Summary
Franchises frequently face challenges setting up DKIM for email marketing due to centralized corporate control over DNS. The most practical and widely recommended approach involves a collaborative effort between the franchise, their Email Service Provider (ESP), and the corporate IT department. ESPs typically offer specific CNAME records that, when added to the domain's DNS by corporate IT, delegate the DKIM signing process to the ESP's infrastructure. This method allows franchises to achieve proper email authentication without needing direct access to corporate DNS. Prior to any technical implementation, it is crucial for the franchise to clarify their authorization to use the corporate brand's email address, as this is fundamentally a business policy and brand issue.
Key findings
- ESP-Provided CNAMEs Are Key: The most common and effective solution involves leveraging Email Service Providers (ESPs) that offer CNAME records. These records, when added to the domain's DNS, delegate DKIM authentication and key management directly to the ESP, simplifying setup for franchises.
- Corporate IT Collaboration is Essential: DKIM fundamentally requires publishing a public key in the sending domain's DNS. Therefore, a franchise cannot unilaterally implement DKIM for a corporate domain; direct cooperation and action from corporate IT are always necessary to add the required DNS entries.
- DKIM Benefits Outweigh Setup Hurdles: Any form of DKIM authentication, even if it's a shared DKIM provided by an ESP, is better than none. It significantly improves email deliverability and helps establish sending domain reputation.
- Delegation Simplifies Management: Many ESPs, including SendGrid, Mailchimp, HubSpot, Mailgun, and SocketLabs, provide specific CNAMEs that allow their infrastructure to handle DKIM signing on behalf of the sending domain. This method avoids the need for the franchise to have full DNS management.
Key considerations
- Clarify Brand Usage Rights: Before addressing technical steps, franchises should first clarify their right to use the corporate brand's email address for marketing purposes with the brand owner. This is a foundational business and policy issue, not solely an email deliverability problem.
- Obtain Specific DNS Records: Franchises must obtain the precise DKIM DNS records, typically CNAMEs or TXT records, directly from their Email Service Provider. These records are essential for the corporate IT team to implement.
- Formal Request to Corporate IT: A formal request to the corporate IT department is indispensable. Since franchises lack direct DNS control, they must rely on corporate IT to add the provided CNAME or TXT entries to the domain's DNS, allowing for proper email authentication.
- Consider Subdomain Delegation: For increased autonomy, franchises can explore the possibility of corporate IT delegating a specific subdomain's DNS records to their Email Service Provider. This allows the ESP to manage all necessary authentication records, including DKIM, for emails sent from that subdomain.
- Avoid Unrelated Domains: It is generally not advisable to purchase a completely separate or 'cousin' domain for email marketing if the intention is to represent the primary corporate brand. This can lead to brand confusion and potential deliverability issues.
What email marketers say
7 marketer opinions
Implementing DKIM for email marketing when a franchise lacks direct corporate DNS control necessitates a strategic approach centered on collaboration. The most effective method involves the franchise's Email Service Provider (ESP) generating the necessary DKIM DNS records, often CNAMEs, which corporate IT then adds to the main domain. This delegates the DKIM signing authority to the ESP, ensuring proper email authentication. Crucially, before any technical setup, franchises must obtain clear business authorization from the brand owner to use the corporate email address for marketing purposes, addressing the underlying business policy implications.
Key opinions
- ESP Facilitates DKIM Setup: Email Service Providers are central to the process, providing the precise CNAME or TXT records that enable DKIM authentication and often manage the signing process.
- Corporate IT's Indispensable Role: The actual publication of DKIM DNS records is exclusively controlled by corporate IT, making their cooperation and action fundamental to any successful implementation.
- Benefits of Any DKIM Implementation: Even shared DKIM from an ESP significantly enhances email deliverability and sender reputation compared to sending emails without any DKIM authentication.
- Subdomain Delegation Offers Autonomy: Delegating DNS control of a specific subdomain to the ESP allows for independent management of all email authentication records, including DKIM, for campaigns sent from that subdomain.
Key considerations
- Prioritize Business Authorization: Before technical steps, securing explicit permission from the brand owner for a franchise to use corporate email addresses in marketing is crucial, addressing the business policy aspect.
- Exact DNS Record Acquisition: Franchises must obtain the precise CNAME or TXT records directly from their Email Service Provider to provide to corporate IT for accurate and successful DNS implementation.
- Structured Corporate IT Engagement: A formal, clear request detailing the required DNS changes, submitted to corporate IT, is essential for gaining their cooperation and ensuring the records are published correctly.
- Cautious Approach to Separate Domains: While technically feasible, registering an entirely separate or 'cousin' domain for email marketing is generally discouraged, as it can dilute brand consistency and potentially impact email trust and deliverability.
Marketer view
Marketer from Email Geeks suggests that if the Email Service Provider (ESP) offers shared DKIM, it should be used, as any DKIM implementation is better than none for email authentication.
2 May 2022 - Email Geeks
Marketer view
Marketer from Email Geeks explains that a franchise's inability to set up DKIM due to corporate DNS restrictions is a deeper business problem, not solely an email issue. He advises against purchasing an unrelated or 'cousin' domain, stressing that the franchise should first clarify their right to use the corporate brand's email address in marketing with the brand owner. Only after gaining a clear business understanding and policy statement should they approach IT for DNS changes, which may involve adding TXT, CNAME, or NS records, as DKIM does not strictly require a subdomain.
23 May 2024 - Email Geeks
What the experts say
2 expert opinions
Implementing DKIM for email marketing fundamentally hinges on the ability to publish the public key within the sending domain's DNS records. Therefore, a franchise operating without direct corporate DNS control cannot unilaterally establish DKIM for a corporate domain. Successful DKIM authentication, in such scenarios, mandates direct assistance and cooperation from the corporate entity that maintains the domain's DNS.
Key opinions
- Core DNS Requirement: DKIM verification fundamentally mandates the publication of a public key within the sending domain's DNS records, serving as the essential lookup point for recipient servers to authenticate emails.
- Impossibility of Independent Setup: A franchise operating without direct corporate DNS control is technically unable to unilaterally set up DKIM for a corporate domain, as it lacks the authority to publish the necessary DNS entries.
- DNS Query Protocol: The DKIM authentication process inherently involves receiving servers querying the sending domain's DNS for the public key to validate an email's digital signature, making DNS accessibility paramount.
Key considerations
- Acknowledge DNS Constraint: Franchises must fully recognize that direct DKIM setup for a corporate domain is technically impossible without explicit corporate assistance due to the fundamental requirement of publishing the public key in the domain's DNS.
- Prioritize Corporate Engagement: Given the absolute necessity of corporate DNS control for DKIM implementation, franchises should make immediate and structured efforts to engage corporate IT for the required DNS record publication.
Expert view
Expert from Word to the Wise explains that DKIM fundamentally requires the public key to be published in the sending domain's DNS records. Therefore, a franchise without corporate DNS control cannot directly set up DKIM for a corporate domain without corporate assistance to publish the necessary DNS entry.
17 Oct 2022 - Word to the Wise
Expert view
Expert from Spam Resource shares that DKIM involves the receiving server querying DNS for the public key of the sending domain to verify the email's digital signature. This process necessitates direct access or coordination with the entity controlling the sending domain's DNS, meaning a franchise without corporate DNS control cannot unilaterally implement DKIM for a corporate-managed domain.
28 Jun 2022 - Spam Resource
What the documentation says
5 technical articles
Email Service Providers offer a streamlined method for franchises to implement DKIM without direct corporate DNS control, primarily through the use of CNAME records. This widely adopted approach enables ESPs to handle DKIM signing on behalf of the sending domain, requiring only that corporate IT departments add specific entries to their DNS. This consistent offering across major ESPs simplifies the technical task for corporate IT while ensuring robust email authentication for the franchise's marketing efforts.
Key findings
- ESPs Provide CNAME Delegation: Leading Email Service Providers, including SendGrid, Mailchimp, HubSpot, dmarcian.com, and Mailgun, consistently offer CNAME records to facilitate DKIM setup, making it a standard solution for delegated authentication.
- Simplified Corporate IT Task: The CNAME-based DKIM setup simplifies the task for corporate IT, as they only need to add specific, pre-generated entries to their DNS, rather than directly managing or publishing complex DKIM public keys.
- Delegated Key Management: Through CNAME records, the ESP takes on the responsibility of managing the DKIM public key and handling the signing process, effectively delegating email authentication for franchises without direct DNS control.
Key considerations
- Accurate Record Transfer: Franchises must accurately convey the precise CNAME records obtained from their Email Service Provider to the corporate IT department to ensure correct implementation of the DNS entries.
- Reliance on Corporate IT: Despite the simplicity of the CNAME method, the entire DKIM setup process remains dependent on the willingness and timely action of the corporate IT team to add the required DNS records.
Technical article
Documentation from SendGrid explains that users can authenticate their email sending domain by adding specific CNAME records to their DNS, which are provided by SendGrid. This method allows SendGrid to handle the DKIM signing for the domain, enabling organizations, like franchises without direct corporate DNS control, to set up DKIM by simply requesting corporate IT to add these CNAME entries.
6 Nov 2023 - SendGrid Documentation
Technical article
Documentation from Mailchimp explains that domain authentication, including DKIM, is achieved by adding two CNAME records provided by Mailchimp to the domain's DNS. This process allows Mailchimp to handle the authentication automatically, making it feasible for franchises with limited DNS access to authenticate their sending domain by providing these records to their central IT department.
20 Jun 2023 - Mailchimp Knowledge Base
How do I set up SPF and DKIM records for new subdomains when using third-party email services?
How do I sign DKIM on a sender domain that isn't the primary domain while using Hubspot?
How do SPF records and DKIM keys work with multiple email services like Klaviyo and Shopify?
How does Klaviyo handle domain authentication without SPF, DKIM, and DMARC records?
How to add DKIM record for owned domain in Salesforce Marketing Cloud (SFMC)?
How to configure SPF, DKIM, and DMARC when sending marketing emails from a subdomain but signing with the primary domain?
