Before I take on any DTC retainer, I run a 24-check audit of the client's stack. I've taken on clients without doing it and spent the first three months fixing infrastructure instead of building anything. I'd rather know upfront.
The pre-retainer DTC stack audit checklist
Run these before scoping any engagement. If you have a week before a sales call, this tells you what you're walking into.
Module 1: Tracking Layer (6 checks)
- Client-side Meta pixel firing on homepage, product page, cart, and thank-you page
- Server-side CAPI firing via a server container (Stape or equivalent)
- event_id deduplication wired between pixel and CAPI - check the dedup tab in Events Manager
- PII hashing: email, phone, and identifiers SHA-256 hashed before leaving the browser
- iOS/ATT recovery: what percentage of iOS purchases are server-only events
- Advanced matching parameters: how many PII fields pass per event (target is 5 or more)
Module 2: Analytics Coverage (6 checks)
- GA4 standard purchase event firing on thank-you page
- Custom dimensions registered and populating (product category, customer type, traffic source detail)
- Funnel visualization configured for the primary conversion path
- Data freshness: is GA4 data current within 24 hours or running on a stale pipeline
- Cross-domain tracking: if the store uses a separate checkout domain, is the session preserved
- Attribution model alignment: are Meta and GA4 using the same default attribution window
Module 3: Theme Performance (6 checks)
- Largest Contentful Paint (LCP) on mobile under 3 seconds
- Render-blocking scripts: count of scripts blocking the main thread on load
- Image optimization: are product images WebP or AVIF, and do they have width/height set
- Third-party script weight: total size of non-essential scripts loaded on the product page
- Mobile usability: no horizontal overflow, tap targets at least 44px
- Cart page speed: time from add-to-cart click to cart page fully interactive
Module 4: Attribution Reconciliation (6 checks)
- Shopify vs Meta revenue delta for the last 30 days (below 15% is healthy)
- GA4 vs Shopify order count delta (should be within 5%)
- UTM parameter coverage: what percentage of sessions have a UTM source
- Click ID preservation: are fbclid and gclid being captured in Shopify order attributes
- Attribution window alignment: does the brand know what window Meta is using vs their own reporting
- Cross-channel attribution: any awareness of where Meta, Google, and email are overlapping on the same conversions
Why the tracking layer checks matter most
The tracking module is where I find the highest-dollar problems. Not always the most technically complex, but the ones costing money every day they run.
Client-side pixel plus CAPI - and why both must fire
The Meta pixel and CAPI are not redundant. They're complements. The pixel catches browser-side events with good attribution data (fbclid, fbp cookies). CAPI catches the events the pixel misses because of iOS ATT, browser blocking, or a failed page load.
If both are not firing, you're not getting redundancy. You're choosing which events to lose.
The deduplication check (Check 3) is where most implementations break. If event_id is not shared between the pixel and the server container, Meta sees the same purchase twice. The conversion count inflates, ROAS looks great for about 48 hours, and then Meta's backend quietly deduplicates it. ROAS drops. The client blames the agency.
PII hashing and match quality
Match quality below 6.5 is the clearest signal that the server-side setup is incomplete. A score that low means Meta is matching fewer than two in three events to a real person. The optimizer is essentially guessing.
A match quality jump from 4 to 8 typically follows from three changes: adding external_id (hashed Shopify customer ID), adding hashed email to upper-funnel events (ViewContent, AddToCart), and fixing the event_source_url on server-side events so it points to the actual page URL rather than the server endpoint.
The CPM impact of low match quality is real. Brands running with a score below 6.5 typically pay 20 to 40% more per thousand impressions to reach the same audience.
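The dedup, hashing, match-key and event_source_url checks described above, written as one audit over a browser event and its server-side twin. This is an added example, not the author's audit scripts: the payload keys follow Meta's Conversions API naming, while `auditEventPair`, the event shapes, the sample events and the `shop.example` hosts are constructed for illustration, and counting every populated `user_data` key toward the target of 5 is an assumption.

```javascript
// Added example; auditEventPair and the event shapes are illustrative.
const { createHash } = require("crypto");

const sha256 = (s) => createHash("sha256").update(s, "utf8").digest("hex");
const isSha256 = (v) => typeof v === "string" && /^[0-9a-f]{64}$/.test(v);
// Normalise before hashing so the same customer always yields the same digest.
const hashEmail = (e) => sha256(e.trim().toLowerCase());
const hashPhone = (p) => sha256(p.replace(/\D/g, "").replace(/^0+/, ""));

const HASHED = ["em", "ph", "fn", "ln", "external_id"]; // must arrive as digests
const UNHASHED = ["fbp", "fbc", "client_ip_address", "client_user_agent"];

function auditEventPair(pixel, server, endpointHost) {
  const findings = [];
  const ud = server.user_data || {};
  // Dedup: Meta pairs browser and server events on event name plus event ID.
  if (!server.event_id || server.event_id !== pixel.eventID ||
      server.event_name !== pixel.eventName)
    findings.push("dedup: event_id or event_name differs from the pixel event");
  // Hashing: a raw value in a hashed key means PII left the site in clear.
  for (const key of HASHED)
    for (const value of [].concat(ud[key] ?? []))
      if (!isSha256(value)) findings.push(`pii: ${key} is not a SHA-256 digest`);
  // Match keys: assumption, every populated user_data key counts toward 5.
  const populated = [...HASHED, ...UNHASHED].filter((k) => ud[k]?.length > 0);
  if (populated.length < 5)
    findings.push(`match: only ${populated.length} user_data keys populated`);
  // event_source_url must be the shopper's page, not the server container.
  let host = "";
  try { host = new URL(server.event_source_url).host; } catch { /* missing */ }
  if (!host || host === endpointHost)
    findings.push("url: event_source_url missing or points at the endpoint");
  return findings;
}

// Constructed sample events (not captured from any real store).
const pixelEvent = { eventName: "Purchase", eventID: "order-1001" };
const goodServerEvent = {
  event_name: "Purchase", event_id: "order-1001",
  event_source_url: "https://shop.example/thank-you",
  user_data: { em: [hashEmail(" Jane@Example.com ")], ph: [hashPhone("+1 (555) 010-0000")],
    external_id: [sha256("cust-42")], fbp: "fb.1.1700000000000.1234567890",
    client_user_agent: "Mozilla/5.0" },
};
const badServerEvent = {
  event_name: "Purchase", event_id: "srv-9f3a",
  event_source_url: "https://capi.shop.example/collect",
  user_data: { em: ["jane@example.com"], client_user_agent: "Mozilla/5.0" },
};
```

Calling `auditEventPair(pixelEvent, badServerEvent, "capi.shop.example")` returns one finding per failed check, so an empty array is a pass for that event pair.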
The analytics gap checks most brands miss
Most brands can tell you their GA4 session count. Fewer can tell you what those sessions were doing, where they dropped, or why.
GA4 custom dimensions and funnel visibility
GA4 out of the box gives you traffic. It does not give you context. Without custom dimensions - product category, customer type (first-time vs returning), acquisition source detail - you have volume with no texture.
The funnel check is often the most revealing. A brand with no conversion funnel configured in GA4 has no idea whether they're losing people at product pages, at checkout, or at the payment step. They know the final purchase number and nothing else. That's not enough to optimize anything.
Cross-domain and attribution model alignment
Cross-domain tracking is a problem whenever the store and checkout live on different domains. Shopify Plus stores that use a custom checkout domain are especially vulnerable. If the session is not preserved across the domain boundary, GA4 counts the checkout as a new session from direct traffic. Every conversion looks organic.
Attribution model alignment is a different problem. If Meta is reporting on a 7-day click window and the brand's internal reporting uses a 1-day click window, the numbers will never reconcile. Neither is wrong. They're just measuring different things. But if the team doesn't know this, every strategy conversation starts from false premises.
Theme performance is a paid-traffic problem
A slow store is a paid-traffic problem. Every impression you pay for lands on a page that loads slowly. LCP above 3 seconds on mobile is where I see conversion rates drop meaningfully.
Third-party scripts are the most common cause. Review apps, loyalty widgets, chat tools, and affiliate trackers all compete for main-thread time on page load. A product page carrying 400KB of third-party JavaScript is burning ad spend.
The cart speed check often surfaces the highest-leverage single fix. A cart that takes more than two seconds to become interactive after an add-to-cart click loses a real percentage of users on mobile. That's revenue, not polish.
Attribution reconciliation: Shopify vs Meta delta
The delta check (Check 19) is the fastest way to get a client's attention. Pull last 30 days of Shopify revenue and last 30 days of Meta-attributed revenue. Calculate the gap.
A delta below 15% is healthy. It accounts for view-through attribution and some attribution window overlap.
A delta above 30% is systematic. Something is structurally wrong: the pixel is double-firing, CAPI is not firing on the right events, Consent Mode is blocking events for EU traffic, or some combination. At 30%+ delta, the brand is allocating ad budget based on incorrect data. Scaling spend in that state accelerates the problem.
The most common cause I find is browser-only tracking paired with iOS ATT. The pixel misses 25 to 40% of iOS purchases. With no server-side recovery, those purchases are invisible to Meta. Meta's attribution model fills in the gaps with last-click attribution to whatever it can find. The numbers look reasonable but are wrong.
What a failing audit looks like in practice
I ran this audit on a mid-market DTC operator before starting an engagement. The grade came out D. Three critical fails: no server-side CAPI, no event deduplication, match quality at 4.2.
After a four-week infrastructure sprint - CAPI deployed server-side, dedup wired, advanced matching parameters added - the match quality moved to 9.1. The Shopify-to-Meta delta dropped from 38% to 11%.
I'm not citing exact revenue numbers here because the baseline varies too much by store size to be useful. What I can say is that a match quality jump of that magnitude consistently results in Meta's optimizer doing materially better work. The dollar impact follows from that, not from the audit itself. The pattern shows up across multiple DTC engagements in the work section.
What happens when you skip this
Without an audit upfront, the first two months of a retainer become diagnosis. You're figuring out why the numbers don't make sense while the client expects results.
What sticks in the client's memory is month two with nothing to show. They don't remember that the infrastructure was broken when you arrived. They remember when the results were supposed to start.
If the infrastructure is broken, it needs to be in the statement of work, not discovered during it.
How I use the audit score to scope retainers
An A or B grade means the stack is reasonably healthy. The engagement can start with growth work: campaigns, creative testing, audience strategy.
A C grade means there's meaningful infrastructure work needed, but it's manageable alongside growth work. I scope an infrastructure sprint for weeks 1 to 4 and layer in campaign work at week 5.
A D or F grade changes the conversation entirely. The brand needs an infrastructure rebuild before growth work makes sense. Running ads into a broken tracking setup is throwing money away. I scope the engagement as a phased project: infrastructure first, growth second.
A retainer signed without this clarity is a retainer that will disappoint both sides. I've written about the economics of retainers vs productized work separately if the comparison is useful.
Five things that save time when running this audit
- Pull the Events Manager dedup tab first. The deduplication rate tells you immediately whether Check 3 is a pass or fail, and it's the check that affects revenue most directly. Start there before digging into GTM.
- Ask for 30-day revenue numbers before the call. The Shopify vs Meta delta check (Check 19) is the fastest way to calibrate severity. If you have the numbers before the conversation, you can lead with the finding instead of asking for data mid-call.
- Use PageSpeed Insights for the theme checks, not Lighthouse locally. Local Lighthouse scores reflect your machine, not a real mobile device on a mobile connection. The PSI API uses a real mobile device from Google's lab.
- Check the Events Manager match quality score screenshot before anything else in Module 2. A score below 6 tells you that the data quality problems are bad enough to invalidate most of the analytics work. Fix the match quality first; then the analytics findings become trustworthy.
- Don't audit the attribution window mismatch in isolation. Check 23 is only useful in context of the business's actual reporting stack. If they're using a third-party attribution tool like Northbeam or Triple Whale, the window mismatch may be intentional. Confirm before flagging it as a fail. The full remediation guides are in the product suite.
Frequently asked questions
Can I run this audit myself?
Yes. The full 24-check methodology is packaged as the DTC Stack Audit. It includes scoring rubrics, remediation steps for each check, and the scripts that automate the fetch work. If you want to run it yourself before bringing anyone in, that's the right starting point.
How long does the manual audit take?
About 90 minutes with access to Shopify admin, Events Manager, GA4, and GTM. The packaged version runs some of the checks programmatically and cuts that down. The attribution reconciliation section requires pulling numbers manually regardless.
What if I fail most of the checks?
Most DTC brands that haven't had an infrastructure audit in the past 12 months fail between 6 and 10 checks. That's not unusual. It's information. The audit tells you where the problems are and roughly how much each one is costing. That's more useful than not knowing.
Do you need Shopify admin access to run it?
Ideally yes - it makes Checks 9, 10, 11, and 19 faster. For a pre-engagement audit I usually ask for read-only access. If that's not possible, a set of screenshots from Events Manager, GA4, and GTM covers about 80% of the checks.
What's different about this versus a standard analytics audit?
Most analytics audits focus on the analytics platform: GA4 configuration, event tracking, reporting. This audit includes that, but the attribution reconciliation module is the part most analytics audits skip. The Shopify vs Meta delta check is often where the biggest problems surface.
Sources and specifics
- 24-check methodology across 4 modules, each scored 0-3 on a 72-point scale (A-F letter grade). Scoring rubric is in the DTC Stack Audit product.
- Match quality below 6.5 correlates with 20-40% CPM inflation on Meta (sourced from Meta's own documentation on match quality impact).
- Server-side CAPI deployment can recover 30-40% of tracked revenue vs browser-only tracking; this is an observed benchmark range from production implementations, not a guarantee. Individual results vary significantly by store size and traffic mix.
- Shopify-to-Meta revenue delta above 30% is classified as severe misattribution in the audit rubric. Below 15% is the healthy threshold for most DTC stores with a mix of iOS and non-iOS traffic.
- Consent Mode v2 configuration is required for Meta ad delivery to EU and UK audiences since Q1 2024. Failure to configure it creates GDPR exposure and can result in Meta stopping ad delivery to those regions.
- All audit methodology developed through direct work on DTC ecommerce stacks and refined through production use.
