Do small email senders need their own SPF/DKIM records or can they rely on their ESP?

Key findings

• Universal Requirement: SPF and DKIM authentication are increasingly becoming mandatory for all senders, regardless of volume, to ensure email trustworthiness.
• Sender Domain Importance: Authenticating with your own sending domain, rather than solely relying on the ESP's domain, is crucial for building and maintaining your unique sender reputation. This practice aligns with evolving email authentication policies from major providers like Google and Yahoo.
• From Header: Using a custom domain in your 'From:' header is essential, as using a free email address can significantly hinder deliverability, especially for small lists.
• Future-Proofing: Even for small senders, setting up your own SPF and DKIM records prepares you for future, stricter authentication requirements, mitigating potential deliverability issues down the line.
• Reputation Management: While ESPs provide some shared IP reputation, authenticating your domain allows you to build your own specific domain reputation, which is increasingly vital for inbox placement.

Key considerations

• Effort vs. Benefit: The perceived effort of setting up SPF and DKIM should be weighed against the long-term benefits of improved deliverability and protection against spoofing, even for very small senders.
• ESP Requirements: Some ESPs may soon enforce their own authentication policies, requiring senders to have proper SPF and DKIM records for their sending domains, especially with recent changes from major mailbox providers.
• Domain vs. IP Reputation: While ESPs provide IP reputation through shared pools, domain reputation, established via SPF, DKIM, and DMARC, is increasingly critical for reaching the inbox. Learn more about how these affect deliverability when using an ESP in our guide on SPF, DKIM, DMARC, and dedicated IPs.
• Avoiding Scare Tactics: While authentication is important, avoid misleading urgent or alarmist messaging when advising small senders. Focus on long-term benefits rather than immediate panic.
• Authentication for All: The industry trend indicates that even small senders will eventually need full authentication to maintain optimal deliverability.

Key opinions

• Authentication is Essential: SPF and DKIM are now broadly required for all senders, regardless of their list size. This is not just for bulk senders.
• Domain-Specific Authentication: It is crucial to authenticate with your own sending domain, not just rely on the ESP's domain, to properly establish your identity.
• Custom From Address: Small senders must avoid using free email addresses in their 'From:' header, as this is a significant deliverability hurdle. Setting up a custom domain is a must.
• Future Readiness: While some ESPs might still handle authentication for very small senders on shared IPs, the trend is towards stricter requirements, making proactive setup a wise move.
• Beyond February 1st: While there was a lot of urgency around early 2024 changes, the need for authentication is ongoing and not tied to a single deadline for all senders.

Key considerations

• Sender Reputation: Relying solely on an ESP's shared reputation might seem easier, but building your own domain reputation through authentication provides more control and better long-term deliverability.
• Technical Debt: Delaying proper authentication creates future 'technical debt'. It's better to address it proactively when clients are open to discussing deliverability.
• ESP Policy Checks: Small senders should check their ESP's specific policies, as some providers may stop sending unauthenticated mail, regardless of volume. This aligns with broad email authentication requirements for senders.
• Holistic Approach: Authentication benefits all email channels, including one-to-one communication, not just bulk marketing emails. A complete authentication setup should consider all sending methods.
• Educational Responsibility: Marketers should educate clients on the benefits of self-authentication without resorting to fear-mongering, emphasizing long-term stability over short-term perceived ease.

Key opinions

• Self-Authentication is Best: It is always better for senders, even small ones, to authenticate with their own domain. This builds their own reputation, independent of the ESP's shared resources.
• List Size is Not the Sole Factor: The need for proper authentication is not solely determined by the volume of emails sent. Mailbox providers are increasingly applying these requirements universally.
• Reputation Complexity: Email reputation is multifaceted, encompassing both the sending IP address (managed by the ESP) and the authenticating domain (managed by the sender). Both are critical for success.
• Improved Filtering: Mailbox providers have become significantly better at evaluating sender reputation, even for small senders, moving beyond simple volume metrics.
• Future-Proofing for All: Experts anticipate that domain authentication will eventually become a universal requirement for all emails sent through an ESP, regardless of volume, making early adoption beneficial.

Key considerations

• Domain Ownership: If a small sender is genuinely too small or technically adverse to own and manage their domain authentication, they risk poorer deliverability as mailbox providers tighten authentication requirements, particularly if they are still using a freemail 'From:' address.
• Mail Classification: ISPs categorize mail differently (e.g., bulk, transactional, one-to-one). Authenticating your own domain provides more clarity and helps deliverability across all these categories.
• Getting in the Door: A legitimate ESP's shared IP pool typically provides sufficient IP reputation to get emails 'in the door,' but domain authentication via DKIM and SPF from your own domain is what truly builds and protects your domain reputation.
• Proactive vs. Reactive: It's always better to be proactive in setting up authentication rather than waiting for deliverability issues to arise. Understanding email best practices is key.
• Long-Term View: While small senders may initially benefit from an ESP's reputation, authenticating their own domain prepares them for growth and future policy changes.

Key findings

• Mandatory for Bulk Senders: Google and Yahoo have explicitly made SPF and DKIM authentication mandatory for bulk email senders as of February 2024, setting a precedent for industry-wide adoption.
• Spoofing Protection: SPF, DKIM, and DMARC are crucial technologies designed to combat email spoofing and phishing, ensuring that senders are authorized to use a chosen domain.
• Foundation for DMARC and BIMI: Both DMARC (Domain-based Message Authentication, Reporting & Conformance) and BIMI (Brand Indicators for Message Identification) protocols rely on successful SPF and DKIM authentication as a prerequisite for their functionality.
• Sender Reputation Building: These authentication tools contribute directly to a positive sender reputation by verifying the sender's domain and ensuring message integrity.
• ESP Role: While ESPs often use their own SPF and DKIM records for shared IPs, the trend is towards senders authenticating their own domains, even smaller ones.

Key considerations

• Universal Application: Documentation indicates that email authentication is becoming a universal best practice for all outgoing emails, not just marketing or bulk sends. This includes transactional emails.
• DNS Records: Implementing SPF and DKIM requires adding specific DNS TXT records to your domain's DNS settings. This is a technical step that senders, or their ESPs, must manage correctly. Our simple guide to DMARC, SPF, and DKIM provides more detail.
• Inbox Trust: Proper authentication ensures emails are perceived as real and trustworthy, which directly impacts their ability to reach the inbox rather than being flagged as spam. This is critical for overall email deliverability.
• Evolving Requirements: Documentation suggests that email authentication protocols are continually evolving. Staying updated on these requirements is essential for sustained deliverability.
• Sender Responsibility: Even when using a third-party ESP, ultimate responsibility for proper domain authentication rests with the sender to ensure their emails comply with industry standards and reach their audience. This can be complex, and resources like EmailTooltester.com's guide on DMARC vs. DKIM vs. SPF can help.