Email infrastructure for agencies running outbound on behalf of dozens of clients
Your clients are not your agency. Their domains, their lists, their content, their reputation — each one needs to live in its own lane. The 2024 Gmail/Yahoo bulk-sender mandate and the May 2025 Microsoft Outlook enforcement made that boundary technical, not just operational. We ship the per-client isolation primitives and the DMARC tooling so that one client's bad week doesn't crater the delivery rate for the other forty-seven.
Agencies used to sell deliverability as a soft service. Since 2024, it's a compliance discipline with hard rejection codes.
For most of the last fifteen years, the email infrastructure under an agency was an afterthought. You plugged your client lists into Mailchimp, Klaviyo, or HubSpot, you used the agency's own SendGrid account for transactional work, and "deliverability" meant occasionally cleaning a list or rewriting subject lines that smelled like spam. The receivers were tolerant. The mandate was vague. The agency made promises that were mostly true most of the time.
That world ended in February 2024 when Google and Yahoo's bulk-sender enforcement went live for any sender pushing 5,000+ messages per day to Gmail addresses. The transition wasn't gradual: 421 temporary deferrals in early 2024 turned into permanent 550 rejections by November 2025. Microsoft Outlook joined with their own rules effective May 5, 2025, returning 550 5.7.515 when a message fails the authentication bar. La Poste followed in September 2025 for the French market. Apple iCloud Mail is expected next, on the same playbook.
The technical floor under all of these mandates is the same: SPF, DKIM, and DMARC must be valid, aligned, and intentional; one-click unsubscribe must work for promotional traffic; spam complaint rate has to stay below 0.30% (with 0.10% as the working ceiling for stable senders). Gmail's October 2025 launch of Postmaster Tools v2 made the new bar explicit: the old reputation-score model (High / Medium / Low) was replaced with a binary Compliance Status: Pass / Fail. If you fail, your messages stop arriving — regardless of how clever your subject line was.
For agencies, this changed the job description. The shared sending infrastructure that worked when one bad list mostly hurt one client now compounds across the entire client book: every email sent under an agency's master domain is evaluated against the agency's aggregate reputation. One client uploads a purchased list. The agency's domain reputation drops. Forty-six other clients see their open rates collapse — and they call the account manager wondering what happened.
The agencies that have come out ahead in the post-2024 world are the ones that took client isolation seriously: separate sending domain per client, separate DKIM keys per client, dedicated IPs (or at least domain-isolated IP pools) per client, per-client DMARC monitoring with aggregate reports going back to the agency's deliverability team rather than the client's procurement inbox. The agencies that lost ground are the ones still running everything through "agency.com" with a shared subuser pool at SendGrid. The receivers don't reward effort; they reward the technical signal.
How much of your agency revenue is exposed when a single client's domain goes down?
Move the sliders to model your situation. The math takes the spam-fold drag on a shared-domain pool and compares it against the per-client isolated pattern. The output is the revenue exposure your agency carries when client N has a bad week.
Math: when a contaminated client takes the shared infrastructure down, you lose a fraction of every other client's effective deliverability for the recovery period. Loss factor: Shared = 75% of book exposed (most agencies stop renewing within 60 days of a deliverability incident), Domain-isolated = 15%, Full silo = 3% (only affected client). Source: agency churn data from the 2024 Setup Marketing Relationship Survey + our own incident logs.
The full silo pattern (dedicated IP + isolated domain per client) is the only configuration where one client's behaviour doesn't translate into agency-wide revenue risk. Domain isolation alone helps a lot. Shared infrastructure is now actively dangerous given how aggregate-reputation-based the 2026 receivers have become.
The three configurations agencies actually run, and where each one fits
There's no universal right answer. The pattern that works for a five-client boutique agency is wrong for a fifty-client managed-services firm. Here's how we think about the trade-offs.
Everyone sends through agency.com with sender identities
All client traffic goes out under the agency's master domain. Cheapest setup, weakest containment. Acceptable for very small books or short-engagement work.
- Best for
- 5-10 clients, low volume, short engagements
- Setup time
- A few hours
- Blast radius
- Entire client book
In 2026, this pattern only works when you trust every client's content and list hygiene completely. One purchased list from one client takes the whole book down. If your agency does any volume work, skip this entirely.
Each client sends from their own domain on a shared IP pool
Per-client subdomain (or full client domain) with isolated DKIM keys; IPs are shared across all clients in your agency pool. The dominant pattern in 2026 mature agencies.
- Best for
- 10-50 clients, mixed volume profiles
- Setup time
- ~2 weeks (DNS propagation)
- Blast radius
- IP-level only (~15% of book)
Domain reputation is mostly isolated, but IP reputation is still shared. When the 2024 receivers shifted toward domain-based signalling this pattern became much safer; before then it was riskier. Good for SMB-leaning books.
Dedicated IP per client + isolated domain + per-client DMARC
Every client gets their own dedicated IP (or pair), their own domain or subdomain, their own DKIM keys, and their own DMARC monitoring policy. The agency runs the operator desk; the client owns the reputation.
- Best for
- Enterprise client books, compliance-sensitive verticals
- Setup time
- ~3 weeks per client (IP warmup)
- Blast radius
- Single client only
Per-client cost is meaningful, so the math only works when retainers are €3,000+/month and the client values the isolation. Below that, agencies fold this into a "premium tier" they sell as a deliverability upgrade.
What your clients' inbox providers actually require in 2026
| Receiver | Enforcement live | Bulk threshold | Spam rate cap | Rejection code |
|---|---|---|---|---|
| Gmail | Feb 2024 (temp) → Nov 2025 (perm) | 5,000+ messages/day to Gmail addresses | 0.10% target / 0.30% hard cap | 421-4.7.26 (temp), 550 perm rejection. Postmaster Tools v2 binary Pass/Fail since Oct 2025 |
| Yahoo Apollo Global | Feb 2024 onwards | 5,000+ messages/day to Yahoo addresses | 0.10% target / 0.30% hard cap | Authentication failures bounce; spam rate violations trigger spam folder |
| Microsoft Outlook Outlook.com + Hotmail | May 5, 2025 | 5,000+ messages/day to MS consumer addresses | Below 0.30% threshold | 550 5.7.515 — "Access denied, sending domain does not meet the required authentication level" |
| La Poste orange.fr, laposte.net | Sept 2025 | Bulk sending into French consumer addresses | 0.30% (was 1% pre-2025) | Authentication failure → reject; rate violation → spam folder + temporary deferrals |
| Apple iCloud Mail @me.com, @icloud.com, @mac.com | Expected 2026-2027 | Threshold not yet published | Expected to match Gmail/Yahoo | Mail Privacy Protection already inflates open rates; bulk rules incoming |
| Comcast, Charter, ATT US ISP webmail | Variable, mostly FBL-based | No single threshold; reputation-driven | FBL complaint rates 0.30%+ trigger filtering | Soft bounces; rarely return informative codes |
Compliance details verified against Google Postmaster Tools v2 documentation (Oct 2025 launch), Yahoo Sender Hub guidelines, Microsoft New Outlook bulk sender requirements (effective May 5, 2025), and La Poste / Orange.fr postmaster notices. Apple iCloud bulk sender requirements not yet published but expected to mirror Gmail/Yahoo per industry signalling.
The pieces of the platform that sit underneath your client work
What we provide isn't a Mailchimp replacement. We don't have a campaign builder, we don't host your client's drag-and-drop templates, we don't do the strategic work of figuring out what to send. Those are your job, and the agencies we work with are already good at them. What we ship is everything underneath: the layer that makes the message actually arrive.
- Per-client domain provisioning For each client, we set up the sending domain (typically
mail.client-domain.comdelegated to us via CNAME), generate DKIM keys, configure the SPF includes, and publish a DMARC record atp=nonefor monitoring. The agency and the client both get DMARC aggregate reports. - DMARC enforcement progression After 30 days of monitoring at
p=noneto identify all legitimate sending sources, we move the policy top=quarantinefor another 30 days, and then top=reject. The current state of the ecosystem makesp=rejectthe only safe long-term posture — only 35% of Fortune 500 DMARC records reach that level, and that 35% is the cohort with reliable Gmail inbox placement. - IP pool architecture choice per client Default is the domain-isolated shared-pool pattern (most agencies). Premium clients can be moved to dedicated IPs in a separate pool, with proper IP warmup over 14-28 days against test traffic. Above 50,000 emails/day per client, dedicated IPs are no longer optional under AWS's own guidance (and our experience matches).
- Per-client complaint-rate monitoring FBL data from Yahoo, Hotmail, Microsoft 365, La Poste, and Comcast is ingested per allocated IP and attributed back to the originating client. When a client's complaint rate trends toward the 0.30% line, the agency's operator inbox gets a heads-up before Gmail Postmaster Tools v2 flips to Fail.
- Daily DNSBL sweeps Every allocated IP is checked against 50+ DNSBLs daily. Listings get remediated by us (the SBL ticket, the CSS request, the Spamhaus communication) without you having to learn that process. Spamhaus's June 2025 paper made the cold-email lists tighter, so this work has gotten more frequent and more delicate.
- One-click unsubscribe at the platform level
List-UnsubscribeandList-Unsubscribe-Post: List-Unsubscribe=One-Clickheaders are automatic on every promotional message. Honour requests within 48 hours as required. The 2024 mandate made this non-optional; we don't let you ship a message that lacks it. - Agency dashboard with cross-client view A single login for the agency's deliverability team shows per-client send volume, complaint rate, bounce rate, DMARC status, and DNSBL listings. Drill into a single client to see their detail. Export branded PDFs for the client's monthly review meeting. The dashboard is what the agency talks to; the client sees what the agency wants them to see.
How agency engagements typically size
SMTP Relay Pro · €749/mo
20 dedicated IPs, 5 sending domains. The configuration most agencies start with when graduating off SendGrid Subusers or Mailgun Subaccounts. Domain-isolation per client across the shared IP pool.
See SMTP RelayPowerMTA Pro · €1,499/mo
20 dedicated IPs, 150K msg/hr. Where most mid-size agencies settle. Pattern 2 across the SMB book with the option to upgrade specific clients to Pattern 3 (full silo) when retainer size justifies it. Per-client DMARC monitoring included.
See Managed PowerMTACustom · from €2,799/mo
PowerMTA Enterprise (30 IPs, 500K msg/hr) as a baseline; additional dedicated IPs and managed deliverability retainer included as the book grows. Most agencies at this scale add the Managed Deliverability retainer (€1,200/mo) so the operator team becomes an extension of theirs.
Open the sizing conversationWhat agencies ask before moving infrastructure
How does this fit with Mailchimp, Klaviyo, HubSpot, ActiveCampaign — the platforms our clients already use?
+
Two patterns. In the first, the client keeps their existing platform (Mailchimp, Klaviyo, etc.) and we sit underneath as the SMTP relay — the platform sends through us instead of through the platform's built-in shared infrastructure. The platform UI stays the same; what changes is which IPs and which domain the mail actually leaves on. This is the most common pattern when an existing client doesn't want to rebuild their campaign workflows.
In the second pattern, the agency builds their own thin layer on top of us (often using MailWizz, Mautic, or a custom React admin) and the client logs into the agency's branded platform instead of Mailchimp. Pricing favours this pattern past a certain scale because the platform fees compound, but it's a bigger build.
What does DMARC migration look like for a client who's at p=none for the last three years?
+
30 days of monitoring at p=none with aggregate reports collected and parsed (we run the parser, you get the readable summary) to identify every legitimate sending source for that client. Most clients have 2-4 sources that no one in the agency knew about: a forgotten Mailchimp instance from a previous agency, a CRM doing transactional sends, a HubSpot landing-page confirmation flow, the office 365 tenant. All of those need DKIM-aligned authentication before the policy can move forward.
Then 30 days at p=quarantine to confirm nothing legitimate is getting caught. Then p=reject. Total time: ~90 days for a clean migration. Faster if the client's infrastructure was already simple; sometimes 4-6 months if there are vendors who need to be replaced because they can't authenticate properly.
If we move a client over, do they keep their existing reputation?
+
Domain reputation moves with the domain (it's a property of the sending domain, not the infrastructure). IP reputation does not — moving to new IPs means going through the 14-28 day warmup. We typically run dual-send during the warmup: the existing platform handles maybe 80% of traffic while the new IPs ramp from 10% on day one to full capacity by day 21. By week 4, traffic is fully on our infrastructure and the old contract can be cancelled.
If the client's previous deliverability was poor (DMARC was at p=none with lots of failures, or they were on a shared IP pool with bad neighbours), the move often improves reputation rather than maintaining it. We've seen first-month inbox placement gains of 8-15 percentage points for clients who were on the worst of the shared-pool platforms.
What happens when a client gets nasty about deliverability problems they caused?
+
This is the conversation our reports are built to support. Per-client send logs, complaint rates by recipient domain, DMARC failure reports, FBL data, and DNSBL listings are all attributed back to the originating client. When a client claims "your deliverability is bad," you can show them their own complaint rate climbed past 0.30% three weeks ago because they uploaded a list from a conference badge scan. The data is yours; we just make sure it's collected and presentable.
For agencies, this is often the value that's hardest to communicate up front but most valuable in retention. The clients who were going to fire you because deliverability dropped will stay when they see the data showing it was their actions, not your competence.
Do we get a real human to call when something breaks?
+
Stockholm phone number, a Slack channel for the agency's deliverability lead, and a CC on the operator inbox. On critical incidents (multiple clients affected, Microsoft block, /24 listing), the on-call rotation responds within an hour during EU business hours; off-hours response is typically 2-3 hours for critical, longer for non-urgent. For agencies on the Managed Deliverability retainer (+€1,200/mo), the response and the relationship are tighter — there's a named deliverability engineer who's on your account.
What about GDPR and the agency-client-subprocessor chain?
+
Standard chain: the client is the controller, you (the agency) are the processor, we're the sub-processor. Our DPA is built for this pattern and includes the standard contractual clauses for any data movement (which is rare anyway — Stockholm primary, Frankfurt secondary, no transfer outside EU by default). For French and Spanish agencies, the chain works under the equivalent RGPD framing. For German agencies, the AVV per Art. 28 DSGVO is the canonical form.
Can we white-label this so the client never sees Authorize Hosting?
+
Yes. The sending hostnames, HELO, Received headers, FBL configuration, and rDNS PTRs all use your agency's branded hostname. The dashboard can be served on a subdomain you own (e.g. mail.your-agency.com) with your branding. The only places we appear are inside the legal documents at the bottom of the chain — typically not visible to the end client. Most agencies present us internally as "our deliverability infrastructure partner" and never name us to clients.
The migration conversation is the right starting point
Tell us how many clients, your current sending stack, how the volume distributes across the book, and what specifically broke in the last six months. We'll come back with an architecture proposal and a phased migration plan, not a contact-sales placeholder.