Suped

Is it normal for service companies to send emails on behalf of actual vendors?

Matthew Whittaker
Co-founder & CTO, Suped
Published 27 Jun 2025
Updated 17 Aug 2025
It's a common scenario in today's interconnected business world: you receive an email that looks like it's from a familiar brand, but the technical details, like the MAIL FROM address, point to a third-party service. For example, an email might display your favorite retailer in the visible From header, but the underlying envelope sender (the MAIL FROM) belongs to an entirely different domain, such as an email service provider (ESP) or a specialized service company.
This setup, while sometimes appearing suspicious or even phishy, is often a legitimate and widespread practice. Companies frequently outsource various functions, including customer service, warranty management, billing, and marketing communications, to specialized service providers. For brand continuity, they want these emails to appear as if they originate directly from their brand.
However, email authentication protocols like DMARC make it difficult for a service company to use the vendor's domain directly in the From header, and attempts to do so without proper setup often lead to deliverability issues. As a result, service companies commonly use their own domain in the technical headers while retaining the vendor's brand name in the user-facing From header. While this practice is normal, it also introduces potential pitfalls for email deliverability and security if not handled correctly.

The landscape of third-party email sending

The outsourcing of email sending has become standard across industries, driven by the specialized infrastructure and expertise required to manage large-volume email campaigns and transactional communications. For instance, many businesses use third-party billers to send invoices or accounting software to handle financial notifications. These services are equipped to manage deliverability, compliance, and scale in a way that many individual companies are not. When these third-party vendors send emails, they aim to preserve the original vendor's brand identity to avoid confusion and maintain customer trust.
This means that while the email appears to be from "Warranty Information from Best Buy <customer_service@realgoodinsurance.com>", the customer_service@realgoodinsurance.com address is the actual sender in the technical headers. This method allows the service provider to handle the email sending from their own infrastructure while still clearly associating the message with the main brand. It's a pragmatic solution for brand continuity without requiring the main vendor to delegate full authentication control.
While this approach helps maintain brand recognition, it also highlights the challenge of establishing trust in email. Users might perceive such emails as suspicious because the visible sender domain doesn't perfectly match the technical sending domain. This perception underscores the importance of proper email authentication to signal legitimacy to both email servers and recipients.
The practice of service companies sending emails on behalf of vendors is heavily influenced by modern email authentication standards, particularly DMARC, SPF, and DKIM. These protocols are designed to combat email spoofing and phishing by verifying that an email genuinely originates from the domain it claims to be from. For a third-party sender, achieving DMARC alignment can be a complex task. DMARC passes only when SPF or DKIM passes and the domain it authenticated aligns with the From header domain.
When a service company sends email, they might use their own domain for the MAIL FROM (envelope sender) address, which is checked by SPF. The visible From header, however, will contain the vendor's domain. If the vendor does not allow the third-party to send using their domain for SPF/DKIM, the DMARC check will fail, potentially leading to emails being rejected or sent to spam (junk) folders. This is why some service companies resort to using their own domain in the From address as a DMARC workaround.
Example of email headers from a third-party sender
```text
MAIL FROM: <VERP@third-party.com>
From: "Add-on for Service" <Customer_service@third-party.com>
```
A better practice for third-party senders is to fully align SPF and DKIM with the vendor's domain. This involves the vendor adding the third-party's sending IPs to their SPF record or allowing the third-party to send using a DKIM signature with the vendor's domain. This approach ensures DMARC compliance and improves email deliverability. If this isn't possible, using a subdomain (e.g., marketing.yourcompany.com) dedicated to the third-party sender is another viable solution that maintains brand association while keeping authentication aligned.
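The alignment rule described above can be worked through for the sending patterns this article covers. This is an added example, not code from the original article; `vendor.example` is a placeholder vendor domain, the SPF and DKIM pass results are supplied as inputs rather than checked against DNS, and the organizational domain is approximated as the last two labels.

```python
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real DMARC
    # evaluators consult the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_header, mail_from, spf_pass, dkim_d, dkim_pass,
                 aspf="r", adkim="r"):
    """Evaluate DMARC for one message from already-computed SPF/DKIM results."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    spf_domain = mail_from.strip("<>").rpartition("@")[2]
    spf_ok = spf_pass and aligned(spf_domain, from_domain, aspf)
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed messages; vendor.example is a placeholder vendor domain.
CASES = {
    # Vendor domain in From, but SPF and DKIM both authenticate third-party.com.
    "vendor From, third-party auth": dmarc_result(
        '"Vendor Support" <support@vendor.example>', "<VERP@third-party.com>",
        True, "third-party.com", True),
    # The workaround from the page: the third party's own domain in From.
    "third-party From": dmarc_result(
        '"Add-on for Service" <Customer_service@third-party.com>',
        "<VERP@third-party.com>", True, "third-party.com", True),
    # Dedicated subdomain in From, DKIM signed with d=vendor.example.
    "subdomain, relaxed": dmarc_result(
        '"Vendor Support" <support@service.vendor.example>',
        "<VERP@third-party.com>", True, "vendor.example", True),
    # Same message, but the vendor publishes adkim=s (strict DKIM alignment).
    "subdomain, strict": dmarc_result(
        '"Vendor Support" <support@service.vendor.example>',
        "<VERP@third-party.com>", True, "vendor.example", True, adkim="s"),
}

if __name__ == "__main__":
    for name, result in CASES.items():
        print(f"{name:32} {result}")
```

The first case shows why passing SPF and DKIM is not enough: both authenticate the third party's domain, so neither aligns with the vendor's From domain and DMARC fails.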
While common, third-party sending carries significant risks if not managed carefully. The most prominent concern is the potential damage to the vendor's sender reputation. If the service company engages in practices that lead to high spam complaints or lands on an email blocklist (or blacklist), it can negatively impact the primary vendor's email deliverability across all their communications. Email providers, such as Google and Yahoo, are increasingly strict about sender authentication and reputation, making proper setup crucial.
Another major consideration is legal compliance. Depending on the type of email and the regions targeted, various laws govern email communication, such as the CAN-SPAM Act in the U.S. or GDPR in Europe. Both the vendor and the service provider share responsibility for ensuring these emails comply with consent requirements, unsubscribe mechanisms, and clear identification of the sender. Failure to comply can result in hefty fines and damage to brand reputation.
Furthermore, the practice can lead to recipient confusion, making emails appear like phishing attempts, even if they are legitimate. This is particularly true if the third-party domain is not clearly recognizable or if the email content seems inconsistent with the vendor's usual communications. This confusion can lead to higher spam complaint rates, further harming sender reputation. Understanding how email blacklists work can help vendors navigate these risks.

Best practices for secure and legitimate third-party sending

For vendors, it's crucial to establish clear guidelines and technical configurations with any service company sending on their behalf. This ensures that brand integrity is maintained and email deliverability is optimized. Here are key best practices for both parties:
  1. Vendor responsibilities: Establish DMARC policies for your domain, ideally moving towards quarantine or reject to enforce authentication. Provide your service company with the necessary SPF and DKIM entries to include in your DNS. Monitor your DMARC reports to identify any unauthenticated sending.
  2. Service company responsibilities: Implement proper SPF and DKIM authentication for the vendor's domain, ensuring alignment with DMARC. Use distinct subdomains (e.g., service.yourbrand.com) for emails sent on behalf of clients. This provides a clear distinction and helps manage sender reputation effectively. Follow all relevant email marketing and privacy regulations, as well as best practices for sending on behalf of others.
By adhering to these best practices, both vendors and service companies can ensure that emails sent on behalf of actual vendors are delivered reliably and do not trigger spam filters or raise security concerns for recipients. This collaborative approach safeguards sender reputation and promotes a trustworthy email ecosystem.

Ensuring trustworthy email delivery

While third-party sending is a common necessity for many businesses, it carries inherent risks if not managed with precision. The key takeaway is that merely changing the visible From header without proper underlying technical alignment is not sufficient for optimal deliverability and trust. Ensuring that all emails, regardless of the sender, are properly authenticated through DMARC, SPF, and DKIM is paramount. This not only protects the brand's sender reputation but also builds recipient trust by preventing legitimate emails from being mistaken for spam or phishing attempts. It's about combining business necessity with technical rigor to ensure successful email delivery.

Views from the trenches

Best practices
Always align SPF and DKIM records to the sending domain for optimal DMARC compliance and improved deliverability.
Use dedicated subdomains for third-party senders to isolate reputation and maintain consistent branding.
Regularly monitor DMARC reports to identify unauthorized sending and ensure proper authentication by all parties.
Educate service providers on your email policies and best practices to prevent actions that could harm your domain's reputation.
Common pitfalls
Ignoring DMARC alignment, which can lead to legitimate emails being marked as spam or rejected by recipient servers.
Allowing third-party senders to use your primary domain without proper SPF/DKIM authentication, risking your sender reputation.
Failing to monitor third-party sending practices, which can lead to unexpected blocklisting (or blacklisting) of your domain.
Not having a clear contract with third-party senders regarding email sending compliance and reputation management.
Expert tips
Consider leveraging BIMI (Brand Indicators for Message Identification) to display your brand logo alongside authenticated emails, further enhancing brand recognition and trust.
Implement a feedback loop service to receive spam complaints directly from ISPs, allowing for quick action on issues related to third-party sending.
Conduct periodic email deliverability audits for all third-party senders to ensure they meet your standards and current industry best practices.
For transactional emails, prioritize reliable delivery over brand display if full authentication alignment is not feasible. Transparently communicate the sender to recipients.
Expert view
Expert from Email Geeks says this is what many accounting software packages like PayPal and Intuit do, where the service company sends the email with their own domain in the technical headers.
2023-12-04 - Email Geeks
Expert view
Expert from Email Geeks says it is a common practice for outsourced components to keep brand recognition, especially in B2C financial services, so customers receive emails from familiar brands.
2023-12-04 - Email Geeks
