Suped

How do I configure DNS records to send emails from two different ESPs using the same subdomain?

Summary

Configuring DNS records to send emails from two different ESPs using the same subdomain is complex and generally discouraged. It requires careful management of SPF, DKIM, and DMARC records. Best practices involve using a single SPF record with 'include' mechanisms, ensuring it stays within the 10 DNS lookup limit, and employing distinct DKIM selectors for each ESP. Proper alignment of the Return-Path and active monitoring of DMARC reports are also crucial. Alternatives like dedicated subdomains are often recommended for simplicity and better deliverability.

Key findings

  • Complexity & Risk: Sharing a subdomain for multiple ESPs introduces significant complexity and increases the risk of deliverability issues.
  • Single SPF Record Required: You must combine all ESPs into a single SPF record (using 'include' mechanisms) as multiple SPF records are invalid.
  • SPF 10 DNS Lookup Limit: The SPF record cannot exceed 10 DNS lookups across all included domains; exceeding it will cause SPF to fail.
  • Unique DKIM Selectors: Each ESP must use different DKIM selectors to prevent key conflicts and ensure proper signing.
  • Return-Path Alignment is Critical: The Return-Path (MAIL FROM) must be correctly aligned with each ESP to handle bounces and feedback loops effectively.
  • Active DMARC Monitoring is a Must: DMARC reporting should be enabled and actively monitored to identify authentication failures and spoofing attempts, and to ensure overall email security.

Key considerations

  • Consider Alternatives: Seriously consider using dedicated subdomains for each ESP, as this simplifies DNS management and reduces the risk of deliverability problems.
  • Flatten SPF if Needed: If the number of DNS lookups approaches the limit, flatten the SPF record (resolve includes to IPs) to stay within the limit. This requires ongoing maintenance.
  • DKIM Key Rotation is Important: Establish and maintain DKIM key rotation procedures for each ESP.
  • Validate SPF Records Regularly: Use tools like Kitterman's SPF validator to ensure your SPF record is valid and doesn't exceed the lookup limit.
  • Monitor IP Reputation: Monitor the IP reputation of each ESP to ensure they are not negatively impacting your domain's deliverability.
  • Warm up New IPs: If using dedicated IPs, properly warm them up to establish a sending reputation.
  • Don't Forget Sender ID: While less important than SPF/DKIM/DMARC, ensure Sender ID is consistent with your sending domain.
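
The single-record rule and the 10-lookup limit from the findings above can be checked before a combined record is published. The following is an added example, not code from the original page or from any ESP; the domain names, the include targets and the zone contents are constructed, and a real check would query DNS instead of the inline dictionary.

```python
import re

# Constructed TXT data standing in for live DNS; every name here is hypothetical.
ZONE = {
    "mail.example.com": ["v=spf1 include:_spf.esp-one.example include:_spf.esp-two.example ~all"],
    "_spf.esp-one.example": ["v=spf1 include:_a.esp-one.example include:_b.esp-one.example ~all"],
    "_a.esp-one.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.esp-one.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.esp-two.example": ["v=spf1 a mx ip4:203.0.113.0/24 ~all"],
}
LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4
# Terms that cost one DNS lookup each; ip4, ip6 and all cost none.
TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/](.*))?$", re.I)

class SPFPermError(Exception):
    """Raised for conditions a receiver treats as a permanent SPF error."""

def spf_record(domain, zone):
    """Return the domain's single SPF record, or None; two or more is an error."""
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise SPFPermError(f"{domain}: {len(records)} SPF records published")
    return records[0] if records else None

def count_lookups(domain, zone, path=frozenset()):
    """Count DNS lookups needed to evaluate the record, following nested includes."""
    if domain in path:
        raise SPFPermError(f"include loop at {domain}")
    record = spf_record(domain, zone)
    if record is None:
        return 0
    total = 0
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            continue
        total += 1  # the term itself costs one lookup
        if m.group(1).lower() in ("include", "redirect"):
            total += count_lookups(m.group(2), zone, path | {domain})
    return total

def spf_status(domain, zone):
    """Return 'ok' or 'permerror' for the single-record rule and the lookup limit."""
    try:
        return "ok" if count_lookups(domain, zone) <= LOOKUP_LIMIT else "permerror"
    except SPFPermError:
        return "permerror"
```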

What email marketers say

13 marketer opinions

Configuring DNS records to send emails from two different ESPs using the same subdomain involves complexities around SPF, DKIM, and DMARC authentication. While possible, it's generally advised against due to increased complexity, troubleshooting challenges, and potential deliverability issues. Alternatives such as dedicated subdomains or Sender Rewriting Scheme (SRS) are often recommended. If pursuing the same subdomain, careful management of SPF records (avoiding exceeding the 10 DNS lookup limit), DKIM selectors, and Return-Path configuration is essential, along with continuous monitoring of deliverability and IP reputation.

Key opinions

  • Complexity: Using the same subdomain for multiple ESPs significantly increases DNS configuration complexity and troubleshooting efforts.
  • SPF Limit: The SPF 10 DNS lookup limit is a critical constraint; exceeding it will invalidate SPF and impact deliverability.
  • DKIM Selectors: Using different DKIM selectors for each ESP is crucial to avoid key conflicts.
  • Return-Path: Properly configuring the Return-Path for each ESP is essential for bounce handling and feedback loops.
  • Deliverability Monitoring: Continuous monitoring of deliverability metrics and authentication results is necessary to identify and resolve issues promptly.

Key considerations

  • Alternatives: Consider using dedicated subdomains or Sender Rewriting Scheme (SRS) as simpler and less problematic alternatives.
  • SPF Management: Carefully manage SPF records, potentially flattening them, to stay within the 10 DNS lookup limit.
  • IP Reputation: Monitor IP reputation for each ESP, as poor reputation can negatively impact deliverability.
  • IP Warm-up: Warm up new IP addresses gradually to build a positive sending reputation.
  • Tooling: Use SPF validation tools (e.g., Kitterman's) to ensure SPF records are valid and within limits.
  • DMARC Reporting: Implement and monitor DMARC reporting to identify authentication failures and potential spoofing attempts.
  • Sender ID: Although less important than SPF/DKIM/DMARC, ensure Sender ID consistency.

Marketer view

Marketer from Email Geeks advises against using the same domain/subdomain for separate mail streams, especially when one is used for 1-to-1 communications. It complicates understanding and explaining the setup due to numerous variables and increases support time. It often adds complexity without improving anything for the sender and complicates DMARC report analysis.

7 Oct 2024 - Email Geeks

Marketer view

Email marketer from Litmus explains that using tools to monitor deliverability and authentication results is critical when using multiple ESPs. This allows you to quickly identify and resolve any issues with SPF, DKIM, or DMARC.

29 Jan 2022 - Litmus

What the experts say

8 expert opinions

To configure DNS records for sending emails from two different ESPs using the same subdomain, experts emphasize the importance of distinct SPF records, MX records, and DKIM selectors for each ESP. Each ESP should have its own 5321.from domain and corresponding SPF and MX records to ensure proper bounce handling. Administrators must diligently manage the 10 DNS lookup limit within SPF records and implement robust DKIM key rotation procedures. Careful Return-Path management, aligning it correctly with each ESP's sending domain, is crucial. Finally, proper configuration and monitoring of DMARC reporting are essential for identifying authentication failures and improving email security.

Key opinions

  • Separate SPF Records: Each ESP requires its own unique SPF record associated with its 5321.from domain. Avoid using the same SPF record for multiple ESPs or including multiple ESPs in a single SPF include statement.
  • Distinct MX Records: Each ESP needs its own MX record to manage bounces effectively. The 5321.from domain should align with the correct MX record for each ESP to route bounces back to the appropriate system.
  • Unique DKIM Selectors: Employ distinct DKIM selectors for each ESP to differentiate signing keys and avoid conflicts.
  • Return-Path Alignment: Ensure the Return-Path (MAIL FROM) is correctly aligned with each ESP's sending domain to properly handle bounces and feedback loops. Incorrect Return-Path configuration can lead to deliverability issues.
  • DMARC Reporting: Properly configure DMARC reporting to actively monitor authentication results, identify failures, and address potential spoofing attempts. Regular analysis of DMARC reports is crucial for maintaining email security.
  • SPF include Limit: Administrators must remain vigilant about the 10 DNS lookup limit, which can impact deliverability if exceeded.

Key considerations

  • DNS Lookup Limit: Be mindful of the 10 DNS lookup limit when using 'include:' mechanisms in SPF records and use tools to validate SPF records.
  • Key Rotation: Ensure proper DKIM key rotation procedures are in place for each ESP. Keys need to be updated periodically, and proper management helps maintain authentication integrity.

Expert view

Expert from Email Geeks shares that for DKIM, it’s easy to use different selectors.

14 Feb 2023 - Email Geeks

Expert view

Expert from SpamResource explains that while using multiple 'include:' mechanisms in SPF records is common for multiple ESPs, administrators must remain vigilant about the 10 DNS lookup limit, which can impact deliverability if exceeded. They advise using tools to validate SPF records.

20 Jan 2023 - SpamResource

What the documentation says

4 technical articles

When configuring DNS records to use two different ESPs with the same subdomain, documentation emphasizes leveraging 'include' mechanisms for SPF records while adhering to the 10 DNS lookup limit. Distinct DKIM selectors are crucial for each ESP to prevent conflicts. Proper SPF and DKIM configuration is paramount, followed by aligning the DMARC policy to ensure effective authentication and security.

Key findings

  • Single SPF Record: Multiple SPF records for a domain are not supported; combine them into a single record.
  • SPF 'include' Mechanism: Use the 'include' mechanism to reference other domains' SPF records.
  • 10 DNS Lookup Limit: Be aware of the 10 DNS lookup limit for SPF records when using multiple 'include' mechanisms.
  • Distinct DKIM Selectors: Configure different DKIM selectors for each ESP.
  • DMARC Alignment: Align DMARC policy with correctly configured SPF and DKIM for each ESP.

Key considerations

  • SPF Record Validation: Validate the combined SPF record to ensure it's valid and within the DNS lookup limit.
  • DKIM Key Management: Properly manage and rotate DKIM keys for each ESP based on their individual guidelines.
  • DMARC Monitoring: Monitor DMARC reports to ensure compliance and address any potential authentication issues.

Technical article

Documentation from Google Workspace Admin Help explains that having multiple SPF records for a domain is not supported and can cause deliverability issues. It recommends combining multiple SPF records into a single record using include mechanisms.

19 Jan 2022 - Google Workspace Admin Help

Technical article

Documentation from AWS SES explains that when configuring DKIM with multiple ESPs, it is important to use different selectors for each ESP to avoid conflicts. Each selector should correspond to a unique DKIM key.

9 Nov 2022 - AWS SES Documentation
