How do I show 'signed by' my domain when using Amazon SES or Mailchimp?

Summary

To ensure your emails display 'signed by your domain' when using Amazon SES or Mailchimp, comprehensive email authentication is paramount. This involves correctly configuring DKIM, SPF, and DMARC. DKIM setup requires generating records and adding them to your DNS, with the 'd=' tag matching your sending domain. Authenticate your domain within Mailchimp by adding CNAME records. Ensure MAIL FROM (Return-Path) alignment, and include Mailchimp in your SPF records. Segmentation via subdomains can offer independent authentication streams. Monitor your DMARC policy and ensure DKIM and SPF alignment. The 'From' address in your emails must match the authenticating domain. Domain reputation is crucial, and testing tools can verify your configuration. Implementing an 'Authenticated Identity' using DKIM, DMARC, and SPF is essential. Be aware of DNS propagation delays.

Key findings

  • DKIM Configuration & Alignment: Properly configure DKIM with a matching 'd=' tag, ensuring alignment with your sending domain.
  • SPF Record Inclusion: Include the sending service (Mailchimp, Amazon SES) in your SPF records.
  • DMARC Policy Alignment: Align your DMARC policy with properly configured DKIM and SPF records to avoid rejection.
  • MAIL FROM (Return-Path) Alignment: Ensure the MAIL FROM address is a subdomain of your sending domain.
  • 'From' Address Matching: The 'From' address in your emails must match the domain you are authenticating.
  • Authenticated Identity: Implement and maintain a valid authenticated identity using DKIM, SPF and DMARC.

Key considerations

  • DNS Propagation: Account for potential DNS propagation delays after making DNS changes.
  • Domain Reputation: Monitor and maintain a good domain reputation to avoid deliverability issues.
  • Testing: Use email testing tools to verify your configuration and rendering across different clients.
  • Subdomain Segmentation: Consider segmenting mail streams using subdomains for independent authentication.

What email marketers say
9Marketer opinions

To ensure your emails display 'signed by your domain' when using services like Amazon SES or Mailchimp, it's crucial to focus on proper email authentication. DKIM, SPF, and DMARC are essential elements. Correct DKIM setup, ensuring the 'd=' tag matches your domain, is paramount. SPF records should include the sending service. DMARC policy alignment with DKIM and SPF is vital. The Return-Path (MAIL FROM) should be a subdomain of your sending domain. The 'From' address should match the domain you're authenticating. Domain reputation also plays a role, as a poor reputation can hinder the display. Finally, email testing tools can help verify the setup and identify any issues.

Key opinions

  • DKIM Setup: Correctly configure DKIM, ensuring the 'd=' tag in the DKIM signature matches your sending domain.
  • SPF Records: Ensure your SPF records include the sending service (e.g., Mailchimp or Amazon SES).
  • DMARC Alignment: Align your DMARC policy with your DKIM and SPF settings; a restrictive DMARC policy can cause issues if alignment fails.
  • Return-Path Configuration: Set the Return-Path (MAIL FROM) as a subdomain of your sending domain to improve alignment.
  • Domain Matching: Verify that the 'From' address in your emails matches the domain you are authenticating.
  • Testing: Use email testing tools to verify DKIM and SPF records and ensure proper rendering across different email clients.

Key considerations

  • DNS Propagation: Be aware that DNS propagation delays can affect how quickly the 'signed by' information appears after setup.
  • Domain Reputation: Maintain a good domain reputation, as a poor reputation can affect whether the 'signed by' information is displayed, even with correct authentication.
  • Authentication Priority: Prioritize DKIM alignment. If DKIM and SPF are not aligned correctly then your DMARC may be failing even if you think authentication is correct.
  • Monitor changes: Email providers are always changing things, keep on top of your security and authentication, particularly when using 3rd party providers.
Marketer view

Email marketer from EmailGeek Forum suggests verifying that the 'From' address in your emails matches the domain you're authenticating. If you're authenticating example.com, make sure the 'From' address is something like newsletter@example.com and not a generic address like @gmail.com. This helps with domain alignment.

November 2022 - EmailGeek Forum
Marketer view

Email marketer from Email on Acid explains that email authentication (SPF, DKIM, DMARC) is critical for ensuring your emails are 'signed by' your domain and not by the ESP (Amazon SES or Mailchimp). It improves deliverability by proving to ISPs that you are authorized to send emails on behalf of your domain.

April 2024 - Email on Acid Blog
Marketer view

Email marketer from SendGrid Blog says to check your DMARC policy. If your DMARC policy is set to 'reject' or 'quarantine' and your DKIM or SPF alignment is failing, your emails might not be properly 'signed by' and could be rejected by receiving mail servers. Ensure your DKIM and SPF are aligned with your DMARC policy.

May 2023 - SendGrid
Marketer view

Email marketer from Mailjet explains that DKIM alignment is critical. This means the domain used in the 'From' address of your email must match the domain used in the DKIM signature. Without proper alignment, some email clients might not display 'signed by' your domain, even if DKIM is technically valid.

November 2021 - Mailjet Blog
Marketer view

Email marketer from Campaign Monitor shares that a good domain reputation is important. If your domain has a poor sending reputation (e.g., due to spam complaints), even properly authenticated emails might not always display 'signed by' due to filters designed to protect recipients from potentially harmful senders.

September 2024 - Campaign Monitor
Marketer view

Email marketer from Stackoverflow responds that ensuring the Return-Path (the MAIL FROM address) is a subdomain of your sending domain can help. If you're sending from user@example.com, configure SES to use a Return-Path like bounces@mail.example.com. This increases the chances of your domain being properly displayed in the 'signed by' field.

January 2024 - Stackoverflow
Marketer view

Email marketer from Reddit shares that the 'signed-by' yourdomain.com' only appears when you've correctly setup DKIM records. Sometimes, DNS propagation delays can cause initial issues, but once the records are fully propagated, the 'signed by' should display correctly.

November 2024 - Reddit
Marketer view

Marketer from Email Geeks asks if Sendgrid enables the user to sign with their own domain, mentioning having configured it in the past.

November 2021 - Email Geeks
Marketer view

Email marketer from Litmus suggests using email testing tools to verify your DKIM and SPF records and check how your email is rendered in different email clients. These tools can help identify if the 'signed by' your domain is displayed correctly and highlight any configuration issues.

September 2023 - Litmus

What the experts say
4Expert opinions

To display 'signed by your domain' when using Amazon SES or Mailchimp, prioritize proper DKIM setup, ensuring the 'd=' tag matches your sending domain. Implement DKIM alignment across all services, removing 'Sent via' notices. Segmentation via subdomains can offer independent authentication streams. Establishing an 'Authenticated Identity' using DKIM, DMARC, and SPF is critical and ensure the `From:` header is aligned. Be mindful of potential DNS propagation delays affecting initial display and set up DMARC at p=none initially to identify all mail origination points.

Key opinions

  • DKIM Alignment: Ensure DKIM alignment across all sending services, matching the 'd=' tag to your domain.
  • Authenticated Identity: Establish a verified 'Authenticated Identity' via DKIM, DMARC, and SPF, ensuring header alignment.
  • Subdomain Segmentation: Utilize subdomain segmentation for independent authentication streams across different mail types.

Key considerations

  • DNS Propagation: Account for potential DNS propagation delays when initially setting up authentication.
  • Initial DMARC Setup: Begin with DMARC at 'p=none' to monitor and identify all mail sources before enforcing stricter policies.
Expert view

Expert from Word to the Wise answers that for the 'signed by' to appear correctly, proper DKIM authentication is absolutely necessary and to look into the "Authenticated Identity" as a key factor. This is the identity that has been verified through DKIM, DMARC and SPF to be able to have emails signed by the domain. Ensure the `From:` header and other headers are using the same domain so this is aligned.

September 2022 - Word to the Wise
Expert view

Expert from SpamResource explains that ensuring proper DKIM setup with third-party senders like Amazon SES or Mailchimp is crucial. They emphasize checking that the DKIM signature's 'd=' tag matches your sending domain. They also note that sometimes DNS propagation issues can prevent the 'signed-by' from appearing correctly immediately after setup.

January 2024 - SpamResource
Expert view

Expert from Email Geeks explains that implementing DKIM for each domain/service provider, aligned with the mailing domain, will remove many of the 'Sent via [service]' options.

February 2023 - Email Geeks
Expert view

Expert from Email Geeks shares that segmenting mail streams by subdomains (marketing.domain.com, support.domain.com, etc.) allows each subdomain to have its own authentication and run independently on multiple services. Suggests setting up DMARC at p=none to identify all mail originating from your domains.

December 2024 - Email Geeks

What the documentation says
5Technical articles

To display 'signed by your domain' with Amazon SES or Mailchimp, you must configure DKIM and authenticate your domain by adding DNS records. For Amazon SES, this involves generating DKIM records, adding them to your DNS, and verifying in the SES console. Mailchimp requires adding CNAME records. Ensure the MAIL FROM domain is properly configured and aligned with DKIM. While DKIM is primary, including Mailchimp in your SPF record is recommended. Verify that the 'd=' tag in the DKIM signature header matches your domain.

Key findings

  • DKIM Configuration: Proper DKIM setup is essential, involving generating records and adding them to DNS.
  • Domain Authentication: Authenticate your domain within Mailchimp by adding CNAME records to DNS.
  • MAIL FROM Alignment: Ensure the MAIL FROM domain is correctly configured and aligned with your DKIM settings.
  • SPF Record Inclusion: Include Mailchimp in your SPF record for improved deliverability, complementing DKIM.
  • DKIM 'd=' Tag Matching: Verify that the 'd=' tag in the DKIM signature header matches your sending domain.

Key considerations

  • DNS Management: Access to DNS settings is required to add and verify DKIM and SPF records.
  • SES Console Verification: Remember to verify the DKIM setup within the Amazon SES console after adding DNS records.
Technical article

Documentation from Amazon Web Services clarifies the difference between the envelope sender (MAIL FROM) and the header sender (From address). For 'signed by' to reflect your domain, ensure that the MAIL FROM domain is properly configured and aligned with your DKIM settings. If the MAIL FROM domain is not aligned, it may show 'via amazonses.com' instead.

November 2021 - Amazon Web Services
Technical article

Documentation from Amazon Web Services explains that to show 'signed by' your domain with Amazon SES, you need to configure DKIM (DomainKeys Identified Mail). This involves generating DKIM records, adding them to your DNS configuration, and then verifying the DKIM setup within the Amazon SES console. Proper DKIM configuration ensures that emails sent through SES are cryptographically signed, proving they originated from your domain.

April 2023 - Amazon Web Services
Technical article

Documentation from IETF explains that for the DKIM signature to be valid and for your domain to be properly recognized, the 'd=' tag in the DKIM signature header must match the domain you are claiming to send from. Ensure this is correctly configured in your DKIM settings.

January 2025 - ietf.org
Technical article

Documentation from Mailchimp explains that to show 'signed by' your domain in Mailchimp, you must authenticate your domain. This involves adding CNAME records provided by Mailchimp to your domain's DNS settings. Domain authentication verifies that you own the domain and gives Mailchimp permission to send emails on your behalf, improving deliverability and displaying your domain in the 'signed by' field.

December 2022 - Mailchimp
Technical article

Documentation from Mailchimp notes that while DKIM is the primary method for authentication, ensuring your SPF record includes Mailchimp is still recommended for best deliverability. While SPF alone won't guarantee 'signed by' your domain, it contributes to overall authentication strength.

September 2021 - Mailchimp

No related resources found.