Should I authenticate email with my own domain or an ESP's domain?

Michael Ko
Co-founder & CEO, Suped
Published 23 Jul 2025
Updated 19 Aug 2025
When sending emails through an email service provider (ESP), a common question arises: should I authenticate email with my own domain or rely on the ESP's domain? This choice impacts everything from brand perception to email deliverability.
For many, the sight of a via tag in the sender's name, such as sender@yourdomain.com via espservice.com, feels less professional or trustworthy. Beyond aesthetics, there are critical technical and deliverability implications to consider when making this decision.
This article explores the pros and cons, guiding you toward the best practice for authenticating your email sending. It's a fundamental aspect of maintaining a strong sender reputation and ensuring your messages reach the inbox.

Technical considerations: DMARC and alignment

Email authentication protocols like SPF, DKIM, and DMARC are designed to verify the sender's identity and prevent email spoofing. When an ESP sends emails on your behalf, these protocols need to be configured correctly to ensure your emails are seen as legitimate.
If you rely solely on your ESP's domain for authentication, your emails might pass SPF and DKIM using their records. However, DMARC requires alignment between the From header domain (your domain) and the domain used for SPF or DKIM authentication. If the ESP's domain is used for authentication and there's no alignment with your domain, DMARC will fail. This failure can lead to messages being rejected, quarantined, or sent to the spam folder, severely impacting your overall email deliverability.
To achieve DMARC alignment, you must authenticate emails using your own domain. This involves setting up specific DNS records (CNAMEs for DKIM, TXT records for SPF) that point to your ESP's sending infrastructure. This way, the authentication passes using your domain, satisfying DMARC's alignment requirements. Properly setting up DMARC, SPF, and DKIM with your domain is a critical step for modern email sending.

Understanding alignment

  1. SPF alignment: The Return-Path domain must match or be a subdomain of the From header domain.
  2. DKIM alignment: The domain in the DKIM signature (d= tag) must match or be a subdomain of the From header domain.
Many ESPs now offer straightforward ways to set up domain authentication, often involving CNAME records for DKIM. This setup is crucial for ensuring DMARC passes correctly, which is increasingly important for inbox placement, especially with new Gmail, Yahoo, and Microsoft requirements.

Sender reputation and brand identity

Your sending domain plays a significant role in your sender reputation. When you authenticate with your own domain, you are building a direct reputation with mailbox providers like Gmail and Yahoo. This reputation is tied to your domain, not the ESP's shared sending infrastructure. A strong, positive reputation is crucial for avoiding the spam folder and ensuring high deliverability rates.
When you use an ESP's shared domain for authentication, your sending reputation becomes intertwined with other users on that shared domain. If other users on the shared domain engage in questionable sending practices, it can negatively impact your email deliverability, even if your own sending hygiene is impeccable. This is why many recommend you use a dedicated sending domain to have full control over your reputation.
Authenticating with your own domain also strengthens your brand identity. Recipients see your familiar domain in the sender information, fostering trust and recognition. The via tag, though technically harmless if authentication passes, can detract from a professional appearance. This is particularly true for transactional or marketing emails where brand consistency is key.

ESP's domain authentication

You rely on your ESP to handle authentication records, making setup simpler initially.
  1. Reputation: Tied to the ESP's shared IP and domain reputation, which you do not control. A blocklist (or blacklist) on a shared IP can affect you.
  2. DMARC: Often results in DMARC failures due to lack of domain alignment, as the From header domain does not match the authenticated domain.
  3. Branding: Emails may show via ESP.com, which can dilute brand trust and professionalism.

Own domain authentication

Requires a one-time DNS setup (e.g., CNAMEs) on your domain, giving you full control.
  1. Reputation: You build and manage your own sending reputation directly, leading to better control and consistency.
  2. DMARC: Enables DMARC compliance, as SPF and DKIM can align with your From header domain.
  3. Branding: Presents your brand clearly in the From field, building trust and recognition.
From a deliverability perspective, controlling your own domain's authentication gives you direct access to valuable feedback loops and Postmaster Tools data. If you're using an ESP's shared domain, this data is often aggregated or inaccessible, limiting your ability to diagnose and fix deliverability issues. Direct authentication provides transparency and control over your sending performance.

Implementing domain authentication

While it might seem easier to let your ESP handle all authentication, the long-term benefits of authenticating with your own domain far outweigh the initial setup effort. It's an investment in your email program's reliability and brand integrity.
For DMARC to pass, either SPF or DKIM must align with your From header domain. Many ESPs offer options to self-authenticate your emails using your own domain, often through a dedicated section in their settings or by contacting their support.
You will typically be provided with CNAME records for DKIM and possibly TXT records for SPF, which you then add to your domain's DNS. Once these records propagate, your emails will be authenticated directly by your domain, removing the via tag and ensuring proper DMARC alignment.

Example DMARC record

A minimal DMARC record to start monitoring email authentication:
DMARC TXT record (DNS):
v=DMARC1; p=none; rua=mailto:dmarc_reports@yourdomain.com;
Setting this record ensures you receive reports on your email authentication status, helping you to identify and fix common DMARC issues.

Best practice and long-term strategy

While it's technically possible to send emails that pass SPF and DKIM using an ESP's shared domain, it's generally not the recommended best practice, especially with the increasingly strict requirements from major mailbox providers like Microsoft and Google. These providers increasingly prioritize DMARC-aligned emails, making your own domain authentication almost a necessity for reliable delivery.
Using your own domain allows you to build and control your sending reputation, ensures DMARC alignment, and reinforces your brand. This strategic choice leads to better deliverability, reduced risk of being caught by a blacklist (or blocklist), and a more professional sender appearance.
The only scenario where relying on an ESP's domain might be acceptable is for very small, non-critical email volumes where the sender is not concerned about branding or advanced deliverability monitoring. However, even in these cases, the risk of DMARC failures and associated deliverability issues makes it a less than ideal approach.

Views from the trenches

Best practices
  1. Always authenticate with your own domain, even if your ESP offers shared domain authentication.
  2. Implement SPF, DKIM, and DMARC for all sending domains.
  3. Regularly monitor your DMARC reports for authentication and alignment issues.
  4. Ensure your DNS records for email authentication are correctly published and propagated.

Common pitfalls
  1. Relying on ESP's domain for authentication, leading to DMARC failures and lower inbox placement.
  2. Ignoring DMARC reports, missing critical insights into authentication issues.
  3. Incorrectly configuring SPF, DKIM, or DMARC records, causing authentication failures.
  4. Not regularly checking blocklists (or blacklists) for your sending domains or IPs.

Expert tips
  1. Utilize subdomains for different types of email sending (e.g., marketing.yourdomain.com, transactional.yourdomain.com) to isolate reputation.
  2. Consider implementing BIMI for enhanced brand visibility in the inbox once DMARC is enforced.
  3. If using multiple ESPs, ensure each is properly authenticated for your domain using appropriate subdomains or selectors.
  4. Proactively test your email authentication setup before sending large campaigns.

Marketer view
Marketer from Email Geeks says that while it may seem okay to send via the service provider's domain, it's really important to ensure email authorization uses your own domain name.
2018-09-12 - Email Geeks
Expert view
Expert from Email Geeks says that deliverability depends on which domain DKIM is signed on, and Gmail generally prefers a whitelisted DKIM envelope for better inbox placement.
2018-09-12 - Email Geeks

The clear choice for deliverability

For serious email senders, authenticating with your own domain is not merely a preference; it's a critical best practice for ensuring email deliverability, protecting your brand, and maintaining a strong sender reputation. While using an ESP's shared domain for authentication might seem simpler, it introduces risks and limits your control over your email program's performance. By taking the time to set up proper domain authentication, you secure your sending identity and maximize your chances of reaching the inbox.
