How do third-party senders authenticate under DMARC?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Your newsletter vendor, payment processor, or CRM can't just start sending email from your domain. They need to prove they're allowed to do it. That's where DMARC authentication comes in.

The goal: DMARC alignment. Alignment means the domain in the From header matches the domain in either your DKIM signature or your SPF record. If there's no match, mailbox providers reject or quarantine the message, even if it's legitimate.

DKIM is almost always the way. Vendors provide you with a CNAME record to add to your DNS. This CNAME points to their key server, which signs all their mail with your domain. The signing domain (the d= value) matches your From domain. Alignment happens. DKIM also survives forwarding and list management better than SPF, so most vendors prefer it.

And Here's the flow: vendor sends an email, their key server signs it with your domain, mailbox provider checks the signature, sees your domain in the signature, checks your DMARC policy, and (if aligned) respects your policy instructions.

SPF alignment is possible but fragile. It requires the vendor to send from a mail server that's listed in your SPF record under your domain (not theirs). Few vendors support this because it means using your infrastructure, which breaks when mail gets forwarded. DKIM avoids this problem because the signature stays intact.

When you onboard a vendor, ask them for their DKIM CNAME record, add it to DNS, wait for propagation, then use Review My Emails's DKIM Checker to verify they're signing correctly. Then run Review My Emails's DMARC Parser to confirm alignment. Once verified, you're protected. See also: identifier alignment.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get vendor authentication help

I'm setting up {vendor_name} for DMARC. They gave me {record_type} record. Can you walk me through the setup and verification steps?

Edit the yellow boxes, then send to the AI of your choice.