- Most organizations send email from their domain using 5-15 different services (ESP, CRM, helpdesk, billing, notifications, etc.), and every one of them needs proper authentication to pass DMARC.
- Each third-party sender must be included in your SPF record (via include: mechanisms) and configured for DKIM signing with your domain (via CNAME records pointing to the provider's DKIM keys).
- The most common DMARC failure is not an authentication failure but an alignment failure: the third-party passes SPF and DKIM using their own domain, not yours.
- Before moving your DMARC policy to p=quarantine or p=reject, you must identify and authenticate every legitimate sending source, or those unauthenticated streams will be blocked.
You have configured SPF, DKIM, and DMARC for your primary email server. Authentication passes when you send from your own infrastructure. Then you check your DMARC aggregate reports and discover that half your email volume is failing DMARC, and it is coming from legitimate services you use every day: your marketing platform, your CRM, your helpdesk, your billing system, your survey tool.
This is the most common challenge in email authentication. Modern organizations rely on dozens of third-party services that send email on their behalf, and each one must be properly configured to achieve DMARC alignment. Missing even one service means legitimate emails fail authentication, which becomes a serious problem when you enforce DMARC with p=quarantine or p=reject.
Step 1: Audit Every Email Sending Source
Before configuring anything, you need a complete inventory of every service that sends email using your domain in the From address. This is where most organizations underestimate the scope. A typical mid-size company might use:
- Marketing automation: Mailchimp, HubSpot, Marketo, ActiveCampaign, Klaviyo
- Transactional email: SendGrid, Mailgun, Amazon SES, Postmark
- CRM: Salesforce, HubSpot CRM, Zoho CRM
- Helpdesk/Support: Zendesk, Freshdesk, Intercom
- Billing/Invoicing: Stripe, QuickBooks, FreshBooks
- Project management: Jira, Asana, Monday.com (notifications)
- HR/Internal: BambooHR, Workday, Greenhouse
- Survey tools: SurveyMonkey, Typeform
- Google Workspace or Microsoft 365: Your primary corporate email
The fastest way to discover all your sending sources is to set up DMARC at p=none with reporting enabled and wait 2-4 weeks. Your DMARC aggregate reports will show every IP address and service that sends email using your domain, including ones you may have forgotten about or did not know existed.
Step 2: Configure SPF for All Senders
Your SPF record must authorize every server that sends email for your domain. Each third-party provider gives you an include: mechanism to add to your SPF record.
Here is an example of an SPF record authorizing multiple services:
v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net include:mail.zendesk.com include:spf.protection.outlook.com -allThe 10 DNS Lookup Limit
SPF allows a maximum of 10 DNS lookups across all include:, a:, mx:, and redirect: mechanisms. Each include: counts as at least one lookup, and nested includes within the provider's SPF record count toward your total. With 5+ third-party services, you can easily exceed 10 lookups.
When you exceed the limit, SPF returns a PermError, and SPF fails for all messages. Use our SPF checker to count your current lookups.
Solutions for exceeding the limit:
- SPF flattening: Replace nested includes with the resolved IP addresses. This eliminates lookup chains but requires ongoing maintenance as providers change IPs.
- Subdomain delegation: Move different sending services to subdomains (e.g., marketing.example.com, support.example.com) with their own SPF records. Each subdomain gets its own 10-lookup budget.
- Rely on DKIM alignment instead: Since DMARC only requires one alignment to pass, you can configure DKIM for every sender and rely on DKIM alignment for DMARC, reducing pressure on your SPF record.
Important: Never create multiple SPF records for the same domain. DNS allows only one SPF TXT record per domain. Multiple records cause all SPF checks to fail. If you need to add a new provider, edit your existing SPF record to include the new mechanism.
Step 3: Configure DKIM for Each Sender
DKIM is where alignment matters most. Each third-party sender must sign emails with a DKIM key that uses your domain (d=yourdomain.com), not theirs. This is what enables DKIM alignment with your From address for DMARC.
The typical process for each provider:
- In the provider's dashboard, navigate to domain authentication or sender authentication settings.
- Enter your domain name.
- The provider generates DNS records (usually 2-3 CNAME records) that you need to add to your domain's DNS.
- Add the CNAME records to your DNS zone. These point a DKIM selector on your domain to the provider's DKIM key server.
- Verify the setup in the provider's dashboard.
- The provider now signs outbound email with a DKIM signature using d=yourdomain.com.
Example CNAME records for a typical ESP:
s1._domainkey.example.com CNAME s1.domainkey.u12345.wl.sendgrid.net
s2._domainkey.example.com CNAME s2.domainkey.u12345.wl.sendgrid.netAfter adding these records, emails sent through this provider will carry a DKIM signature with d=example.com, achieving DKIM alignment with your From address. Use our DKIM checker to verify each provider's DKIM configuration.
Step 4: Verify DMARC Alignment for Each Source
After configuring SPF and DKIM for all senders, verify alignment using DMARC reports. Set your DMARC policy to p=none with reporting enabled:
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100Monitor the aggregate reports for 2-4 weeks. For each sending source, check:
- Does SPF pass? (Is the provider in your SPF record?)
- Does SPF align? (Does the Return-Path domain match your From domain?)
- Does DKIM pass? (Did the provider sign with a valid DKIM key?)
- Does DKIM align? (Does the DKIM d= tag match your From domain?)
A source passes DMARC if at least one of SPF or DKIM both passes and aligns. The goal is to have every legitimate source showing dmarc=pass in the reports before moving to enforcement.
Common Provider-Specific Authentication Issues
Salesforce
By default, Salesforce uses its own domain in the Return-Path, which breaks SPF alignment. You must configure a custom Return-Path domain (Sender Authentication Package) and DKIM signing through Salesforce's domain authentication settings. Without these, Salesforce-sent emails will fail DMARC.
HubSpot
HubSpot supports custom DKIM and custom Return-Path. Navigate to Settings, then Domains & URLs, then Email Sending Domains. Add your domain and follow the DNS record instructions. HubSpot provides CNAME records for both DKIM and a custom Return-Path subdomain.
Zendesk
Zendesk supports custom DKIM via CNAME records and SPF via an include mechanism (include:mail.zendesk.com). Configure these under Admin Center, then Channels, then Email. Without custom DKIM, Zendesk signs with its own domain, failing DKIM alignment.
Amazon SES
SES supports custom DKIM (Easy DKIM or BYODKIM) and custom MAIL FROM domains. Both must be configured explicitly. The default MAIL FROM is amazonses.com, which will not align with your From address.
Using Subdomains for Third-Party Authentication
A powerful approach is to assign each sending service its own subdomain. This provides several benefits:
- SPF isolation: Each subdomain has its own SPF record, avoiding the 10-lookup limit.
- Reputation isolation: A deliverability problem with one service does not contaminate your root domain reputation.
- Simpler DKIM management: Each subdomain can have its own DKIM keys without conflicting selectors.
Example subdomain structure:
| Service | Subdomain | From Address |
|---|---|---|
| Marketing automation | marketing.example.com | news@marketing.example.com |
| Transactional email | mail.example.com | noreply@mail.example.com |
| Helpdesk | support.example.com | help@support.example.com |
| Corporate email | example.com (root) | name@example.com |
With relaxed DMARC alignment (the default), all of these subdomains align with a DMARC policy published on example.com, since they share the same organizational domain.
Step 5: Moving to DMARC Enforcement
Only after every legitimate sending source achieves DMARC pass should you move toward enforcement. The recommended path:
- p=none (monitoring): Collect reports and fix all alignment failures. Stay here for 4-8 weeks minimum.
- p=quarantine; pct=10: Quarantine 10% of failing messages. Monitor for false positives over 2-4 weeks.
- p=quarantine; pct=100: Quarantine all failing messages. Confirm no legitimate mail is affected.
- p=reject: Reject all failing messages. This is the target state for maximum protection.
Use our DMARC checker to verify your current policy and our DMARC generator to create records at each stage.
Google and Yahoo's 2024 bulk sender requirements mandate DMARC for any domain sending more than 5,000 messages per day to their users. This means that every third-party service sending from your domain must be properly authenticated before you can meet these requirements, not just your primary marketing platform.
Ongoing Maintenance
Third-party authentication is not a one-time task. Your sending infrastructure changes constantly:
- New tools get adopted and start sending email from your domain.
- Existing providers change their sending IPs or DKIM key infrastructure.
- Teams set up new SaaS tools without informing IT about email authentication requirements.
- DKIM keys should be rotated periodically for security.
Establish a process for authentication review: any new tool that sends email using your domain must go through an authentication setup checklist before it goes live. Monitor your DMARC reports weekly to catch unauthorized or misconfigured sources early.
Frequently Asked Questions
Yes, if you want DMARC to pass for that service's emails. DMARC requires at least one of SPF or DKIM to pass with alignment. Since SPF alignment often fails for third-party senders (their Return-Path uses their domain, not yours), DKIM alignment is typically the reliable path. Configure custom DKIM for every service that sends from your domain.
Any sending source that fails DMARC alignment will have its messages quarantined (sent to spam) or rejected (not delivered at all), depending on your policy. This means legitimate emails from unauthenticated services, such as helpdesk replies or billing notifications, will stop reaching recipients. Always authenticate all sources before enforcing DMARC.
Publish a DMARC record at p=none with the rua tag pointing to an email address or reporting service. Over 2-4 weeks, you will receive aggregate reports that list every IP address and sending source that uses your domain. Cross-reference these IPs with your known services to build a complete inventory.
No. Each DKIM selector must be unique within your domain's DNS. Most providers generate their own selector names (e.g., s1, k1, selector1) to avoid conflicts. If two providers use the same selector name, you will need to coordinate with one of them to use a different selector.