Third-Party Sender Setup

Third-party services that send email on your behalf require proper configuration to pass email authentication. This guide covers setup for common email service providers.

Why Configuration Is Needed

When a third-party service sends email "from" your domain, receiving servers check:

1. SPF: Is the sender's IP authorized to send for your domain?
2. DKIM: Is the message signed with your domain's key?
3. DMARC: Do SPF or DKIM align with the From header?

Without proper configuration, legitimate email from these services will fail authentication.

Quick Reference

Provider	SPF Include	DKIM Available	Custom Domain
Google Workspace	include:_spf.google.com	✅ Yes	✅ Yes
Microsoft 365	include:spf.protection.outlook.com	✅ Yes	✅ Yes
SendGrid	include:sendgrid.net	✅ Yes	✅ Yes
Mailchimp	include:servers.mcsv.net	✅ Yes	✅ Yes
Postmark	include:spf.mtasv.net	✅ Yes	✅ Yes
Amazon SES	include:amazonses.com	✅ Yes	✅ Yes
HubSpot	include:_spf.hubspot.com	✅ Yes	✅ Yes
Salesforce	include:_spf.salesforce.com	✅ Yes	✅ Yes

Google Workspace

SPF Configuration

Add to your SPF record:

include:_spf.google.com

Full SPF example:

v=spf1 include:_spf.google.com ~all

DKIM Configuration

1. Go to Google Admin Console → Apps → Google Workspace → Gmail
2. Click Authenticate email
3. Select your domain and click Generate new record
4. Add the provided TXT record to your DNS:

google._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."

5. Return to Admin Console and click Start authentication

TIP

Google's default selector is google. The full record name is google._domainkey.yourdomain.com.

Microsoft 365

SPF Configuration

Add to your SPF record:

include:spf.protection.outlook.com

Full SPF example:

v=spf1 include:spf.protection.outlook.com ~all

DKIM Configuration

1. Go to Microsoft 365 Defender → Email & collaboration → Policies & rules
2. Select Threat policies → Email authentication settings
3. Select your domain under DKIM
4. Add the provided CNAME records:

selector1._domainkey.yourdomain.com CNAME selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
selector2._domainkey.yourdomain.com CNAME selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

5. Enable DKIM signing in the portal

SendGrid

SPF Configuration

Add to your SPF record:

include:sendgrid.net

DKIM Configuration

1. Go to SendGrid Dashboard → Settings → Sender Authentication
2. Click Authenticate Your Domain
3. Enter your domain and follow the wizard
4. Add the provided CNAME records:

s1._domainkey.yourdomain.com CNAME s1.domainkey.u1234567.wl123.sendgrid.net
s2._domainkey.yourdomain.com CNAME s2.domainkey.u1234567.wl123.sendgrid.net

5. Verify in SendGrid dashboard

Link Branding (Optional)

For click tracking URLs to use your domain, add:

url1234.yourdomain.com CNAME sendgrid.net

Mailchimp

SPF Configuration

Add to your SPF record:

include:servers.mcsv.net

DKIM Configuration

1. Go to Mailchimp → Account → Settings → Verified domains
2. Click Verify a domain
3. Add the provided CNAME record:

k1._domainkey.yourdomain.com CNAME dkim.mcsv.net

4. Click Verify in Mailchimp

WARNING

Mailchimp requires domain verification before DKIM will work. Complete the verification process fully.

Postmark

SPF Configuration

Add to your SPF record:

include:spf.mtasv.net

DKIM Configuration

1. Go to Postmark → Sender Signatures → Your domain
2. View the DKIM settings
3. Add the provided TXT record:

20230601._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0G..."

4. Click Verify in Postmark

Return Path (Optional)

For better deliverability:

pm-bounces.yourdomain.com CNAME pm.mtasv.net

Amazon SES

SPF Configuration

Add to your SPF record:

include:amazonses.com

DKIM Configuration (Easy DKIM)

1. Go to AWS SES Console → Verified identities
2. Select your domain → Authentication tab
3. Click Enable under Easy DKIM
4. Add the three provided CNAME records:

abc123._domainkey.yourdomain.com CNAME abc123.dkim.amazonses.com
def456._domainkey.yourdomain.com CNAME def456.dkim.amazonses.com
ghi789._domainkey.yourdomain.com CNAME ghi789.dkim.amazonses.com

5. Wait for verification (may take up to 72 hours)

Custom MAIL FROM Domain (Recommended)

For SPF alignment:

1. In SES, go to your domain → Custom MAIL FROM domain
2. Set a subdomain (e.g., mail.yourdomain.com)
3. Add the provided MX and TXT records:

mail.yourdomain.com MX 10 feedback-smtp.us-east-1.amazonses.com
mail.yourdomain.com TXT "v=spf1 include:amazonses.com ~all"

HubSpot

SPF Configuration

Add to your SPF record:

include:_spf.hubspot.com

DKIM Configuration

1. Go to HubSpot → Settings → Website → Domains & URLs
2. Click Connect a domain → Email sending
3. Add the provided CNAME records:

hs1._domainkey.yourdomain.com CNAME yourdomain-com.hs01a.dkim.hubspotemail.net
hs2._domainkey.yourdomain.com CNAME yourdomain-com.hs01b.dkim.hubspotemail.net

4. Verify in HubSpot

Salesforce

SPF Configuration

Add to your SPF record:

include:_spf.salesforce.com

DKIM Configuration

1. Go to Salesforce Setup → Email → DKIM Keys
2. Click Create New Key
3. Set your selector and domain
4. Add the provided CNAME or TXT record
5. Activate the key after DNS propagation

TIP

Salesforce may use different SPF includes based on your features:

• Marketing Cloud: include:cust-spf.exacttarget.com
• Pardot: include:aspmx.pardot.com

Testing Integrations Before Enforcement

Pre-Enforcement Checklist

Before moving to p=quarantine or p=reject:

• [ ] SPF record includes all services
• [ ] DKIM configured and verified for each service
• [ ] Test emails sent from each service
• [ ] Authentication results verified in MailShield

Testing Procedure

1. Send test emails from each configured service
2. Check headers for authentication results:

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounce@yourdomain.com designates...)
       dkim=pass header.d=yourdomain.com
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com

3. Verify in MailShield that the service appears with passing authentication

Using MailShield's Test Email

1. Go to your domain in MailShield
2. Click Send Test Email
3. Check the results show SPF and DKIM passing
4. Repeat for each sending service if they support test emails

Common Issues

SPF Record Too Long

If you have many services, your SPF record may exceed the 255 character limit or 10 DNS lookup limit.

Solutions:

• Use SPF flattening (replace includes with IPs)
• Consolidate services where possible
• Use a subdomain for some services

DKIM Not Signing

Symptoms: DKIM shows none in reports

Causes:

• DKIM not enabled in service settings
• DNS record not published
• Using service's domain instead of yours

Solutions:

• Verify DKIM is enabled in service dashboard
• Check DNS record exists and is correct
• Configure custom sending domain

Alignment Failures

Symptoms: SPF/DKIM pass but DMARC fails

Cause: Service sending with different envelope/signing domain

Solutions:

• Configure custom MAIL FROM domain (for SPF alignment)
• Configure custom DKIM domain (for DKIM alignment)
• Use relaxed alignment in DMARC record

SPF Record Examples

Basic Setup

v=spf1 include:_spf.google.com ~all

Multiple Services

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net ~all

Enterprise Setup

v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net include:_spf.salesforce.com include:amazonses.com ~all

WARNING

Monitor your SPF DNS lookup count. The limit is 10 lookups. Use dig or SPF validation tools to check.

Next Steps

• Email Source Discovery - Find all your senders
• DMARC Enforcement Roadmap - Plan your enforcement