Who is responsible for setting up SPF, DKIM, and DMARC, me or my ESP?

While an ESP provides the sending infrastructure, you are typically responsible for configuring SPF, DKIM, and DMARC records in your domain's DNS. Your ESP will provide the specific values you need to add to these records, such as SPF include mechanisms or DKIM selectors and public keys. Without proper configuration on your end, emails sent through the ESP may fail authentication.

Should I choose a dedicated IP or a shared IP for better deliverability?

A dedicated IP address gives you full control over your sending reputation. If you send a high volume of emails consistently, a dedicated IP can help you build a strong, independent reputation. However, it requires a careful warming-up process . For lower volumes or inconsistent sending, a shared IP might be better, as the ESP manages the collective reputation, but you are also subject to other senders' practices.

What happens if my emails fail SPF, DKIM, or DMARC authentication?

Failing authentication can lead to your emails being marked as spam or rejected entirely by receiving mail servers. This negatively impacts your sender reputation and overall deliverability. It can also open your domain to spoofing and phishing attacks , damaging your brand's trust with recipients.

Are SPF, DKIM, and DMARC a one-time setup, or do they require ongoing management?

While setting up these protocols is a critical first step, continuous monitoring is essential. This includes regularly reviewing DMARC reports to identify authentication failures and potential unauthorized use of your domain, checking for email blocklist (or blacklist) status for your IP and domain, and analyzing your ESP's deliverability reports. Proactive monitoring helps you quickly address any issues that arise and maintain a healthy sending reputation.

How do SPF, DKIM, DMARC, and dedicated IPs affect email deliverability when using a third-party ESP? - Technical - Email deliverability - Knowledge base

When you send emails through a third-party Email Service Provider (ESP), ensuring your messages reach the inbox is a top priority. It's not just about hitting send, it's about making sure your emails are delivered to the recipient's inbox, not their spam folder. A common misconception is that simply using an ESP guarantees good deliverability. While ESPs provide the infrastructure, much of the responsibility for maintaining a strong sender reputation and achieving high inbox placement still lies with you, the sender.

Understanding how various technical elements like SPF, DKIM, DMARC, and your choice of IP address (shared versus dedicated) interact with your ESP is crucial. These protocols are the foundation of email authentication, helping receiving mail servers verify that your emails are legitimate and haven't been tampered with. Without them, even the most carefully crafted messages can be flagged as suspicious and relegated to the junk folder.

This guide will walk you through each of these components, explaining their individual roles and how they collectively influence your email deliverability when leveraging a third-party ESP. We'll explore why setting them up correctly is paramount and what considerations you should keep in mind to maximize your inbox placement rates.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

The impact of SPF, DKIM, and DMARC

Email authentication protocols SPF, DKIM, and DMARC are vital for establishing trust with mailbox providers. They act as digital signatures and verification checks, assuring recipients that an email truly originates from the domain it claims to be from. When sending through a third-party ESP, proper configuration of these records within your domain’s DNS is essential, as the ESP sends emails on your behalf. Implementing these protocols helps combat spoofing and phishing, which in turn significantly boosts your email deliverability.

Sender Policy Framework (SPF) allows domain owners to publish a list of authorized mail servers that can send email on their behalf. When an email is received, the recipient’s server checks the SPF record to confirm that the sending IP address is on that authorized list. If it isn't, the email might be flagged or rejected. Your ESP will provide the necessary IP addresses or include mechanisms for your SPF record to validate their sending infrastructure. It is important to avoid the SPF DNS timeout by keeping your lookups to a minimum.

DomainKeys Identified Mail (DKIM) adds a digital signature to your email headers, which is verified using a public key published in your DNS. This signature ensures that the email content hasn't been altered in transit and that the email truly originated from the signed domain. Unlike SPF, DKIM verifies the email's integrity, making it harder for malicious actors to spoof your domain. Your ESP typically handles the signing process and provides you with the DKIM record to publish. In some cases, you may need to resolve a DKIM body hash mismatch error.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds upon SPF and DKIM, allowing domain owners to specify how receiving servers should handle emails that fail authentication. You can set policies (none, quarantine, or reject) and receive reports on authentication failures, providing valuable insight into potential abuse of your domain. While ESPs primarily support SPF and DKIM, they play a crucial role in enabling you to implement DMARC, particularly by aligning the domains used for SPF and DKIM authentication with your DMARC policy. Proper configuration helps protect your brand and improve your overall deliverability, as seen in email authentication protocols.

DNS record example

SPF Record Example (TXT record)DNS

v=spf1 include:_spf.example.com include:sendgrid.net ~all

DKIM Record Example (TXT record)DNS

k1._domainkey.yourdomain.com TXT v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDyO...IDAQAB

DMARC Record Example (TXT record)DNS

_dmarc.yourdomain.com TXT v=DMARC1; p=none; rua=mailto:reports@yourdomain.com;

Dedicated versus shared IPs

Your IP address reputation is another critical factor in email deliverability, especially when using an ESP. ESPs generally offer two types of IP configurations: shared IP addresses and dedicated IP addresses. Each has distinct implications for your sender reputation and how your emails are perceived by receiving servers.

With a shared IP address, your emails are sent from an IP that is also used by other customers of the ESP. This can be beneficial for senders with low volume or inconsistent sending patterns, as the ESP actively manages the IP's reputation. However, your deliverability can be negatively affected by the sending practices of others on that same IP. If another user sends spam or gets blocklisted, it can impact everyone on that shared IP. This highlights why an ESP's IP pool management is important.

A dedicated IP address, conversely, is exclusively used by you. This gives you complete control over your IP reputation. While this offers more stability, it also means you bear full responsibility for warming up the IP and maintaining its reputation. Dedicated IPs are typically recommended for high-volume senders with consistent sending patterns, as they allow for the careful cultivation of a positive sending history. For a more detailed comparison, you can read about the benefits of dedicated IPs.

The choice between shared and dedicated IPs should be made in consultation with your ESP, considering your sending volume, frequency, and audience. A good ESP will guide you on the best approach and help with the initial IP warming process for dedicated IPs. Additionally, ensuring proper reverse DNS (rDNS) setup for dedicated IPs is crucial for deliverability, as it adds another layer of verification that your IP address is legitimate and associated with your domain.

Shared IP

Reputation management: ESP actively manages the IP's reputation across all users.
Impact of others: Poor sending practices by other users can negatively affect your deliverability.
Warming up: Not typically required, as the IP is already warmed up.
Best for: Senders with low or inconsistent sending volumes.

Dedicated IP

Reputation management: You are solely responsible for building and maintaining your IP's reputation.
Impact of others: No direct impact from other senders, but your own sending affects your deliverability.
Warming up: A critical initial process to build trust with mailbox providers.
Best for: High-volume senders with consistent email sending patterns.

The ESP's role in deliverability

Your choice of ESP significantly influences how effectively you can implement and manage these deliverability factors. A reputable ESP will provide robust tools and guidance to help you configure SPF, DKIM, and DMARC correctly. They should also offer clear insights into your email performance and assist in troubleshooting deliverability issues.

Many ESPs will handle the technical complexities of authentication on your behalf, especially for DKIM signing. However, you should still understand the basics and ensure your domain's DNS records are properly updated. Some ESPs might offer shared DKIM keys, which are generally acceptable, but individual keys offer more direct control over your reputation.

It's also crucial for your ESP to offer features that help you monitor your sending reputation and respond to potential issues, such as getting added to a blocklist (or blacklist). Look for ESPs that provide detailed analytics, bounce reports, and insights into why emails might be failing. This proactive monitoring is key to maintaining high deliverability rates. Remember, a robust ESP's capabilities in this area directly impact your success.

Choosing the right ESP

When evaluating a third-party ESP, consider their commitment to email authentication and deliverability support. Look for transparent reporting, clear setup instructions, and dedicated support for SPF, DKIM, and DMARC. Their handling of shared IP pools and their proactive measures against blocklistings are crucial indicators of their deliverability focus.

Views from the trenches

Best practices

Always ensure SPF and DKIM records are correctly published in your DNS and align with your ESP's sending infrastructure.

Utilize DMARC with a p=none policy initially to monitor authentication failures without impacting delivery, then gradually move to quarantine or reject.

Choose an ESP that offers clear guidance and robust features for email authentication and reputation monitoring.

Regularly monitor your domain and IP reputation using tools like Google Postmaster Tools for major mailbox providers.

Segment your audience and tailor content to minimize spam complaints, which significantly impact deliverability.

Common pitfalls

Not configuring DKIM for your domain when sending through an ESP, leading to lower authentication scores.

Assuming DMARC is automatically handled by the ESP without needing your domain's specific DNS records.

Using a dedicated IP without a proper warming-up strategy, causing initial deliverability issues.

Neglecting to monitor DMARC reports, missing opportunities to identify and fix authentication problems or domain abuse.

Ignoring spam complaints or high bounce rates, which quickly damage sender reputation on both shared and dedicated IPs.

Expert tips

Focus on content and recipient engagement before blaming IP or authentication, as these are often primary drivers of inbox placement.

Identify exactly which ISPs or domains your emails are landing in spam folders, as solutions vary for different providers.

Transactional emails often go to strict corporate or educational domains, requiring even stronger authentication and content quality.

While DMARC helps with spoofing, its direct effect on general deliverability might be marginal for well-authenticated senders.

Dedicated IPs don't guarantee inbox placement, especially with Gmail, and can hurt deliverability during warm-up if not managed correctly.

Expert view

Expert from Email Geeks says that if you are using your own domain, the ESP's main role for DMARC is to support SPF and DKIM, and DMARC itself might only have a marginal effect on delivery.

2019-01-28 - Email Geeks

Marketer view

Marketer from Email Geeks says that Recurly's documentation indicates they offer SPF and DKIM signing, which improves deliverability, but this signing happens on their domain.

2019-01-28 - Email Geeks

Final thoughts on email deliverability

Email deliverability is a multi-faceted challenge, and when using a third-party ESP, SPF, DKIM, DMARC, and your IP address choice are foundational components. These technical configurations work in tandem to build and maintain your sender reputation, ensuring that mailbox providers trust your emails and place them in the inbox rather than the spam folder (or blocklist).

Properly setting up SPF, DKIM, and DMARC, alongside an informed decision about using shared or dedicated IPs, creates a robust authentication framework. This not only improves deliverability but also protects your domain from malicious spoofing attempts. Remember to consult with your ESP's documentation and support for specific instructions tailored to their platform, and prioritize proactive monitoring of your email performance.

Ultimately, while your ESP provides the sending infrastructure, your active involvement in configuring and monitoring these critical elements is key to achieving consistent and high email deliverability. Investing time in these technical aspects will pay dividends in your overall email marketing success.