com) | CNAME DKIM under subdomain | Both align via subdomain |
| Billing (Intuit, FreshBooks) | Include required in SPF, or dedicated subdomain | Varies by platform | Subdomain preferred when supported |
The pattern is consistent: subdomain delegation is the scalable strategy. Vendors that require their own includes in your organizational SPF are increasingly exceptions rather than the rule. When evaluating new email-sending vendors, DMARC compliance should be in the procurement checklist alongside the usual feature requirements.
Aggregate reports and what they actually tell you
DMARC aggregate reports (the XML files sent to the rua= address) are the single most valuable data source for understanding a multi-domain program's health. They contain per-receiver summaries of every message the receiver processed from your domain: how many, from which sending IPs, SPF/DKIM/alignment results, and what action the receiver took.
What aggregate reports catch that nothing else does
- Unauthorized senders. If someone is spoofing your domain, their IPs appear in aggregate reports as failed-authentication sources. This is the single most important security benefit of reading reports.
- Forgotten legitimate senders. Services the IT team lost track of — an old CRM, a legacy billing system, a forgotten vendor integration — show up in aggregate reports. Each one needs to be either authorized (updated SPF, DKIM, or subdomain delegation) or decommissioned.
- Alignment failures on authorized senders. Vendors that are supposed to be configured correctly sometimes aren't. Aggregate reports reveal when alignment is broken even though the team thinks everything is set up.
- Forwarding patterns. Forwarded mail often breaks SPF but preserves DKIM. Aggregate reports show which forwarding patterns are healthy (DKIM alignment survives) and which are not.
- Receiver-specific behavior. Different receivers handle the same configuration slightly differently. Reports let you see how Gmail, Microsoft, and others are interpreting your mail.
Processing raw aggregate reports at scale
Raw DMARC XML is unreadable by hand. Every serious multi-domain program uses a processing service to ingest, parse, and visualize the aggregate data:
| Option | Model | Positioning |
|---|---|---|
| Dmarcian | SaaS with free tier | Popular mid-market choice; founded by original DMARC standards contributors |
| Agari | Enterprise SaaS | Enterprise focus; integrated with broader email security platform |
| ValiMail | Enterprise SaaS | Automated DMARC enforcement; focus on large programs |
| Return Path (Fraudguard) | Enterprise SaaS | Part of the Return Path deliverability suite; comprehensive but expensive |
| dmarcanalyzer.com | SaaS | Cost-effective for small/medium programs |
| Self-hosted (e.g., parsedmarc) | Open source | For teams comfortable running the parsing pipeline themselves |
The right choice depends on program scale and organizational appetite for operational work. For multi-domain programs of any material size, a commercial DMARC service is usually the right call — the time saved on parsing, visualization, and alerting outweighs the license cost. Self-hosting parsedmarc works fine for smaller programs but becomes operational overhead at scale. The broader ecosystem of complaint handling and feedback loops that complements DMARC reporting is covered in feedback loops and complaint handling for bulk senders.
The policy progression from none to reject
The purpose of DMARC is to move from monitoring (p=none) to enforcement (p=reject). Teams that stop at monitoring get the reporting benefits but not the protection benefits. The progression is the point.
p=none, set up aggregate reporting, and then never progress. Six months later they still have p=none, their domain is still spoofable, and the DMARC deployment is providing reporting without protection. The diagnostic: nobody on the team has a specific responsibility for progressing the policy. Assign that responsibility explicitly; progression happens on schedule.
The DHS BOD 18-01 moment
Last week, the US Department of Homeland Security issued Binding Operational Directive 18-01, requiring all US federal civilian executive branch agencies to adopt DMARC and progress to p=reject within twelve months. The directive is narrow in scope — it applies to federal agencies, not private enterprises — but it is moving the broader conversation about email authentication in ways that will affect every multi-domain program over the next year.
Three observations about the directive's significance:
- It establishes DMARC as an official security standard
- DMARC has been an IETF-published standard (RFC 7489) since 2015, but the DHS directive is the first time a major government is requiring its members to adopt it with hard deadlines. That shifts DMARC from "security best practice" to "regulatory expectation." Enterprise security teams will see it on audit checklists sooner than they expected.
- The twelve-month timeline is aggressive but achievable
- Agencies that already have DMARC monitoring in place can realistically reach
p=rejectwithin a year if they have operational discipline. Agencies starting from nothing will have a harder time, and some will miss the deadline. The timeline creates pressure that benefits DMARC tooling vendors; expect the tooling market to become more competitive over the coming year. - The ripple effect reaches private enterprises
- Any private company that sells to the federal government is implicitly on notice that DMARC is now part of the compliance landscape. Banks, healthcare, and regulated industries typically adopt government standards within eighteen months. Enterprises that haven't been prioritizing DMARC will find themselves behind in 2018.
For multi-domain programs specifically, the BOD 18-01 directive is useful ammunition when making the internal case for investment. "We should do this because it's a security best practice" is a softer argument than "we should do this because US federal agencies are being required to and the standard will land on us next." Both are true; the second one gets budget faster.
Auditing a multi-domain program quarterly
A multi-domain DMARC program needs quarterly maintenance. Configurations drift, vendors change, subdomains get added, and aggregate reports accumulate. Without a structured audit, programs decay even when they started healthy.
The quarterly checklist
| Area | Check | Why |
|---|---|---|
| SPF record count | Every sending domain still under 10 lookups | New vendors inflate lookup count; audit catches overruns |
| DKIM selectors | All active selectors resolve; stale selectors removed | Prevents DKIM validation failures when vendors rotate keys |
| DMARC policy | Policy hasn't silently regressed; alignment flags unchanged | Records get edited; audit verifies integrity |
| Subdomain inventory | Every subdomain sending mail is accounted for | Catches forgotten subdomains before they become incidents |
| Vendor compliance | Every vendor sending on your behalf still aligns | Vendors change infrastructure; alignment breaks without notice |
| Aggregate report volume | Reports are still flowing from all major receivers | If Gmail stops sending reports, something changed; investigate |
| Failed-authentication sources | No new unauthorized IPs appearing in reports | Catches spoofing attempts and forgotten services |
| Progression readiness | Any domain ready to move up a policy tier | Keeps the program progressing rather than stalling |
The audit takes a couple of hours per quarter for a program with ten or twenty domains. That time pays for itself many times over in prevented incidents — a program without the audit drifts into a state where nobody quite knows the current configuration, and the first sign of trouble is aggregate reports showing unauthenticated sending that should have been caught months earlier.
Frequently asked questions
Should every subdomain have its own DMARC record?
Usually no. The organizational domain's DMARC record, with a correctly-set sp= tag, covers most subdomains. Individual subdomain records are warranted only when a subdomain needs a different policy than the organizational default — typically during the progression, when some subdomains are ready for p=reject while others are still at p=none.
What if a vendor can't support DKIM alignment?
Two options. Use a subdomain for that vendor so SPF alignment handles the DMARC pass. Or, if the vendor is low-volume and both SPF and DKIM alignment will fail, accept that DMARC will fail for mail through this vendor and decide whether the impact matters. A vendor that can't do either is a vendor that should be replaced; this was true as of a year or two ago and is even more true now.
How do we handle mailing lists that break authentication?
Mailing lists often modify messages in ways that break both SPF (source IP changes) and DKIM (body modifications invalidate the signature). The practical workaround is that most list software rewrites the From header to the list's own domain, so DMARC is evaluated against the list's domain rather than the original sender. Modern list management tools handle this correctly; older or misconfigured ones produce DMARC failures for every list message.
What about forwarding?
Forwarding also breaks SPF because the forwarder's IP isn't authorized. DKIM usually survives forwarding if the forwarder doesn't modify the message. This is one reason DKIM alignment is more important than SPF alignment in practice — DKIM works in more real-world scenarios.
Is it worth setting up ruf= for forensic reports?
Usually not. Gmail and several other major receivers don't send forensic reports at all (privacy policy reasons). The reports that do arrive are limited. Skip ruf= unless you have a specific forensic need; focus on rua= aggregate reports.
How do we prove DMARC compliance to auditors?
Provide the DMARC records (publicly visible via DNS), aggregate report summaries from your DMARC processor showing authentication pass rates, and documentation of the progression journey (policy history, subdomain inventory, vendor alignments). Most DMARC processors export compliance-friendly reports; that's usually sufficient for audit purposes.
What happens if our aggregate report destination stops working?
Receivers keep trying for a while, then give up. If the receiving server sends bounces, some receivers may reduce reporting frequency. If aggregate reports stop arriving, first check the report destination's health, then verify the DMARC record is still published correctly, then investigate whether the receiver is having its own issues.
Closing perspective
Multi-domain DMARC is solvable. The specification is clear, the tooling is mature, and the organizations that have successfully reached p=reject across multiple domains are not exotic — they applied the discipline over six to twelve months, read their aggregate reports consistently, and progressed the policy when the reports justified advancing. Nothing in the path is secret; what's scarce is the organizational attention to actually do the work through to completion.
The BOD 18-01 announcement last week is the nudge that will move this from "something the security team has been advocating" to "something the business has to prioritize" for many organizations. Federal agencies have a year to reach p=reject. The private-sector mirror of that pressure — from auditors, insurers, procurement teams — will land within eighteen months. Teams that start the work now will be ahead when the pressure arrives. Teams that start when the pressure arrives will be behind.
The other pattern worth internalizing: the discipline is reading aggregate reports, not configuring records. Records are one-time work. Reports are ongoing work. The programs that reach p=reject successfully are the ones that built the habit of weekly report review early and kept it as the program expanded. The programs that stall at p=none built the records and never built the review habit. Technically, both are "doing DMARC." Operationally, only one is protecting the domain.
For organizations starting this work today, the honest sequencing: inventory your sending domains and vendors first. Publish DMARC records at p=none across all organizational domains. Set up a DMARC processor and start reading reports. Fix alignment issues one by one as they surface. Begin the progression on the domains that show clean reports the soonest; leave the complicated ones for later in the journey. And plan for twelve months; the timeline is what it is. The reason the work matters at all — the underlying sender-reputation model that filters use to decide who to trust — is covered in sender reputation fundamentals.