23 years from Stockholm
Solutions · Marketing and digital agencies

Email infrastructure for agencies running outbound on behalf of dozens of clients

Your clients are not your agency. Their domains, their lists, their content, their reputation — each one needs to live in its own lane. The 2024 Gmail/Yahoo bulk-sender mandate and the May 2025 Microsoft Outlook enforcement made that boundary technical, not just operational. We ship the per-client isolation primitives and the DMARC tooling so that one client's bad week doesn't crater the delivery rate for the other forty-seven.

What changed for agencies

Agencies used to sell deliverability as a soft service. Since 2024, it's a compliance discipline with hard rejection codes.

For most of the last fifteen years, the email infrastructure under an agency was an afterthought. You plugged your client lists into Mailchimp, Klaviyo, or HubSpot, you used the agency's own SendGrid account for transactional work, and "deliverability" meant occasionally cleaning a list or rewriting subject lines that smelled like spam. The receivers were tolerant. The mandate was vague. The agency made promises that were mostly true most of the time.

That world ended in February 2024 when Google and Yahoo's bulk-sender enforcement went live for any sender pushing 5,000+ messages per day to Gmail addresses. The transition wasn't gradual: 421 temporary deferrals in early 2024 turned into permanent 550 rejections by November 2025. Microsoft Outlook joined with their own rules effective May 5, 2025, returning 550 5.7.515 when a message fails the authentication bar. La Poste followed in September 2025 for the French market. Apple iCloud Mail is expected next, on the same playbook.

The technical floor under all of these mandates is the same: SPF, DKIM, and DMARC must be valid, aligned, and intentional; one-click unsubscribe must work for promotional traffic; spam complaint rate has to stay below 0.30% (with 0.10% as the working ceiling for stable senders). Gmail's October 2025 launch of Postmaster Tools v2 made the new bar explicit: the old reputation-score model (High / Medium / Low) was replaced with a binary Compliance Status: Pass / Fail. If you fail, your messages stop arriving — regardless of how clever your subject line was.

For agencies, this changed the job description. The shared sending infrastructure that worked when one bad list mostly hurt one client now compounds across the entire client book: every email sent under an agency's master domain is evaluated against the agency's aggregate reputation. One client uploads a purchased list. The agency's domain reputation drops. Forty-six other clients see their open rates collapse — and they call the account manager wondering what happened.

The agencies that have come out ahead in the post-2024 world are the ones that took client isolation seriously: separate sending domain per client, separate DKIM keys per client, dedicated IPs (or at least domain-isolated IP pools) per client, per-client DMARC monitoring with aggregate reports going back to the agency's deliverability team rather than the client's procurement inbox. The agencies that lost ground are the ones still running everything through "agency.com" with a shared subuser pool at SendGrid. The receivers don't reward effort; they reward the technical signal.

Client-portfolio contagion

How much of your agency revenue is exposed when a single client's domain goes down?

Move the sliders to model your situation. The math takes the spam-fold drag on a shared-domain pool and compares it against the per-client isolated pattern. The output is the revenue exposure your agency carries when client N has a bad week.

5200
€800 (SMB)€25K (enterprise)
7 d (fast)90 d (worst case)
SharedDomain-isolatedFull silo

Math: when a contaminated client takes the shared infrastructure down, you lose a fraction of every other client's effective deliverability for the recovery period. Loss factor: Shared = 75% of book exposed (most agencies stop renewing within 60 days of a deliverability incident), Domain-isolated = 15%, Full silo = 3% (only affected client). Source: agency churn data from the 2024 Setup Marketing Relationship Survey + our own incident logs.

Revenue exposure
€110K
75% of monthly book at risk
Monthly book value €157,500
Clients exposed 35 of 35
Recovery window 28 days
Loss factor 75%

The full silo pattern (dedicated IP + isolated domain per client) is the only configuration where one client's behaviour doesn't translate into agency-wide revenue risk. Domain isolation alone helps a lot. Shared infrastructure is now actively dangerous given how aggregate-reputation-based the 2026 receivers have become.

Three isolation patterns

The three configurations agencies actually run, and where each one fits

There's no universal right answer. The pattern that works for a five-client boutique agency is wrong for a fifty-client managed-services firm. Here's how we think about the trade-offs.

Pattern 1 — Shared agency domain

Everyone sends through agency.com with sender identities

All client traffic goes out under the agency's master domain. Cheapest setup, weakest containment. Acceptable for very small books or short-engagement work.

Best for
5-10 clients, low volume, short engagements
Setup time
A few hours
Blast radius
Entire client book
Honest trade-off

In 2026, this pattern only works when you trust every client's content and list hygiene completely. One purchased list from one client takes the whole book down. If your agency does any volume work, skip this entirely.

Pattern 2 — Domain-isolated, shared IPs

Each client sends from their own domain on a shared IP pool

Per-client subdomain (or full client domain) with isolated DKIM keys; IPs are shared across all clients in your agency pool. The dominant pattern in 2026 mature agencies.

Best for
10-50 clients, mixed volume profiles
Setup time
~2 weeks (DNS propagation)
Blast radius
IP-level only (~15% of book)
Honest trade-off

Domain reputation is mostly isolated, but IP reputation is still shared. When the 2024 receivers shifted toward domain-based signalling this pattern became much safer; before then it was riskier. Good for SMB-leaning books.

Pattern 3 — Full silo

Dedicated IP per client + isolated domain + per-client DMARC

Every client gets their own dedicated IP (or pair), their own domain or subdomain, their own DKIM keys, and their own DMARC monitoring policy. The agency runs the operator desk; the client owns the reputation.

Best for
Enterprise client books, compliance-sensitive verticals
Setup time
~3 weeks per client (IP warmup)
Blast radius
Single client only
Honest trade-off

Per-client cost is meaningful, so the math only works when retainers are €3,000+/month and the client values the isolation. Below that, agencies fold this into a "premium tier" they sell as a deliverability upgrade.

The compliance bar by receiver

What your clients' inbox providers actually require in 2026

Receiver Enforcement live Bulk threshold Spam rate cap Rejection code
Gmail
Google
Feb 2024 (temp) → Nov 2025 (perm) 5,000+ messages/day to Gmail addresses 0.10% target / 0.30% hard cap 421-4.7.26 (temp), 550 perm rejection. Postmaster Tools v2 binary Pass/Fail since Oct 2025
Yahoo
Apollo Global
Feb 2024 onwards 5,000+ messages/day to Yahoo addresses 0.10% target / 0.30% hard cap Authentication failures bounce; spam rate violations trigger spam folder
Microsoft Outlook
Outlook.com + Hotmail
May 5, 2025 5,000+ messages/day to MS consumer addresses Below 0.30% threshold 550 5.7.515 — "Access denied, sending domain does not meet the required authentication level"
La Poste
orange.fr, laposte.net
Sept 2025 Bulk sending into French consumer addresses 0.30% (was 1% pre-2025) Authentication failure → reject; rate violation → spam folder + temporary deferrals
Apple iCloud Mail
@me.com, @icloud.com, @mac.com
Expected 2026-2027 Threshold not yet published Expected to match Gmail/Yahoo Mail Privacy Protection already inflates open rates; bulk rules incoming
Comcast, Charter, ATT
US ISP webmail
Variable, mostly FBL-based No single threshold; reputation-driven FBL complaint rates 0.30%+ trigger filtering Soft bounces; rarely return informative codes

Compliance details verified against Google Postmaster Tools v2 documentation (Oct 2025 launch), Yahoo Sender Hub guidelines, Microsoft New Outlook bulk sender requirements (effective May 5, 2025), and La Poste / Orange.fr postmaster notices. Apple iCloud bulk sender requirements not yet published but expected to mirror Gmail/Yahoo per industry signalling.

What we ship for an agency engagement

The pieces of the platform that sit underneath your client work

What we provide isn't a Mailchimp replacement. We don't have a campaign builder, we don't host your client's drag-and-drop templates, we don't do the strategic work of figuring out what to send. Those are your job, and the agencies we work with are already good at them. What we ship is everything underneath: the layer that makes the message actually arrive.

  • Per-client domain provisioning For each client, we set up the sending domain (typically mail.client-domain.com delegated to us via CNAME), generate DKIM keys, configure the SPF includes, and publish a DMARC record at p=none for monitoring. The agency and the client both get DMARC aggregate reports.
  • DMARC enforcement progression After 30 days of monitoring at p=none to identify all legitimate sending sources, we move the policy to p=quarantine for another 30 days, and then to p=reject. The current state of the ecosystem makes p=reject the only safe long-term posture — only 35% of Fortune 500 DMARC records reach that level, and that 35% is the cohort with reliable Gmail inbox placement.
  • IP pool architecture choice per client Default is the domain-isolated shared-pool pattern (most agencies). Premium clients can be moved to dedicated IPs in a separate pool, with proper IP warmup over 14-28 days against test traffic. Above 50,000 emails/day per client, dedicated IPs are no longer optional under AWS's own guidance (and our experience matches).
  • Per-client complaint-rate monitoring FBL data from Yahoo, Hotmail, Microsoft 365, La Poste, and Comcast is ingested per allocated IP and attributed back to the originating client. When a client's complaint rate trends toward the 0.30% line, the agency's operator inbox gets a heads-up before Gmail Postmaster Tools v2 flips to Fail.
  • Daily DNSBL sweeps Every allocated IP is checked against 50+ DNSBLs daily. Listings get remediated by us (the SBL ticket, the CSS request, the Spamhaus communication) without you having to learn that process. Spamhaus's June 2025 paper made the cold-email lists tighter, so this work has gotten more frequent and more delicate.
  • One-click unsubscribe at the platform level List-Unsubscribe and List-Unsubscribe-Post: List-Unsubscribe=One-Click headers are automatic on every promotional message. Honour requests within 48 hours as required. The 2024 mandate made this non-optional; we don't let you ship a message that lacks it.
  • Agency dashboard with cross-client view A single login for the agency's deliverability team shows per-client send volume, complaint rate, bounce rate, DMARC status, and DNSBL listings. Drill into a single client to see their detail. Export branded PDFs for the client's monthly review meeting. The dashboard is what the agency talks to; the client sees what the agency wants them to see.
Pricing scenarios

How agency engagements typically size

10-25 clients · SMB book

SMTP Relay Pro · €749/mo

20 dedicated IPs, 5 sending domains. The configuration most agencies start with when graduating off SendGrid Subusers or Mailgun Subaccounts. Domain-isolation per client across the shared IP pool.

See SMTP Relay
25-75 clients · mixed book · Most common

PowerMTA Pro · €1,499/mo

20 dedicated IPs, 150K msg/hr. Where most mid-size agencies settle. Pattern 2 across the SMB book with the option to upgrade specific clients to Pattern 3 (full silo) when retainer size justifies it. Per-client DMARC monitoring included.

See Managed PowerMTA
75+ clients · enterprise book

Custom · from €2,799/mo

PowerMTA Enterprise (30 IPs, 500K msg/hr) as a baseline; additional dedicated IPs and managed deliverability retainer included as the book grows. Most agencies at this scale add the Managed Deliverability retainer (€1,200/mo) so the operator team becomes an extension of theirs.

Open the sizing conversation
Common questions before signing

What agencies ask before moving infrastructure

How does this fit with Mailchimp, Klaviyo, HubSpot, ActiveCampaign — the platforms our clients already use?

+

Two patterns. In the first, the client keeps their existing platform (Mailchimp, Klaviyo, etc.) and we sit underneath as the SMTP relay — the platform sends through us instead of through the platform's built-in shared infrastructure. The platform UI stays the same; what changes is which IPs and which domain the mail actually leaves on. This is the most common pattern when an existing client doesn't want to rebuild their campaign workflows.

In the second pattern, the agency builds their own thin layer on top of us (often using MailWizz, Mautic, or a custom React admin) and the client logs into the agency's branded platform instead of Mailchimp. Pricing favours this pattern past a certain scale because the platform fees compound, but it's a bigger build.

What does DMARC migration look like for a client who's at p=none for the last three years?

+

30 days of monitoring at p=none with aggregate reports collected and parsed (we run the parser, you get the readable summary) to identify every legitimate sending source for that client. Most clients have 2-4 sources that no one in the agency knew about: a forgotten Mailchimp instance from a previous agency, a CRM doing transactional sends, a HubSpot landing-page confirmation flow, the office 365 tenant. All of those need DKIM-aligned authentication before the policy can move forward.

Then 30 days at p=quarantine to confirm nothing legitimate is getting caught. Then p=reject. Total time: ~90 days for a clean migration. Faster if the client's infrastructure was already simple; sometimes 4-6 months if there are vendors who need to be replaced because they can't authenticate properly.

If we move a client over, do they keep their existing reputation?

+

Domain reputation moves with the domain (it's a property of the sending domain, not the infrastructure). IP reputation does not — moving to new IPs means going through the 14-28 day warmup. We typically run dual-send during the warmup: the existing platform handles maybe 80% of traffic while the new IPs ramp from 10% on day one to full capacity by day 21. By week 4, traffic is fully on our infrastructure and the old contract can be cancelled.

If the client's previous deliverability was poor (DMARC was at p=none with lots of failures, or they were on a shared IP pool with bad neighbours), the move often improves reputation rather than maintaining it. We've seen first-month inbox placement gains of 8-15 percentage points for clients who were on the worst of the shared-pool platforms.

What happens when a client gets nasty about deliverability problems they caused?

+

This is the conversation our reports are built to support. Per-client send logs, complaint rates by recipient domain, DMARC failure reports, FBL data, and DNSBL listings are all attributed back to the originating client. When a client claims "your deliverability is bad," you can show them their own complaint rate climbed past 0.30% three weeks ago because they uploaded a list from a conference badge scan. The data is yours; we just make sure it's collected and presentable.

For agencies, this is often the value that's hardest to communicate up front but most valuable in retention. The clients who were going to fire you because deliverability dropped will stay when they see the data showing it was their actions, not your competence.

Do we get a real human to call when something breaks?

+

Stockholm phone number, a Slack channel for the agency's deliverability lead, and a CC on the operator inbox. On critical incidents (multiple clients affected, Microsoft block, /24 listing), the on-call rotation responds within an hour during EU business hours; off-hours response is typically 2-3 hours for critical, longer for non-urgent. For agencies on the Managed Deliverability retainer (+€1,200/mo), the response and the relationship are tighter — there's a named deliverability engineer who's on your account.

What about GDPR and the agency-client-subprocessor chain?

+

Standard chain: the client is the controller, you (the agency) are the processor, we're the sub-processor. Our DPA is built for this pattern and includes the standard contractual clauses for any data movement (which is rare anyway — Stockholm primary, Frankfurt secondary, no transfer outside EU by default). For French and Spanish agencies, the chain works under the equivalent RGPD framing. For German agencies, the AVV per Art. 28 DSGVO is the canonical form.

Can we white-label this so the client never sees Authorize Hosting?

+

Yes. The sending hostnames, HELO, Received headers, FBL configuration, and rDNS PTRs all use your agency's branded hostname. The dashboard can be served on a subdomain you own (e.g. mail.your-agency.com) with your branding. The only places we appear are inside the legal documents at the bottom of the chain — typically not visible to the end client. Most agencies present us internally as "our deliverability infrastructure partner" and never name us to clients.

The migration conversation is the right starting point

Tell us how many clients, your current sending stack, how the volume distributes across the book, and what specifically broke in the last six months. We'll come back with an architecture proposal and a phased migration plan, not a contact-sales placeholder.