Email authentication for portfolio entrepreneurs

Several companies. Several reputations.
One place to defend them.

Running two to five companies means two to five sending domains, each with its own reputation and its own exposure to spoofing — and no single place to watch them. Folio isolates each company's DKIM key and SES reputation, then reads every domain's DMARC reports into one portfolio pass-rate view: who's passing, who's forging your From line, and exactly when each domain is safe to tighten to p=reject.

You run two to five operating companies — a consulting practice, a product, a holding entity, a side experiment. Each sends from its own domain, and each domain carries its own sending reputation that you alone are responsible for. The trouble is that authentication is invisible until it breaks: a domain that's being spoofed, or one that's quietly landing in spam, looks exactly like a domain that's fine. You only find out when an invoice goes unanswered.

Folio is bring-your-own-domain email for that operator. Point each company's MX at Folio; every domain gets its own signing key and its own reputation, and every domain's DMARC reports roll into a single pass-rate view — so you can see all of them at once, instead of none of them ever.

Updated 22 June 2026 (2026-06-22)

I · The problem with several reputations

Five domains, five blind spots.

One company is a deliverability problem you can just about hold in your head. Five is not. Each one publishes its own SPF and DKIM records, each one earns or loses its own standing with Gmail and Outlook, and each one is a separate target for anyone who wants to put your From line on mail you never wrote. Five domains means five authentication postures to keep aligned and five reputations to defend — with attention divided five ways.

The tooling assumes you have one. A single Workspace admin console shows one domain's story. Run several brands and that's several consoles, several logins, several places you'd have to remember to check — which means, in practice, you check none of them. The spoofing of the dormant holding domain, the studio that slipped to p=none and stayed there, the product domain that's been landing in spam for a month: each is legible somewhere, and visible nowhere.

The reports that would tell you all exist. DMARC aggregate feedback arrives daily, per provider, per domain — as raw XML nobody opens. For a one-person portfolio that's a dozen unreadable attachments a day, and so the one question that matters for each company — can the world still spoof me, and is my real mail getting through? — goes permanently unanswered.

Running five companies doesn't mean five times the spoofing risk. It means five times the surface and one set of eyes — which is worse.

II · A morning across the portfolio

Four letters, four reputations, one operator.

Not a screenshot — a live render in the same editorial design system the app uses. Each row's stripe is the domain the letter was sent to. Hover (or read quickly, by eye): which self is each one addressed to?

III · How the portfolio gets legible

Every company's authentication, in one column.

Bind each company's domain to Folio and point its MX at us. From that moment each domain is isolated — its own signing key, its own reputation — and every domain's DMARC reports roll into a single rollup. One pass rate for the whole house, and a count of the brands that need a look this morning.

  • Each company signs with its own key. Every bound domain gets its own RSA-2048 DKIM key, its own SPF record, and its own SES sending reputation. A bounce storm on the experiment never bleeds onto the practice; the studio's standing is the studio's alone.
  • One pass-rate view over the whole portfolio. The Deliverability dashboard reads each domain's DMARC aggregate (rua) reports and rolls them into a single column: total domains, messages across the window, a portfolio pass rate, and how many domains need attention. No XML, no per-brand logins.
  • Forger vs. real sender, named per domain. For each company the failing sources are spelled out — a forger using your From line reads differently from a real sender you forgot to authorize — so you know whether the answer is to reject or to fix an SPF include.
  • Spoofed inbound caught at the door. Mail failing authentication on the way in is filed to Spam on arrival, every check explained plainly. Missing or temperror auth fails open, so a real sender's outage never silently buries a real letter.

IV · The pieces under the hood

Per-domain isolation, then one view on top.

A portfolio operator needs each company walled off from the others, and a single pane to watch them all. These are the pieces that deliver both — each visible from the domains page, each auditable from your own DNS.

Per-domain DKIM & SPF
Each bound domain gets its own RSA-2048 DKIM key (per RFC 6376), its own SPF record (per RFC 7208), and its own SES sending reputation. Reply-From is selected automatically per domain — the address a letter arrived at is the address the reply leaves from.
Portfolio DMARC rollup
The Deliverability dashboard reads DMARC aggregate (rua) reports per domain (per RFC 7489) and presents a portfolio pass-rate rollup: per domain, the messages seen, passed, and failed, plus the policy you've published.
Named failing sources
For every domain, the IPs sending as you that don't pass are listed and classified — a forger on your From line versus an unauthorized real sender — so the remedy is obvious: reject the one, authorize the other.
Guided policy ladder
The dashboard walks each domain p=none → p=quarantine → p=reject, marking a domain clean only once a window proves your real mail aligns — so you tighten without bouncing your own newsletter.
Inbound anti-spoofing
On arrival, mail failing authentication is filed to Spam and the reason explained in plain language (changelog No. 011). Missing or temperror auth fails open, never silently dropped.
Reputation is not identity
A domain with a clean pass rate is a domain whose real mail authenticates — not a guarantee that any single message is genuine. Folio never shows a 'trusted' badge that claims to prove authenticity; the dashboard reports what the reports say, no more.
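
An added example, not Folio's code: one way to turn the DMARC aggregate reports described above into per-domain tallies, labelled failing sources and a portfolio rollup. The `known_senders` list, the label names and the "attention" rule are assumptions; the page does not say how Folio classifies sources.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 aggregate layout (not real data).
SAMPLE = """<feedback>
  <policy_published><domain>studio.example</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>6</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>4</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text, known_senders=()):
    """Tally one report. known_senders: operator-kept CIDR list (assumption)."""
    # Reports come from third parties, so refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations refused in untrusted report")
    root = ET.fromstring(xml_text)
    nets = [ipaddress.ip_network(n) for n in known_senders]
    out = {"domain": root.findtext("policy_published/domain"),
           "policy": root.findtext("policy_published/p"),
           "seen": 0, "passed": 0, "failing": {}}
    for row in root.iter("row"):
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        out["seen"] += count
        # DMARC passes when either aligned mechanism (DKIM or SPF) passes.
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            out["passed"] += count
        else:
            known = any(ipaddress.ip_address(ip) in n for n in nets)
            kind = "unauthorized_sender" if known else "suspected_forger"
            out["failing"][ip] = (kind, out["failing"].get(ip, (kind, 0))[1] + count)
    return out

def only_forgers_fail(report):
    """True when no failing source is one of the operator's own senders."""
    return report["seen"] > 0 and all(
        kind == "suspected_forger" for kind, _ in report["failing"].values())

def rollup(reports):
    """Portfolio view; 'attention' = not at p=reject or own sender failing (assumption)."""
    seen, passed = (sum(r[k] for r in reports) for k in ("seen", "passed"))
    attention = [r["domain"] for r in reports
                 if r["policy"] != "reject" or not only_forgers_fail(r)]
    return {"domains": len(reports), "messages": seen, "attention": attention,
            "pass_rate": passed / seen if seen else None}
```

A legitimate sender missing from `known_senders` is labelled `suspected_forger`, so the list has to be complete before `only_forgers_fail` is used as a signal to tighten policy.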

V · Common questions

Questions readers ask.

How do I authenticate email for several company domains at once?

Bind each company's domain to Folio and point its MX at us. Every bound domain automatically receives its own RSA-2048 DKIM key (per RFC 6376) and its own SPF record (per RFC 7208), and is provisioned as a separate sending identity in Amazon SES. You publish the records Folio shows you per domain; from there each company is authenticated and isolated, and all of them report into one dashboard.

Can I tell whether any of my companies is being spoofed?

Yes — that's the core of the Deliverability dashboard. It reads each domain's DMARC aggregate (rua) reports and names the sources putting your From line on mail. A forger using your address reads differently from a real sender you simply forgot to authorize, and the dashboard labels which is which, per domain, so you can see spoofing across the whole portfolio in one place rather than checking each brand separately.

How do I diagnose why one company's mail is landing in spam?

Open that domain's row in the Deliverability dashboard. It shows messages seen, passed, and failed, the policy you've published, and the specific sources failing alignment. A real sender you forgot to authorize (fix the SPF include) looks different from a forger (tighten the policy). The diagnosis is usually a misaligned legitimate sender or a policy still stuck at p=none — both visible at a glance.

When is it safe to move a domain to p=reject?

When a domain has passed DMARC on effectively every reported message across a clean window, and the only remaining failures are forgers rather than your own misconfigured senders. Folio guides each domain up the ladder — p=none to collect data, then p=quarantine, then p=reject (per RFC 7489) — and marks a domain clean only once real mail proves it aligns, so the only thing you start rejecting is the forgeries.

Does each company get its own sending reputation, or do they share one?

Each company gets its own. Every bound domain has a distinct DKIM key and is a separate sending identity in Amazon SES, so a bounce storm or a complaint spike on one domain doesn't drag down deliverability on the others. The studio's reputation is the studio's; the holdco's is the holdco's. That isolation is the whole point of running them through one operator-priced account instead of one shared identity.

Does a clean pass rate prove a given message is genuine?

No, and Folio won't claim it does. A clean pass rate means your domain's real mail authenticates and forgeries are being caught — it's a statement about the domain's health, not a per-message guarantee of authenticity. There is no 'trusted' badge that certifies any single letter is real. Reputation tells you the world can no longer easily spoof you; it is not proof of identity, and the dashboard is careful to say so.

Open the first letter

See all five reputations at once.

Start free — no card. Your first domain is free and the first 100 sends are on us; bind a company, publish one rua= line, and watch the reports you were never reading turn into one answer. Add the rest of the portfolio when you want them: Solo covers up to 3 domains, Studio up to 10, Holding Co. unlimited. If it isn't the shape you need, walk away — nothing was billed.
