How to handle email authentication for ESP customers without their own domains?
Michael Ko
Co-founder & CEO, Suped
Published 17 Jun 2025
Updated 17 Aug 2025
9 min read
Handling email authentication for customers who don't own their own domains is a common challenge for email service providers (ESPs). Many small businesses, startups, or individual users might not have a dedicated domain, yet they need to send emails reliably. Without proper authentication, these emails risk landing in spam folders, or worse, being rejected entirely. My goal is to ensure every email reaches its intended inbox, and that means tackling this crucial deliverability hurdle.
The core issue revolves around Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). These protocols are vital for verifying a sender's legitimacy and preventing spoofing. When a customer doesn't have their own domain, they often send from a shared domain provided by the ESP, which can complicate authentication setup and impact overall sending reputation. We need to find ways to provide these users with the same authentication benefits as those with dedicated domains.
Recent changes from major mailbox providers like Gmail and Yahoo have made email authentication even more critical. They now require bulk senders to authenticate their emails, and failure to do so can lead to significant deliverability issues. This puts pressure on ESPs to ensure all their customers, regardless of domain ownership, meet these stringent requirements. It's a fundamental aspect of maintaining a healthy sending ecosystem for everyone.
When customers rely on a shared domain provided by their ESP, it introduces several challenges that can negatively affect email deliverability and sender reputation. While convenient for those without their own domains, shared domains come with inherent risks that must be managed carefully.
One primary concern is the shared reputation. If one user on a shared domain engages in spammy behavior or has poor sending practices, it can impact the deliverability of all other users on that same domain. This means even a perfectly legitimate sender can find their emails blocked or sent to the spam folder due to the actions of others. It becomes a collective problem rather than an individual one.
Furthermore, achieving proper SPF and DKIM alignment can be tricky with shared domains. When emails are sent through an ESP's shared domain, the "From" address (RFC 5322.From) might not align with the domain used in the Return-Path (RFC 5321.MailFrom) or the DKIM signature. This lack of alignment often leads to DMARC authentication failures, which significantly increases the chance of emails being marked as spam or rejected, especially by mailbox providers with strict DMARC policies. I've seen this issue cause significant headaches for many senders. For a deeper understanding of these alignment issues, explore why your emails are getting DMARC verification failed errors.
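To make the alignment rule concrete, here is an added example (not code from the original article) that evaluates DMARC alignment of the RFC 5322.From domain against the SPF (RFC 5321.MailFrom) and DKIM (d=) domains in relaxed and strict mode. The sample messages, "espdomain.com" and "customer-shop.example" are constructed placeholders, and the organizational-domain logic is simplified.

```python
# Added example: DMARC alignment as mailbox providers evaluate it.
# Domains and sample messages below are constructed placeholders.

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real evaluators consult the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(msg: dict, aspf: str = "r", adkim: str = "r") -> dict:
    """msg keys: from_domain, mailfrom_domain, spf_pass, dkim_domain, dkim_pass.
    DMARC passes when SPF or DKIM both authenticates and aligns with From."""
    spf_ok = msg["spf_pass"] and aligned(msg["from_domain"], msg["mailfrom_domain"], aspf)
    dkim_ok = msg["dkim_pass"] and aligned(msg["from_domain"], msg["dkim_domain"], adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample messages
UNALIGNED = {  # From domain the ESP does not authenticate for; SPF/DKIM pass but do not align
    "from_domain": "customer-shop.example",
    "mailfrom_domain": "bounces.espdomain.com", "spf_pass": True,
    "dkim_domain": "espdomain.com", "dkim_pass": True,
}
DEDICATED = {  # dedicated subdomain with its own SPF and DKIM records
    "from_domain": "customername.espdomain.com",
    "mailfrom_domain": "customername.espdomain.com", "spf_pass": True,
    "dkim_domain": "customername.espdomain.com", "dkim_pass": True,
}
ESP_SIGNED = {  # dedicated From, but signed and bounced on the parent ESP domain
    "from_domain": "customername.espdomain.com",
    "mailfrom_domain": "bounces.espdomain.com", "spf_pass": True,
    "dkim_domain": "espdomain.com", "dkim_pass": True,
}

if __name__ == "__main__":
    for name, m in (("unaligned", UNALIGNED), ("dedicated", DEDICATED), ("esp-signed", ESP_SIGNED)):
        print(name, "relaxed:", dmarc_result(m), "strict:", dmarc_result(m, "s", "s"))
```

The third case shows why per-subdomain keys matter: signing with the parent ESP domain only survives relaxed alignment and fails as soon as the subdomain's DMARC record requests strict mode.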
The importance of dedicated subdomains
The ideal solution for ESP customers without their own domains often involves the use of dedicated subdomains of an ESP-owned domain. This approach allows for isolated authentication and reputation management, mimicking the benefits of a customer's own domain without the need for them to purchase or manage one directly. It is how we aim to provide the best possible deliverability for these clients.
By providing each customer with a unique subdomain (e.g., "customername.espdomain.com"), the ESP can set up individual SPF, DKIM, and DMARC records for that specific subdomain. This ensures that the "From" domain aligns perfectly with the authenticated domains, leading to strong authentication passes. This method helps prevent the shared reputation issues that come with a generic shared domain. To delve deeper into the decision-making process, consider exploring whether to authenticate with your own domain or an ESP's domain.
Implementing this requires the ESP to manage a potentially large number of DNS records for these customer-specific subdomains. While challenging, this approach is crucial for optimal deliverability. It ensures that each customer's sending reputation is largely independent, protecting them from the negative sending habits of others. It also allows for much clearer reporting and troubleshooting if deliverability issues arise for a specific customer. This is especially relevant given the new Google and Yahoo email authentication policies, which heavily emphasize strong authentication.
For a comprehensive understanding, I always refer to guides that cover the basics of email authentication, such as Cisco's deployment guide for SPF, DKIM, and DMARC. These protocols are the backbone of trusted email communication.
ESP strategies for managing authentication
Managing email authentication for numerous customers, especially those without their own domains, presents significant DNS management challenges for ESPs. The key is to implement a scalable and maintainable system.
One common approach is to generate individual DNS records for each customer's subdomain. While effective for authentication, this can lead to massive DNS zone files that are cumbersome to maintain and potentially expensive if using a DNS provider that charges per record. It's a manual burden that can quickly become unmanageable as an ESP scales.
Some ESPs might consider using wildcard DNS records. While a wildcard reduces the number of records to manage, it answers for every name under the zone, including names that were never provisioned, so records appear in unexpected places within the DNS resolution tree and troubleshooting clean authentication becomes complex. A more robust solution is to have the DNS server synthesize these records on demand for provisioned customer subdomains, providing a cleaner and more scalable way to manage authentication for many small customers while integrating with existing CNAME-based frameworks for larger clients. You can read more about customer subdomain authentication to get a technical deep dive.
Ultimately, ESPs must strike a balance between ease of use for customers and robust authentication. This often means providing clear instructions and automated tools for customers to set up or delegate DNS if they wish to use their own domains, while also offering a secure, ESP-managed subdomain option for those who don't. The goal is to maximize email deliverability for all users, regardless of their technical setup. For ESPs, it's a partnership in ensuring proper email deliverability.
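As an added example (not the article's or any ESP's code) covering both the per-customer subdomain records from the previous section and the on-demand synthesis discussed above, the following builds the SPF, DKIM and DMARC records for a customer subdomain and answers DNS queries for those names only when the customer is provisioned. "espdomain.com", the selector "esp1", the customer names and the rua mailbox are constructed placeholders.

```python
# Added example: per-customer subdomain authentication records, generated on
# demand rather than stored in a large zone file or served by a wildcard.
import re

ESP_DOMAIN = "espdomain.com"          # placeholder ESP-owned domain
SELECTOR = "esp1"                     # placeholder DKIM selector
CUSTOMERS = {"customername", "acme-shop"}  # constructed: provisioned customers

def subdomain_records(customer: str, rua: str) -> list[tuple[str, str, str]]:
    """Authentication records for <customer>.<ESP_DOMAIN>.  Each customer gets
    an individual DKIM key published under the ESP domain and referenced by
    CNAME, so rotation changes one record; SPF delegates to the ESP include;
    DMARC asks for strict alignment so the parent domain's reputation stays
    separate from the customer's."""
    sub = f"{customer}.{ESP_DOMAIN}"
    return [
        (sub, "TXT", f"v=spf1 include:_spf.{ESP_DOMAIN} -all"),
        (f"{SELECTOR}._domainkey.{sub}", "CNAME",
         f"{customer}.{SELECTOR}._domainkey.{ESP_DOMAIN}."),
        (f"_dmarc.{sub}", "TXT",
         f"v=DMARC1; p=reject; rua=mailto:{rua}; adkim=s; aspf=s"),
    ]

# Only three name shapes are answered: <cust>, <sel>._domainkey.<cust>, _dmarc.<cust>
PATTERN = re.compile(
    rf"^(?:{re.escape(SELECTOR)}\._domainkey\.|_dmarc\.)?"
    rf"(?P<customer>[a-z0-9-]+)\.{re.escape(ESP_DOMAIN)}\.?$")

def synthesize(qname: str, qtype: str, rua: str = "dmarc@espdomain.com"):
    """Derive the answer from the query name.  Unlike a wildcard, unknown
    customers and unexpected names get no answer (None)."""
    name = qname.lower().rstrip(".")
    m = PATTERN.match(name)
    if not m or m["customer"] not in CUSTOMERS:
        return None
    for rname, rtype, value in subdomain_records(m["customer"], rua):
        if rname == name and rtype == qtype:
            return value
    return None

if __name__ == "__main__":
    for rname, rtype, value in subdomain_records("customername", "dmarc@espdomain.com"):
        print(f"{rname}. IN {rtype} {value!r}")
    print(synthesize("_dmarc.acme-shop.espdomain.com.", "TXT"))
    print(synthesize("nobody.espdomain.com", "TXT"))
```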
Best practices for ESPs and their customers
For ESPs
Offer dedicated subdomains: Provide each customer with a unique subdomain for sending, allowing for isolated authentication and reputation.
Automate DNS record generation: Implement systems to automatically generate and manage SPF, DKIM, and DMARC records for these subdomains. This can be done via CNAMEs or synthetic DNS records.
Educate customers: Clearly explain the importance of email authentication and the benefits of using an authenticated domain or subdomain.
Monitor deliverability per subdomain: Track the reputation and deliverability metrics for each customer's subdomain to identify and address issues quickly.
For customers who do not own a domain, the best practice is to rely on their ESP's robust authentication setup using a dedicated subdomain. This ensures that their emails benefit from strong authentication without the complexity of managing DNS records themselves. It streamlines the process and aligns with new sender requirements.
If a customer eventually acquires their own domain, the ESP should provide clear guidance on how to migrate to full domain authentication, including setting up their own SPF, DKIM, and DMARC records. This transition is crucial for long-term brand building and deliverability control. Remember that for smaller senders, the question of "whether they need their own SPF/DKIM records" is often best answered by relying on a good ESP.
Scenario: ESP using a shared domain
Deliverability impact: High risk of emails landing in spam or being rejected due to poor authentication alignment or shared reputation issues.
Authentication setup: SPF, DKIM, and DMARC may not align with the "From" domain, leading to authentication failures.
Reputation management: Reputation is shared across all users of the domain, making it vulnerable to others' poor sending practices.
Scenario: ESP providing dedicated subdomains
Deliverability impact: Significantly improved deliverability due to proper authentication alignment and isolated reputation.
Authentication setup: SPF, DKIM, and DMARC can be set up specifically for each subdomain, ensuring full alignment.
Reputation management: Each subdomain maintains its own reputation, reducing the risk of being affected by other users.
Views from the trenches
Best practices
Actively encourage and educate customers on the benefits of using their own authenticated domains, even if small.
Implement synthetic DNS record generation for customer subdomains, rather than relying on wildcards or huge zone files, for scalable authentication.
Monitor authentication success rates and DMARC reports for each customer subdomain to proactively address issues and maintain a healthy sending reputation.
Provide clear, step-by-step guides for customers on delegating their domain's DNS to the ESP or adding necessary authentication records manually.
Common pitfalls
Allowing paying customers to use mutualized or generic shared domains, leading to unaligned DKIM/SPF and poor deliverability.
Over-reliance on wildcard DNS records, which can introduce hidden complexities and make troubleshooting authentication issues difficult.
Neglecting to provide individual DKIM keys for each customer or subdomain, which weakens authentication strength and reputation isolation.
Failing to audit and update authentication records across all owned domains when SPF/DKIM changes are needed, leading to outdated configurations.
Expert tips
Consider automating DNS changes for client-specific authentication. This simplifies management and ensures consistency.
Educate clients on the value of a dedicated sending domain, even if it's a subdomain provided by your service.
Actively monitor DMARC reports for all domains to catch authentication issues quickly.
Regularly review your authentication setup against industry best practices and new mailbox provider requirements.
Marketer view
Marketer from Email Geeks says our company used to primarily serve small businesses. We have a small number of customers using a mutualized domain, but it causes problems because DKIM and SPF cannot be aligned. We are in the process of prohibiting mutualized domain usage for paying customers, reserving it only for freemium users testing the tool.
2024-03-18 - Email Geeks
Marketer view
Marketer from Email Geeks says those customers who delegate their domain use the NS system. For those who purchase and delegate the domain inside our ESP, we use a DNS tool that automatically prints the SPF, DKIM, DMARC, and tracking/pictures CNAMEs.
2024-03-19 - Email Geeks
Ensuring deliverability for all customers
For ESPs serving customers without their own domains, strong email authentication is not just a best practice, it is a necessity. The landscape of email deliverability continues to evolve, with mailbox providers increasing their scrutiny on authenticated mail. Ensuring that every email sent through your platform is properly authenticated protects your sending reputation and, by extension, the deliverability of all your customers.
Implementing a scalable solution, such as providing dedicated subdomains with robust SPF, DKIM, and DMARC records, is paramount. This not only improves inbox placement but also builds trust with mailbox providers and recipients alike. It's an investment in the long-term success of both the ESP and its customers. I always advocate for proactive measures to maintain a clean sending reputation and avoid being caught on an email blacklist (or blocklist, as some prefer).
Ultimately, the goal is seamless, reliable email delivery for everyone. By embracing advanced authentication strategies for all customer segments, ESPs can ensure their users' messages reach the inbox, fostering better communication and business outcomes. This commitment to deliverability is what truly sets an ESP apart.