Part 3 of a five-part email deliverability playbook.

Quick test: does your newsletter come from @yourcompany.com, the same domain as your invoices, your password resets, and the CEO’s actual inbox?

If yes, all of those share one sender reputation. Gmail doesn’t keep separate books for “the campaign blast” and “the invoice.” One domain, one reputation. A rough campaign (stale list, spam complaints, a spike in bounces) dents the same reputation your password resets depend on.

The fix is boring and almost universal among companies that send serious volume: marketing gets its own subdomain. email.yourcompany.com, news.yourcompany.com, go.yourcompany.com. Pick one. (You’ve seen these in your own inbox for years. Now you know why.)

What isolation buys you

Blast radius. Mailbox providers track reputation largely per domain. When marketing sends from email.yourcompany.com, a bad week damages that subdomain’s standing. Your transactional and corporate mail, on their own domains, keep their track record. The failure stops at the property line.

Cleaner DMARC. Each sending stream gets its own SPF and DKIM, scoped to its own subdomain, instead of one root-domain SPF record carrying includes for every tool you’ve ever signed up for (and creeping toward the 10-lookup limit). Marketing’s records live on marketing’s subdomain. Untangling alignment per stream gets dramatically easier.

Legibility. When something breaks, you know which mail stream broke. “The subdomain’s reputation dropped” is a Tuesday problem. “The domain’s reputation dropped” is an everyone problem.

The honest trade-offs

A new subdomain starts with no reputation, so you warm it up. Start with smaller sends to your most engaged segment and ramp over a few weeks, rather than pointing the full list at it on day one.

And know what isolation doesn’t do: your root domain still shows in the From name people read, and mailbox providers are smart enough to see family resemblance between a domain and its subdomains. This is a firebreak, not an alibi. It limits damage, it doesn’t license bad sending.

One genuine warning: your DMARC policy may treat subdomains more loosely than you think. If your root policy is strict but it carries sp=none, every subdomain (including ones you’ve never created) is unprotected. Worth checking while you’re in there.

The setup, briefly

  1. Pick the subdomain. email., news., go.. The convention matters less than the separation.
  2. Run your ESP’s domain-authentication flow for that subdomain. Their wizard generates the SPF/DKIM records; you add them at the subdomain, not the root.
  3. Make sure DMARC covers it with a real policy (inherited from the root or its own record).
  4. Warm it up, then move campaign traffic over.

While you’re at it, the same logic separates transactional from marketing: receipts and resets on one subdomain, campaigns on another. Most companies do marketing first because it’s the risky stream, and that’s the right order.

None of this is exotic. It’s a few DNS records and a few weeks of patience. The part worth being careful about is the cutover: authenticating the new subdomain properly before traffic moves, so you don’t trade a reputation problem for an alignment problem.