Email Setup · SMTP, SPF, DKIM, DMARC

Email that actually reaches the inbox.

The records, relays, and routing that turn sent into received. We configure the authentication layer that mailbox providers now treat as the price of entry — and we keep watching it after the launch screenshot, because deliverability drifts.

Get a free SEO report See what’s included
Sub-techniques covered · Google Workspace · Microsoft 365 · Tencent Exmail · Alibaba DirectMail · SMTP2GO · SPF · DKIM · DMARC · Mail Routing
01 — What’s Included

Six layers of email,
one deliverable stack.

Email is no longer a single product you switch on. It is at least three jobs running in parallel — domain mailboxes, transactional sends, and authentication records — that all have to agree on who is allowed to send on your behalf.

We set the whole stack up correctly the first time, and we monitor it afterwards because mailbox-provider rules tighten quietly and what worked last quarter does not always work this one.

N° 01

Domain Email — Google Workspace & Microsoft 365

Mailboxes

Provisioning and migrating the day-to-day mailboxes your team works from. We set up Google Workspace or Microsoft 365 from scratch, migrate from cPanel webmail or a previous provider without losing folders or aliases, configure shared mailboxes and groups, set up MX records and the platform’s own SPF and DKIM publishers, and lock down the security defaults that the setup wizard quietly leaves loose. For teams already on a platform, we audit the configuration, surface the misconfigurations, and document the result so it can be handed to anyone.

N° 02

Transactional Email — SMTP2GO, Mailgun, Postmark

Application sends

The email that comes out of your website, your CRM, your booking system, and your invoicing tool — order confirmations, password resets, contact-form notifications, receipts. These should never go through a mailbox provider, and they should not share a sending reputation with your marketing campaigns. We configure a dedicated transactional relay — typically SMTP2GO, Mailgun, or Postmark — wire it into WordPress via WP Mail SMTP, register the sending domain, and prove out delivery to Gmail, Outlook, Yahoo, and the major Chinese mailbox providers before we hand the keys back.

N° 03

CN-Market Email — Tencent Exmail & Alibaba DirectMail

China deliverability

Sending from a Western relay into Chinese inboxes is a slow exercise in disappointment. For clients with mainland customers we configure 腾讯企业邮 (Tencent Exmail) for domain mail and Alibaba Cloud DirectMail for transactional traffic — including the gotcha that quietly breaks most first attempts: the SMTP login is not your mailbox password, it is a separately generated 客户端专用密码 (client-specific password). We choose between the 国内 (mainland) and 海外 (overseas) endpoints based on where your servers actually live, set the DNS authentication, and verify delivery into QQ Mail, 163, and Foxmail.

N° 04

SPF, DKIM, DMARC — DNS Authentication

The records that matter

SPF declares which servers may send for your domain. DKIM cryptographically signs each message so the recipient can prove it has not been tampered with. DMARC tells mailbox providers what to do when SPF or DKIM fails — and gives you the reports that show who else is trying to send as you. We publish all three correctly the first time: a clean SPF record under the ten-lookup limit, a DKIM key per sender with a sensible rotation cadence, and a DMARC policy that begins at p=none with reporting and graduates to p=quarantine or p=reject once the legitimate senders are accounted for. Done well, this is the largest single deliverability lever you have.

N° 05

Mail Routing & Forwarding

Aliases & flow

The quiet plumbing that decides where a message ends up after it arrives at your domain. Catch-alls, role aliases like support@ and billing@, departmental groups, automatic forwarders for legal-name mismatches, and the routing rules that keep abuse and postmaster addresses operative. We also configure SRS (Sender Rewriting Scheme) where forwarding would otherwise break SPF, set up shared inboxes on Front, Help Scout, or Google Groups when a single mailbox is no longer enough, and document the topology so the next person who joins the team understands which address goes where.

N° 06

Deliverability Testing & Monitoring

Ongoing observation

Setup is not the end of the job. We seed test sends to Gmail, Outlook, Yahoo, iCloud, QQ, and 163 to confirm inbox placement, check the sending IP and domain against the major blacklists, parse the DMARC aggregate reports for unauthorised senders, and watch the bounce-and-complaint rates against Gmail’s and Yahoo’s bulk-sender thresholds. When deliverability drifts — and it does, every few months, for reasons rarely under your control — we have the data to explain why and the records in place to fix it without a panic.

02 — Our Approach

Audit. Configure.
Verify. Watch.

Email deliverability rewards patience and methodical work. We do not push a DMARC enforcement policy on day one; we do not assume the SPF record someone copied from a forum post in 2019 is still correct; and we do not call the engagement closed until the test sends land in the right folder, in every market that matters.

i

Audit before changing records

The first deliverable is a written audit of every authentication record currently published, every legitimate sender we can identify (mailbox provider, transactional relay, marketing platform, CRM, helpdesk), and every send that the DMARC reports show originating from your domain. Until we know who is sending, we do not know what the SPF record needs to permit — and rushing past this step is how good intentions break a billing flow.

ii

Configure the whole stack at once

Mailboxes, transactional relay, sending-domain verification, SPF, DKIM per sender, DMARC at p=none, MX records — we set them up together rather than in scattered tickets. Doing it as a single configured stack means the records reference each other coherently, the documentation is a single page rather than a folder of fragments, and the verification step at the end actually proves something.

iii

Verify with real test sends

Tools that grade your records in green ticks are useful but not sufficient. The honest test is whether a message from your domain reaches the inbox — not the spam folder, not the promotions tab — at Gmail, Outlook, Yahoo, iCloud, and the relevant Chinese providers. We seed test sends from each legitimate sender, screenshot the placement, and only then promote DMARC from monitoring to enforcement.

iv

Watch after the launch

Deliverability is not a setting. It is a posture that drifts as new tools join your sending stack, as mailbox providers tighten their rules, and as forwarders re-route messages in ways that confuse your authentication. We parse the DMARC aggregate reports each month, watch for new senders appearing on your domain, and adjust the records before bounces become customer-support tickets. Honest about that work being ongoing, not one-time.

03 — Who It’s For

Businesses whose email
is quietly losing them money.

Email deliverability is one of those problems that rarely announces itself. The customer who never receives the booking confirmation does not write to complain — they go and book somewhere else. The investor who does not see your reply assumes you are not interested. The list below is the small number of recurring profiles where the deliverability work is the unlock.

A few recurring profiles where setting up the stack properly is the single highest-leverage move.

  • i Founders launching a new domainYou have a brand-new domain, no sending history, and a launch date in two weeks. Get the records right the first time, warm up the sending reputation gradually, and avoid the months-long penalty box that comes from spamming Gmail on day one.
  • ii Teams whose email keeps landing in spamCustomers ask why your replies arrived in promotions or never arrived at all. The cause is almost always a misconfigured or incomplete authentication stack, a contaminated shared-hosting IP, or a forwarder breaking SPF — all fixable, in priority order.
  • iii WordPress sites where forms have stopped notifyingThe contact form “works” — but nobody on the team is receiving the lead emails any more. Shared-hosting PHP mail is being silently dropped by Gmail. A transactional relay with proper authentication fixes the problem in an afternoon.
  • iv Companies adding a new sending platformYou are about to wire HubSpot, Klaviyo, Mailchimp, or a billing system into your domain. Each one needs its own DKIM, its own SPF entry, its own sender verification. We add it without breaking the senders already in place.
  • v Cross-border businesses sending into ChinaThe Western relay that performs flawlessly into Gmail and Outlook delivers to QQ Mail and 163 about half the time. A China-side sender — Tencent Exmail or Alibaba DirectMail — and the right authentication is the difference between reaching the customer and not.
  • vi Agencies preparing for Gmail and Yahoo’s bulk-sender rulesThe 2024 rules made DMARC, one-click unsubscribe, and a strict spam-rate ceiling table-stakes for anyone sending more than five thousand messages a day. Many smaller senders are now caught by the same enforcement. We bring the stack into compliance without breaking the ongoing campaign.

Email setup pairs naturally with our DNS & domain management work — the SPF, DKIM, and DMARC records all live in DNS, and a clean DNS zone is the foundation that makes the whole stack legible. For clients on a maintenance retainer, we monitor the deliverability posture continuously rather than waiting for the next outage report.

04 — A complimentary report

Curious how Google sees your site?

Send us your URL. We’ll send back a Premium SEO Report, prepared by hand, within 48 hours — domain authority, keyword rankings, backlinks, competitor gap, and the quick wins worth chasing first.

No sales call required.

Deliverability is a discipline, not a feature. The records you publish today are the reason your invoice gets paid next quarter.
— The Aureole Practice —
05 — Frequently Asked

Questions we get
about email.

If a question is missing here, the contact link at the foot of the page goes straight to the person who would answer it. No ticket queues, no funnels.

i Our email is mostly arriving — do we really need SPF, DKIM, and DMARC?
Yes — and the answer has changed in the last eighteen months. Gmail and Yahoo’s 2024 bulk-sender rules now require all three for any domain sending more than a low daily threshold, and the major mailbox providers are quietly applying the same logic to smaller senders. Without DMARC published, your domain can also be spoofed by anyone with a free SMTP account, which means phishing emails go out as you to your customers. The work is one to two weeks of careful configuration in exchange for a deliverability and security posture that compounds for years. The honest answer is that it is no longer optional for any business that depends on email reaching the inbox.
ii What is the difference between domain email and transactional email?
Domain email is the human-to-human mail you read in Gmail, Outlook, or whatever client your team uses — replies to customers, internal threads, calendar invitations. Transactional email is the machine-generated mail your applications send: order confirmations, password resets, form notifications, receipts, system alerts. The two should run on different infrastructure. Domain mail goes through Google Workspace or Microsoft 365 and inherits their reputation. Transactional mail goes through a dedicated relay like SMTP2GO, Mailgun, or Postmark with its own warmed sending domain. Mixing them causes one of two failures: marketing complaints damaging the reputation that customer replies depend on, or a per-mailbox sending limit dropping receipts during a launch.
iii Can you fix our deliverability without changing our mail provider?
In most cases, yes. Deliverability problems usually trace back to misconfigured or missing SPF, DKIM, and DMARC records, a forwarder breaking SPF in transit, a contaminated shared-hosting IP, or a transactional sender that was never properly authenticated. We audit the existing setup, fix the records and the routing, and verify with real test sends — typically without any change to the mailbox provider. We only recommend a provider change when the existing platform is genuinely the bottleneck, which is the exception rather than the rule.
iv We send into China — what changes?
A great deal. Chinese mailbox providers — QQ Mail, 163, Foxmail, Sina — apply more aggressive filtering to traffic originating outside the mainland and they treat unfamiliar Western relays with extra suspicion. For consequential mail, we configure 腾讯企业邮 (Tencent Exmail) for domain mailboxes and Alibaba Cloud DirectMail for transactional sends, choosing between the 国内 and 海外 SMTP endpoints based on where your application servers actually run. The single most common gotcha: the SMTP login is not the mailbox password — it is a separately generated 客户端专用密码 (client-specific password) that must be created from inside the Tencent or Alibaba console. Roughly nine in ten failed first attempts come down to that one detail.
v How long does an email setup engagement take?
A standard engagement runs one to two weeks. Days one to three are the audit and the inventory of legitimate senders. Days four to seven are the configuration — mailboxes, transactional relay, SPF, DKIM per sender, MX records, mail routing, and DMARC at p=none with reporting. The remaining time is verification: real test sends to every major mailbox provider, parsing the first DMARC reports, and confirming we have not missed a sender. After two to four weeks of monitoring at p=none, we promote the DMARC policy to p=quarantine or p=reject if your traffic warrants it. New domains take a touch longer because the sending reputation has to be warmed up gradually rather than turned on at full volume.
vi Will you keep monitoring after the setup?
For project-only engagements, the deliverable is the configured stack, the documentation, and a thirty-day monitoring window so we can confirm the DMARC enforcement step is safe. For retainer clients, we keep watching the DMARC aggregate reports each month, flag new senders appearing on the domain, monitor for blacklist hits and bounce-rate creep, and adjust the records before issues become tickets. Email is one of those areas where the posture genuinely drifts — new tools join the stack, mailbox providers tighten thresholds, forwarders behave unexpectedly — so ongoing observation is meaningfully different from one-time setup. We are honest about that being a real, recurring discipline rather than a configuration you can sign off and forget.
06 — Connected Practice

Where email setup
fits in the whole.

Email lives at the seam between DNS, applications, and security. The link below returns to the parent service; the pills extend laterally to the sister sub-disciplines that share the same infrastructure.

Parent service

IT ServicesLess hassle, more growth. The full IT practice — hosting, DNS, email, Cloudflare, SSL, backup and recovery, and server monitoring — under one accountable team.

Sister sub-disciplines

Hosting & Cloud DNS & Domains Cloudflare & CDN SSL & Security Backup & Recovery Server Monitoring

Adjacent services

SEO Web Design & Development Maintenance & Care Plans Content & Copywriting
The Invitation

Ready for email that
quietly arrives?

Tell us where the deliverability is breaking — spam folders, missing notifications, China-side bounces, or a brand-new domain that needs warming. We’ll respond within one business day with an audit plan and a sensible scope.

Get in touch Or request a free SEO report
Mon–Fri · 9–6 PT support@aureoleintelligence.com Reply within 1 business day