What does 'signed by' my domain mean in an email?

The 'signed by' message indicates that your email has passed DKIM (DomainKeys Identified Mail) authentication. When it shows your domain, it means the email was digitally signed by your domain, verifying its authenticity and preventing tampering. This builds trust with recipients and helps with deliverability.

Can I really show 'signed by' my own domain when using these services?

Yes, absolutely. Both Amazon SES and Mailchimp provide the necessary tools to configure DKIM for your custom domain. You'll need to add specific CNAME records provided by each service to your domain's DNS. Once these records are verified, your emails will be signed by your domain, not the ESP's.

Why is DMARC alignment so important for 'signed by' emails?

DMARC alignment is crucial. It means the 'From' header domain (what recipients see) matches the domain that authenticated with SPF or DKIM. If this alignment doesn't occur, your emails might still show a 'via' message or be treated as suspicious, even if SPF or DKIM technically passed.

Do I need to configure SPF and DKIM differently for Amazon SES and Mailchimp?

Mailchimp handles SPF implicitly by sending from their own authorized IPs. You primarily focus on adding the DKIM CNAME records Mailchimp provides. For Amazon SES, you typically include 'amazonses.com' in your SPF record, in addition to setting up Easy DKIM CNAME records.

How can I manage email authentication if I use both Amazon SES and Mailchimp?

You can use subdomains like 'marketing.yourdomain.com' for Mailchimp and 'transactional.yourdomain.com' for Amazon SES. Each subdomain can have its own independent SPF, DKIM, and DMARC records, helping to isolate sender reputation and simplify troubleshooting across multiple sending platforms.

How do I show 'signed by' my domain when using Amazon SES or Mailchimp? - Technical - Email deliverability - Knowledge base

When your recipients open emails sent from your domain, you want them to see signed by yourdomain.com or similar, not a third-party service like signed by amazonses.com or sent via Mailchimp. This seemingly small detail plays a significant role in establishing trust and improving your email deliverability. Seeing your own domain instantly signals legitimacy to recipients and mailbox providers alike.

The challenge arises when you use third-party email service providers (ESPs) like

Amazon SES or

Mailchimp to send emails. By default, these services might append their own domain to the email's authentication signatures, leading to that generic via or signed by notation. Fortunately, it's possible to configure these services to show your own domain, ensuring better brand consistency and improved inbox placement.

Understanding email authentication and why it matters

To achieve the signed by yourdomain.com message, you need to properly implement email authentication protocols: SPF, DKIM, and DMARC. These are the foundational pillars of email security and deliverability. Without them, your emails are more likely to land in spam folders or be rejected outright by mailbox providers.

SPF (Sender Policy Framework) allows you to specify which IP addresses are authorized to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) provides a digital signature for your emails, verifying that the content hasn't been tampered with and that the email truly originated from your domain. DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM by allowing you to tell mailbox providers how to handle emails that fail authentication and provides valuable reports on your email sending. Understanding these protocols is crucial for ensuring your emails are delivered correctly and appear signed by your domain. You can learn more about DMARC, SPF, and DKIM in our comprehensive guide.

The key to showing signed by your domain is achieving DMARC alignment. This means that the domain in your email's From header (the one recipients see) must align with the domains used for your SPF and DKIM authentication. If these domains don't match, or if your ESP's domain is used instead of yours, DMARC alignment will fail, and you'll see the via message or your emails may go to the spam folder. This is why it's crucial to set up DKIM signing for your custom domain with each ESP you use.

DMARC alignment explained

DMARC alignment is the process of checking whether the domain in the From header (RFC5322.From) matches the domain that passed SPF or DKIM authentication (RFC5321.MailFrom or DKIM d= tag). For your emails to display as signed by yourdomain.com, both SPF and DKIM should be set up to authenticate your domain, not the ESP's domain.

Many email authentication issues stem from misconfigured DMARC policies or improper alignment. This is why DMARC monitoring is so important.

Configuring Amazon SES for proper domain signing

Amazon SES (Simple Email Service) is a robust and highly scalable email sending platform. To ensure your emails are signed by your domain when using SES, you need to verify your domain and configure DKIM. Amazon provides a straightforward process for this.

The critical step is setting up Easy DKIM within the SES console. When you verify a domain in SES, it gives you the option to generate DKIM settings. This will provide you with three CNAME records that you need to add to your domain's DNS. Once these records are published and verified by SES, your outgoing emails will be DKIM-signed with your domain, ensuring proper DMARC alignment and displaying signed by yourdomain.com instead of an SES subdomain. This is essential for preventing your emails from being flagged as spam or getting listed on a blacklist (or blocklist).

Example DKIM CNAME records for Amazon SESDNS

NAME: xxxxxxxx._domainkey.yourdomain.com
TYPE: CNAME
VALUE: xxxxxxxx.dkim.amazonses.com

NAME: yyyyyyyy._domainkey.yourdomain.com
TYPE: CNAME
VALUE: yyyyyyyy.dkim.amazonses.com

NAME: zzzzzzzz._domainkey.yourdomain.com
TYPE: CNAME
VALUE: zzzzzzzz.dkim.amazonses.com

Additionally, configuring a custom MAIL FROM domain in SES can further enhance your brand's presence and improve deliverability. This ensures that the Return-Path header also uses your domain, rather than the default bounce.amazonses.com domain. You can find details on setting up a custom MAIL FROM domain in the SES documentation. This helps improve your overall email deliverability rates.

Authentication Type	Record Type	Purpose
DKIM (Easy DKIM)	CNAME	Digitally signs outgoing emails with your domain.
SPF (implicit)	TXT	Authorizes Amazon SES IPs to send on your behalf.
Custom MAIL FROM	MX	Sets Return-Path to your domain for bounce handling.

Authenticating your domain with Mailchimp

Mailchimp also offers domain authentication features that allow your emails to appear signed by your domain. While Mailchimp handles SPF for you by sending from their own authorized IPs, the key to signed by visibility lies in configuring DKIM.

To set this up, you'll need to go into your Mailchimp account settings and access the domain authentication section. Mailchimp will provide you with specific CNAME records. These records are unique to your domain and Mailchimp account. You'll add these CNAMEs to your domain's DNS records, just like with Amazon SES. Once these records propagate and Mailchimp verifies them, your emails will be DKIM-signed using your domain, resolving the via Mailchimp issue. You can find detailed instructions on setting up email domain authentication in the Mailchimp knowledge base.

Mailchimp's authentication process

DKIM setup: Mailchimp provides two CNAME records for DKIM. Adding these to your DNS allows Mailchimp to sign emails on your domain's behalf, ensuring DMARC alignment for DKIM.

SPF handling: Mailchimp sends emails from their own authorized IP addresses, which are included in Mailchimp's SPF record. This means you typically don't need to add Mailchimp to your SPF record for SPF alignment. However, DMARC will still require DKIM alignment if SPF doesn't align.

Amazon SES's authentication process

DKIM setup: Amazon SES provides three CNAME records for Easy DKIM. Implementing these ensures your domain is used for DKIM signing, crucial for DMARC.

SPF handling: You typically include Amazon SES's SPF mechanism (e.g., include:amazonses.com) in your domain's SPF record to authorize SES sending IPs, ensuring SPF alignment.

Custom MAIL FROM: Optionally, configure an MX record for a subdomain to handle bounces, further aligning your domain with your email infrastructure.

By ensuring both Amazon SES and Mailchimp have their respective DKIM records configured for your domain, you override their default signing. This allows your emails to pass DMARC checks with alignment, leading to the desired signed by yourdomain.com display and helping you avoid potential email blacklists (or blocklists).

Advanced strategies for multi-ESP environments

For organizations using multiple ESPs, a powerful strategy is to segment your mail streams using subdomains. For instance, you could use marketing.yourdomain.com for Mailchimp and transactional.yourdomain.com for Amazon SES. This approach offers several benefits, especially for managing reputation and troubleshooting.

Why segment with subdomains?

Independent reputation: If one mail stream encounters deliverability issues (e.g., lands on a blocklist), it won't impact the reputation of your other sending activities or your main domain.
Easier troubleshooting: When an issue arises, you can quickly identify which ESP and subdomain are affected, narrowing down the scope of investigation.
Clearer authentication: Each subdomain can have its own SPF, DKIM, and DMARC records tailored to the specific ESP, simplifying authentication management.

While this adds a layer of complexity to DNS management, the benefits in terms of deliverability and brand integrity are substantial. It also helps in situations where you might need to set up email authentication for multiple ESPs on the same main domain, allowing each to operate with optimal authentication.

Regardless of your setup, continuous DMARC monitoring is key. DMARC reports provide invaluable insight into how your emails are authenticating across all sending sources, allowing you to quickly identify and rectify any alignment issues or unauthorized sending. This proactive approach is vital for maintaining a strong sender reputation and ensuring your emails always show signed by your domain.

Views from the trenches

Best practices

Always prioritize DKIM authentication as it is often the primary factor determining the 'signed by' domain, especially with DMARC policies in place.

Use dedicated subdomains for different email sending purposes (e.g., transactional, marketing) to isolate reputation and simplify authentication management.

Implement DMARC with a 'p=none' policy initially to collect reports and understand your email ecosystem before enforcing stricter policies.

Regularly review your DMARC reports to identify any authentication failures or unauthorized sending sources that might affect your 'signed by' status.

Common pitfalls

Forgetting to publish all required CNAME records for DKIM, leading to authentication failures and 'signed by' issues.

Incorrectly configuring SPF records by adding ESPs that handle SPF on their end, potentially causing SPF validation failures.

Not monitoring DMARC reports, which can lead to unnoticed authentication failures and emails going to spam or blocklists without your knowledge.

Assuming that setting up the ESP is enough without proper DNS configuration for your custom domain.

Expert tips

To confirm your 'signed by' domain, send test emails to various mailbox providers (Gmail, Outlook, Yahoo) and inspect the email headers for authentication results.

Consider using a DMARC monitoring tool to get granular insights into your email authentication status and identify any issues with alignment.

If using multiple ESPs, ensure each has its own unique DKIM selector to prevent conflicts and ensure proper signing.

Be patient with DNS propagation, as it can take hours for new records to be fully recognized across the internet.

Expert view

Expert from Email Geeks says that segmenting mail streams by subdomains, such as marketing.domain.com or transactional.domain.com, allows for independent authentication and can be run on multiple services if needed. This also makes it easier to find all mail origins by setting up DMARC at p=none.

2022-02-08 - Email Geeks

Expert view

Expert from Email Geeks says that implementing DKIM for each domain and service provider, ensuring it aligns with the mailing domain, will help remove the 'Sent via [service]' notation from emails.

2022-02-08 - Email Geeks

Ensuring your emails are signed by your domain

Displaying signed by yourdomain.com when using Amazon SES or Mailchimp is entirely achievable through proper email authentication. The key lies in configuring DKIM records for your domain with each ESP, which ensures DMARC alignment and signals to mailbox providers that you are the legitimate sender.

Taking the time to set up SPF, DKIM, and DMARC correctly, potentially with subdomain segmentation, is an investment in your email program's success. It not only improves your sender reputation and inbox placement but also strengthens your brand's trustworthiness in the eyes of your recipients. Consistent monitoring of your authentication through DMARC reports will help you maintain this crucial aspect of your email strategy.

By following these steps, you can ensure that your emails are not only delivered but also correctly attributed to your domain, avoiding the generic via messages and enhancing your overall email presence. For more information on why emails go to spam, check out our guide: Why your emails are going to spam.