How to set up email authentication for multiple ESPs on the same sending domain?
Matthew Whittaker
Co-founder & CTO, Suped
Published 6 Jun 2025
Updated 19 Aug 2025
Managing email sending from various Email Service Providers (ESPs) using a single domain can feel like juggling. You might have different teams using different platforms for marketing, transactional, or operational emails, all under the same brand identity.
A common challenge arises when setting up email authentication, specifically SPF, DKIM, and DMARC, across all these services. Without proper authentication, your emails are at a much higher risk of landing in spam folders or being blocklisted, significantly impacting your deliverability and sender reputation.
I've navigated this situation with many organizations, and while it presents unique complexities, it's entirely manageable with a strategic approach to your DNS records. The goal is to ensure every legitimate email sent from your domain is authenticated, regardless of which ESP it originates from.
When multiple ESPs send on behalf of your domain, each one needs to be authorized through your domain's DNS records. The core authentication protocols, SPF, DKIM, and DMARC, work in concert to verify the sender's identity, preventing spoofing and improving trust with mailbox providers. The primary concern is that each ESP has its own specific requirements for setting up these records.
Understanding the challenge
A common pitfall is misunderstanding how these protocols interact. For instance, you can only have one SPF record per domain. If you add multiple, it can break your authentication. Similarly, while DKIM allows for multiple keys, each ESP will require its own unique selector and corresponding DNS entry. DMARC then ties it all together, requiring alignment for both SPF and DKIM. Incorrect configurations can lead to emails landing in spam or being rejected.
The path to better deliverability
Despite these complexities, properly authenticating your domain across all ESPs is crucial for email deliverability. It signals to mailbox providers that your emails are legitimate and can help build a strong sender reputation. Neglecting authentication is one of the quickest ways to see your emails bounce or end up in junk folders, impacting critical communications and marketing efforts.
Implementing SPF and DKIM correctly
Setting up SPF and DKIM for multiple ESPs on the same domain requires careful attention to your DNS records. For SPF, the key is to consolidate all authorized sending sources into a single TXT record. This means including all your ESPs' SPF mechanisms within that one record. Remember the 10-DNS-lookup limit for SPF, as exceeding it will cause SPF authentication to fail. Always verify your combined SPF record to ensure it remains within this limit.
SPF (Sender Policy Framework)
Purpose: Authorizes specific IP addresses or domains to send email on your behalf.
Configuration: A single TXT record in your DNS that lists all approved sending sources. Each ESP will provide its own mechanism to include in your record, such as an include statement.
Multi-ESP impact: All ESPs must share the same SPF record. Merging them correctly is vital to avoid authentication failures, especially related to DNS lookup limits.
DKIM (DomainKeys Identified Mail)
Purpose: Digitally signs outgoing emails, verifying the sender's identity and ensuring message integrity.
Configuration: Each ESP provides a unique public key to be published as a CNAME or TXT record in your DNS, often with a specific selector (e.g., s1._domainkey). Each selector links to a distinct DKIM key.
For DKIM, each ESP will generally provide its own set of unique DKIM selectors and keys to add as CNAME or TXT records in your DNS. The key here is that each ESP's DKIM record will use a different selector, ensuring they don't overwrite each other. Here’s an example of how you might consolidate your SPF record:
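As an added illustration (not a record or code from the original article), the sketch below merges per-ESP include mechanisms into one SPF record and counts the DNS-querying terms (include, a, mx, ptr, exists, redirect) against the 10-lookup limit. All hostnames are hypothetical, the `ZONE` dictionary is constructed data standing in for live DNS, and the count covers every term, so it is a conservative upper bound.

```python
# Constructed TXT data standing in for live DNS; every hostname is hypothetical.
ZONE = {
    "_spf.esp-a.example": ["v=spf1 include:_nb1.esp-a.example include:_nb2.esp-a.example include:_nb3.esp-a.example ~all"],
    "_nb1.esp-a.example": ["v=spf1 ip4:192.0.2.0/26 ~all"],
    "_nb2.esp-a.example": ["v=spf1 ip4:192.0.2.64/26 ~all"],
    "_nb3.esp-a.example": ["v=spf1 ip4:192.0.2.128/26 ~all"],
    "spf.esp-b.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "spf.esp-c.example": ["v=spf1 a mx include:_nb.esp-c.example ~all"],
    "_nb.esp-c.example": ["v=spf1 ip4:203.0.113.0/25 ~all"],
    "spf.esp-d.example": ["v=spf1 include:_nb.esp-d.example ~all"],
    "_nb.esp-d.example": ["v=spf1 ip4:203.0.113.128/25 ~all"],
}
LIMIT = 10  # maximum DNS-querying terms per SPF check (RFC 7208, section 4.6.4)


def merge_spf(includes, policy="~all"):
    """Build the single SPF record: one include per ESP, duplicates dropped."""
    unique = list(dict.fromkeys(includes))
    return " ".join(["v=spf1"] + [f"include:{d}" for d in unique] + [policy])


def count_lookups(record, zone, path=()):
    """Upper bound on DNS-querying terms, following include/redirect targets."""
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()
        target = None
        if term.startswith("redirect="):
            target = term.split("=", 1)[1]
        elif term.startswith("include:"):
            target = term.split(":", 1)[1]
        elif term.split(":")[0].split("/")[0] in ("a", "mx", "ptr", "exists"):
            total += 1
        if target is not None:
            if target in path:
                raise ValueError(f"include loop at {target}")
            found = [t for t in zone.get(target, []) if t.lower().split()[:1] == ["v=spf1"]]
            if len(found) != 1:  # zero or several SPF records is a permerror
                raise ValueError(f"{target}: {len(found)} SPF records, need exactly 1")
            total += 1 + count_lookups(found[0], zone, path + (target,))
    return total


def check(includes, zone=ZONE):
    """Return (merged record, lookup count, within-limit flag) for the given ESP includes."""
    record = merge_spf(includes)
    n = count_lookups(record, zone)
    return record, n, n <= LIMIT
```

With the constructed data, three ESPs come to 9 lookups, and adding the fourth raises the count to 11, which is over the limit even though the top-level record lists only four includes.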
DMARC is the final piece of the authentication puzzle, allowing you to tell mailbox providers what to do with unauthenticated emails purporting to be from your domain and providing feedback via DMARC reports. When setting up DMARC with multiple ESPs, the main consideration is DMARC alignment. Both SPF and DKIM must align with the DMARC record's domain for DMARC to pass, which can be tricky if some ESPs use their own domains in the return-path or d= tag.
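To see which identifier a given ESP leaves unaligned, the following added example (not from the original article) parses a message's headers and compares the Return-Path domain and each DKIM `d=` domain with the From domain, in relaxed or strict mode. The sample message, domains and selector are constructed, and `org_domain` is a labelled simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message headers; domains, selector and addresses are hypothetical.
SAMPLE = """\
Return-Path: <bounce-123@bounces.esp-b.example>
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=espb1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: News <news@yourdomain.com>
To: user@recipient.example
Subject: constructed sample

body
"""


def org_domain(domain):
    """Assumption: last two labels; real code must consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}


def alignment_report(raw, aspf="r", adkim="r"):
    """Report per-identifier alignment against the From domain for one message."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    rp_dom = parseaddr(msg["Return-Path"])[1].rpartition("@")[2]
    sigs = [dkim_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    return {
        "from": from_dom,
        "spf_aligned": is_aligned(from_dom, rp_dom, aspf),
        "dkim_aligned": any(is_aligned(from_dom, s.get("d", ""), adkim) for s in sigs),
        "dkim_selectors": [s.get("s") for s in sigs],
    }
```

For the constructed sample, the ESP's shared bounce domain leaves the Return-Path unaligned while the custom `d=` domain is aligned, which is the pattern to look for when an ESP offers only partial custom-domain authentication.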
I always recommend starting with a DMARC policy of p=none. This policy monitors your email traffic without affecting delivery, providing crucial insight into all sending sources for your domain, whether authorized or not. This is particularly useful when you have multiple ESPs, as it helps identify any forgotten or rogue sending platforms. Once you're confident all legitimate mail is authenticating, you can gradually move to a more restrictive policy like p=quarantine or p=reject to enforce security and protect your brand.
While using a single domain for multiple ESPs is technically feasible, a more strategic approach for managing sender reputation and deliverability involves leveraging subdomains. Assigning different subdomains to each ESP helps isolate their sending reputations. If one ESP experiences a deliverability issue, it's less likely to negatively impact email sent from another subdomain using a different ESP.
Best practices for multi-ESP environments
Subdomain strategy: Consider using unique subdomains for each ESP, such as marketing.yourdomain.com and transactional.yourdomain.com. This provides better control over individual sending reputations.
Consistent sending practices: Ensure all teams sending email adhere to best practices for list hygiene, content quality, and recipient engagement. This collective effort is key to maintaining a healthy domain reputation, regardless of the ESP.
It's also important to periodically audit your ESP usage. Consolidating your sending to fewer ESPs, if feasible, can simplify management and streamline your authentication setup. While this isn't always possible due to diverse business needs, it's a worthwhile consideration for long-term email program health.
Views from the trenches
Best practices
Ensure that all ESPs provide custom domain authentication, not just shared authentication.
Always start DMARC with a p=none policy to safely monitor email traffic.
Use separate subdomains for different email types or ESPs to isolate sender reputation.
Common pitfalls
Creating multiple SPF records, which breaks authentication and causes deliverability issues.
Not having unique DKIM selectors for each ESP, leading to conflicts or overwrites.
Failing to monitor DMARC reports, missing unauthenticated sending sources or misconfigurations.
Expert tips
Carefully merge SPF records, ensuring you don't exceed the 10-DNS-lookup limit.
Verify DMARC alignment for all ESPs, ensuring the From domain aligns with the SPF and DKIM domains.
Proactively check for blocklist (blacklist) listings and address any reputation issues quickly.
Expert view
Expert from Email Geeks says that monitoring is crucial, especially when setting up DMARC with a reject policy, as reports help identify unauthenticated mail from older channels.
2019-09-03 - Email Geeks
Expert view
Expert from Email Geeks says that while unique DKIM selectors are needed for each group to avoid sharing private keys, SPF is usually fine as long as the 10 DNS lookup limit is not exceeded.
2019-09-03 - Email Geeks
Putting it all together for robust email deliverability
Setting up email authentication for multiple ESPs on the same sending domain is a critical step towards maximizing your email deliverability and protecting your brand reputation. It demands meticulous configuration of SPF, DKIM, and DMARC records in your DNS. While challenging, the benefits of unified authentication, including improved inbox placement and reduced risk of spoofing, are well worth the effort.
By following these guidelines and maintaining vigilant monitoring, you can ensure that all your email streams are properly authenticated, building trust with mailbox providers and ensuring your messages consistently reach their intended recipients. Remember that consistent authentication is an ongoing process that requires regular review and adjustment as your email sending infrastructure evolves.