When ESP customers lack their own domains, the prevailing strategy for email authentication is to use subdomains. ESPs can create and manage customer-specific subdomains and configure SPF, DKIM, and DMARC records on them. This approach isolates reputation, so one customer's sending behavior does not negatively impact others. Dedicated IPs offer enhanced control over reputation but require active management. For smaller customers, shared IPs are often used, and setting up authentication on subdomains is essential to mitigate the risks. Dynamic DNS record synthesis can streamline the management of numerous subdomains. Some ESPs manage DNS zones directly, while others are phasing out mutualized domains in favor of delegated domains or internal domain purchases. SenderID is an older alternative for handling authentication.
6 marketer opinions
When ESP customers lack their own domains, a common approach is to use subdomains. ESPs can create and manage subdomains (e.g., customer1.youresp.com), configuring SPF, DKIM, and DMARC records on these subdomains to provide authentication. For smaller customers, shared IPs are often used, but this can negatively impact deliverability if other senders on the IP have poor reputations. Setting up appropriate authentication is critical even without dedicated domains. Dynamic DNS record synthesis can automate DNS management. Some ESPs may phase out mutualized domains, opting instead for delegated domains or internal domain purchases, while others provide manual configuration options and prioritize individual DKIM setup for customers.
Marketer view
Email marketer from Reddit explains that shared IPs can hurt deliverability because of other senders on the IP. They suggest using authentication even without domains to help control reputation and provide isolation, which can be done through subdomains.
2 Feb 2022 - Reddit
Marketer view
Email marketer from Email Geeks shares their approach to managing domains for small companies in Sarbacane, including the use of mutualized domains (being phased out), delegated domains with NS system, internal domain purchases with a DNS tool, and manual configuration with provided SPF/DKIM/DMARC records. They are also moving towards individual DKIM for each customer.
9 Jul 2023 - Email Geeks
5 expert opinions
The best approach for handling email authentication for ESP customers without their own domains involves using customer-specific subdomains of an ESP-owned domain. This facilitates setting up DKIM, SPF, and DMARC, providing clean authentication and isolating reputation. While generating separate DNS zone files for each customer is an option, it's maintenance-intensive and potentially costly. A more efficient solution is to have the DNS server dynamically synthesize records upon request, integrating authentication maintenance into an existing CNAME-based framework. Customer subdomain authentication processes often involve generating synthetic DNS records, linking authentication maintenance to CNAMEs, and can be implemented with tools like PowerDNS.
Expert view
Expert from Email Geeks references an article about how to implement customer subdomain authentication, including a PowerDNS backend hack: <https://wordtothewise.com/2023/10/customer-subdomain-authentication/>.
17 Apr 2025 - Email Geeks
Expert view
Expert from Email Geeks mentions that generating huge DNS zone files, so that there are records for each customer, is possible, but maintenance is a pain and could be costly with outsourced DNS providers.
21 Jul 2021 - Email Geeks
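The dynamic record synthesis described above, sketched as an added example (not code from the referenced article or from any ESP): a lookup function that builds SPF, DKIM and DMARC TXT answers for a customer subdomain on request instead of storing them in a zone file. The selector `s1`, the customer table, the IP address, the key placeholders and the `p=reject` policy are assumptions; wiring the function into a DNS server backend is left out.

```python
# Added example: synthesize per-customer SPF/DKIM/DMARC TXT answers on request.
ESP_ZONE = "youresp.com"   # ESP-owned parent domain (example name used on the page)
DKIM_SELECTOR = "s1"       # hypothetical selector
TTL = 300                  # assumed TTL

# Constructed customer table; a real deployment would query the ESP's customer
# database. Both customers share one sending IP but have individual DKIM keys.
CUSTOMERS = {
    "customer1": {"ip": "192.0.2.10", "dkim_p": "PLACEHOLDER_PUBLIC_KEY_1"},
    "customer2": {"ip": "192.0.2.10", "dkim_p": "PLACEHOLDER_PUBLIC_KEY_2"},
}

def synthesize(qname, qtype):
    """Return a list of (name, type, ttl, content) answers, or [] for no data."""
    name = qname.lower().rstrip(".")
    suffix = "." + ESP_ZONE
    if qtype != "TXT" or not name.endswith(suffix):
        return []
    labels = name[: -len(suffix)].split(".")
    customer, prefix = labels[-1], labels[:-1]
    # Allow-list: only provisioned customers get records, so removing a
    # customer from the table withdraws its authentication immediately.
    record = CUSTOMERS.get(customer)
    if record is None:
        return []
    if not prefix:                                    # customer1.youresp.com
        content = f"v=spf1 ip4:{record['ip']} -all"
    elif prefix == ["_dmarc"]:                        # _dmarc.customer1...
        content = f"v=DMARC1; p=reject; rua=mailto:dmarc@{ESP_ZONE}"
    elif prefix == [DKIM_SELECTOR, "_domainkey"]:     # s1._domainkey.customer1...
        content = f"v=DKIM1; k=rsa; p={record['dkim_p']}"
    else:
        return []
    return [(name, "TXT", TTL, content)]

if __name__ == "__main__":
    for q in ("customer1.youresp.com", "_dmarc.customer1.youresp.com",
              "s1._domainkey.customer2.youresp.com", "unknown.youresp.com"):
        print(q, "->", synthesize(q, "TXT"))
```

Because the DMARC report address sits under the same parent domain as the customer subdomains, no external report-authorization record is needed for it.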
4 technical articles
When ESP customers lack their own domains, several strategies can be used for email authentication. AWS suggests using Bring Your Own IP (BYOIP) addresses and authenticating them with SPF and DKIM via subdomains. Mailgun highlights the practice of creating subdomains for each customer and configuring authentication records there. SparkPost recommends allocating dedicated IPs for better reputation control and setting up authentication directly on those IPs. Microsoft suggests using SenderID, setting it up to ensure mail servers recognize emails as authentic.
Technical article
Documentation from SparkPost shares that allocating dedicated IPs to customers gives you much more control over reputation management, regardless of whether they have their own domains. You'd then set the authentication up on those dedicated IPs.
2 Jun 2022 - SparkPost Documentation
Technical article
Documentation from Mailgun explains that using subdomains for your sending domain is a common practice. ESPs can create subdomains for each customer (e.g., customer1.youresp.com) and configure SPF, DKIM, and DMARC records for these subdomains, providing authentication even if the customer lacks their own domain.
23 Jun 2022 - Mailgun Documentation