Suped

Should ESPs force DKIM and DMARC on paid customers, and what are the implications and downsides?

Michael Ko
Co-founder & CEO, Suped
Published 17 May 2025
Updated 17 Aug 2025
The email landscape is constantly evolving, with a significant shift towards stricter authentication standards. Major mailbox providers like Google and Yahoo have recently announced new requirements that emphasize email authentication protocols such as DKIM and DMARC. This has sparked a crucial discussion: should Email Service Providers (ESPs) make DKIM and DMARC mandatory for their paid customers? While the immediate answer might seem like a resounding yes, given the deliverability benefits, there are important implications and potential downsides that warrant a closer look.
For years, ESPs have largely left the choice of implementing these records up to their customers. This approach, while offering flexibility, has contributed to a fragmented email ecosystem where not all senders are properly authenticated. The new mandates from major mailbox providers are pushing the industry towards a more secure and trustworthy environment.
I believe that mandating these protocols is a necessary step towards a healthier email landscape, but the path to universal adoption is not without its hurdles. It’s a balance between ensuring optimal email deliverability and navigating the complexities for customers who may not be technically adept.

Why the shift to mandatory authentication?

In the past, many ESPs did not require customers to authenticate with their own domain, often authenticating as the ESP themselves. This historical approach, while convenient at the time, has contributed to the current challenges. Today, the landscape is different. Mailbox providers like Microsoft are increasingly enforcing stricter standards, making SPF, DKIM, and DMARC settings mandatory for high-volume senders. This industry-wide shift means that ESPs must adapt to ensure their customers' emails reach the inbox.
DKIM (DomainKeys Identified Mail) provides a way for senders to digitally sign their emails, verifying that the message has not been tampered with in transit and that it originates from the claimed sender. DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds upon SPF and DKIM by allowing domain owners to specify how recipient mail servers should handle emails that fail authentication checks, and to receive reports on these failures. These protocols are essential for email authentication and protecting against various forms of abuse, including spoofing and phishing. Mailbox providers expect all legitimate senders to have these records configured.
The rationale behind mandating these protocols is clear. Without proper authentication, emails are far more likely to be flagged as spam or rejected outright. This not only impacts a sender's deliverability but also damages their domain reputation. For an ESP, having a large number of unauthenticated senders on their platform can negatively affect the reputation of their shared IPs and the overall service. This can lead to the ESP's IPs or domains landing on a blocklist (or blacklist), which then impacts all customers.

Advantages of mandating DKIM and DMARC

Enforcing DKIM and DMARC offers significant benefits for both the ESP and its customers. It's a proactive measure that safeguards sender reputation and improves inbox placement rates.

Before mandate

  1. Deliverability: Inconsistent, with higher rates of emails landing in spam or being rejected.
  2. Reputation: Vulnerable to abuse, impacting overall ESP and customer domain standing.
  3. Security: Increased risk of email spoofing and phishing attacks using customer domains.

After mandate

  1. Deliverability: Significantly improved inbox placement due to verified authenticity.
  2. Reputation: Protected and enhanced domain reputation for both customers and the ESP.
  3. Security: Reduced instances of successful spoofing and phishing attacks.
This leads to fewer emails landing in spam folders and a stronger overall sending identity. For ESPs, it means a cleaner sending infrastructure and fewer incidents of shared IPs being added to blocklists (or blacklists). Ultimately, a policy requiring authentication is about ensuring that legitimate emails reach their intended recipients reliably.

Key benefits of mandatory authentication

  1. Enhanced Brand Protection: Protects your domain from being used for unauthorized sending.
  2. Improved Deliverability: Mailbox providers trust authenticated emails more, increasing inbox placement.
  3. Compliance with New Standards: Meets evolving requirements from major email providers.

Potential implications and challenges

While the benefits are substantial, forcing DKIM and DMARC upon customers can introduce challenges, particularly related to onboarding and technical support. Many customers, especially smaller businesses or those less technically inclined, may struggle with DNS record configuration. This can lead to increased support tickets and potentially frustrated users.
A common point of contention arises with DMARC policies, particularly with `p=quarantine` or `p=reject`. While these policies offer the strongest protection against spoofing, they can also cause legitimate emails to be rejected if not configured perfectly. This is especially problematic for mailing lists, where emails are often modified in transit, breaking DMARC alignment. This can lead to messages from legitimate senders being dropped or marked as spam, disrupting communication flows.

Potential downsides and challenges

  1. Onboarding Overhead: ESPs may face increased complexity and time in guiding customers through setup.
  2. Customer Resistance: Some customers may lack the technical expertise or resources to implement DNS changes.
  3. Mailing List Compatibility: DMARC policies, particularly at enforcement, can break message flows for mailing lists, leading to delivery issues.
  4. False Positives: Poorly configured DMARC records (e.g., too strict too soon) can block legitimate emails.
This highlights the importance of guiding customers through a phased implementation of DMARC, starting with a monitoring-only policy (`p=none`) to gather data before moving to stronger policies like quarantine or reject. This allows for identification and resolution of legitimate mail flows that might otherwise be impacted.
Forcing these protocols means ESPs need to provide robust support and simplified processes. This could involve offering automated DNS configuration tools or clear, step-by-step guides. The goal should be to make the technical setup as frictionless as possible, transforming a potential hurdle into a seamless part of the onboarding experience.
ESPs should offer comprehensive resources and tools, such as a DMARC record generator, and integrate the setup into their platform. Some ESPs might even consider providing a service for customers who prefer not to handle DNS records directly, ensuring compliance without technical burden. Automating the DNS configuration can significantly reduce the onboarding overhead that many anticipate with such mandates.
Example DMARC record (p=none)
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; ruf=mailto:forensic@yourdomain.com; sp=none; adkim=r; aspf=r;
This record, when published, instructs receiving mail servers to report DMARC failures without affecting delivery, providing crucial visibility into email authentication issues. It's a foundational step to safely implement DMARC.
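An ESP that mandates DMARC needs to check what a customer actually published, not only that a record exists. The following is an added example, not code from the original article or from any ESP: it parses a DMARC TXT value and reports where the domain sits in the phased rollout. Tag names and defaults follow RFC 7489; the function names and the `ENFORCED` sample record are assumptions.

```python
# Added example (not from the page): checks a DMARC TXT value during onboarding.
# Tag names and defaults follow RFC 7489; function names are hypothetical.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; raise ValueError if malformed."""
    tags, order = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' in the page's example record
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        tags[name.lower()] = value
        order.append(name.lower())
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= policy")
    return tags

def onboarding_findings(txt):
    """Return (policy, subdomain_policy, findings) for a DMARC record."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    sp = tags.get("sp", policy).lower()  # sp falls back to p when absent
    findings = []
    uris = [u.strip().lower() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("no rua: no aggregate reports, so no monitoring data")
    elif not all(u.startswith("mailto:") for u in uris):
        findings.append("rua contains a non-mailto URI")
    if policy == "none":
        findings.append("monitoring only: failing mail is still delivered")
    elif sp == "none":
        findings.append("enforced on the domain but subdomains are sp=none")
    if "s" in (tags.get("adkim", "r").lower(), tags.get("aspf", "r").lower()):
        findings.append("strict alignment: only exact domain matches align")
    return policy, sp, findings

# Constructed samples: the page's example record and a stricter variant.
PAGE_RECORD = ("v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; "
               "ruf=mailto:forensic@yourdomain.com; sp=none; adkim=r; aspf=r;")
ENFORCED = "v=DMARC1; p=reject; sp=none; adkim=s"

if __name__ == "__main__":
    for record in (PAGE_RECORD, ENFORCED):
        print(onboarding_findings(record))
```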

Final thoughts on mandatory authentication

I often hear debates about DMARC's effectiveness and its impact on email functionality beyond bulk sending. The consensus from my perspective is that while it has its complexities, especially concerning mailing lists, its role in preventing unauthorized spoofing of domains and subdomains is undeniable.
The long-term benefits of a secure and authenticated email ecosystem far outweigh the initial setup challenges. It positions customers for better deliverability, protects their brand, and aligns with the direction major mailbox providers are heading.
ESPs have a responsibility to guide their customers through this transition, providing the necessary tools and support to ensure successful adoption. This approach not only benefits individual senders but also contributes to the overall health and trustworthiness of the email channel for everyone.

Views from the trenches

Best practices

  1. Start DMARC implementation with a `p=none` policy to monitor email authentication without affecting delivery.
  2. Provide clear, concise guides and resources for customers to set up DKIM and DMARC DNS records.
  3. Offer automated DNS configuration tools or services to simplify the technical process for customers.

Common pitfalls

  1. Forcing a `p=quarantine` or `p=reject` DMARC policy too quickly without thorough monitoring can lead to legitimate emails being blocked.
  2. Underestimating the technical support burden that customers might require during the setup process.
  3. Not addressing the impact of DMARC on mailing lists, which can break functionality or prevent delivery.

Expert tips

  1. Consider a dedicated subdomain for mailing list communications to avoid DMARC policy conflicts with the primary domain.
  2. Utilize DMARC reports to gain visibility into email authentication failures and adjust policies progressively.
  3. Recognize that DMARC is one piece of a larger email security puzzle, focusing on overall email hygiene and sender reputation.
Expert view
Expert from Email Geeks says that forcing DKIM and DMARC is the right decision, especially considering recent updates from Google and Yahoo, and notes that it depends on the ESP's offer positioning.
2023-12-04 - Email Geeks
Marketer view
Marketer from Email Geeks says that making this change is an amazing decision, despite wishing it was something their own company could implement.
2023-12-04 - Email Geeks

Embracing a more secure email future

In conclusion, the move by ESPs to mandate DKIM and DMARC for paid customers is not just a trend but a critical adaptation to the evolving email security landscape. While it presents some initial challenges related to customer onboarding and technical complexities, especially concerning indirect mail flows like mailing lists, the overarching benefits for deliverability and brand protection are clear.
By proactively ensuring that customers authenticate their domains, ESPs enhance the overall trustworthiness of their platform and contribute to a healthier email ecosystem. This approach reduces the likelihood of emails being flagged as spam or blocked, ultimately leading to better email deliverability outcomes for all parties involved.
