There’s something I took a while to admit out loud.
For months we were sending emails to prospects, following up with clients, wondering why the response rate felt off. Not terrible. Just… off. Like talking to a room where some people hear you and others don’t, and you don’t know which is which.
It wasn’t the message. It wasn’t the offer. It was our domain.
Specifically, it was a combination of things nobody had explained to us as business owners. Not the web developer. Not the email provider. Nobody. Terms like DMARC, DKIM, A2P 10DLC, HSTS, Content Security Policy. Words that sound like server-room jargon, not a conversation between two people trying to grow a real business. What I know now is this: domain compliance isn’t an IT problem. It’s a business problem. And it hits you where it hurts — in the wallet, in the reputation, and in the relationship with the clients you worked so hard to get.
This article is the conversation I wish I’d had three years ago.
In Summary
Domain compliance covers 4 areas every business must get right: web security (SSL, HSTS, security headers), email authentication (SPF, DKIM, DMARC), legal policy pages (Privacy, Terms, CCPA/GDPR disclosures), and A2P 10DLC compliance for text messages. Most companies fail in at least two without knowing it. Consequences: emails landing in spam, texts blocked by carriers, legal exposure from missing policies. Check the 4 issues at the link at the end.
What “Domain Compliance” Means Without the Technical Jargon
Domain compliance is shorthand for: your domain does what it promises to do, securely, and the systems evaluating it — Google, Gmail, Outlook, phone carriers, browsers — trust it.
When your domain complies, the emails you send land in the inbox. The text messages you send don’t get blocked. Clients visiting your site see a green padlock, not a red warning. Lawyers don’t send you letters because your privacy policy doesn’t exist. It’s invisible when it works. It’s devastating when it doesn’t.
The problem is that “compliance” sounds boring and technical. It sounds like something the developer should have handled. But they didn’t — because every piece of the puzzle lives with a different provider (hosting, domain, email, SMS, legal) and nobody owns the full picture. That responsibility is yours. And this article gives you the map.
The 4 Areas Where Your Domain May Be Failing
Problem 1 — Web Security: When “We Have SSL” Isn’t Enough
Most business owners believe that if their site has the green padlock, they’re covered. SSL exists. The browser is happy. End of story. That was true ten years ago. Today it’s the floor — not the ceiling. A site with only SSL has a front wall, but the windows are wide open. Modern browsers and search engines evaluate four additional layers:
HSTS (HTTP Strict Transport Security). Tells the browser: “always connect to this site via HTTPS, never HTTP, for the next 365 days.” Without HSTS, an attacker can intercept a user’s first visit and redirect them to a fake version before SSL kicks in. With HSTS, that attack window disappears.
Security headers. X-Frame-Options (prevents your site from being embedded in another site for clickjacking attacks), X-Content-Type-Options (stops browsers from guessing a file’s content type, so a file is never treated as something it isn’t), Content Security Policy (controls where your site can load scripts from). Three lines of server configuration. Most sites don’t have them.
DNSSEC. Authentication of your domain’s DNS. Without DNSSEC, an attacker can falsify DNS responses and redirect your traffic to a malicious server without anyone noticing. It’s like having your home address in the directory but with no guarantee the directory wasn’t tampered with.
Cross-Origin headers. COOP, COEP, CORP. Control how other sites can interact with yours. Especially relevant if you use integrations with other services, iframes, or process payments. Modern browsers are starting to penalize sites without this configuration.
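The four layers above are easy to check once you have a site’s response headers in hand. The following is an added example, not code from the article or from Hub365: it grades a constructed set of HTTP response headers the way a securityheaders.com-style check would, using the one-year HSTS lifetime the article mentions as the bar. The recommended header values and the letter-grade scale are the example’s own choices, and the two header sets (an “SSL only” site and the same site hardened) are constructed for illustration.

```python
"""Added example: offline grading of a site's HTTP security headers."""
import re

# One year in seconds, the HSTS lifetime the article describes.
ONE_YEAR = 365 * 24 * 3600

# Headers the article lists, with values a hardened site typically sends.
# These recommended values are this example's choices, not the article's.
RECOMMENDED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "content-security-policy": "default-src 'self'",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-embedder-policy": "require-corp",
    "cross-origin-resource-policy": "same-origin",
}


def _normalize(headers):
    """Header names are case-insensitive; compare them in lower case."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_security_headers(headers):
    """Return a list of findings (strings); an empty list means nothing to fix."""
    h = _normalize(headers)
    findings = []

    # 1. HSTS: present, at least one year long, covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS does not cover subdomains")

    # 2. Clickjacking: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors rule.
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    # 3. MIME sniffing: the only valid value is 'nosniff'.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # 4. CSP: present and not trivially permissive for scripts.
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "unsafe-inline" in csp or re.search(r"(default|script)-src[^;]*\*", csp):
        findings.append("Content-Security-Policy allows inline or wildcard scripts")

    # 5. Cross-origin isolation headers (COOP, COEP, CORP).
    for name in ("cross-origin-opener-policy", "cross-origin-embedder-policy",
                 "cross-origin-resource-policy"):
        if name not in h:
            findings.append(f"missing {name}")
    return findings


def grade(headers):
    """Map the number of findings onto a letter grade (this example's own scale)."""
    n = len(check_security_headers(headers))
    return "A" if n == 0 else "B" if n <= 2 else "C" if n <= 4 else "F"


def missing_config_lines(headers):
    """Server-agnostic 'Name: value' lines for every recommended header that is absent."""
    h = _normalize(headers)
    return [f"{name}: {value}" for name, value in RECOMMENDED.items() if name not in h]


# Constructed sample: a site that "has SSL" and nothing else.
SSL_ONLY = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
}

# Constructed sample: the same site after adding the headers the article lists.
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("SSL only", SSL_ONLY), ("hardened", HARDENED)):
        print(f"{label}: grade {grade(hdrs)}")
        for finding in check_security_headers(hdrs):
            print("  -", finding)
        for line in missing_config_lines(hdrs):
            print("  add:", line)
```

Feed it the headers from your own site (a browser’s network tab or any HTTP client will show them) and the “add:” lines are the configuration to hand to whoever manages the server.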
Problem 2 — Email Authentication: Your Domain Is Being Spoofed Right Now
This is the most expensive problem and the most invisible. If your domain doesn’t have SPF, DKIM and DMARC configured correctly, two things are happening — both bad.
First: your legitimate emails are landing in spam. Google and Microsoft, since February 2024, are rejecting bulk mail from domains without proper authentication. They’re not marking them as spam — they’re outright rejecting them. Your prospect doesn’t know you wrote them. Your client doesn’t receive the invoice. Your follow-up sequence never leaves your server.
Second, and worse: someone else is using your domain to scam your own clients. Email spoofing doesn’t require access to your server — it only requires that you haven’t publicly declared (via DMARC) which servers are authorized to send mail on your behalf. Without that declaration, anyone can write an email that appears to come from you@yourdomain.com and send it to your clients. Phishing, impersonation, fraud. Your client opens the email because it looks legitimate. You absorb all the damage.
SPF, DKIM and DMARC are three pieces of the same puzzle. SPF declares which servers can send email from your domain. DKIM cryptographically signs every outgoing email so the recipient can verify it wasn’t altered. DMARC is the policy telling the receiving server what to do when SPF or DKIM fail — reject, mark as spam, or just report.
The most common mistake isn’t not having them. It’s having them misconfigured. SPF with ~all instead of -all. DKIM with a key that was rotated two years ago. DMARC permanently stuck on p=none, which is equivalent to not having it. Each of these small errors leaves a crack open. The sum of the cracks is your deliverability falling 30-40% with nobody knowing why.
Configuration takes between 30 minutes and 2 hours depending on the provider. Cost is zero. The difference in deliverability is measurable from the first week.
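The misconfigurations listed above (~all instead of -all, a stale or empty DKIM key, DMARC stuck on p=none) all show up in the DNS TXT records themselves, so they can be linted before a single email is sent. The following is an added example, not code from the article or from Hub365: it parses SPF, DKIM and DMARC records and reports those mistakes, plus the 10-lookup limit that SPF imposes. It also goes beyond the article by flagging a DMARC record without a reporting address and an SPF record whose top-level terms already exceed the lookup limit. The records, domain names and addresses are constructed placeholders, and the DKIM key-length check is a size heuristic on the decoded key, not a real key parse.

```python
"""Added example: offline linting of SPF, DKIM and DMARC TXT records."""
import base64
import re

SPF_LOOKUP_LIMIT = 10  # RFC 7208: at most 10 DNS-querying terms per evaluation


def _tags(record):
    """Split a 'k=v; k=v' record (DKIM/DMARC style) into a dict of lower-cased tags."""
    out = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            out[key.strip().lower()] = value.strip()
    return out


def check_spf(record):
    """Findings for one SPF record; lookup counting covers top-level terms only."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders pass by default")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier == "~":
            findings.append("~all (softfail) lets spoofed mail through as 'suspicious'; use -all")
        elif qualifier == "+":
            findings.append("+all authorises every server on the internet")
        elif qualifier == "?":
            findings.append("?all (neutral) is treated like having no SPF policy")
    # Terms that cost a DNS lookup; nested include: chains add more, so this is a lower bound.
    lookups = sum(1 for t in terms[1:]
                  if re.match(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:)|^redirect=", t, re.I))
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}: SPF permerror")
    return findings


def check_dkim(record):
    """Findings for a DKIM selector record (v=DKIM1; k=rsa; p=<base64 key>)."""
    tags = _tags(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("unexpected DKIM version tag")
    key = tags.get("p")
    if key is None:
        return findings + ["missing p= tag: no public key published"]
    if key == "":
        return findings + ["empty p= tag: key revoked, every signature will fail"]
    try:
        der = base64.b64decode(key, validate=True)
    except ValueError:
        return findings + ["p= is not valid base64"]
    # Heuristic: a 2048-bit RSA public key encodes to ~294 bytes, a 1024-bit one to ~162.
    if tags.get("k", "rsa").lower() == "rsa" and len(der) < 250:
        findings.append("RSA key looks shorter than 2048 bits; rotate to a 2048-bit key")
    return findings


def check_dmarc(record):
    """Findings for a DMARC record (v=DMARC1; p=...; rua=...; pct=...)."""
    tags = _tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing p= tag: record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct") or "100")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports showing who is spoofing you")
    if policy == "reject" and tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


def audit(records):
    """records: {'spf': ..., 'dkim': ..., 'dmarc': ...} -> {area: [findings]}."""
    return {
        "spf": check_spf(records.get("spf", "")),
        "dkim": check_dkim(records.get("dkim", "")),
        "dmarc": check_dmarc(records.get("dmarc", "")),
    }


# Constructed records for an imaginary domain; include targets and addresses are placeholders.
WEAK = {
    "spf": "v=spf1 include:spf.mailer.example include:spf.crm.example ~all",
    "dkim": "v=DKIM1; k=rsa; p=",
    "dmarc": "v=DMARC1; p=none",
}
FAKE_2048_BIT_KEY = base64.b64encode(b"\x30" * 294).decode()  # stands in for a real DER key
STRONG = {
    "spf": "v=spf1 include:spf.mailer.example -all",
    "dkim": "v=DKIM1; k=rsa; p=" + FAKE_2048_BIT_KEY,
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit(recs))
```

The three records for a real domain are the TXT values at the domain apex (SPF), at `<selector>._domainkey.<domain>` (DKIM) and at `_dmarc.<domain>` (DMARC); paste them into `audit` and fix what it lists before moving DMARC from `p=none` to `p=quarantine` or `p=reject`.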
Problem 3 — Legal Policies: The Pages Nobody Reads Until You Need a Lawyer
The Privacy Policy, the Terms of Service, the cookie notice, the CCPA and GDPR disclosures. They’re the least-visited pages on your site. And they cause the most damage when missing — or when poorly drafted.
The important shift of the last two years: privacy laws are no longer just European (GDPR) or Californian (CCPA). Texas, Colorado, Virginia, Utah, Connecticut, Montana, Tennessee, Indiana and Oregon have passed similar laws. Each with its own requirements. If your site receives visitors from any of those states — and every site does — they apply.
What most generic policies downloaded from online templates don’t cover: specific disclosures about AI use (mandatory in several states since 2025), biometric data processing, data transfer to named third parties, data deletion request processes, explicit retention of minors’ data. A privacy policy that says “we use Google Analytics” without naming the specific third parties and their purposes doesn’t comply with CCPA. A policy without a visible opt-out mechanism doesn’t comply with any of the recent state laws.
The cost of non-compliance isn’t theoretical. CCPA fines can reach $7,500 per intentional violation, and “intentional” includes “should have known.” Private class-action lawsuits (allowed under CCPA) are a growing industry — there are law firms automatically scanning sites looking for missing or incomplete policies.
Naty: The hardest thing to explain to clients is that “I have a privacy policy” doesn’t mean “I’m protected.” The policy has to be updated with current laws, has to reflect what you actually do with data, and has to be accessible from every page of the site.
Todd: And there’s a technical trap. Many policies were generated by a plugin two years ago, then the owner changed the tech stack — added a CRM, a chatbot, an ad pixel, an AI integration — and the policy was never updated. Technically the original policy is lying about what the site does. That’s worse than having no policy.
Naty: The “plugin syndrome.” Exactly. And it happens more with CRM integrations because the CRM touches every piece of business data. If the client doesn’t know their data goes to a CRM, to an email marketing service, to an AI provider — and the policy doesn’t declare it — there’s legal exposure from day one.
Todd: The simple rule is: every time you add a new tool to the stack, the privacy policy and terms get reviewed. Every time. Without exception. And a mechanism exists for users to request deletion of their data — not just in the policy, but functionally implemented in the backend.
Want to know how many of the 4 problems are failing in your domain?
Free 10-minute audit covering SSL, SPF, DKIM, DMARC, legal policies and A2P 10DLC status. Clear report, no jargon, with what to fix first.
Problem 4 — A2P 10DLC: Why Your Text Messages Are Getting Blocked
A2P 10DLC is the ugliest acronym on this list — and probably the one that affects small businesses most when they depend on SMS for appointment confirmations, reminders, or follow-up.
A2P stands for “Application-to-Person” — any SMS sent from an automated system to a phone number. 10DLC stands for “10-Digit Long Code” — the standard 10-digit local number format most businesses use. Since 2023, US phone carriers (AT&T, Verizon, T-Mobile) require every company to register its brand and SMS campaigns with a central organization (The Campaign Registry) before they can send commercial messages.
If you’re not registered, one of two things happens. Best case: 20-40% of your messages are delivered with considerable delay, and the rest are simply lost without notification. Worst case: your number is suspended and your SMS provider charges you fines for every non-compliant send attempt. All of this without the business owner knowing, because the messages “were sent” from the dashboard — they just never arrived.
A2P 10DLC registration has two parts: registering your brand (Brand Registration — one time) and registering each message campaign (Campaign Registration — one per message type: reminders, marketing, transactional notifications). The cost is low (~$4 brand setup + $10-15/month per campaign) but the process can take 2-3 weeks and requires specific documentation. Most businesses discover they need this only when their messages start failing en masse.
When we started implementing automated follow-up systems for clients, A2P 10DLC wasn’t on my radar. Six months in, we started seeing a pattern: clients reporting “the SMS aren’t landing well” while our dashboard said 100% delivered. The problem wasn’t our systems. It was that their domains weren’t registered with the carriers, and the carriers were silently blocking between 30% and 50% of messages.
Today, A2P 10DLC registration is part of mandatory onboarding before activating any SMS sequence. Non-negotiable. And I say this from experience: a single client who discovers their appointment reminders never reached their patients for three months can end the relationship in one email. Compliance isn’t optional when your reputation depends on messages arriving.
How to Run Your Own Domain Compliance Audit Right Now
You don’t need to be technical to do an initial review. Here are the steps any business owner can follow in 20 minutes to identify where the main problem is:
Step 1 — Web security review (5 min). Go to securityheaders.com and enter your domain. It’ll give you a grade from A+ to F based on configured security headers. If you score C or lower, you have work to do. Also try hstspreload.org to check if your domain is on the HSTS preload list.
Step 2 — Email authentication review (5 min). Go to mxtoolbox.com and look up your domain with the SPF, DKIM and DMARC tools. Each must show a valid record. If any say “not found” or show errors, there’s an active problem. Also check your score on mail-tester.com by sending a test email — anything below 9/10 needs attention.
Step 3 — Legal policy review (5 min). Visit your own site and verify you have: Privacy Policy (accessible from footer), Terms of Service, cookie notice (if you use non-essential cookies), and a contact mechanism for privacy requests. Read the Privacy Policy. Does it mention every tool you use (Google Analytics, Meta Pixel, CRM, email marketing, AI)? If not, it’s outdated.
Step 4 — A2P 10DLC review (5 min). If you send automated SMS from your CRM or marketing platform, contact your SMS provider and specifically ask: “Is my brand registered with The Campaign Registry? Which campaigns do I have approved?” If your provider can’t answer this in minutes, you’re probably not registered — and that explains why some messages don’t arrive.
Frequently Asked Questions: Domain Compliance
Some pieces yes (SSL, web security headers), others no (email authentication depends on the email provider, A2P 10DLC on the SMS provider, legal policies are business content). The common problem is each piece lives in a different system and nobody owns the full picture. That's why it helps to have an audit that reviews all four areas together.
Most configurations are free or low cost. Web security headers are server configuration — zero cost. SPF, DKIM and DMARC come with your email provider. Legal policies require a one-time legal review ($300-$1,500 depending on complexity). A2P 10DLC costs ~$4 setup and $10-15/month per active campaign. The real cost isn't configuration — it's the time to do it correctly, which can be 4-8 hours of specialized work.
The consequences are cumulative and silent. Legitimate emails landing in spam reduces your response rate 20-40%. Blocked SMS means missed appointments and clients thinking you don't follow up. Missing legal policies expand your risk of class-action lawsuits and regulatory fines. None of these problems warn you — you just see the symptoms: fewer responses, fewer conversions, and eventually, a letter from a lawyer.
Full review annually at minimum. Spot review every time you add a new tool to the stack (CRM, email platform, chatbot, AI integration, new plugin). Privacy laws are changing quarterly in the United States, and email authentication rules changed significantly in February 2024 with Google and Yahoo's new policies. What complied a year ago may not comply today.
Yes. As part of Hub365 CRM onboarding, we review all four compliance areas and configure what's within our scope: email authentication, web security headers, A2P 10DLC integration with the SMS provider, and a base template of legal policies the client can adapt with legal counsel. For Growth Partner Program clients, continuous compliance monitoring is included.
Compliance is silent until it costs you clients. The audit takes 10 minutes.
Request your free domain compliance audit — we review the 4 areas (web security, email authentication, legal policies, A2P 10DLC) and deliver a clear report with what to fix first. Or talk directly with Todd and Naty to review it together.
Naty Ross is Co-Founder of Hub365.AI, a bilingual digital marketing agency based in Fort Lauderdale, FL. Todd Ross is Co-Founder and leads the technical implementation of domain infrastructure and compliance for Hub365 CRM clients.