How to set up email authentication for multiple ESPs on the same sending domain?

Key findings

• Complexity: Authenticating a single domain across several ESPs introduces significant complexity, particularly for SPF records due to their DNS lookup limits and for DKIM, which requires unique selectors per sender.
• DMARC visibility: Implementing DMARC, even with a policy of p=none, is crucial for gaining insights into all sending sources using your domain, helping identify both authorized and unauthorized senders.
• Authentication vs. deliverability: While proper email authentication (SPF, DKIM, DMARC) is fundamental, it does not unilaterally solve inbox placement issues. Other factors, such as sending practices, content quality, and recipient engagement, significantly influence deliverability.
• Subdomain benefits: Using subdomains for different ESPs or email types (e.g., transactional, marketing) can help isolate reputation and simplify authentication management, preventing one sending stream from negatively impacting others.

Key considerations

• Assess ESP capabilities: Before implementing changes, confirm each ESP's specific support for custom SPF, DKIM, and DMARC configurations. Some ESPs handle authentication differently than others.
• Monitor DMARC reports: Regularly monitor DMARC aggregate reports to identify any authentication failures or unauthorized email activity originating from your domain.
• DNS lookup limits: Be cautious of the 10 DNS lookup limit for SPF records. Exceeding this limit will cause SPF validation to fail.
• Strategic consolidation: Evaluate whether consolidating ESPs could simplify your email infrastructure and improve overall deliverability management.

Key opinions

• Deliverability assumption: Many marketers initially believe that custom email authentication is the primary solution for poor inbox placement issues, even when other factors are at play.
• Organic growth of ESPs: Startups often acquire multiple ESPs over time without a centralized strategy, leading to fragmented sending practices and potential deliverability challenges.
• Reputation concerns: Marketers are concerned about potential negative impacts on their sender reputation if they switch from an ESP's default authentication to custom domain authentication without proper planning.
• Need for oversight: There's a recognized need for better internal structure and alignment when multiple teams are using different ESPs under the same sending domain.

Key considerations

• Current inbox placement: It's vital to assess the current inbox placement before making any authentication changes. If deliverability is already good, changes should be approached cautiously to avoid disrupting existing success.
• Strategic conversations: Engage in internal discussions about the necessity of using numerous ESPs, potential overlaps, and opportunities for consolidation to streamline operations.
• Data consolidation: Consider using data integration tools to simplify the process of migrating data and consolidating email sending platforms, if that is the long-term strategy.
• Beyond authentication: Remember that authentication is one piece of the puzzle. Other best practices, such as list hygiene, content quality, and sending frequency, also play a significant role in deliverability.

Key opinions

• DKIM selector necessity: Experts recommend setting up different DKIM selectors for each ESP to avoid sharing private keys and maintain distinct authentication paths.
• SPF DNS lookup limit: A critical point of concern is the 10 DNS lookup limit for SPF records, which can be easily exceeded when aggregating multiple ESPs' include mechanisms.
• DMARC enforcement challenges: Achieving DMARC enforcement (e.g., p=quarantine or p=reject) is more difficult with multiple ESPs due to potential DMARC alignment issues.
• Root cause analysis: Experts often point out that deliverability issues, especially for startups with many ESPs, might stem from overly aggressive sales practices or poor permission handling rather than just authentication.

Key considerations

• Comprehensive ESP audit: Conduct a thorough audit of each ESP's platform to understand their specific authentication methods and limitations, especially concerning SPF, DKIM, and DMARC.
• DMARC as a diagnostic tool: Start with a DMARC policy of p=none to gain visibility into all email flows from your domain, which is essential for identifying all sending sources and authentication gaps.
• Consolidation strategy: Seriously consider consolidating ESPs if feasible. Reducing the number of sending platforms can significantly simplify authentication, reputation management, and overall email operations.
• Focus on core deliverability: Address underlying deliverability issues such as list hygiene, consent, and engagement. Authentication is a prerequisite, but these factors drive long-term inbox success.

Key findings

• Standard protocols: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are the established internet standards for email authentication.
• SPF record aggregation: To authorize multiple ESPs, a single SPF TXT record for a domain typically needs to include all authorized sending mechanisms (e.g., include:esp1.com include:esp2.com). This must stay within the 10 DNS lookup limit.
• DKIM setup: Each ESP will provide unique DKIM CNAME records or public keys to be published in your DNS. These typically use distinct selectors (e.g., s1._domainkey.yourdomain.com, mta._domainkey.yourdomain.com) for each service.
• DMARC policy application: A single DMARC record applies to the entire organizational domain and its subdomains, dictating how receiving mail servers should handle emails that fail SPF or DKIM authentication.

Key considerations

• DNS record management: Carefully manage DNS records to avoid conflicts or exceeding limits. This includes ensuring correct TXT records for SPF and proper CNAMEs for DKIM.
• DMARC alignment: Understand DMARC alignment requirements. For a DMARC pass, the domain in the 'From:' header must align with either the SPF domain or the DKIM signing domain. Each ESP must ensure this alignment.
• Gradual DMARC rollout: Documentation generally advises starting DMARC with a p=none policy to collect reports and understand your email ecosystem before moving to more restrictive policies like p=quarantine or p=reject.
• Subdomain recommendation: Many official guides suggest using subdomains for different email streams or ESPs to compartmentalize sender reputation and simplify authentication records.