How do hybrid setups handle authentication?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
A hybrid email setup, where you run your own mail transfer agent for some sending and use an ESP for others, is powerful but it doubles your authentication surface area. Every sending source needs to be covered correctly, or the whole thing falls apart at the least convenient moment.
So Start with SPF. Your SPF record needs to authorize every IP that will send on behalf of your domain. That means your custom MTA's IP addresses and your ESP's sending infrastructure, in the same record. The syntax looks something like: v=spf1 ip4:your.mta.ip include:esp-spf-domain.com -all. Watch your DNS lookup count. SPF has a hard limit of 10 DNS lookups, and if you include too many third-party services, you'll exceed it and cause failures.
DKIM needs separate attention for each sending source. Your MTA needs its own DKIM selector and keypair, and your ESP will generate its own. Both selectors need to be published in your domain's DNS. The signing domain on each DKIM signature should match your From domain for proper DMARC alignment.
DMARC alignment is where hybrid setups most commonly run into trouble. DMARC requires that at least one of SPF or DKIM passes in alignment with the visible From domain. If your custom MTA uses a different Return-Path domain than your From domain, SPF won't align. If your ESP signs with their own domain rather than yours, DKIM won't align either. Check your DMARC reports to see alignment failures by source.
Our free DMARC Parser and SPF Checker can help you verify that both your MTA and ESP paths are authenticating correctly.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.