Back to the auditor
CS·01Case study: Authentication & infrastructure buildout

The authority layer

The domain couldn't reach the inbox. First we fixed that.

A multi-state regulated CPG retailer with 1.8 million contacts was carrying active reputation damage across a domain that couldn't reliably deliver. Before any campaign strategy mattered, the infrastructure underneath had to be made correct. This is what that rebuild looked like, and what got built on top of it once the foundation could hold.

Sector: Multi-state regulated CPG Scale: 1.8M → 2M+ contacts Role: Email Mgr → Sr. Digital Mktg Mgr Identity: Anonymized · metrics verified
~1%
Bounce rate after cleanup, down from 5–10%
30days
To clear the reputation issues
2M+
Contacts, grown from 1.8M in six months
35X
ROI on acquisition campaigns
01The situation

An underworked list on a domain that couldn't deliver

A multi-state regulated CPG retailer: 1.8 million email contacts, physical storefronts across six states, owned eCommerce, and third-party marketplace presence. The product category carried federal restrictions that excluded the brand from mainstream marketing platforms.

Standard tools like Klaviyo, Mailchimp, and most major ESPs either blocked accounts outright or imposed terms that made compliant messaging impossible. Every campaign required specialized infrastructure: industry-specific CRM and SMS platforms with vetted carrier routing, state-by-state copy and offer adjustments, and compliance formatting that shifted with each market's regulatory window.

I came on as Email Marketing Manager and was promoted to Sr. Digital Marketing Manager as the scope expanded. The operation ran email, SMS, display, out-of-home, eCommerce, and social simultaneously. B2B and B2C email programs shared the same domain. The loyalty program ran through an industry-specific CRM; SMS deployed daily through a specialized compliant messaging platform. A headless CMS handled content across brand properties.

The core problem was twofold. First, the domain had active reputation issues that needed triage before anything else could be built. Second, the marketing operation was underbuilt: segmentation was limited to state and engagement level, and lifecycle automation was nonexistent. The list was 1.8 million contacts large and underworked. But none of the optimization mattered until the domain could reliably reach the inbox.

02Day one: Domain reputation

The first priority wasn't strategy. It was deliverability.

The domain had reputation issues that were actively degrading inbox placement. At 1.8 million contacts across six states, with B2B and B2C sharing the same sending domain, reputation damage on any single stream affected every message the organization sent.

This was not a problem that could wait for a ramp period. It was the problem that determined whether anything else I built would land. The root causes were operational, not exotic:

The multi-pronged approach cleared the issues within the first 30 days.

Bounce rate, before cleanup
5–10%
Infrastructure neglect, not disengagement
Bounce rate, after 30 days
~1%
Clean reputation posture restored

The audience genuinely wanted the content, so complaint rates weren't the primary driver; the damage was coming from infrastructure neglect. Once the domain's reputation posture was clean, everything that followed had a foundation that could actually deliver: the segmentation rebuild, the loyalty program, the geo-targeted campaigns.

03The operation

Six parallel programs under one calendar

1.8 million contacts receiving campaigns across a Monday-through-Thursday deployment schedule around 7:00–7:30 AM, with Friday reserved for reminder nudges. Every send was state-specific: promotional offers, compliance language, and product availability shifted by market. This wasn't a national blast cadence. It was six parallel programs running under one calendar.

SMS · daily

Compliant messaging under carrier constraints

Because the category is federally restricted, major carriers treat it as prohibited content. Unregistered sending faces immediate, permanent network suspension. Compliant SMS required A2P 10DLC registration through specialized platforms with vetted routing and structured formatting that satisfied per-carrier traffic thresholds. One-to-one disclosures and prior express written consent were baseline, not optional.

Segmentation

Granular and behavioral, not demographic

Purchase recency and frequency, product category and format preference, brand affinity, loyalty tier and point status, geographic market down to city and neighborhood level, and VIP / high-value customer flags.

Loyalty

Managed through the CRM platform

Points accrual, tier movement, behavioral triggers on purchase patterns, double and triple point promotions, referral incentives, birthday offers, and automated lifecycle flows that moved members through the program without manual sends.

Re-engagement

Winback on 60/90-day cadences

Separate from the main promotional calendar. Abandoned-cart flows were rebuilt after GA4 audits surfaced leaky conversion paths and buyer-intent signals the existing automation wasn't capturing.

Reporting ran on monthly GA4 audits and KPI reviews alongside an external analytics partner. I presented performance to leadership including C-level: open rate, click rate, CTR, CTOR, conversion rate, opt-in/opt-out rates, promo and points redemption, and spam/bounce rates on the engagement side; AOV, ROAS, first-time basket size, and customer acquisition cost on the revenue side.

04The growth engine

1.8M to 2M+ contacts in six months

The growth wasn't a signup-form exercise. It was a multi-channel acquisition and retention system built on behavioral automation.

200K+
New opt-ins in under three months
+25%
Loyalty list growth (+40K net-new members) over six months
35X
ROI on acquisition campaigns

Acquisition. 200K+ new opt-ins came from landing-page form captures, in-store promotional incentive campaigns with point-of-sale enrollment, in-store third-party digital signage (retail media networks), eCommerce checkout opt-in, and display. The 35X ROI came from channel-specific targeting, not blanket spend.

Retention and loyalty. The loyalty list grew 25% (+40K net-new members) over six months. The mechanism was lifecycle automation built on behavioral segmentation: purchase recency, frequency, category affinity, and loyalty tier determined which offers a member received and when. Double and triple point promotions, referral incentives, and birthday offers were triggered by behavior, not scheduled on a calendar. The 40K members weren't collected; they were earned through campaigns that rewarded repeat engagement.

Performance lifts. Email CTR increased 20% in one quarter through geo-targeted A/B testing tied to store-level promotional positioning. eCommerce conversions lifted 2.5% in the same quarter. The gains came from relevance, matching the offer to the customer's purchase history and local market, not from subject-line testing or send-time optimization alone.

05The flagship

A high-profile launch, targeted instead of blasted

A high-profile culinary collaboration launched across email, web, and social. The campaign segmented by five axes: geographic market, purchase history, brand preference, category preference, and loyalty status.

A product launch with a recognizable name attached could have been blasted to the full 1.8M-contact list. Instead, it was targeted so the highest-intent audience in the relevant markets saw it first.

15%+
In-store sales lift
60%+
eCommerce conversion spike (month-over-month)
24 hrs
Full product sellout

The sellout validated the targeting model, not the celebrity attachment.

The same segmentation architecture that ran the weekly promotional calendar was applied at its sharpest to a single high-visibility moment, and the returns proved the system worked under pressure. See the campaign creative and segmentation detail →

06The infrastructure layer

The layer the auditor checks, at enterprise scale

An email operation running 1.8 million sends per week across six states from multiple platforms has authentication requirements most marketers never think about and most sysadmins never see the business side of.

Every platform that sends on behalf of the domain needs its own place in the authentication stack. The CRM, the SMS platform's email component, the eCommerce transactional system, the third-party marketplaces: each is a sending source, and each needs SPF authorization, a DKIM signing key, and DMARC alignment. Miss one, and that stream fails authentication. At this volume, a single misconfigured platform doesn't just lose a few messages; it degrades domain reputation across every stream, because B2B and B2C share the same domain and the same reputation score.

SPF

Every include: mechanism counts toward the 10-DNS-lookup limit (RFC 7208). Three or four platforms can approach the ceiling before adding monitoring or transactional services. Exceed it and SPF returns a PermError: every message from every platform fails, silently, with no inbox-side notice.

DKIM

A signed selector per sending platform. Each generates its own key pair, published in DNS and actively signing. A missing selector means that platform can't achieve alignment. Key strength matters: 1024-bit passes, but 2048-bit is the current recommendation, and rotating across a multi-platform operation means coordinating every vendor.

DMARC

At enforcement (p=quarantine or p=reject) the domain is protected from spoofing, which matters more in a regulated industry, where impersonation creates compliance exposure, not just brand damage.

Reporting

Enforcement without aggregate reporting (rua=) is a blind policy: rejecting mail with no visibility into which legitimate senders are failing alignment. In a multi-platform operation, that's how a forgotten vendor silently loses mail for months.

Why this tool exists

None of the segmentation, the behavioral automation, or the loyalty mechanics matter if the domain can't pass basic authentication. A 2M-contact list sending 1.8M messages a week through multiple platforms only works when the infrastructure underneath is correct. The auditor exists to verify that foundation, in plain language, for the people responsible for what gets built on top of it.

Run the authentication audit