Using different domains for the From address, DKIM signing, and SPF authentication is a common scenario in email sending, especially for organizations leveraging multiple email service providers or complex sending infrastructures. While technically feasible, careful consideration is essential to ensure proper email authentication (SPF, DKIM, DMARC) and optimal deliverability. The key challenge lies in maintaining DMARC alignment, which requires either SPF or DKIM to align with the From domain. Relaxed alignment settings often facilitate this setup, but a lack of DMARC policy on the From domain itself can nullify the benefits of authentication for that specific domain.
Key findings
DMARC alignment: DMARC primarily evaluates the From domain. For DMARC to pass, either the SPF-authenticated domain or the DKIM signing domain must align with the From domain, which under relaxed alignment means sharing its organizational domain. Relaxed alignment (as opposed to strict) allows subdomains to align with the organizational domain.
DKIM's flexibility: DKIM can sign emails with a domain different from the From domain, often using subdomains or separate domains for signing. This is crucial for DMARC alignment, especially when using third-party senders.
SPF's scope: SPF authenticates the sending IP based on the Return-Path (Mail From) domain. This domain can be different from the From domain, and SPF still works independently. However, for SPF to count toward DMARC alignment, the Return-Path domain needs to align with the From domain.
DMARC policy placement: A DMARC policy must be published on the From domain (the domain visible in the 'From:' header) for DMARC to be effective. If the From domain lacks a DMARC record, or has p=none, DMARC will not enforce any policy on messages from that domain.
Key considerations
Impact on deliverability: While technically possible to use disparate domains, it can complicate deliverability. Email providers prioritize messages with proper authentication and alignment. Lack of DMARC enforcement on the From domain can leave your emails vulnerable to spoofing and increase the likelihood of landing in spam.
Complexity vs. clarity: A complex domain setup can make troubleshooting difficult. Simplified setups, where authentication domains (DKIM, SPF) are closely aligned with the From domain, are generally easier to manage and explain.
DMARC policy evolution: For enhanced security and deliverability, gradually moving the From domain's DMARC policy from p=none to p=quarantine or p=reject is a best practice. This requires ensuring all legitimate sending sources pass DMARC alignment.
Monitoring and validation: Regardless of the complexity, continuous monitoring of DMARC reports is crucial to validate that your configuration works as expected and to identify any authentication failures. Email authentication protocols are key to preventing spoofing.
Email marketers often face practical challenges when setting up email authentication, especially when working with existing infrastructures or multiple sending platforms. Their discussions highlight a preference for simplicity where possible, but also acknowledge the technical realities of complex domain configurations. The focus tends to be on ensuring DMARC passes, often relying on relaxed alignment settings to achieve this with disparate domain setups. Troubleshooting ease and the ability to explain configurations to clients are also significant factors.
Key opinions
Feasibility: Using different domains for From, DKIM, and SPF is generally considered feasible, particularly if DKIM is in relaxed alignment with the From domain. This setup allows for various sending configurations.
DMARC's role: DMARC only applies to the From domain. If the From domain does not have a DMARC policy (or it is p=none), then DMARC will not actively enforce policies for messages sent using that From domain. Marketers should understand when SPF, DKIM, and DMARC are needed.
Troubleshooting: Marketers prefer setups that are easier to troubleshoot and explain to clients, sometimes favoring specific domain structures over more technically complex DKIM selectors.
Existing setups: Often, domain configurations are inherited from older setups or dictated by specific platform limitations, leading to continued use of disparate domains even when a simpler approach might be ideal.
Key considerations
DMARC policy updates: If the goal is to increase email security and deliverability, marketers should aim to implement a stricter DMARC policy (e.g., p=quarantine or p=reject) on the From domain, which requires all sending sources to achieve DMARC alignment.
Domain reputation: Consistent authentication practices across all domains contribute positively to overall email domain reputation, even when using disparate domains. Poor configuration can lead to blocklisting.
Testing and validation: Always test the configuration thoroughly and regularly check DMARC reports to confirm that messages are passing authentication as intended. This proactive approach helps identify and rectify issues before they impact deliverability.
SPF record limits: If using many sending services, be mindful of the 10-lookup limit for SPF records. Multiple DKIM records can be published under unique selectors, but a domain may publish only one SPF record.
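The lookup limit is easy to exceed once several providers are chained through include: terms. The following added example (not code from the original page) counts the lookup-causing terms across a set of constructed SPF records; the domains, records, and function names are assumptions made for illustration.

```python
# Added example, not from the original page. The TXT records below are
# constructed and stand in for live DNS answers.
SPF_RECORDS = {
    "example.com": "v=spf1 mx include:_spf.esp-one.example "
                   "include:_spf.esp-two.example ip4:192.0.2.10 ~all",
    "_spf.esp-one.example": "v=spf1 include:_a.esp-one.example "
                            "include:_b.esp-one.example ~all",
    "_a.esp-one.example": "v=spf1 ip4:198.51.100.0/24 a:out.esp-one.example ~all",
    "_b.esp-one.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.esp-two.example": "v=spf1 a mx exists:%{i}.rbl.esp-two.example "
                            "redirect=_r.esp-two.example",
    "_r.esp-two.example": "v=spf1 include:_x.esp-two.example "
                          "include:_y.esp-two.example -all",
    "_x.esp-two.example": "v=spf1 ip4:192.0.2.64/26 -all",
    "_y.esp-two.example": "v=spf1 ip4:192.0.2.128/26 -all",
}

# Terms that cost one DNS lookup each (RFC 7208, section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10


def count_lookups(domain, records, path=()):
    """Worst-case lookup count: every term evaluated, includes followed."""
    if domain in path:  # guard against include loops
        return 0
    total = 0
    for term in records.get(domain, "").split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, records, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0]  # "a/24" and "mx/24" carry a CIDR suffix
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(arg, records, path + (domain,))
    return total


def exceeds_limit(domain, records):
    """True when the worst-case count is above the SPF lookup limit."""
    return count_lookups(domain, records) > LOOKUP_LIMIT


print(count_lookups("example.com", SPF_RECORDS), exceeds_limit("example.com", SPF_RECORDS))
```

The top-level record shows only three lookup terms, yet the nested includes and the redirect bring the total past the limit, which receivers treat as a permanent SPF error.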
Marketer view
Email marketer from Email Geeks suggests that using a From domain separate from the DKIM and SPF domains should not present immediate issues, provided the DKIM signing domain is in relaxed alignment with the From domain. This alignment is what primarily dictates DMARC's success.
16 Nov 2022 - Email Geeks
Marketer view
Email marketer from Stack Overflow explains that it is quite common and acceptable for DKIM to use different domains or subdomains for signing, especially when multiple email service providers are involved. The key is proper configuration to ensure authentication passes.
05 Feb 2024 - Stack Overflow
What the experts say
Deliverability experts consistently emphasize that while flexibility in domain usage for SPF and DKIM is possible, the ultimate measure of success lies in DMARC alignment. Their insights often focus on the precise mechanics of how DMARC interacts with the From domain, clarifying potential pitfalls and best practices for ensuring authenticated messages reach the inbox. The consensus points to diligent monitoring and validation of configurations as paramount for long-term deliverability success.
Key opinions
DMARC's focal point: Experts affirm that DMARC solely evaluates the From domain. Any DMARC policy placed on a subdomain, when the From header uses the root domain, will not be active or enforced for those specific messages.
Relaxed alignment is key: For configurations with differing domains (e.g., a From domain with a subdomain for DKIM signing), relaxed DMARC alignment (for either SPF or DKIM) is crucial for passing DMARC checks. This allows a subdomain to align with the root domain.
Subdomain authentication: DKIM can be differentiated using selectors without necessarily requiring different subdomains for each provider. However, subdomains can be effectively used for DKIM and SPF authentication if properly configured to align with the From domain.
Policy enforcement: DMARC only applies a policy (quarantine or reject) if the From domain has a DMARC record set to something other than p=none. If the From domain uses p=none, DMARC is essentially turned off for enforcement purposes.
Key considerations
Proactive DMARC setup: It is highly recommended to eventually deploy a stricter DMARC policy on the From domain to protect against spoofing and enhance deliverability. This necessitates ensuring all legitimate sending sources correctly align with DMARC.
Regular validation: Experts stress the importance of regularly checking DMARC reports to validate that email configurations are working as expected. This allows for early detection of any authentication failures or configuration errors.
Alignment choices: When setting up SPF, DKIM, and DMARC for marketing or transactional emails sent from different subdomains, careful consideration of alignment is necessary to pass DMARC.
Monitoring deliverability: Beyond technical setup, monitoring inbox placement rates and recipient feedback is essential, as even technically correct configurations can sometimes face deliverability challenges without proper reputation management. This contributes to reliable email delivery.
Expert view
Expert from Email Geeks, Matt, emphasizes that DMARC's enforcement mechanism solely operates on the From domain (RFC5322.From). Therefore, a DMARC record on a subdomain like xyz.domain.com will not be active for emails where the From domain is domain.com.
16 Nov 2022 - Email Geeks
Expert view
Expert from SpamResource recommends that while separate domains for SPF, DKIM, and From can work, careful attention must be paid to DMARC alignment settings, especially for organizations with numerous sending sources.
20 Apr 2023 - SpamResource
What the documentation says
Technical documentation and research papers provide the foundational rules and guidelines for SPF, DKIM, and DMARC. They outline the mechanisms of each protocol, emphasizing how they work independently and collectively to authenticate email. A critical aspect highlighted is the concept of DMARC alignment, which is the bridge between these authentication methods and the visible From domain. Documentation also details the proper configuration of DNS records to support these protocols and ensure compliance with email sending standards.
Key findings
SPF operation: SPF checks the IP address of the sending server against a list of authorized IPs in the DNS record of the Return-Path (Mail From) domain. It does not directly authenticate the From domain.
DKIM signing: DKIM attaches a digital signature to the email, verified against a public key published in the DNS record of the DKIM signing domain. This signing domain can be a subdomain or entirely different from the From domain, as long as it's properly configured and publicly accessible.
DMARC alignment rules: For an email to pass DMARC, either the SPF-authenticated domain or the DKIM-signed domain must align with the organizational domain of the RFC5322.From (Header From) address.
Relaxed vs. strict alignment: Relaxed alignment allows a subdomain (e.g., mail.example.com) to align with its organizational domain (e.g., example.com). Strict alignment requires an exact match. Relaxed alignment is common for third-party senders.
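The alignment rules above can be worked through for a message whose From, DKIM, and Return-Path domains all differ. This is an added example, not code from the original page or any provider; the domains, function names, and the small public-suffix set are assumptions, and a real evaluator needs the full Public Suffix List.

```python
# Added example, not from the original page. All domains are constructed.
# Assumption: a tiny stand-in for the Public Suffix List; a real evaluator
# needs the full list to find organizational domains.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to two labels


def aligned(auth_domain, from_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into a lower-cased tag dict."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def evaluate(from_domain, dmarc_record, spf, dkim):
    """spf: (result, return_path_domain); dkim: list of (result, d_domain)."""
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "dmarc1":
        return ("none", "none")  # no DMARC record on the From domain
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags.get("p", "none"))  # policy applies only on failure


# Constructed message: From example.com, DKIM d=mail.example.com,
# Return-Path on the ESP's own domain (SPF passes but cannot align).
SPF = ("pass", "bounce.esp-mail.net")
DKIM = [("pass", "mail.example.com")]
print(evaluate("example.com", "v=DMARC1; p=reject", SPF, DKIM))
print(evaluate("example.com", "v=DMARC1; p=reject; adkim=s", SPF, DKIM))
```

The same message passes under the default relaxed mode and fails once adkim=s is set, because the subdomain signature no longer aligns and the passing SPF result belongs to an unrelated organizational domain.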
Key considerations
DNS record management: Proper DNS entries (TXT records for SPF, TXT or CNAME for DKIM) are fundamental for correct authentication. Misconfigurations or incorrect publication can lead to authentication failures.
Multiple DKIM records: It is permissible to have multiple DKIM records for a single domain, each identified by a unique selector. This is often necessary when using different email service providers.
From domain DMARC: The DMARC policy must be applied to the domain in the RFC5322.From header (the sender domain visible to the recipient). If this domain does not have a DMARC record, or it is set to p=none, DMARC will not apply enforcement actions (quarantine/reject).
Subdomain SPF: While SPF typically applies to the Mail From (Return-Path) domain, configurations involving subdomains require careful planning to ensure the SPF record correctly authorizes all sending IPs. This is crucial for scenarios like sending from a subdomain with a different 'from' email domain.
Technical article
Documentation from Higher Logic states that SPF, DKIM, and DMARC form the fundamental pillars of email authentication. These technologies are crucial for verifying sender identity and maintaining brand reputation in email communications.
23 Nov 2023 - Higher Logic
Technical article
Documentation from Mailgun explains that email authentication protocols like SPF, DKIM, and DMARC are vital for protecting emails against spoofing and significantly improving overall deliverability. They work synergistically to provide robust security.