RFP Template + Scoring Rubric for Email & SMS Agency Procurement

Why most messaging RFPs fail (and how to fix yours)

Email/SMS procurement went wrong when we treated retention like a creative service. We asked for Dribbble shots and subject lines, not plumbing. The result: pretty decks, slow migrations, and KPIs that look busy while finance wonders where payback went. The fix is structural: write an RFP that evaluates systems—deliverability discipline, zero-downtime cutovers, incrementality you can show a CFO, and governance that prevents “we blasted the whole list because it was a big week.”

This guide is not a “tips & tricks” list. It’s an operator’s packet: a copy-ready RFP template, a weighted scoring rubric, interview scripts that smoke out red flags, and a pilot plan that forces reality in 45 days. Use it to select a partner who paints after the plumbing works.

The RFP template (copy/paste sections)

Below is a complete structure you can paste into your procurement doc or portal. Replace bracketed text. Keep the structure—even if you trim prose—because it maps to the scoring rubric and your IT/legal review.

1. Executive Summary

  • Context: Brief business overview, regions, brands, in-scope channels.
  • Objective: Select an agency to improve RPR, second-purchase rate, inbox placement/complaints, reduce discount reliance, and accelerate payback in 90 days.
  • Scope headline: Lifecycle (flows), campaigns, SMS, deliverability, migration (if any), experimentation, analytics, governance.
  • Timeline: RFP release, Q&A, demos, shortlisting, reference checks, award, 45-day pilot.

2. Current State & Stack

  • ESP/SMS/Push: <Klaviyo/Braze>, <Attentive/Postscript>, push <Y/N>
  • Commerce: Shopify (+ Markets), headless, subscriptions/loyalty systems
  • Data: warehouse/CDP (Snowflake/BigQuery/dbt? Reverse ETL Hightouch/Census?)
  • Regions/Languages: list locales; RTL needs
  • Deliverability posture: dedicated domain, DMARC, complaint trends

3. Business Outcomes & KPIs

  • Holdout-adjusted RPR (flows vs. campaigns), 30-day second-purchase rate, complaint/unsub by domain, discount reliance, payback.
  • Secondary: reorder interval, subscription save rate.
  • Reporting rhythm: weekly 10-minute readout; monthly retro with “what changed / learned / test next.”

4. Functional Requirements

4.1 Lifecycle & Campaigns: rebuild post-purchase & second-purchase flows (proof-first); orchestrate SMS as nudge; coverage grid by cohort.

4.2 Experimentation: message-level holdouts, uplift for incentives, bandits for framing; sample size & stopping rules.

4.3 Deliverability: dedicated domain + DMARC, engagement bands, sunset policy, complaint monitoring by domain, incident playbook.

4.4 Global: dynamic templates with language packs; RTL support; regional consent & quiet hours.

4.5 Migration (if applicable): parallel sends, warm-up plan, event mapping, go/no-go criteria, rollback.

5. Security & Compliance

  • SOC 2 posture or control mapping; DPA readiness; sub-processor list; data flow diagrams.
  • Access control & offboarding; secrets management; logging; incident response.
  • 10DLC registration and compliance; consent capture; HELP/STOP keywords; quiet-hours enforcement.
  • GDPR/CCPA: roles (processor vs. controller), subject rights handling, retention & deletion policy.

6. Team & Operating Model

  • Org chart: strategist, deliverability lead, producer, builders, analyst; coverage by timezone/locale.
  • RACI for deliverability, analytics, creative, ops, approvals.
  • SLAs: QA windows, incident response, change control, send freezes.

7. Pricing & Commercials

  • Pricing model: retainer/pod/outcome-based; what’s included, what’s not; change-order policy.
  • Hidden costs surfaced: migrations, reverse ETL, panel seeds, SMS brand/campaign fees.
  • Payment terms, contract length, termination, IP ownership, confidentiality, non-solicit.

8. Vendor Response Instructions

  • Single PDF: executive summary, case studies with holdout-adjusted metrics, security packet, staffing plan, SOW draft, 45-day pilot plan.
  • Mandatory attachments: anonymized “weekly 10-minute” report; deliverability SOP; incident post-mortem.
  • Demo requirements: live template with language pack; deliverability dashboard; holdout readout.

9. Evaluation & Timeline

  • Weights (see rubric): Outcomes 30%, Security 20%, Stack/Migration 20%, Ops/Governance 15%, Team/Pricing 15%.
  • Milestones: Q&A window, demo week, shortlist, references, award, pilot start.

10. Appendices

  • Data definitions (margin, attribution, complaint threshold)
  • Sample SOW clauses (QA SLA, incident response, change freeze)
  • Legal templates: DPA outline, 10DLC checklist

RFP Cover Letter Email (copy-ready)

Subject: RFP: Enterprise Email/SMS/Retention Agency – [Brand]

Hi [Vendor Team],

[Brand] is issuing an RFP to select an enterprise partner for email, SMS, and retention. Our 90-day success criteria: improve RPR (flows vs. campaigns), 30-day second-purchase rate, inbox placement/complaints, and discount reliance while maintaining payback. Stack: [ESP/SMS/CDP/Commerce]. Security: SOC 2 posture/DPA/10DLC/consent.

Timeline:
  • RFP Q&A: [dates]
  • Demo window: [dates]
  • Shortlist: [date]
  • Award: [date]
  • Pilot start: [date]

Please confirm receipt and share a single-PDF response by [deadline], including: (1) holdout-adjusted case studies, (2) security packet (data flows, access), (3) staffing plan, (4) SOW draft with SLAs, (5) 45-day pilot plan.

Thanks,
[Name, Title]
[Procurement/Lifecycle]

The scoring rubric (weights, criteria, math)

Score on a 0–5 scale for each criterion, multiply by weight, and sum to 100. Require written evidence or a live demo for any 4–5 score. “Trust us” earns a 2.

| Category | Weight | Criteria (0–5 each) |
| --- | --- | --- |
| Outcomes & Incrementality | 30% | Holdout-adjusted RPR & P2 lift; payback impact; discount reliance trend; uplift tests for incentives; CFO-grade reporting |
| Security & Compliance | 20% | SOC 2 posture/controls; DPA; data flows; access control; incident response; 10DLC registration/consent; GDPR/CCPA readiness |
| Stack Fit & Migration | 20% | Receipts in your ESP/SMS; parallel cutovers; warm-up curves; event/identity mapping; multilingual; warehouse/reverse ETL alignment |
| Ops & Governance | 15% | SLAs; QA checklist; change freeze; weekly 10-min readouts; RACI with named owners; coverage by timezone |
| Team & Pricing | 15% | Named senior team; capacity plan; clear scope & change-order policy; transparent fees; surfaced hidden costs |

Rubric CSV (paste into Sheets)

Category,Weight,Criterion,Score (0-5),Weighted
Outcomes & Incrementality,0.30,Holdout-adjusted RPR/P2 lift,,
Outcomes & Incrementality,0.30,Payback impact,,
Outcomes & Incrementality,0.30,Discount reliance trend,,
Outcomes & Incrementality,0.30,Uplift tests for incentives,,
Outcomes & Incrementality,0.30,CFO-grade reporting,,
Security & Compliance,0.20,SOC 2/DPA/Data flows,,
Security & Compliance,0.20,Access control & incident response,,
Security & Compliance,0.20,10DLC & consent controls,,
Security & Compliance,0.20,GDPR/CCPA readiness,,
Stack & Migration,0.20,ESP/SMS receipts,,
Stack & Migration,0.20,Parallel cutover & warm-up,,
Stack & Migration,0.20,Event/identity mapping,,
Stack & Migration,0.20,Warehouse/reverse ETL alignment,,
Ops & Governance,0.15,SLAs & QA checklists,,
Ops & Governance,0.15,Change freeze & readouts,,
Ops & Governance,0.15,RACI & timezone coverage,,
Team & Pricing,0.15,Named team & capacity,,
Team & Pricing,0.15,Scope & hidden costs surfaced,,
TOTAL,,,,

Scoring math

Total = Σ(score_i / 5 × weight_i), scaled to 100: average the criterion scores within each category before applying that category's weight, so the 30/20/20/15/15 split holds and a perfect sheet scores exactly 100. Require ≥70 to shortlist; require ≥80 plus clean security to award. Tie-break on pilot plan clarity and reference strength.
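A worked scoring pass as an added example (not code from the original page): it reads the rubric CSV above with one vendor's invented scores filled in, averages within each category so the 30/20/20/15/15 weights hold, scales to 100, and applies the shortlist and award gates. The SECURITY_FLOOR definition of "clean security" and the omission of the Weighted column (computed instead of stored) are my assumptions.

```python
import csv
import io

# Constructed sample: the page's rubric CSV with one vendor's scores filled in
# (criteria and category weights are the page's; the scores are invented).
SAMPLE_CSV = """Category,Weight,Criterion,Score (0-5)
Outcomes & Incrementality,0.30,Holdout-adjusted RPR/P2 lift,5
Outcomes & Incrementality,0.30,Payback impact,4
Outcomes & Incrementality,0.30,Discount reliance trend,4
Outcomes & Incrementality,0.30,Uplift tests for incentives,3
Outcomes & Incrementality,0.30,CFO-grade reporting,4
Security & Compliance,0.20,SOC 2/DPA/Data flows,4
Security & Compliance,0.20,Access control & incident response,4
Security & Compliance,0.20,10DLC & consent controls,3
Security & Compliance,0.20,GDPR/CCPA readiness,4
Stack & Migration,0.20,ESP/SMS receipts,5
Stack & Migration,0.20,Parallel cutover & warm-up,4
Stack & Migration,0.20,Event/identity mapping,4
Stack & Migration,0.20,Warehouse/reverse ETL alignment,3
Ops & Governance,0.15,SLAs & QA checklists,4
Ops & Governance,0.15,Change freeze & readouts,5
Ops & Governance,0.15,RACI & timezone coverage,3
Team & Pricing,0.15,Named team & capacity,4
Team & Pricing,0.15,Scope & hidden costs surfaced,5
"""
SHORTLIST_MIN, AWARD_MIN = 70, 80
SECURITY_FLOOR = 4  # assumption: "clean security" = every Security criterion scores 4 or 5

def score_rubric(csv_text):
    """Return (total out of 100, points per category, lowest Security score)."""
    by_cat = {}  # category -> (weight, [criterion scores])
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = int(row["Score (0-5)"].strip() or -1)  # blank cell -> -1 -> rejected
        if not 0 <= score <= 5:
            raise ValueError(f"unscored or out-of-range: {row['Criterion']}")
        by_cat.setdefault(row["Category"], (float(row["Weight"]), []))[1].append(score)
    # Average the criteria inside each category, then apply the category weight,
    # so the 30/20/20/15/15 split holds and a perfect sheet scores exactly 100.
    points = {c: sum(s) / len(s) / 5 * w * 100 for c, (w, s) in by_cat.items()}
    return round(sum(points.values()), 1), points, min(by_cat["Security & Compliance"][1])

def decide(csv_text):
    """Apply the page's gates: >=70 shortlists, >=80 plus clean security awards."""
    total, _, min_security = score_rubric(csv_text)
    if total >= AWARD_MIN and min_security >= SECURITY_FLOOR:
        return "award"
    return "shortlist" if total >= SHORTLIST_MIN else "reject"
```

With the sample scores the vendor totals 80.5 but a 3 on 10DLC/consent fails the security floor, so it is shortlisted rather than awarded; an unscored cell raises rather than silently counting as zero.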

Vendor questions that surface truth

  • Open a live deliverability dashboard and show complaint rate by domain for a recent launch. What did you change when Gmail complaints ticked up?
  • Show a holdout readout where RPR improved and discount reliance fell. What changed in creative, cadence, or segmentation?
  • Walk us through a zero-downtime migration: warm-up curve, parallel sends, go/no-go criteria, and how you’d roll back.
  • Open a live template with a language pack/partials; invite a translator to change copy safely.
  • Share your incident post-mortem template; anonymize a real example.
  • Who has production access in client accounts? How do you offboard staff? Show the checklist.
  • What’s your change-freeze policy during peak weeks or placement incidents?
  • Share the 10-minute weekly readout and one decision it changed in the last quarter.

Interview & demo agenda (90 minutes that matter)

  1. 10 min – Outcomes: two holdout-adjusted case studies; CFO dials only.
  2. 15 min – Deliverability: live dashboard; complaint by domain; incident process.
  3. 15 min – Migration/Stack: mapping, warm-up, data checks; sample cutover plan.
  4. 15 min – Global: language packs, RTL demo, regional consent.
  5. 15 min – Ops: SLAs, QA checklists, RACI; weekly readout ritual.
  6. 10 min – Pilot plan: scope, success criteria, kill switch.
  7. 10 min – Q&A: open the floor.

Security & compliance packet (what IT needs)

Ask vendors to submit a single security brief with the following:

  • Data flow diagram (PII ingress/egress; encryption; residency)
  • SOC 2 status or control mapping; pen test summary; vulnerability management
  • DPA template; sub-processor list; retention/deletion policy
  • Access control (SSO, MFA, least-privilege, offboarding)
  • Incident response (detection, escalation, communication timeline)
  • 10DLC registrations; consent policies; HELP/STOP keyword handling; quiet-hours enforcement

Migration & cutover checks (zero downtime)

Migrations fail in two places: deliverability and data fidelity. Your RFP must measure both.

  1. Warm-up: dedicated domain + DMARC; engagement-band sends for 2–3 weeks; seed tests.
  2. Parallel: dual sends on critical flows; compare RPR/placement; complaint watch.
  3. Mapping: event names, identities, suppressions/preferences; recon checklist.
  4. Cutover: go/no-go criteria; rollback plan; post-cutover stabilization.

Deliverability & placement requirements

  • Dedicated domain, aligned DMARC/DKIM, tracking CNAMEs
  • Engagement banding; sunset policy; send-freeze rules
  • Complaint dashboards by domain; placement proxies (seed/panel, read-time)
  • Template standards: real text, alt text, AAA contrast; no image-only emails
  • Incident playbook with owners and timelines

Attribution & incrementality (proof finance accepts)

Require randomized controls on messages that justify spend (saves, recommendations, SMS nudges). Grade agencies on their discipline, not just their math.

  • Message-level holdouts (10–20%)—never removed during big weeks
  • Flow-level controls when changing structure
  • Uplift tests for incentives by risk band—only persuadables get perks
  • Report holdout-adjusted RPR, conversion, AOV, P2-rate, payback

Global & multilingual ops requirements

  • Language capture on profile; footer toggle; preference center
  • Template language packs/partials; translators edit keys, not logic
  • RTL support (dir="rtl" containers; mirrored icons; fonts)
  • Regional consent; quiet hours; regional deliverability history

Pricing & staffing models (and hidden costs)

Common models

  • Retainer: predictable fee for outputs; requires change-order discipline.
  • Pod: cross-functional team dedicated to you; higher velocity, higher cost.
  • Outcome-based: milestone/KPI-linked tranches; align incentives; needs clean baselines.

Hidden costs to surface: migrations and warm-up, reverse ETL, seed panels, SMS brand/campaign fees, additional experimentation traffic, translation ops.

SLAs, SOW & governance (prevent fire drills)

Your SOW is the brake pedal. Bake governance into it.

  • QA SLA: minimum review windows; rendering checks; links/UTMs; segmentation audits
  • Incident response: who pauses sends; who notifies; fix timelines; “no blame” post-mortems
  • Change control: approval steps; change logs; send freezes during risk windows
  • RACI: named owners for deliverability, analytics, creative, ops
  • Reporting rhythm: weekly 10-minute readout; monthly retro with decisions

Sample SOW clauses (excerpt)

QA & SEND SLA. Agency shall provide a minimum QA window of [X] business hours before any scheduled send, including device rendering, link/UTM validation, segmentation audits, and suppression checks. No changes may be made within [Y] minutes of send time.

INCIDENT RESPONSE. If complaint rate exceeds [0.08%] on Gmail or seed/panel indicates placement risk, Agency will pause promotional sends, notify Client within [60] minutes, and implement the deliverability incident playbook.

PERSISTENT HOLDOUTS. Agency will maintain 10–20% randomized holdouts on save/recommendation messages. Holdouts shall not be removed during “big weeks.”

The 45-day pilot: scope, success criteria, kill switch

A pilot forces reality. It protects both parties from three-month “strategy” phases that never touch revenue.

Scope (example)

  • Rebuild post-purchase & second-purchase flows (proof-first modules)
  • Deliverability task: domain warm-up or complaint remediation
  • One SMS nudge with quiet hours + Snooze
  • Holdouts on save/recommendation touches

Success criteria

  • +X% holdout-adjusted RPR on pilot messages
  • +Y pts in 30-day second-purchase rate for exposed cohort
  • Complaints ≤0.08% (Gmail); unsub ≤0.3% on targeted sends; SMS opt-out steady or down
  • Discount reliance flat or down

Kill switch

Two strike conditions (e.g., missed SLAs twice, complaint spikes) auto-pause the pilot. If a vendor resists a kill switch, that’s your decision.

Procurement timeline & communications plan

| Week | Milestone | Owner | Notes |
| --- | --- | --- | --- |
| 1 | RFP release + brief | Procurement | Include Intent-Aligned Brief |
| 2 | Q&A window | Procurement + Lifecycle + Security | Publish clarifications |
| 3 | Responses due; rubric scoring | Evaluation panel | Use weighted table |
| 4 | Demos/interviews | Evaluation panel | 90-min script |
| 5 | Shortlist + reference checks | Procurement | Reference script |
| 6 | Award + SOW/DPA | Legal + Procurement | Add kill switch |
| 7 | Pilot kickoff | Lifecycle + Vendor | Weekly 10-min begins |

Reference check script (copy-ready)

  1. What measurable change did they deliver in 90 days? (RPR, P2-rate, payback, complaints, discount reliance)
  2. Describe a migration or placement incident. How did they respond?
  3. Were SLAs honored? Did QA prevent avoidable mistakes?
  4. How transparent were they about experiments that failed?
  5. Would you hire them again? Why or why not?

Receipts vs. red flags checklist

Receipts (green lights)

  • Holdout-adjusted case studies; uplift tests for perks
  • Deliverability SOP; incident post-mortem
  • Live template with language pack; translator-safe process
  • Security brief: data flows, access control, DPA
  • Weekly 10-minute reports; decisions changed by data

Red flags

  • Open-rate worship; no incrementality
  • “Warm a domain in a week” promises
  • “We duplicate flows per language” with no governance
  • Pooled team with no named seniors; contractor black box
  • No QA checklist; “agile” used as a synonym for chaos

Downloadables & formats

  • RFP Template — DOCX/Google Doc (sections above)
  • Scoring Rubric — CSV/XLSX (table above)
  • Evaluation Checklist — PDF (security, deliverability, ops, global)
  • Pilot Plan Outline — DOCX/PDF
  • Security Brief Request — DOCX (data flows, sub-processors, access control)

FAQ

How many vendors should we invite?

Three to five is sane. More than five and you’ll drown in decks. If you need breadth, run a two-stage process: short Intent Brief → five vendors → full RFP for three.

What’s a reasonable demo requirement?

Live dashboards (deliverability, complaint by domain), a live template with language packs, and one holdout readout. Screenshots don’t earn 4–5 scores.

Should we require SOC 2 certification?

It helps, but many excellent boutiques map controls without formal certs. Ask for security briefs, DPAs, and control evidence; score accordingly.

What if finance wants hard ROI before award?

That’s what the 45-day pilot is for. Define success criteria up front and include a kill switch. Award the full SOW only after the pilot clears.

Do we need a CDP for this?

No. A warehouse + dbt + reverse ETL can carry most enterprise needs until you have a mature data team and clear CDP use-cases.

Closing: choose plumbing, then paint

The “best agency” is the one that treats email/SMS as infrastructure—deliverability, migration discipline, incrementality, and governance—then paints with proof. If your RFP measures those things, you’ll hire builders. If it measures deck gloss, you’ll buy headlines. Use this template, score with the rubric, run the pilot, and let receipts decide.
