Email Authentication & Deliverability Setup
Full SPF, DKIM, DMARC, and BIMI configuration with a staged rollout plan, so you move from unauthenticated to fully enforced without blocking legitimate mail.
Cold outreach and lead nurturing shouldn't feel like a guessing game. As a performance-oriented email marketing agency, we build clean infrastructure to keep your business out of the spam filter. We specialise in server-side validation configurations, custom email marketing funnels, and cold sequences engineered to fill your dashboard with meetings.
Exora Leads is a UK-registered digital marketing agency built and run by a single specialist, not handed off between account managers. We build the email infrastructure, write the sequences, and manage the CRM automation ourselves, using the same authentication and deliverability practices on our own outbound campaigns into the UK, Saudi Arabia and Tunisia that we set up for clients.
Most cold email and email marketing failures are not a copywriting problem, they are an infrastructure problem. Missing SPF records, unsigned DKIM keys, and a DMARC policy left at monitor-only mean a carefully written sequence never reaches a real inbox. Google and Yahoo have enforced stricter sender authentication requirements since 2024, and unauthenticated senders now land in the spam folder at a dramatically higher rate than properly configured ones.
We combine email authentication and deliverability setup, B2B lead generation and list building, cold outreach sequence design, and AI CRM automation into one connected system. Every enquiry or reply, whether it comes from a cold email, an inbound form, or a paid campaign, is picked up automatically and routed into a follow-up sequence, so a working sequence and a working inbox are never treated as two separate problems.
Every email marketing and cold outreach engagement starts with a full SPF, DKIM, and DMARC audit of your domain, not as an add-on but as the foundation everything else is built on. We configure a dedicated sending subdomain for outbound and cold campaigns, keep it fully authenticated, and monitor DMARC aggregate reports so a spoofing attempt or a misconfigured third-party sender never quietly tanks your inbox placement.
Once your infrastructure is clean, we build the sequences and connect them to CRM automation so replies get handled the moment they land. AI CRM automation routes a positive reply into a booked call within minutes, not whenever someone next checks their inbox, using the same GoHighLevel and n8n stack we use for our own outbound sequences.
We start every engagement with a free deliverability audit covering your SPF, DKIM, DMARC and BIMI status, blacklist checks, and current sender reputation, so you know exactly what is broken before you spend anything. No 12-month lock-in, no agency retainer required to get the audit. You can also see our project portfolio to see the same automation stack running for another client first.
We check your SPF, DKIM, DMARC, and BIMI status, blacklist presence, and sender reputation. Most deliverability problems are found and diagnosed here, before a single email is written.
We source and verify contacts using Apollo, Hunter.io, and Apify, removing invalid and risky addresses before they touch your sending domain and damage your reputation.
We write multi-step sequences and deploy them from a dedicated, warmed-up sending subdomain, isolated from your everyday business email, with full SPF, DKIM, and DMARC coverage.
Replies are routed instantly through GoHighLevel and n8n automation, with positive responses converted into booked calls without manual admin.
Deliverability lives or dies on three DNS records. Here is what each one does, why it matters, and roughly what it looks like once it is published.
SPF is a TXT record on your domain that lists every mail server allowed to send email on your behalf. When a receiving server gets an email claiming to be from your domain, it checks the sending server's IP against this list. If the IP is not on it, the email fails SPF.
yourdomain.co.uk. TXT "v=spf1 include:_spf.google.com include:amazonses.com -all"-all (hard fail) tells receivers to reject anything not on the list. ~all (soft fail) asks them to flag it instead — useful while you are still onboarding new senders.
DKIM adds a cryptographic signature to each outgoing email, generated with a private key on your sending server. The receiving server looks up the matching public key in a DNS TXT record and verifies the signature. If anything in the email was altered in transit, or the signature does not match, DKIM fails.
selector1._domainkey.yourdomain.co.uk. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."The selector (selector1 here) lets you run multiple DKIM keys at once, for example one for Google Workspace and a different one for your outbound sending platform.
DMARC ties SPF and DKIM together and tells receiving servers what to do when a message fails either check: do nothing, quarantine it (send to spam), or reject it outright. It also gives you daily aggregate reports showing every server sending email as your domain, which is how you catch spoofing and misconfigured senders.
_dmarc.yourdomain.co.uk. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.co.uk; pct=100; adkim=s; aspf=s"Start at p=none to monitor without affecting delivery, move to p=quarantine once reports look clean, then p=reject for full enforcement. Rushing straight to reject before you have reviewed reports can silently block legitimate mail.
BIMI is optional but requires DMARC enforcement (p=quarantine or p=reject) to be eligible. It lets your verified logo appear next to your emails in supporting inboxes such as Gmail and Yahoo, which is a visible trust signal on top of the authentication itself.
default._bimi.yourdomain.co.uk. TXT "v=BIMI1; l=https://yourdomain.co.uk/logo.svg;"Some providers also require a Verified Mark Certificate (VMC) for the logo to display, particularly for higher-trust display in Gmail.
Email spoofing is when someone forges the "From" address on a message to make it look like it came from your domain, most often to run phishing or invoice-fraud scams against your own customers or staff. Without SPF and DKIM, a receiving server has no way to check whether an email genuinely originated from a server you authorised. Without DMARC, even a failed SPF or DKIM check does not automatically stop the message from landing in someone's inbox looking exactly like it came from you. The three records together close that gap: SPF and DKIM prove authenticity, DMARC enforces what happens when a message fails to prove it.
One architecture decision matters more than any individual DNS record: never send cold or bulk email from the same domain your team uses for everyday correspondence. A dedicated sending subdomain, for example mail.yourdomain.co.uk, gets its own SPF, DKIM and DMARC records and its own sender reputation. If an outbound campaign has a bad day, spam complaints or a temporary blacklisting stay isolated on that subdomain and never touch the inbox your invoices, contracts, and client replies depend on.
The UK's Data & Marketing Association tracked average email marketing ROI rising from roughly 30:1 to 38:1 over five years.
Source: DMA UKAutomated sequences such as welcome flows, abandoned cart, and nurture drips generate around 320% more revenue than one-off broadcast sends.
Source: Campaign MonitorSince Google and Yahoo began enforcing bulk sender authentication in 2024, unauthenticated senders see inbox placement rates roughly 45 percentage points lower than fully authenticated senders.
Source: DigitalApplied, 2026Personalised subject lines increase open rates by roughly 27% compared with generic, non-personalised sends.
Source: industry benchmark data, 2026Around 79% of B2B marketers rank email as their most effective channel for content distribution and lead generation.
Source: DemandSage, 202641% of marketers say email is their single most effective channel, more than double social media and paid search, which sit at 16% each.
Source: Litmus / emailmondayAfter fixing SPF/DKIM alignment on our own sending domain, reply rates on cold sequences recovered roughly 6x within one week.
ExoraLeads internal data, 2026Fully authenticated email outreach produces leads at a fraction of typical Google/Meta Ads CPL once inbox placement is fixed.
ExoraLeads client benchmark, 2026Post-remediation inbox placement rate across our outbound domain, verified via seed-list testing.
ExoraLeads internal audit, 2026Clients moving cold outreach to a dedicated, authenticated subdomain saw booked meetings increase 3.2x on average within 60 days.
ExoraLeads client data, 2026We were sending outreach directly from our Zoho CRM mail server while waiting on lead replies. Emails were authenticating against our root domain SPF, but the DKIM signature didn't match the actual sending server — a silent misalignment. Every message landed in spam.
We audited every DNS record line by line and found the DKIM selector being signed wasn't the one our Zoho sending server was actually using — SPF passed, DKIM technically passed too, but alignment (required by DMARC) failed. Google and Yahoo don't tell you this in the bounce log; you only see it as poor inbox placement.
We isolated outbound sending to mail.exoraleads.com, re-signed DKIM so the selector matched the actual sending infrastructure, and removed Zoho's default mail server from our sending path entirely. Within days, replies started landing in the primary inbox again.
Clean authentication gets your email into the inbox. Automation is what turns that inbox placement into a booked call without you manually chasing every reply. We connect your AI CRM automation stack — GoHighLevel and n8n — directly to your sending infrastructure, so a reply, whether positive, negative, or an out-of-office, triggers the right next step automatically.
Apify handles data enrichment on incoming leads, n8n routes replies into the correct pipeline stage, and GoHighLevel manages the follow-up sequence and booking flow. A positive reply can go from inbox to a calendar invite without anyone touching a keyboard in between.
We built the GoHighLevel CRM automation system behind Raseen's lead pipeline: every enquiry gets an automated response within 60 seconds, a follow-up SMS within the hour, and a structured nurture sequence if they do not convert immediately. The same infrastructure now powers our own outbound sequences into Saudi Arabia and Tunisia, so a reply from a cold email prospect gets the same instant, automated handling as a warm inbound lead. That consistency, treating email marketing, cold outreach, and CRM follow-up as one connected pipeline rather than three separate tools, is what turns a good sequence into a predictable stream of booked calls.
Get the same automation stack for your business — free auditEvery service links to a full breakdown of what we do, how it works, and what it costs.
Full SPF, DKIM, DMARC, and BIMI configuration with a staged rollout plan, so you move from unauthenticated to fully enforced without blocking legitimate mail.
Multi-step cold sequences across email, LinkedIn, and WhatsApp, written around concrete audit findings rather than generic templates.
Apollo, Hunter.io, and Apify sourcing with verification built in, so bad addresses never touch your sending reputation.
Klaviyo, ActiveCampaign, GoHighLevel, or Resend/SES, set up and managed around your actual business model, not a one-size-fits-all recommendation.
GoHighLevel and n8n automation that routes replies, books calls, and runs nurture sequences without manual admin.
Ongoing DMARC report monitoring, blacklist checks, and sender reputation tracking, so problems get caught before they tank a campaign.
Common questions about email marketing, cold outreach, and deliverability.
UK email marketing and cold outreach management typically runs from around £300 to £1,500 per month, depending on list size, sequence complexity, and whether authentication setup and CRM automation are included. Exora Leads offers pilot packages with no long-term contract, and every engagement starts with a free deliverability audit so you know exactly what is broken and what it will cost to fix before committing to anything.
SPF lists which mail servers are allowed to send email for your domain. DKIM adds a cryptographic signature to prove an email was not altered in transit. DMARC ties the two together and tells receiving servers what to do when SPF or DKIM checks fail: quarantine, reject, or take no action. All three work together, and missing any one weakens your deliverability.
The most common causes are missing or misconfigured SPF, DKIM, or DMARC records, sending cold or bulk email from your main domain instead of a dedicated subdomain, poor sender reputation from unverified lists, and content that trips spam filters. We run a full authentication and reputation audit to identify exactly which of these is affecting you.
Email spoofing is when someone forges the sender address on an email to impersonate your domain, often used for phishing or fraud against your customers or staff. SPF and DKIM let receiving mail servers verify that a message genuinely came from a server you authorised and was not altered. DMARC then instructs receivers to quarantine or reject anything that fails those checks, closing the gap that spoofers exploit.
Yes, for cold outbound and high-volume campaigns. Sending bulk or cold email from your root domain risks damaging the reputation of your main business email, the address your team and customers rely on. We set up a dedicated sending subdomain with its own SPF, DKIM, and DMARC records, so a deliverability issue on outbound campaigns never touches your everyday inbox.
It depends on your business model. E-commerce businesses tend to do best on Klaviyo for its Shopify integration and behavioural triggers. B2B nurture and CRM-linked automation work well on GoHighLevel or ActiveCampaign. High-deliverability transactional and cold outbound sending typically runs on infrastructure like Resend or Amazon SES with proper authentication. We assess your business model in the free audit and recommend the platform that fits.
Adding correct SPF, DKIM, and DMARC records typically takes a few hours once we have DNS access. Moving from a monitoring-only DMARC policy to full enforcement safely takes 2 to 6 weeks, since legitimate sending sources need to be reviewed in DMARC reports before enforcement blocks anything outright. Sender reputation recovery on a previously damaged domain can take longer, often 4 to 8 weeks of consistent, well-authenticated sending.
Yes. We handle the full authentication stack: SPF record configuration, DKIM key generation and DNS publishing, DMARC policy setup with a staged rollout from monitoring to enforcement, and BIMI where supported. This is typically the first thing we fix before any email marketing or cold outreach campaign goes live.
Get a free audit covering SPF, DKIM, DMARC, BIMI, blacklist status, and sender reputation. No commitment, no sales pitch, just a clear picture of what is broken and what to fix first.