Mobile Locker Email Sending Options
Understanding Email Infrastructure for Your Organization
Table of Contents
- Overview
- How Mobile Locker Sends Email
- Option A: Subdomain Delegation
- Option B: Corporate Email via Microsoft 365
- Comparison: Both Options
- Common IT Questions About Subdomains
- How Email Subdomain Reputation Works
- DNS Records Required for Option A
- Mailgun's Official Recommendation
- References
Overview
When a rep sends an email through Mobile Locker, it must be delivered through an email infrastructure provider — not through your company's Microsoft 365 or Google Workspace account directly. Mobile Locker offers two ways to handle this, depending on your organization's IT requirements and budget.
Option A — Subdomain Delegation is the standard approach. Your IT department creates a subdomain of your corporate domain (e.g., ml.company.com ) and delegates it to Mobile Locker. Emails are sent from that subdomain with the rep's real address set as the Reply-To.
Option B — Corporate Email via Microsoft 365 is the premium approach. Mobile Locker connects to each rep's Microsoft 365 account via OAuth and sends email directly through it. Emails come from rep@company.com — no subdomain needed.
Both options are in production use today across Mobile Locker's customer base.
How Mobile Locker Sends Email
Regardless of which option you choose, Mobile Locker's goal is to make emails appear to come directly from your rep.
With Option A (subdomains):
- Email is sent FROM the rep's address on a Mobile Locker subdomain:
john.doe@ml.company.com - REPLY-TO is set to the rep's real corporate address:
john.doe@company.com - When a recipient hits Reply, their email client sends the reply to
john.doe@company.com— the rep's real inbox - Mobile Locker does not intercept or process replies
With Option B (Corporate Email):
- Email is sent FROM the rep's real corporate address:
john.doe@company.com - Delivered through Microsoft 365 infrastructure
- The email appears in the rep's Outlook Sent folder
- No subdomain is involved
Why two systems can't share the same domain:
Microsoft 365 and Mobile Locker cannot both send authenticated email from company.com simultaneously — they would conflict with each other's DNS authentication records (SPF, DKIM). The subdomain approach resolves this by giving Mobile Locker its own dedicated sending lane, while corporate email continues flowing through Microsoft 365 on the main domain.
Option A: Subdomain Delegation
With this option, your IT department creates one subdomain per Mobile Locker team and delegates it to Mailgun, Mobile Locker's email infrastructure provider.
Example:
| Team | Sending Domain |
|---|---|
| Sales | sales.company.com |
| Marketing | marketing.company.com |
| Medical | med.company.com |
Each subdomain is independent — it has its own reputation, its own DNS records, and no connection to the others or to the main domain.
Mobile Locker will provide all the necessary DNS records. IT typically needs to add 4–5 records per subdomain. These records have no effect on company.com or on Microsoft 365 configuration.
Cost: Included in standard Mobile Locker pricing.
Option B: Corporate Email via Microsoft 365
With this option, Mobile Locker sends an email directly through each rep's Microsoft 365 account using Nylas, a certified Microsoft partner. No subdomains or DNS changes are required.
How setup works:
Each rep completes a one-time OAuth authorization — a standard Microsoft login flow that grants Mobile Locker permission to send on their behalf. This is the same mechanism used by other Microsoft 365 integrations (such as Salesforce, HubSpot, etc.). IT involvement is minimal.
What reps experience:
- Emails are sent from their real
rep@company.comaddress - Every email sent through Mobile Locker appears in their Outlook Sent folder
- Replies arrive in their normal inbox
Why this delivers the best results:
Emails sent through the Microsoft 365 infrastructure carry the full trust and reputation of your corporate domain. At large organizations with strict inbound email security (Microsoft Defender, Proofpoint, Mimecast, etc.), emails arriving from a familiar corporate domain are significantly more likely to reach the inbox than emails from a subdomain.
Cost: Approximately $5 per user per month above standard Mobile Locker pricing.
More information: mobilelocker.com/en/corporate-email
Security documentation: nylas.com/security
Comparison: Both Options
| Factor | Option A: Subdomain (ml.company.com ) |
Option B: Corporate Email (Nylas + M365) |
|---|---|---|
| Sending domain | ✅ rep@ml.company.com |
rep@company.com |
| Recipient recognition | ✅ Clearly, your company | ✅ Exactly your company |
| Deliverability at large HCOs | ✅ Good - brand recognition | ✅ Best - M365 infrastructure |
| Rep's Outlook Sent folder | ❌ Not visible | ✅ Every email appears in the Sent folder |
| DNS changes required | ✅ Yes - 4-5 records per subdomain | ✅ None |
| IT setup effort | Low - one-time DNS configuration | Minimal - OAuth only |
| Risk to the main domain | ✅ None - subdomains are isolated | ✅ None - standard M365 sending |
| Follows Mailgun best practices | ✅ Yes - explicitly recommended | ✅ N/A - uses Microsoft infrastructure |
| Additional cost | None | ~$5 per user/month |
Common IT Questions About Subdomains
"Will a Mobile Locker subdomain affect the reputation of our main domain?"
No. This is the most common concern, and it is also the reason the industry recommends subdomains in the first place.
When Mobile Locker sends an email from ml.company.com , every major inbox provider (Gmail, Microsoft, Yahoo) evaluates that subdomain's reputation independently of company.com . The subdomain has its own SPF, DKIM, and DMARC records, completely separate from those on the main domain. Issues on the subdomain — high bounce rates, spam complaints, anything — are contained to the subdomain and do not affect company.com or Microsoft 365 deliverability.
This is not a Mobile Locker claim. It is the documented recommendation of Mailgun, Salesforce Marketing Cloud, and Microsoft, all of whom advise using subdomains specifically because they protect the parent domain.
"What if we already have strict DMARC policies on our main domain?"
Subdomain records are scoped to the subdomain and do not conflict with existing DMARC or SPF policies on the main domain. Mobile Locker's subdomain can also be configured to align with your organization's DMARC reporting if desired.
"Does a subdomain give Mobile Locker any access to our Microsoft 365 environment?"
No. DNS records are public infrastructure — adding them grants Mobile Locker permission to send from the subdomain, not any access to your Microsoft 365 environment, email accounts, or data.
How Email Subdomain Reputation Works
Email sender reputation is tracked at the domain level by inbox providers. When a message arrives at Gmail or Microsoft, the provider evaluates the sending domain's reputation from the authentication headers—not the parent domain.
Key technical facts:
- SPF, DKIM, and DMARC records are configured per domain. A subdomain like
ml.company.comhas its own records, completely separate from those on company.com. - Inbox providers (Gmail, Microsoft) maintain independent domain-level reputation scores.
ml.company.comis a different entity fromcompany.comin every major reputation database. - A subdomain with high bounce rates or spam complaints does not lower the parent domain's reputation.
- The strong reputation of
company.comprovides brand recognition and legitimacy to the subdomain — without transferring any reputation risk back.
Analogy: Think of it like a corporate subsidiary. ml.company.com is a department operating under your company's brand. If the department has a problem, the parent organization is not directly implicated. The department benefits from operating under your company's name but maintains its own independent accountability.
DNS Records Required for Option A
For each subdomain, the following DNS records are needed. Mobile Locker (via Mailgun) will supply the exact values:
# Authorizes Mailgun to send on behalf of the subdomain ml.company.com IN TXT "v=spf1 include:mailgun.org ~all" # Email signing key (Mailgun provides these values) mailo._domainkey.ml.company.com IN TXT "v=DKIM1; k=rsa; p=..." # Authentication reporting policy _dmarc.ml.company.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:..." # Inbound reply handling ml.company.com IN MX 10 mxa.mailgun.org ml.company.com IN MX 20 mxb.mailgun.org
These records have zero effect on company.com DNS. They are scoped entirely to the subdomain. Microsoft 365 configuration is unchanged.
Mailgun's Official Recommendation
Mailgun — the email infrastructure provider powering Mobile Locker — explicitly recommends that all customers use a subdomain when sending through their service:
We recommend all customers use a subdomain when sending through our service."
The reasons Mailgun gives:
- Reputation protection: The subdomain has its own reputation, isolating it from the parent domain.
- Segmentation: Different sending programs can use distinct subdomains to prevent issues in one program from affecting others.
- Deliverability: ISPs can evaluate the subdomain's sending patterns independently, improving inbox placement.
Reference: Mailgun: The Basics of Email Subdomains
References
- Nylas Security Documentation
- Mailgun: The Basics of Email Subdomains
- Mailgun: How Email Sender Reputation Impacts Inbox Placement
- Salesforce: Custom Domain or Subdomain Delegation in Marketing Cloud
- Microsoft: Email Authentication Best Practices
- Litmus: Everything You Need to Know About Email Subdomains
- ActiveCampaign: Subdomains and Deliverability