How to handle email authentication for ESP customers without their own domains?
Summary
What email marketers say (6 marketer opinions)
Email marketer from Reddit explains that shared IPs can hurt deliverability because of other senders on the IP. They suggest using authentication even without domains to help control reputation and provide isolation, which can be done through subdomains.
Email marketer from Email Geeks shares their approach to managing domains for small companies in Sarbacane, including the use of mutualized domains (being phased out), delegated domains with NS system, internal domain purchases with a DNS tool, and manual configuration with provided SPF/DKIM/DMARC records. They are also moving towards individual DKIM for each customer.
Email marketer from StackOverflow suggests that having the DNS server dynamically synthesize records when requested allows serving of records without maintenance. This can be plugged into the same CNAME framework used for bigger customers.
Email marketer from Gmass explains that you will still need to set up the SPF, DKIM and DMARC records, as they are still important for authentication.
Email marketer from Quora shares that when customers don't own domains, ESPs can create and manage subdomains for them. The subdomain inherits the ESP's domain reputation, which helps in establishing initial trust. SPF/DKIM records are configured for the subdomain itself.
Email marketer from EmailonAcid warns that you will have to use shared IPs. This has a chance of damaging your domain if a bad user marks your domain as spam; subdomains and authentication can help with this.
What the experts say (5 expert opinions)
Expert from Email Geeks references an article about how to implement customer subdomain authentication, including a PowerDNS backend hack: <https://wordtothewise.com/2023/10/customer-subdomain-authentication/>.
Expert from Email Geeks mentions that generating huge DNS zone files, so that there are records for each customer, is possible, but maintenance is a pain and could be costly with outsourced DNS providers.
Expert from Email Geeks explains that having your DNS server synthesize those records when they’re requested gives a clean way of serving all those records without needing to maintain them. This means you can plug the authentication maintenance for all those tiny customers into the same CNAME-based framework you use for your bigger customers.
Expert from Word to the Wise explains the process of setting up customer subdomain authentication, including generating synthetic DNS records for each subdomain and linking authentication maintenance to a CNAME-based framework.
Expert from Email Geeks explains that authenticating with customer-specific subdomains of an ESP-owned domain seems to be the best way to set up DKIM/SPF/DMARC for tiny customers without their own domains. This approach offers squeaky clean authentication and isolated reputation, preventing spammers from poisoning delivery for legitimate customers.
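The record synthesis described by the experts above, sketched as an added example (not code from the linked article or from PowerDNS): a lookup function that a DNS backend could call to answer SPF, DKIM and DMARC queries for any known customer subdomain without a zone-file entry per customer. The zone names, the customer set, the DMARC policy and the DKIM CNAME target layout are all assumptions made for illustration.

```python
import re

# Assumed names for illustration; none of these come from the page.
BASE = "mail.esp.example"             # ESP-owned parent zone for small customers
SPF_TARGET = "spf.esp.example"        # shared SPF record the ESP maintains
DKIM_TARGET = "dkim.esp.example"      # zone that holds the real per-customer DKIM keys
DMARC_RUA = "mailto:dmarc@esp.example"
CUSTOMERS = {"acme", "bobs-bakery"}   # constructed sample; in practice a customer DB lookup
TTL = 3600

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def synthesize(qname, qtype):
    """Return a list of (name, type, ttl, content) answers; [] means no data."""
    name = qname.rstrip(".").lower()
    suffix = "." + BASE
    if not name.endswith(suffix):
        return []
    labels = name[:-len(suffix)].split(".")
    customer, prefix = labels[-1], labels[:-1]
    # Answer only for known customers, so the zone cannot be used to
    # obtain authentication records for arbitrary made-up subdomains.
    if not LABEL.match(customer) or customer not in CUSTOMERS:
        return []
    wants_txt = qtype in ("TXT", "ANY")
    if prefix == [] and wants_txt:
        # SPF for customer.mail.esp.example
        return [(name, "TXT", TTL, f"v=spf1 include:{SPF_TARGET} -all")]
    if prefix == ["_dmarc"] and wants_txt:
        # Assumed policy; each customer subdomain gets its own DMARC record.
        return [(name, "TXT", TTL, f"v=DMARC1; p=reject; rua={DMARC_RUA}")]
    if len(prefix) == 2 and prefix[1] == "_domainkey" and LABEL.match(prefix[0]):
        # Same CNAME pattern a larger customer would publish in its own zone,
        # so key rotation happens in one place for every customer.
        if wants_txt or qtype == "CNAME":
            target = f"{prefix[0]}.{customer}.{DKIM_TARGET}"
            return [(name, "CNAME", TTL, target)]
    return []
```

Because every customer signs with its own `d=` subdomain, a complaint-heavy sender affects only the reputation of that subdomain's name.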
What the documentation says (4 technical articles)
Documentation from SparkPost shares that allocating dedicated IPs to customers gives you much more control over reputation management, regardless of whether they have their own domains. You'd then set the authentication up on those dedicated IPs.
Documentation from Mailgun explains that using subdomains for your sending domain is a common practice. ESPs can create subdomains for each customer (e.g., customer1.youresp.com) and configure SPF, DKIM, and DMARC records for these subdomains, providing authentication even if the customer lacks their own domain.
Documentation from Microsoft explains that you can use Sender ID to help with the lack of authentication. In this setup, you set up Sender ID on the customer's behalf so that mail servers will know the email is authentic.
Documentation from AWS explains that using Bring Your Own IP (BYOIP) addresses in Amazon SES allows you to control your sending reputation. You can authenticate these IPs using SPF and DKIM, even if the customer doesn't have their own domain, by setting up appropriate DNS records for subdomains you control.