The three-layer model
Every piece of infrastructure in TenantCore sits inside one of three layers:Tenants
A Microsoft 365 tenant is the top-level container for your Microsoft infrastructure. It holds your users, domains, mailboxes, and Exchange Online configuration. In TenantCore’s model, one tenant maps to one client. If you run an agency with five clients, you should have five tenants — one per client.Why tenant isolation matters
Microsoft’s abuse detection operates at the tenant level. If a tenant is flagged for spam or policy violations, all domains and mailboxes on that tenant are exposed to suspension. Isolating clients means a deliverability problem for one client cannot cascade to another.Shared tenant approach
Some operators and agencies do run multiple clients on a single tenant. This is not inherently wrong, but it shifts the responsibility for tenant health entirely onto you. When multiple clients share a tenant, the combined sending volume of all mailboxes across all clients counts against a single TERRL. A single client sending aggressively can push the entire tenant toward Microsoft’s enforcement threshold and affect every other client on it. If you are running a shared tenant, enforcing strict send limits on every mailbox through TenantCore is not optional — it is the only thing standing between your full client roster and a tenant-wide suspension. See Send Limits and Understanding TERRL for how enforcement works and where Microsoft’s thresholds sit.Domains
Each tenant can have up to 12 custom domains attached. TenantCore enforces this ceiling because the risk profile of a tenant grows with the number of domains — more domains means more surface area for abuse signals to accumulate.Domain reputation
Domains develop their own sending reputation independently of each other, even on the same tenant. Adding 12 domains and ramping them simultaneously is a fast way to get all 12 flagged at once. Stagger domain activation and ramp each one individually.DNS requirements
Every domain attached to a tenant must have valid DNS records before mailboxes can send. TenantCore generates the required records — MX, SPF, DKIM, and DMARC — but you are responsible for adding them to your registrar. See DNS Setup for a full breakdown of each record type.Mailboxes
Each domain supports up to 3 mailboxes. This is the most important limit in the model.Why 3 mailboxes per domain
Industry configurations that put 10, 20, or 100 mailboxes on a single domain treat the domain as an unlimited resource. It isn’t. Microsoft and receiving mail servers evaluate the volume of mail originating from a domain relative to its age and reputation. High mailbox density on a new domain is a strong spam signal. 3 mailboxes per domain keeps volume proportional to what a legitimate business would send from a given domain.Shared mailboxes
TenantCore provisions all mailboxes as shared mailboxes in Exchange Online. This is a Microsoft term that is commonly misunderstood — it does not mean mailboxes that are shared between clients or users. In Microsoft’s Exchange ecosystem, a shared mailbox is a specific mailbox type that has no direct license assigned to it but retains full SMTP send and receive capability. It functions identically to a regular mailbox from a sending perspective — it has an email address, sends authenticated mail, and appears as a normal sender to receiving mail servers. They are a standard, officially supported Exchange Online feature used widely across organizations for roles like info@, support@, or sales@ addresses.For the official Microsoft definition, see Shared mailboxes in Exchange Online.
Licensing for shared mailboxes
TenantCore requires 1 Exchange Online license per tenant. That single license covers the entire tenant and all shared mailboxes provisioned on it, up to TenantCore’s ceiling of 36 mailboxes (12 domains × 3 mailboxes). The minimum viable license is either:- Exchange Online Plan 1 (~$4/month)
- Microsoft 365 Business Basic(no teams) (~$6/month )