How to handle email authentication for ESP customers without their own domains?

Summary

When handling email authentication for ESP customers without their own domains, the prevailing strategy involves leveraging subdomains. ESPs can create and manage customer-specific subdomains, configuring SPF, DKIM, and DMARC records to ensure authentication. This approach offers the benefit of reputation isolation, preventing one customer's sending behavior from negatively impacting others. While dedicated IPs offer enhanced control over reputation, they require active management. For smaller customers, shared IPs are often used, but it's essential to mitigate risks by setting up authentication on subdomains. Dynamic DNS record synthesis can streamline the management of numerous subdomains. While some ESPs manage DNS zones directly, others are phasing out mutualized domains in favor of delegated domains or internal domain purchases. SenderID is an older alternative to address authentication.

Key findings

  • Subdomain Authentication: Creating and managing subdomains for each customer enables authentication via SPF, DKIM, and DMARC, even without customer-owned domains.
  • Shared IP Risks: Shared IPs carry the risk of reputation damage due to the actions of other senders; subdomains with proper authentication help mitigate this.
  • Dynamic DNS: Dynamically synthesizing DNS records reduces the maintenance burden associated with numerous subdomains.
  • Reputation Isolation: Using subdomains isolates reputation, preventing one customer's sending behavior from affecting other customers.
  • Dedicated IPs Offer Enhanced Control: Allocating dedicated IPs provides more granular control over reputation management but requires active oversight.

Key considerations

  • Technical Expertise: Implementing subdomain authentication, especially with dynamic DNS or PowerDNS, requires technical expertise.
  • Reputation Management: Regardless of the approach, actively managing sending reputation is crucial for ensuring deliverability.
  • Infrastructure Costs: Consider the costs associated with managing DNS infrastructure, particularly if outsourcing.
  • Domain Strategy: Evaluate the trade-offs between mutualized domains, delegated domains, and internal domain purchases to determine the best approach.
  • SenderID: An outdated technology that is not as well supported as SPF, DKIM, and DMARC.

What email marketers say
6 Marketer opinions

When ESP customers lack their own domains, a common approach is to use subdomains. ESPs can create and manage subdomains (e.g., customer1.youresp.com), configuring SPF, DKIM, and DMARC records on these subdomains to provide authentication. For smaller customers, shared IPs are often used, but this can negatively impact deliverability if other senders on the IP have poor reputations. Setting up appropriate authentication is critical even without dedicated domains. Dynamic DNS record synthesis can automate DNS management. Some ESPs may phase out mutualized domains, opting instead for delegated domains or internal domain purchases, while others provide manual configuration options and prioritize individual DKIM setup for customers.

Key opinions

  • Subdomain Authentication: Using subdomains allows ESPs to manage authentication on behalf of customers without their own domains.
  • Shared IP Risks: Shared IPs can harm deliverability due to the actions of other senders; authentication can mitigate this.
  • Dynamic DNS: Dynamically synthesizing DNS records simplifies management for numerous subdomains.
  • Authentication Importance: SPF, DKIM, and DMARC records are essential for authentication, even without dedicated domains.

Key considerations

  • Reputation Management: Carefully manage the reputation of shared IPs and subdomains to ensure good deliverability.
  • Implementation Complexity: Setting up and maintaining DNS records (even dynamically) can be complex and require technical expertise.
  • Customer Needs: Tailor authentication strategies to the specific needs and technical capabilities of your ESP customers.
  • Phasing Out Mutualized Domains: Consider moving away from shared domains to improve customer control and reduce deliverability risks.
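The subdomain approach above only isolates reputation if each customer's mail is authenticated with that customer's own subdomain, which is an alignment question. The following is an added example, not code from the original page or from any of the vendors it quotes: it builds the SPF, DKIM and DMARC records an ESP would publish for one customer subdomain and then evaluates DMARC identifier alignment against them. The ESP apex domain youresp.example, the selector name s1 and the reporting mailbox are assumptions; organizational-domain handling is simplified to "everything under the apex", where a real verifier consults the Public Suffix List.

```python
"""Per-customer subdomain authentication and the alignment check behind
"reputation isolation". Added example; hypothetical domain youresp.example."""
import re
from typing import Optional

ESP_APEX = "youresp.example"   # assumption: the ESP-owned parent domain
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def customer_domain(customer: str) -> str:
    """Map a customer id to its subdomain, rejecting anything that is not a
    plain DNS label so customer-supplied names cannot become stray records."""
    if not LABEL_RE.fullmatch(customer):
        raise ValueError(f"invalid customer label: {customer!r}")
    return f"{customer}.{ESP_APEX}"


def authentication_records(customer: str, selector: str = "s1") -> dict:
    """Records the ESP publishes for one customer subdomain: SPF for the
    subdomain, a DKIM selector CNAME into the ESP's central key record, and a
    DMARC policy with strict alignment so only this subdomain's identifiers pass."""
    d = customer_domain(customer)
    return {
        (d, "TXT"): f"v=spf1 include:_spf.{ESP_APEX} -all",
        (f"{selector}._domainkey.{d}", "CNAME"): f"{selector}._domainkey.{ESP_APEX}.",
        (f"_dmarc.{d}", "TXT"):
            f"v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@{ESP_APEX}",
    }


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, applying the DMARC defaults
    (relaxed alignment) for tags that are absent."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification (assumption): everything under the ESP apex shares the
    apex as its organizational domain. Real verifiers use the Public Suffix List."""
    domain = domain.lower().rstrip(".")
    if domain == ESP_APEX or domain.endswith("." + ESP_APEX):
        return ESP_APEX
    return ".".join(domain.split(".")[-2:])


def identifier_aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dmarc_passes(record: str, from_domain: str,
                 dkim_d: Optional[str] = None, spf_domain: Optional[str] = None) -> bool:
    """True if there is an aligned DKIM pass (d= domain) or an aligned SPF pass
    (MAIL FROM domain) for the RFC5322.From domain under the record's modes."""
    tags = parse_dmarc(record)
    return (identifier_aligned(from_domain, dkim_d, tags["adkim"])
            or identifier_aligned(from_domain, spf_domain, tags["aspf"]))


if __name__ == "__main__":
    recs = authentication_records("customer1")
    for (owner, rtype), content in recs.items():
        print(f"{owner} IN {rtype} {content}")
    policy = recs[("_dmarc.customer1.youresp.example", "TXT")]
    # A signature made with another customer's subdomain must not count.
    print(dmarc_passes(policy, "customer1.youresp.example", dkim_d="customer2.youresp.example"))
```

With the DMARC defaults (adkim=r; aspf=r), a signature with d=youresp.example, or with any other customer's subdomain, would align with every customer's From domain, so one customer's abuse would not be distinguishable from another's at the DMARC layer; adkim=s and aspf=s in the subdomain's own record close that gap. The CNAME keeps key rotation central but also means one key signs for all customers; an ESP moving to individual DKIM per customer would replace that CNAME with a per-subdomain TXT record holding each customer's own key.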

Marketer view

Email marketer from Reddit explains that shared IPs can hurt deliverability because of other senders on the IP. Suggests using authentication even without domains to help control reputation and provide isolation. You can do this through subdomains.

October 2023 - Reddit
Marketer view

Email marketer from Email Geeks shares their approach to managing domains for small companies in Sarbacane, including the use of mutualized domains (being phased out), delegated domains with NS system, internal domain purchases with a DNS tool, and manual configuration with provided SPF/DKIM/DMARC records. They are also moving towards individual DKIM for each customer.

June 2022 - Email Geeks
Marketer view

Email marketer from StackOverflow suggests that having the DNS server dynamically synthesize records when requested allows serving of records without maintenance. This can be plugged into the same CNAME framework used for bigger customers.

August 2021 - StackOverflow
Marketer view

Email marketer from Gmass explains that you will need to still set up the SPF, DKIM and DMARC records as it's still important for authentication.

February 2023 - Gmass
Marketer view

Email marketer from Quora shares that when customers don't own domains, ESPs can create and manage subdomains for them. The subdomain inherits the ESP's domain reputation, which helps in establishing initial trust. SPF/DKIM records are configured for the subdomain itself.

May 2021 - Quora
Marketer view

Email marketer from EmailonAcid warns that you will have to use shared IPs. This has a chance of damaging your domain if a bad user marks your domain as spam; this can be helped with subdomains and authentication.

January 2023 - EmailonAcid

What the experts say
5 Expert opinions

The best approach for handling email authentication for ESP customers without their own domains involves using customer-specific subdomains of an ESP-owned domain. This facilitates setting up DKIM, SPF, and DMARC, providing clean authentication and isolating reputation. While generating separate DNS zone files for each customer is an option, it's maintenance-intensive and potentially costly. A more efficient solution is to have the DNS server dynamically synthesize records upon request, integrating authentication maintenance into an existing CNAME-based framework. Customer subdomain authentication processes often involve generating synthetic DNS records, linking authentication maintenance to CNAMEs, and can be implemented with tools like PowerDNS.

Key opinions

  • Subdomain Authentication: Customer-specific subdomains are ideal for DKIM/SPF/DMARC setup.
  • DNS Synthesis: Dynamically synthesizing DNS records reduces maintenance overhead.
  • CNAME Integration: Authentication maintenance can be integrated into a CNAME framework.
  • Isolation: Subdomains isolate reputation, preventing spammers from poisoning delivery.

Key considerations

  • Maintenance: Avoid generating huge DNS zone files due to maintenance overhead.
  • Cost: Outsourcing DNS management can be expensive.
  • Implementation: Implementing subdomain authentication requires technical expertise and tools (e.g., PowerDNS).
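To make the dynamic synthesis described above concrete, here is an added example (not code from this page, from Word to the Wise, or from the PowerDNS project) of a minimal PowerDNS pipe backend that answers customer subdomain queries from the query name alone, so no per-customer zone records exist. It assumes a hypothetical ESP zone youresp.example, a selector named s1, a constructed IP range 192.0.2.0/24, a placeholder DKIM public key, and pipe-backend ABI version 1 (tab-separated HELO and Q lines on stdin, DATA/END lines on stdout). Each customer's DKIM name is answered as a CNAME into the central _domainkey record, which is the CNAME-based framework the larger customers already use.

```python
"""Synthesize per-customer SPF/DKIM/DMARC records on demand.
Added example implementing the PowerDNS pipe-backend protocol (ABI v1)
for a hypothetical ESP zone youresp.example."""
import re
import sys

APEX = "youresp.example"   # assumption: ESP-owned parent zone
TTL = 300
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_APEX = re.escape(APEX)
DMARC_NAME = re.compile(rf"_dmarc\.({LABEL})\.{_APEX}")
DKIM_NAME = re.compile(rf"({LABEL})\._domainkey\.({LABEL})\.{_APEX}")
CUSTOMER_NAME = re.compile(rf"({LABEL})\.{_APEX}")

# The only records anyone maintains by hand (values are constructed placeholders).
CENTRAL = {
    (APEX, "SOA"): f"ns1.{APEX}. hostmaster.{APEX}. 1 3600 600 1209600 300",
    (APEX, "NS"): f"ns1.{APEX}.",
    (f"_spf.{APEX}", "TXT"): '"v=spf1 ip4:192.0.2.0/24 -all"',
    (f"s1._domainkey.{APEX}", "TXT"): '"v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"',
}
DMARC_POLICY = f'"v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@{APEX}"'


def synthesize(qname, qtype):
    """Return [(owner, type, content)] for a query, first from the stored
    central records and otherwise derived from the customer subdomain name."""
    name = qname.lower().rstrip(".")
    qtype = qtype.upper()
    wanted = lambda rtype: qtype in ("ANY", rtype)
    out = [(owner, rtype, content) for (owner, rtype), content in CENTRAL.items()
           if owner == name and wanted(rtype)]
    if out or name == APEX:
        return out
    # _dmarc.<customer>.apex: strict alignment so only that subdomain passes
    if DMARC_NAME.fullmatch(name) and wanted("TXT"):
        out.append((name, "TXT", DMARC_POLICY))
    # <selector>._domainkey.<customer>.apex: CNAME into the central key record
    m = DKIM_NAME.fullmatch(name)
    if m and wanted("CNAME"):
        out.append((name, "CNAME", f"{m.group(1)}._domainkey.{APEX}."))
    # <customer>.apex: SPF for the subdomain used as MAIL FROM / HELO
    if CUSTOMER_NAME.fullmatch(name) and wanted("TXT"):
        out.append((name, "TXT", f'"v=spf1 include:_spf.{APEX} -all"'))
    return out


def handle(line):
    """Handle one pipe-backend protocol line and return the reply lines.
    Q lines (ABI v1): Q<TAB>qname<TAB>qclass<TAB>qtype<TAB>id<TAB>remote-ip"""
    parts = line.rstrip("\n").split("\t")
    if parts[0] == "HELO":
        return ["OK\tsynth-backend"] if parts[1:2] == ["1"] else ["FAIL"]
    if parts[0] == "Q" and len(parts) >= 6:
        qname, qclass, qtype, qid = parts[1], parts[2], parts[3], parts[4]
        replies = [f"DATA\t{owner}\t{qclass}\t{rtype}\t{TTL}\t{qid}\t{content}"
                   for owner, rtype, content in synthesize(qname, qtype)]
        return replies + ["END"]
    return ["FAIL"]


def main():
    # PowerDNS launches this script and talks to it over stdin/stdout.
    for line in sys.stdin:
        for reply in handle(line):
            sys.stdout.write(reply + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

PowerDNS is pointed at the script with launch=pipe and pipe-command=/path/to/this/script. Because every well-formed label under the apex receives an answer, the DNS layer no longer says which subdomains exist; the ESP's MTA configuration has to be the component that decides which customer may sign and send as which subdomain, and a subdomain that is never used for sending still publishes p=reject, which is the desired failure mode.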

Expert view

Expert from Email Geeks references an article about how to implement customer subdomain authentication, including a PowerDNS backend hack: <https://wordtothewise.com/2023/10/customer-subdomain-authentication/>.

December 2021 - Email Geeks
Expert view

Expert from Email Geeks mentions that generating huge DNS zone files so that there are records for each customer is possible, but maintenance is a pain and could be costly with outsourced DNS providers.

June 2024 - Email Geeks
Expert view

Expert from Email Geeks explains that having your DNS server synthesize those records when they’re requested gives a clean way of serving all those records without needing to maintain them. This means you can plug the authentication maintenance for all those tiny customers into the same CNAME-based framework you use for your bigger customers.

April 2024 - Email Geeks
Expert view

Expert from Word to the Wise explains the process of setting up customer subdomain authentication, including generating synthetic DNS records for each subdomain and linking authentication maintenance to a CNAME-based framework.

September 2021 - Word to the Wise
Expert view

Expert from Email Geeks explains that authenticating with customer-specific subdomains of an ESP-owned domain seems to be the best way to set up DKIM/SPF/DMARC for tiny customers without their own domains. This approach offers squeaky clean authentication and isolated reputation, preventing spammers from poisoning delivery for legitimate customers.

April 2023 - Email Geeks

What the documentation says
4 Technical articles

When ESP customers lack their own domains, several strategies can be used for email authentication. AWS suggests using Bring Your Own IP (BYOIP) addresses and authenticating them with SPF and DKIM via subdomains. Mailgun highlights the practice of creating subdomains for each customer and configuring authentication records there. SparkPost recommends allocating dedicated IPs for better reputation control and setting up authentication directly on those IPs. Microsoft suggests using SenderID, setting it up to ensure mail servers recognize emails as authentic.

Key findings

  • BYOIP with Subdomains: AWS: Using Bring Your Own IP addresses allows for controlling the sending reputation and authenticating via subdomains.
  • Subdomain Authentication: Mailgun: Creating subdomains for each customer and configuring SPF, DKIM, and DMARC is a common practice.
  • Dedicated IPs: SparkPost: Allocating dedicated IPs provides greater control over reputation management.
  • SenderID: Microsoft: Use SenderID to help indicate that an email is authentic when customers lack traditional authentication.

Key considerations

  • Reputation Management: Dedicated IPs offer more control, but require active reputation management.
  • Technical Setup: Configuring subdomains and DNS records requires technical expertise and careful setup.
  • SenderID Limitations: SenderID is an older technology; its adoption may be less common, and it may not be as reliable as SPF, DKIM, and DMARC.

Technical article

Documentation from SparkPost shares that allocating dedicated IPs to customers gives you much more control over reputation management, regardless of whether they have their own domains. You'd then set the authentication up on those dedicated IPs.

February 2022 - SparkPost Documentation
Technical article

Documentation from Mailgun explains that using subdomains for your sending domain is a common practice. ESPs can create subdomains for each customer (e.g., customer1.youresp.com) and configure SPF, DKIM, and DMARC records for these subdomains, providing authentication even if the customer lacks their own domain.

April 2024 - Mailgun Documentation
Technical article

Documentation from Microsoft explains that you can use SenderID to help with the lack of authentication. In this setup, you set up a SenderID on their behalf so mail servers will know it's an authentic email.

April 2022 - Microsoft
Technical article

Documentation from AWS explains that using Bring Your Own IP (BYOIP) addresses in Amazon SES allows you to control your sending reputation. You can authenticate these IPs using SPF and DKIM, even if the customer doesn't have their own domain, by setting up appropriate DNS records for subdomains you control.

August 2021 - AWS Documentation