How to handle email authentication for ESP customers without their own domains?

Key findings

• Subdomain authentication: Using customer-specific subdomains of an ESP-owned domain is a primary method for providing clean SPF, DKIM, and DMARC authentication for clients who do not have their own domains. This approach also helps to isolate sending reputation, preventing one customer's poor practices from affecting others.
• DNS wildcard limitations: While wildcards in DNS can be considered, they often lead to configuration messes and records appearing where they shouldn't, making them less ideal for scalable and reliable authentication.
• Dynamic DNS record generation: A more robust solution involves having the ESP's DNS server dynamically synthesize DNS records for each customer upon request. This avoids the need to maintain large, static DNS zone files, which can be burdensome and costly.
• Authentication standards: Proper configuration of SPF, DKIM, and DMARC is critical for all senders, regardless of domain ownership, especially with new sender requirements from major mailbox providers.

Key considerations

• Scalability: ESPs must consider the scalability of their authentication solutions. Manual DNS record generation becomes unmanageable with a large customer base.
• Cost efficiency: Outsourced DNS providers billing per record can lead to prohibitively high costs when managing individual records for many small customers.
• Reputation management: The chosen authentication method should ensure that the actions of one client do not negatively impact the sending reputation of others on the platform.
• Compliance: The solution must comply with evolving email authentication standards and requirements from internet service providers (ISPs) like Google and Yahoo.

Key opinions

• Shared domains: Some marketers use mutualized (shared) domains for small or freemium customers, but acknowledge the inherent deliverability issues due to lack of SPF/DKIM alignment.
• Domain delegation: Delegating the domain to the ESP (via NS records) is a preferred method as it allows the ESP to manage all necessary authentication records centrally.
• In-platform DNS tools: ESPs offering in-platform DNS tools to automatically generate and manage SPF, DKIM, and DMARC records for their clients simplify the process greatly.
• Manual configuration: For clients who prefer or need manual setup, providing clear instructions for SPF, DKIM, and DMARC records is crucial, with some marketers avoiding CNAMEs for authentication records.
• Individual DKIM: Moving towards individual DKIM keys for each customer is seen as a best practice to enhance reputation isolation and overall deliverability.

Key considerations

• Deliverability impact: The choice of authentication method directly impacts email deliverability rates, making robust authentication essential for success.
• Customer ease of use: Solutions that minimize customer effort in setting up DNS records are highly valued, as many small businesses lack technical expertise.
• Reputation management: Preventing clients from being impacted by the sending behavior of other users on a shared IP or domain is a significant concern for marketers and ESPs alike. This highlights the importance of monitoring blocklists and maintaining good sender practices.
• Evolution of policies: Marketers must stay updated on changes to Gmail, Yahoo, and Microsoft's email authentication requirements, which increasingly demand proper authentication even for lower volume senders.

Key opinions

• Subdomain necessity: Authenticating with customer-specific subdomains of an ESP-owned domain is considered the primary method for achieving clean SPF, DKIM, and DMARC authentication for small customers lacking their own domains.
• Reputation isolation: This subdomain approach helps in isolating reputation, meaning that potential bad actors among small customers will not negatively impact the deliverability for legitimate customers.
• DNS wildcard issues: Experts warn that while DNS wildcards might seem like a solution, they can lead to significant operational problems and unexpected record resolutions, making them unsuitable for robust authentication.
• Dynamic DNS record synthesis: A more advanced and cleaner method involves having the ESP's DNS server synthesize (generate on-the-fly) these records when requested. This eliminates the need for manual maintenance of vast DNS zone files for each customer.
• Scalable authentication framework: This dynamic record synthesis allows ESPs to integrate authentication for small customers into the same CNAME-based framework used for larger clients, ensuring consistency and scalability.

Key considerations

• Maintenance overhead: Generating and maintaining individual DNS zone files for each customer is a significant pain point and can become extremely expensive, particularly with outsourced DNS providers who charge per record.
• Deliverability impact of shared resources: ESPs must carefully consider how shared domains and IP addresses affect the deliverability and reputation of all customers, emphasizing the need for robust isolation.
• Technical implementation: Implementing a production-ready nameserver that can dynamically serve authentication records requires specialized expertise in DNS management and potentially custom backend development (e.g., PowerDNS backend).
• Policy alignment: Ensuring DMARC alignment and proper SPF/DKIM configuration for all customers, even those without their own domains, is crucial for complying with modern email standards.

Key findings

• SPF definition: Sender Policy Framework (SPF) is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send email on their behalf, preventing unauthorized use of their domain.
• DKIM configuration: DomainKeys Identified Mail (DKIM) involves cryptographic signatures, requiring the configuration of DKIM keys and their publication in the DNS to verify the integrity and origin of emails.
• DMARC implementation: Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds upon SPF and DKIM, allowing domain owners to specify how receiving servers should handle emails that fail authentication, as well as providing reporting mechanisms.
• Shared domain implications: Documentation often implies that using shared domains with an ESP requires careful attention to how authentication records are configured to ensure alignment and avoid deliverability issues due to misconfiguration.

Key considerations

• Compliance with new requirements: Recent updates from major mailbox providers like Gmail and Yahoo now make authentication mandatory for bulk senders, impacting even small businesses using ESPs.
• Delegated domain management: When a client delegates their domain to an ESP, the ESP assumes responsibility for managing the DNS records to ensure proper authentication, requiring robust internal systems.
• Sender authentication package (SAP): Some ESPs offer an SAP, which typically includes a dedicated IP, a private domain, and account branding (link wrapping), providing a comprehensive solution for improved authentication and branding.
• Automated setup: Documentation often encourages ESPs to provide automated or simplified processes for clients to set up domain authentication records, reducing friction and errors.