The authority layer
A multi-state regulated CPG retailer with 1.8 million contacts was carrying active reputation damage across a domain that couldn't reliably deliver. Before any campaign strategy mattered, the infrastructure underneath had to be made correct. This is what that rebuild looked like, and what got built on top of it once the foundation could hold.
A multi-state regulated CPG retailer: 1.8 million email contacts, physical storefronts across six states, owned eCommerce, and third-party marketplace presence. The product category carried federal restrictions that excluded the brand from mainstream marketing platforms.
Standard tools like Klaviyo, Mailchimp, and most major ESPs either blocked accounts outright or imposed terms that made compliant messaging impossible. Every campaign required specialized infrastructure: industry-specific CRM and SMS platforms with vetted carrier routing, state-by-state copy and offer adjustments, and compliance formatting that shifted with each market's regulatory window.
I came on as Email Marketing Manager and was promoted to Sr. Digital Marketing Manager as the scope expanded. The operation ran email, SMS, display, out-of-home, eCommerce, and social simultaneously. B2B and B2C email programs shared the same domain. The loyalty program ran through an industry-specific CRM; SMS deployed daily through a specialized compliant messaging platform. A headless CMS handled content across brand properties.
The core problem was twofold. First, the domain had active reputation issues that needed triage before anything else could be built. Second, the marketing operation was underbuilt: segmentation was limited to state and engagement level, and lifecycle automation was nonexistent. The list was 1.8 million contacts large and underworked. But none of the optimization mattered until the domain could reliably reach the inbox.
The domain had reputation issues that were actively degrading inbox placement. At 1.8 million contacts across six states, with B2B and B2C sharing the same sending domain, reputation damage on any single stream affected every message the organization sent.
This was not a problem that could wait for a ramp period. It was the problem that determined whether anything else I built would land. The root causes were operational, not exotic:
A 1.8M-contact list without streamlined hygiene was carrying invalid addresses, disengaged contacts, and potential spam-trap exposure. Bounce rates were running in the 5–10% range. At Gmail and Microsoft, engagement-based filtering means a dirty list poisons the sender score regardless of content quality.
Sending-infrastructure best practices around IP handling had been disregarded. The domain was appearing on blacklists, requiring direct remediation through MXToolbox.
DMARC was present but hadn't been updated since the last ESP/CRM migration. The organization was mid-transition between two industry-specific CRMs, a slow and complicated migration that left the authentication records pointing at infrastructure that was no longer the primary sending path. SPF and DKIM alignment gaps across old and new platforms meant a portion of legitimate mail was failing authentication silently.
Authentication and reputation posture had no ongoing visibility. I implemented EasyDMARC for continuous DMARC, SPF, and DKIM monitoring, so configuration drift and alignment failures surfaced in real time rather than showing up as unexplained placement drops weeks later.
The multi-pronged approach cleared the issues within the first 30 days.
The audience genuinely wanted the content, so complaint rates weren't the primary driver; the damage was coming from infrastructure neglect. Once the domain's reputation posture was clean, everything that followed had a foundation that could actually deliver: the segmentation rebuild, the loyalty program, the geo-targeted campaigns.
1.8 million contacts receiving campaigns across a Monday-through-Thursday deployment schedule around 7:00–7:30 AM, with Friday reserved for reminder nudges. Every send was state-specific: promotional offers, compliance language, and product availability shifted by market. This wasn't a national blast cadence. It was six parallel programs running under one calendar.
Because the category is federally restricted, major carriers treat it as prohibited content. Unregistered sending faces immediate, permanent network suspension. Compliant SMS required A2P 10DLC registration through specialized platforms with vetted routing and structured formatting that satisfied per-carrier traffic thresholds. One-to-one disclosures and prior express written consent were baseline, not optional.
Purchase recency and frequency, product category and format preference, brand affinity, loyalty tier and point status, geographic market down to city and neighborhood level, and VIP / high-value customer flags.
Points accrual, tier movement, behavioral triggers on purchase patterns, double and triple point promotions, referral incentives, birthday offers, and automated lifecycle flows that moved members through the program without manual sends.
Separate from the main promotional calendar. Abandoned-cart flows were rebuilt after GA4 audits surfaced leaky conversion paths and buyer-intent signals the existing automation wasn't capturing.
Reporting ran on monthly GA4 audits and KPI reviews alongside an external analytics partner. I presented performance to leadership including C-level: open rate, click rate, CTR, CTOR, conversion rate, opt-in/opt-out rates, promo and points redemption, and spam/bounce rates on the engagement side; AOV, ROAS, first-time basket size, and customer acquisition cost on the revenue side.
The growth wasn't a signup-form exercise. It was a multi-channel acquisition and retention system built on behavioral automation.
Acquisition. 200K+ new opt-ins came from landing-page form captures, in-store promotional incentive campaigns with point-of-sale enrollment, in-store third-party digital signage (retail media networks), eCommerce checkout opt-in, and display. The 35X ROI came from channel-specific targeting, not blanket spend.
Retention and loyalty. The loyalty list grew 25% (+40K net-new members) over six months. The mechanism was lifecycle automation built on behavioral segmentation: purchase recency, frequency, category affinity, and loyalty tier determined which offers a member received and when. Double and triple point promotions, referral incentives, and birthday offers were triggered by behavior, not scheduled on a calendar. The 40K members weren't collected; they were earned through campaigns that rewarded repeat engagement.
Performance lifts. Email CTR increased 20% in one quarter through geo-targeted A/B testing tied to store-level promotional positioning. eCommerce conversions lifted 2.5% in the same quarter. The gains came from relevance, matching the offer to the customer's purchase history and local market, not from subject-line testing or send-time optimization alone.
A high-profile culinary collaboration launched across email, web, and social. The campaign segmented by five axes: geographic market, purchase history, brand preference, category preference, and loyalty status.
A product launch with a recognizable name attached could have been blasted to the full 1.8M-contact list. Instead, it was targeted so the highest-intent audience in the relevant markets saw it first.
The sellout validated the targeting model, not the celebrity attachment.
The same segmentation architecture that ran the weekly promotional calendar was applied at its sharpest to a single high-visibility moment, and the returns proved the system worked under pressure. See the campaign creative and segmentation detail →
An email operation running 1.8 million sends per week across six states from multiple platforms has authentication requirements most marketers never think about and most sysadmins never see the business side of.
Every platform that sends on behalf of the domain needs its own place in the authentication stack. The CRM, the SMS platform's email component, the eCommerce transactional system, the third-party marketplaces: each is a sending source, and each needs SPF authorization, a DKIM signing key, and DMARC alignment. Miss one, and that stream fails authentication. At this volume, a single misconfigured platform doesn't just lose a few messages; it degrades domain reputation across every stream, because B2B and B2C share the same domain and the same reputation score.
Every include: mechanism counts toward the 10-DNS-lookup limit (RFC 7208). Three or four platforms can approach the ceiling before adding monitoring or transactional services. Exceed it and SPF returns a PermError: every message from every platform fails, silently, with no inbox-side notice.
A signed selector per sending platform. Each generates its own key pair, published in DNS and actively signing. A missing selector means that platform can't achieve alignment. Key strength matters: 1024-bit passes, but 2048-bit is the current recommendation, and rotating across a multi-platform operation means coordinating every vendor.
At enforcement (p=quarantine or p=reject) the domain is protected from spoofing, which matters more in a regulated industry, where impersonation creates compliance exposure, not just brand damage.
Enforcement without aggregate reporting (rua=) is a blind policy: rejecting mail with no visibility into which legitimate senders are failing alignment. In a multi-platform operation, that's how a forgotten vendor silently loses mail for months.
None of the segmentation, the behavioral automation, or the loyalty mechanics matter if the domain can't pass basic authentication. A 2M-contact list sending 1.8M messages a week through multiple platforms only works when the infrastructure underneath is correct. The auditor exists to verify that foundation, in plain language, for the people responsible for what gets built on top of it.
Run the authentication audit