Can emails still be delivered if SPF/DKIM are not fully aligned with my sending domain?

Mailbox providers primarily use DMARC to verify email authenticity. DMARC checks for alignment of either SPF or DKIM with the Header-From domain. Even if your SPF Return-Path or DKIM d= domain is the ESP's shared domain, as long as one of them aligns with your Header-From (in relaxed mode), DMARC passes, and your email is delivered. This means your email can still be authenticated and delivered even without full alignment.

Why don't all ESPs allow full domain alignment?

Some ESPs may not offer full domain alignment due to the significant development cost, the complexity of managing DNS for diverse customer setups, and the ongoing customer support burden from user errors. For them, the ROI may not justify the investment, especially if most of their clients do not demand it or face internal restrictions on DNS delegation. You can find more information about this in our article about whether to authenticate with your own domain or an ESP's .

When might it be a good idea to use an ESP's shared domain?

Choosing a shared domain might be beneficial if your own domain has a poor or non-existent sending reputation, if you send very low volumes of email where the effort of full alignment isn't justified, or if your organization has strict security policies preventing DNS delegation to third parties. For a deeper understanding of domain reputation, refer to our practical guide to understanding your email domain reputation .

What are the disadvantages of using an ESP's shared domain?

While using an ESP's shared domain can offer immediate deliverability benefits due to its established reputation, it means less control over your brand identity in email headers. It can also make it harder to build a dedicated sender reputation for your own domain and might limit your flexibility if you decide to switch ESPs in the future. Additionally, as mailbox providers increasingly prioritize brand alignment, relying solely on a shared domain might lead to more emails landing in spam over time. For more information, check our article on how changing ESPs and domains affects sender reputation .

Should I still use DMARC if I'm not fully aligning my domain?

Yes, even if you use a shared domain, you should still implement DMARC with a `p=none` policy at a minimum. This allows you to receive DMARC reports, which provide valuable insights into your email authentication status, potential spoofing attempts, and overall deliverability. This data helps you monitor how your emails are being authenticated by mailbox providers, even if the primary authentication domains belong to the ESP. Our guide on understanding and troubleshooting DMARC reports can provide more details.

Why might an email sender choose not to align their sending domain with their ESP's shared domain? - Sender reputation - Email deliverability - Knowledge base

When setting up email sending, most businesses face a fundamental decision: whether to fully align their sending domain with their Email Service Provider's (ESP) shared domain or use their own custom domain. While the general recommendation for deliverability and brand consistency leans heavily towards using a custom, fully aligned domain, there are specific scenarios where an email sender might choose not to align, or cannot align, their sending domain with their ESP’s shared domain.

Full domain alignment involves configuring SPF and DKIM authentication records so that the domain in the Header-From address matches or is a subdomain of the Return-Path (for SPF) and d= tag (for DKIM). While many modern ESPs facilitate this, some do not, or they make the process sufficiently complex that some senders opt for the simpler shared domain. This decision can impact deliverability, branding, and even compliance with new sender requirements from mailbox providers.

Understanding the challenges of aligning domains

The primary barrier to full domain alignment often lies in the technical complexities and the resources required from both the sender and the ESP. While ESPs like Twilio and Marketo offer robust custom domain support, including alignment for SPF, DKIM, and click-tracking links, many older or smaller platforms may not have the underlying infrastructure or development bandwidth to provide such features seamlessly. Retrofitting these capabilities into existing systems can be a significant and costly project for an ESP.

From the sender's perspective, configuring DNS records correctly can be challenging. It requires a precise understanding of SPF records, DKIM keys, and CNAMEs for click redirection. Errors are common, leading to support tickets, damaged deliverability, or even breaking existing configurations. For example, improperly adding a second ESP to an SPF record can create issues.

Even when ESPs provide detailed instructions for DNS setup, as noted in the Amazon Web Services community, senders frequently make mistakes. This high rate of user error translates into substantial customer support overhead for the ESP, further reducing the perceived return on investment (ROI) for offering complex alignment options. This often leads to ESPs not prioritizing full alignment features.

ESP's perspective on offering full alignment

From an ESP's business perspective, offering full domain alignment can be a significant investment with uncertain returns. The development cost for building and maintaining robust self-service DNS configuration tools, along with the increased customer support demand due to user errors, might outweigh the benefits if only a small segment of their customer base truly requires or understands the need for it. Many ESPs might conclude there is no compelling commercial reason to offer a service that incurs high costs and minimal ROI.

Another factor is the management of DKIM keys. For full alignment, the ESP either needs access to the sender's private DKIM key (which poses security risks) or requires the sender to delegate DNS control for DKIM to the ESP, often through NS or CNAME records. Delegating NS records allows the ESP to manage DKIM key rotation automatically, which is a security best practice, but many organizations have strict security policies that prevent delegating any DNS records to third parties. This inflexibility on the client's side can make full alignment impossible for large enterprise customers, regardless of the ESP's capabilities.

Even for ESPs that do offer custom domain setup, they often still include some of their shared domains, particularly for Feedback Loops (FBLs). This ensures they receive critical feedback from mailbox providers, even if the sender's domain is aligned. Negotiating a subdomain specifically for FBLs can add another layer of complexity that many senders find daunting, reinforcing the ESP's decision to maintain some level of shared domain involvement.

Why an ESP might offer full alignment

Competitive advantage: Attracts senders prioritizing brand consistency and advanced deliverability. More businesses are now seeking solutions that fully authenticate email with their own domain.
Improved deliverability for clients: Helps clients build a stronger sender reputation over time.
Enhanced brand trust: Emails appear more legitimate to recipients and mailbox providers.

When a shared domain might be preferred

While having a fully aligned custom domain is generally the ideal for email deliverability and branding, there are legitimate reasons why a sender might choose to use their ESP's shared domain, especially if their own domain's reputation is poor or they are new to email marketing. Shared domains, managed by reputable ESPs, often have an established, clean sending history. For a sender with a new domain or one that has experienced deliverability issues, leveraging a shared, well-regarded domain might offer better inbox placement initially than trying to build a new reputation from scratch. This is a common strategy for building a sending reputation.

For very small senders or individuals, the effort involved in setting up and maintaining proper DNS authentication can be disproportionate to the volume of email they send. In such cases, the convenience of relying on the ESP's default shared domain, even if it offers less brand control, outweighs the complexities of custom domain alignment. The trade-off is often perceived as minimal, as the volume is too low to significantly impact reputation, and the primary goal is simply to get messages delivered without extensive technical overhead.

Furthermore, some large organizations, particularly those with stringent IT security policies, may be unwilling to delegate any part of their DNS management to a third-party ESP. This can stem from concerns about data control, compliance requirements, or simply a rigid internal policy against external DNS management. In these scenarios, even if the ESP offers full alignment, the sender's internal policies might force them to use the ESP's shared domain or a partially aligned setup.

These senders may also face challenges with internal security reviews that slow down or prevent DNS record changes, as highlighted by many email professionals. This administrative burden can be a compelling reason to avoid complex DNS configurations.

Impact on authentication and deliverability

Despite the common advice to fully align, it's important to understand that SPF and DKIM don't strictly require perfect alignment for an email to pass DMARC, especially in relaxed mode. Many ESPs sign emails with a common domain (DKIM d= tag) that is not the sender's domain, yet the email still passes DMARC if either SPF or DKIM alignment is achieved. For example, Microsoft's new requirements for high-volume senders necessitate SPF and DKIM validation, but only one needs to align with the Header-From domain.

An ESP's shared domain, while not offering full alignment, still provides a layer of authentication that can be sufficient for deliverability. If the ESP maintains a good sending reputation, their shared domain can help ensure that messages aren't immediately blocklisted (or blacklisted) due to a lack of authentication. However, a sender relying solely on an ESP's shared domain might find their emails ending up in the spam folder more frequently than if they had a dedicated and aligned domain, especially as mailbox providers increasingly emphasize brand-aligned authentication.

Ultimately, the decision to align or not often boils down to a balance between technical feasibility, perceived deliverability benefits, and the sender's comfort level with DNS management. While full alignment with your own domain remains the best practice for establishing a strong domain reputation and preventing blocklisting (or blacklisting), practical constraints and a cost-benefit analysis can lead some senders to rely on their ESP's shared domains. It is always wise to monitor your email blocklist status regardless of your alignment strategy.

Aspect	Fully aligned custom domain	ESP's shared domain
Brand control	Full control over sender identity and branding	Limited brand control, may show ESP's domain in headers
Deliverability impact	Enables strongest sender reputation and inbox placement	Relies on ESP's reputation, may be sufficient for low volume
Technical setup	Requires proper DNS configuration (SPF, DKIM, DMARC)	Minimal DNS setup required for sender
Flexibility	More adaptable for multi-ESP setups or changing providers	Tied to ESP, can make switching harder

Views from the trenches

Best practices

Maintain a clean mailing list to avoid spam complaints and safeguard your domain reputation.

Regularly monitor your email blocklist (or blacklist) status to detect and resolve listing issues quickly.

Use subdomains for different email streams to isolate reputation risk, like marketing vs. transactional.

Common pitfalls

Incorrectly configuring SPF or DKIM records, leading to authentication failures and deliverability problems.

Assuming DNS settings are correct without verification, causing delays and hidden issues.

Neglecting to rotate DKIM keys, which can be a security vulnerability over time.

Expert tips

For large organizations with strict IT policies, consider NS or CNAME delegation if possible to ease DNS management.

If your ESP's shared reputation is strong, it might be beneficial for small senders or new domains temporarily.

Always verify DNS records with your ESP's tools or independent checkers after making changes.

Expert view

Expert from Email Geeks says that many ESPs do not have the necessary infrastructure to support full domain alignment easily, and retrofitting it is a significant project.

2021-08-26 - Email Geeks

Expert view

Expert from Email Geeks says that shared DKIM keys prevent proper key rotation, which is a security concern, and requires NS or CNAME delegation for proper management.

2021-08-26 - Email Geeks

Choosing the right path for your email sending

The decision to align your sending domain with your ESP's shared domain, or to use your own dedicated domain, is not always straightforward. While best practices often advocate for full alignment to maximize brand consistency and deliverability, practical considerations frequently lead senders to choose otherwise. These considerations include the technical complexity involved in managing DNS records, the ESP's capability to support comprehensive alignment, and the sender's own volume and reputation.

Ultimately, the choice depends on a thorough assessment of your specific email program, internal IT policies, and the features offered by your ESP. For some, the path of least resistance, leveraging a shared domain's established reputation, might be the most effective. For others, investing in full alignment with a dedicated domain is crucial for long-term brand integrity and inbox success. Regardless of the chosen path, consistent monitoring of your email performance and authentication is essential.