If you run outbound for clients, email onboarding is the moment where you either set yourself up for smooth scaling… or you quietly plant a deliverability time bomb that goes off three weeks later.

What makes it tricky is that “onboarding email” sounds like a simple admin task. Add inboxes. Connect DNS. Launch sequences. Done.

But in reality, it’s a security exercise, a reputation management exercise, and a process consistency exercise. You are taking control of someone else’s domain reputation and customer trust, sometimes even their entire revenue pipeline.

This is why understanding how to check email sender reputation becomes crucial during the onboarding process. It's not just about setting up email accounts; it's about maintaining the integrity and reputation of the client's brand.

So this is a practical, agency-friendly SOP you can actually follow. It’s designed for cold outreach, but honestly it applies to any situation where you are sending on behalf of a client and you don’t want to get them burned.

Along the way I’ll reference PlusVibe (https://plusvibe.ai) because it’s built for exactly this world: secure warmup, deliverability tooling, inbox rotation, throttling, verification. But the SOP itself is platform agnostic. You can implement it with whatever stack you use.

Table of contents

1. What “safe onboarding” actually means
2. The two rules that keep you out of trouble
3. Roles and access model (who gets what, and why)
4. Pre onboarding: intake checklist and risk scan
5. Domain and inbox architecture (how many domains, how many inboxes)
6. DNS setup SOP (SPF, DKIM, DMARC, tracking domains)
7. Inbox creation SOP (Google, Microsoft, alternative providers)
8. Connecting inboxes to your sending stack safely
9. Warmup SOP (what to warm, how long, and what to watch)
10. List and lead data SOP (verification, suppression, enrichment)
11. Content and compliance SOP (copy, links, unsubscribe, signatures)
12. Launch SOP (ramp plan, throttling, rotation, monitoring)
13. Ongoing monitoring SOP (daily, weekly, monthly)
14. Offboarding SOP (clean exit, credential cleanup, documentation)
15. Templates: checklists, client emails, internal handoffs

1. What “safe onboarding” actually means

Safe onboarding is not just about avoiding a password leak.

It entails:

• The client retains control of their domain and mailboxes.
• Your team gets only the necessary access to perform their tasks.
• Authentication processes are correct, aligned, and not brittle.
• Sending is ramped slowly enough that reputation grows instead of snapping.
• Tracking is configured for measurement without compromising trust.
• Lists are clean enough to prevent spikes in bounces and spam complaints, achieved through effective email scrubbing.
• There’s always an exit plan.

One messy onboarding can jeopardize:

• the main domain’s deliverability
• the CEO’s inbox placement
• their internal email
• their ability to send invoices or password resets (yes, this happens)
• their future marketing campaigns which could involve automated email marketing

The goal is to make onboarding feel mundane. Boring is good.

2. The two rules that keep you out of trouble

Rule 1: Never send cold email from the client’s primary domain

If their company domain is acme.com and it’s used for:

• normal employee email
• support
• billing
• product notifications
• investor communications

…do not use it for cold outbound.

Instead, utilize adjacent domains, sometimes referred to as secondary domains or sending domains:

• tryacme.com
• acmehq.com
• getacme.com

This isn't a strategy to be sneaky; it’s a measure for containment. If outbound gets bruised, core business email stays safe.

Rule 2: Understand the email sending limits of email service providers

Every email service provider has its own set of rules regarding how many emails you can send in a day. It's crucial to understand these limits to avoid getting your account suspended or your emails marked as spam.

Bonus Tip: Master the art of business communication

Effective business communication requires more than just sending an email. It's about formatting your emails correctly, understanding your audience, and delivering your message clearly.

Rule 2: You can’t fix bad sending with “better copy”

Copy matters. But deliverability is math plus behavior.

If you’re sending to unverified lists, blasting volume too quickly, skipping warmup, and your DNS is half configured, no subject line in the world will save you.

So the SOP is built around the boring stuff first.

3. Roles and access model (who gets what, and why)

Before you touch DNS or mailboxes, decide access like an adult. This is where agencies get sloppy.

Recommended roles

Client Owner (client side)

• owns domain registrar access
• owns Google Workspace / Microsoft 365 admin
• approves DNS changes
• has billing authority

Agency Deliverability Lead (your side)

• defines architecture and ramp plan
• reviews DNS records
• owns monitoring and incident response

Agency Ops / Onboarding Specialist

• creates inboxes (or guides client)
• connects to sending platform
• verifies warmup and readiness

Agency Copy / Campaign Manager

• builds sequences
• handles suppression and list hygiene checks
• monitors replies and adjusts targeting

Access principle

Give the agency delegated access where possible, and temporary access where not.

• Prefer Google Admin delegated roles or Microsoft admin roles over shared passwords.
• Prefer connecting inboxes via OAuth instead of SMTP passwords.
• Require 2FA everywhere. Non negotiable.
• Keep a credential inventory so you know what you have.

If a client says “here’s the login to everything”, you don’t celebrate. You slow down and fix that.

To avoid such pitfalls and scale your agency effectively, it's crucial to establish a clear roles and access model from the outset.

4. Pre onboarding: intake checklist and risk scan

This is the part everyone wants to skip. Don’t.

4.1 Client intake questions (copy/paste)

• What domain(s) do you own? Which is primary?
• Are you currently sending cold email? From where?
• What email provider do you use (Google Workspace, Microsoft 365, other)?
• Do you have DMARC configured today? If yes, what policy?
• Do you have any existing subdomains for marketing or tracking?
• Do you have previous outbound tools connected (Apollo, Lemlist, Instantly, Mailshake, etc)?
• Who will own replies (client team or agency)? What’s the SLA?
• What countries are you targeting? Any regulated industries?
• Do you have an unsubscribe page already?
• Do you have a suppression list (past opt outs, customers, competitors, partners)?

4.2 Quick risk scan

You’re looking for stuff like:

• Primary domain already blacklisted (rare but it happens)
• Domain is brand new (under 30 days)
• Client insists on sending from primary domain
• No ability to configure DNS (no admin access)
• They want 5k emails per day on week one
• They only have scraped data with no verification

If you find any of these, you don’t “push through”. You reset expectations.

4.3 Document everything

Create a single onboarding doc with:

• domains
• inbox list
• DNS records
• tools connected
• warmup start date
• planned ramp schedule
• owners

This is your audit trail. Also your survival kit.

5. Domain and inbox architecture (how many domains, how many inboxes)

This is where you decide the structure that will keep deliverability stable.

5.1 Domain strategy (simple version)

• Primary domain: business email only. No cold outbound.
• 1 to 3 sending domains: outbound only.
• Optional: tracking subdomain (like t.tryacme.com) if you’re using link tracking.

If the client is small, start with 1 sending domain. If they want scale, spread across multiple domains and inboxes.

5.2 Inbox strategy

A safe starting point:

• 2 to 5 inboxes per sending domain
• 20 to 40 cold emails per inbox per day at steady state (sometimes lower)
• ramp gradually

Yes, some people brag about 200 per inbox per day. Cool. You can also drive without a seatbelt.

5.3 Naming convention (so you don’t hate yourself later)

Pick a consistent scheme:

• first@tryacme.com
• first.last@tryacme.com
• team@tryacme.com (careful, looks generic)
• avoid sales@ and info@ for cold outbound, they’re often filtered harder

Also decide display names:

• “First” or “First at Acme”
• keep it human

6. DNS setup SOP (SPF, DKIM, DMARC, tracking domains)

DNS is where onboarding goes wrong quietly. You think it’s done, but it’s half done. Then deliverability suffers and everyone blames the list.

So here’s the DNS SOP.

6.1 SPF

SPF specifies who is authorized to send emails on behalf of the domain.

• You should have one SPF record per domain.
• If you utilize multiple tools, they should all be included in that single record.
• Excessive lookups (over 10) can cause SPF to malfunction.

Example (varies by provider):

txt v=spf1 include:_spf.google.com include:sendgrid.net ~all

What to check:

• Is there more than one SPF TXT record? If yes, merge them.
• Are you using ~all (softfail) or -all (hardfail)? It's typically advisable to start with ~all unless you're certain about your configuration.

6.2 DKIM

DKIM is responsible for signing outgoing mail.

• Activate DKIM in Google Workspace or Microsoft 365 for each sending domain.
• Publish the DKIM TXT record in DNS.
• Confirm its activation.

Always keep DKIM enabled.

6.3 DMARC

DMARC instructs receiving servers on how to act if SPF or DKIM fails, and where to send reports.

Initially, start with monitoring:

txt v=DMARC1; p=none; rua=mailto:dmarc@tryacme.com; ruf=mailto:dmarc@tryacme.com; fo=1;

Once stable, you can transition to quarantine or reject. However, don't rush this process if the client has complicated legacy systems.

What to check:

• Ensure DMARC alignment. The sending domain should match the visible From domain.
• Verify that the RUA inbox exists and is regularly monitored (or consider using a DMARC reporting service).

Additionally, it's crucial to check email validity and ensure that the email format is correct. This can be done using various online tools that can check if an email is valid.

6.4 Custom tracking domain (optional, but common)

If you use link tracking, set a branded tracking subdomain. This can reduce “random tracking domain” suspicion.

Example:

• Tracking subdomain: t.tryacme.com
• CNAME points to your platform’s tracking host

Two cautions:

• Link tracking can hurt deliverability on cold email if overused.
• You don’t need to track every click. Replies are the real KPI.

6.5 Screenshot or it didn’t happen

Ask the client to share screenshots of DNS records or give you read access. Also save a before and after.

Image: DNS onboarding checklist (add this to your SOP doc)

(If you publish this article on your own site, swap that link for your actual media URL in WordPress. The point is to include a visual checklist the team can follow.)

7. Inbox creation SOP (Google, Microsoft, alternative providers)

7.1 Google Workspace

Best practice steps:

1. Create user inbox (or alias, but real inbox is better).
2. Enforce 2FA.
3. Set recovery email and phone (client owned, not agency owned).
4. Set display name and profile image if you use one.
5. Turn on DKIM for the domain.

Avoid:

• shared passwords
• disabling 2FA “just for setup”

7.2 Microsoft 365

Similar idea:

1. Create user mailbox in admin center.
2. Enable MFA.
3. Ensure SMTP auth rules are understood (Microsoft can be picky).
4. Set up DKIM in Defender / security settings.

Microsoft deliverability can be fine, but it tends to punish sloppy behavior faster in B2B.

It's also crucial to maintain a clean email list for optimal deliverability rates, which is where best email validation list cleaning services come into play.

7.3 Alternative providers

You can use others, but for agency scale, Google and Microsoft are still the most predictable.

If a client insists on a random provider, make sure:

• they support DKIM
• they support modern auth or at least app passwords safely
• they’re not known for poor IP reputation

8. Connecting inboxes to your sending stack safely

This is where security and deliverability intersect.

8.1 Prefer OAuth connections

OAuth means:

• no password stored in your tool
• client can revoke access anytime
• cleaner audit trail

8.2 If you must use SMTP

Sometimes you do. If so:

• use app passwords, not primary passwords
• store them in a password manager
• rotate them on offboarding
• never paste them in Slack (please)

8.3 Multi inbox management

If you’re running 10, 20, 50 inboxes, you need:

• rotation
• throttling
• sending windows
• per inbox daily caps

This is exactly where platforms like PlusVibe help because it’s designed for multi inbox rotation and deliverability first sending behavior. You can still do it manually in other tools, but manual tends to drift over time. Someone adds volume. Someone forgets caps. Things break.

Image: Multi inbox rotation concept

9. Warmup SOP (what to warm, how long, and what to watch)

Warmup is not magic. It’s controlled reputation building.

9.1 What warmup should do

• send low volume, realistic emails
• receive replies
• have messages marked as important / moved out of spam sometimes
• create consistent sending patterns

9.2 How long to warm

Typical:

• minimum 14 days for brand new inboxes
• 21 to 30 days if the domain is brand new or you need higher volume later

If the client is impatient, you can still launch small volume while warming, but keep it very conservative.

9.3 Warmup settings

Guidelines:

• start at 5 to 10 emails per day per inbox
• increase slowly every few days
• keep send hours aligned with target timezone
• avoid weekends for B2B unless there’s a reason

9.4 Monitor during warmup

You watch:

• spam placement (seed tests if you have them)
• bounce rates (should be near zero in warmup systems)
• provider flags (Google postmaster is helpful if you have enough volume)
• sudden drops in open rates (opens are imperfect now, but trends still matter)

During the warmup phase, it's crucial to monitor the spam score of your emails. This can help you adjust your strategy to ensure better deliverability.

PlusVibe includes secure warmup as part of its deliverability focus, which is convenient because it lives next to your sending behavior. Less duct tape.

Image: Warmup ramp example chart

10. List and lead data SOP (verification, suppression, enrichment)

If you onboard email perfectly and then send to trash data, you still lose.

10.1 Lead sources and quality grading

Classify lead sources:

• Tier A: first party, opt in, inbound, referrals
• Tier B: credible B2B databases with verification
• Tier C: scraped or guessed emails

Tier C needs strict verification and low volume testing.

10.2 Email verification (mandatory)

Before any send, verify.

Targets:

• Hard bounce rate under 2% (ideally under 1%)
• Remove accept_all domains if your tool flags them as risky, or segment them for separate testing

PlusVibe includes bulk email verification, which is useful here because the fastest way to ruin a fresh domain is sending to invalid addresses.

10.3 Suppression list SOP

Maintain a master suppression list containing:

• opt outs
• past spam complainers
• existing customers (sometimes you suppress, sometimes you segment)
• partners and vendors
• competitor domains (optional)

And sync it across every tool. Every time. This is where agencies mess up when they scale.

10.4 Personal data caution

If you operate in or target EU/UK, you need to think about GDPR and lawful basis. I’m not your lawyer, but the operational takeaway is simple:

• store only what you need
• document why you’re contacting
• include a clear opt out
• honor removals fast

11. Content and compliance SOP (copy, links, unsubscribe, signatures)

Deliverability is not only DNS and volume. Content can absolutely trigger filters.

11.1 Copy rules that keep you out of spam

• Keep first email plain. One link max, often zero.
• Avoid heavy HTML.
• Avoid image heavy emails.
• Avoid “FREE”, “ACT NOW”, “GUARANTEE”, all caps, and aggressive punctuation.
• Keep personalization real. Don’t stuff fake compliments.

Write like a person who is busy. Because your recipient is busy.

11.2 Signature and identity

Use:

• real name
• real company name
• optional: LinkedIn link (sometimes helps, sometimes not)
• physical address: depends on your compliance stance and region, but many include it

11.3 Unsubscribe

For cold email, you still want a clear opt out.

Options:

• plain text “If you want me to stop, reply with ‘no’ and I will.”
• a one click unsubscribe link (some tools provide this)

Be careful:

• adding too many links can hurt deliverability
• but no opt out at all can increase spam complaints

Pick one approach and do it consistently.

11.4 A/B testing without chaos

Test one variable at a time:

• subject line or first line
• CTA wording
• offer angle

Don’t test five things with low volume. You’ll learn nothing and think you learned everything.

12. Launch SOP (ramp plan, throttling, rotation, monitoring)

This is the moment everyone rushes. Don’t rush it.

12.1 Pre launch checklist

• SPF passes
• DKIM passes
• DMARC record exists
• inboxes warmed at least 14 days (or you have a conservative hybrid plan)
• suppression list loaded
• leads verified
• sequences approved
• reply handling workflow set
• sending caps configured

12.2 Ramp plan (example)

Per inbox daily cold sends:

Week 1:

• Day 1 to 2: 10 per inbox
• Day 3 to 4: 15 per inbox
• Day 5: 20 per inbox

Week 2:

• 25 to 35 per inbox depending on results

Steady state:

• often 30 to 50 per inbox per day for many B2B offers
• adjust based on bounce and complaint rates

If you want to go beyond that, add inboxes. Don’t just crank one inbox.

12.3 Throttling and send windows

• spread sends across the day
• avoid bursts
• match recipient timezone when possible
• pause sending if bounce rate spikes

A platform like PlusVibe is built around inbox rotation and throttling, which is basically the guardrail you want when running multiple client accounts. Less “oops we blasted 500 in 10 minutes”.

12.4 First week monitoring cadence

Daily:

• bounce rate
• spam complaints (if visible)
• reply rate
• inbox health indicators
• blacklist checks (lightly, don’t obsess)

If anything looks off, you pause and diagnose. You don’t “push through to hit volume”.

Image: Launch readiness checklist

13. Ongoing monitoring SOP (daily, weekly, monthly)

Deliverability is not set and forget. It’s more like teeth. You keep brushing.

Daily (5 to 10 minutes)

• Check bounce rate by inbox and by domain
• Look for sudden reply drop (could be targeting, could be inboxing)
• Scan for “message rejected” errors
• Check if any inbox got locked or asked for verification

Weekly

• Review performance by segment (industry, title, country)
• Rotate copy if complaint risk increases
• Refresh verification on older leads if you’re recycling lists
• Check DMARC aggregate reports if you collect them
• Audit sending caps stayed the same (people love to “just bump it a bit”)

Monthly

• Add new inboxes if scaling
• Retire inboxes that look burned (don’t be sentimental)
• Review domain health and whether you need another sending domain
• Review suppression list hygiene
• Update the onboarding doc with any changes

14. Offboarding SOP (clean exit, credential cleanup, documentation)

Clients leave. Or you fire them. Either way, you need a clean exit.

14.1 Offboarding checklist

• Pause all campaigns
• Export campaign settings and performance report
• Export suppression list (and confirm client receives it)
• Revoke OAuth connections (client side ideally)
• Remove inboxes from your tool
• Delete stored SMTP credentials
• Rotate any app passwords that were shared
• Hand over DNS record list and recommend what to keep or remove
• Confirm reply handling is transitioned

14.2 What DNS records to keep?

Usually keep:

• SPF, DKIM, DMARC for domains still used Remove or update:
• tracking CNAMEs for tools they no longer use

Don’t just rip everything out without asking. But also don’t leave stale records pointing to your systems.

14.3 Final deliverability note to client

Tell them:

• what volume you were sending
• what domains were used
• what inboxes were active
• what warmup state was in place
• what to do if they continue outbound internally

This reduces “deliverability mystery” later.

15. Templates (copy/paste)

15.1 Internal onboarding task list (agency)

txt CLIENT: ______________________ PRIMARY DOMAIN: _______________ SENDING DOMAIN(S): ____________

[ ] Intake form completed [ ] Risk scan completed [ ] Domain architecture approved [ ] Inbox count plan approved [ ] DNS: SPF configured + verified [ ] DNS: DKIM configured + verified [ ] DNS: DMARC configured + verified [ ] Tracking domain configured (if needed) [ ] Inboxes created [ ] 2FA enabled on all inboxes [ ] Inboxes connected via OAuth (preferred) [ ] Warmup started (date: ________) [ ] Lead source documented [ ] Verification completed [ ] Suppression list uploaded [ ] Copy approved [ ] Ramp plan set [ ] Monitoring dashboard ready [ ] Launch date scheduled

15.2 Client email: request DNS changes (simple)

Subject: DNS updates needed for outbound sending domains

Hi {{Name}},

To set up outbound safely, we’ll send from {{sending_domain}} (not your main domain).

Could you please add the DNS records below at your registrar/DNS provider?

• SPF: {{record}}
• DKIM: {{record}}
• DMARC: {{record}}
• (Optional) Tracking CNAME: {{record}}

Once added, send me a screenshot or let me know and I’ll verify everything is passing.

Thanks
{{Your name}}

15.3 Client email: access request (OAuth first)

Subject: Connecting inboxes securely (no passwords)

Hi {{Name}},

Next step is connecting the new inboxes to our sending system using Google/Microsoft OAuth. This does not require sharing passwords, and you can revoke access anytime.

When you’re ready, I’ll send the connection link and we can do it live on a 10 minute call, or you can complete it async.

Thanks
{{Your name}}

A subtle recommendation (because it matters)

If your agency is managing multiple clients, the biggest practical failure mode is inconsistency. Different inbox rules, different caps, different warmup habits, random verification tools, messy suppression handling.

If you want one platform that’s clearly built around deliverability and outbound operations, PlusVibe is worth a look: https://plusvibe.ai

Not because “AI” is shiny. Because the boring guardrails, warmup, verification, inbox rotation, throttling, deliverability tooling, those are the pieces that keep client domains alive while you scale.

Final note

This SOP looks long because onboarding done right has a lot of little steps.

But after you run it a few times, it becomes muscle memory.

And the payoff is huge. Fewer inbox bans. Fewer “why did replies die?” weeks. Less panic. More predictable scaling.

Which is really what clients pay for. Not sending emails. Predictable revenue without lighting their domain on fire.

FAQs (Frequently Asked Questions)

What does 'safe onboarding' mean in the context of outbound email for clients?

Safe onboarding means more than just avoiding password leaks; it ensures that the client retains control over their domain and mailboxes, your team has only necessary access, authentication is correctly aligned, sending volume is ramped slowly to build reputation, tracking is configured without compromising trust, email lists are clean to prevent bounces and spam complaints, and there's always a clear exit plan. This approach protects the client's domain reputation and overall email deliverability.

Why should I never send cold emails from a client's primary domain?

Sending cold emails from the client's primary domain (e.g., acme.com) risks damaging their core business communications such as employee emails, support, billing, product notifications, and investor relations. Instead, use adjacent or secondary domains like tryacme.com or getacme.com to contain any potential deliverability issues and protect the main domain's reputation.

What are the key roles and access models recommended during email onboarding?

Key roles include: Client Owner who controls domain registrar access and approves DNS changes; Agency Deliverability Lead who defines architecture and monitors DNS; Agency Ops/Onboarding Specialist who creates inboxes and connects sending platforms; Agency Copy/Campaign Manager who builds sequences and manages list hygiene. Access should be delegated where possible and temporary when not, ensuring security and clarity in responsibilities.

How important is understanding email sending limits of providers during onboarding?

It's crucial to understand each email service provider's daily sending limits to avoid account suspensions or being marked as spam. Respecting these limits helps maintain sender reputation and ensures smooth scaling of outbound campaigns without triggering deliverability issues.

Can better email copy fix bad sending practices during cold outreach?

No. While copy matters for engagement, deliverability depends on factors like verified lists, gradual volume ramp-up (warmup), proper DNS configuration (SPF, DKIM, DMARC), and consistent sending behavior. Without solid technical foundations and list hygiene, even the best subject lines won't prevent emails from landing in spam folders.

What are some essential steps included in a safe email onboarding SOP?

Essential steps include: conducting a pre-onboarding intake checklist and risk scan; setting up domain architecture with appropriate domains and inboxes; configuring DNS records properly (SPF, DKIM, DMARC); creating inboxes securely across providers; connecting inboxes safely to sending stacks; implementing warmup protocols; verifying and scrubbing lists; ensuring compliant content with unsubscribe options; launching with ramp plans and throttling; ongoing monitoring; and planning offboarding with credential cleanup.