AdvancedOperations · 7 min read

Subdomain strategy — isolate your reputations

Marketing should not poison receipts. Mass campaigns should not poison password resets. The cheapest insurance is a sending subdomain per traffic class.

A reputation incident on one mail stream can drag down the others. A high-volume marketing campaign that misfires can park your password resets in spam for weeks. The fix is to isolate streams onto sending subdomains so each builds and loses reputation independently.

A typical split

receipts.acme.dev — transactional. Highest engagement, lowest complaint rate. Sacred ground.
mail.acme.dev — bulk marketing. Higher complaint rate is acceptable.
updates.acme.dev — product announcements, lifecycle. Mid-volume, mid-engagement.
support.acme.dev — inbound + reply-handling. Different DNS, different MX.

Each subdomain gets

Its own SPF record (or shared via DMARC inheritance).
Its own DKIM keys (separate selectors).
Its own DMARC policy (typically inherits from parent unless overridden).
Its own dedicated IP (Pro Max), warmed independently.
Its own reputation curve, tracked separately in Postmaster Tools.

Why this works

Receivers score reputation per (IP, domain) pair. Splitting domains means a complaint storm on mail.acme.dev does not bleed onto receipts.acme.dev — they are different scoring buckets.

Click-tracking subdomain

A separate links.acme.dev for click-tracking URLs keeps the tracker domain off the spam-feedback path. If a recipient clicks a URL and then hits a malware filter on the tracking redirector, the bad reputation pings the tracker domain, not your sending domain.

Set up subdomain isolation early — before the first incident. It costs nothing on day zero and is painful to retrofit on day 200.

In VoltMail: every subdomain you verify gets its own DKIM selectors, dedicated IP options, and reputation tracking. Send by setting from = noreply@receipts.acme.dev — we route it to the right pool automatically.