Third-Party Email Service Configuration
SendGrid, Mailchimp, Salesforce, Zendesk - most organizations use multiple email service providers. Learn how to configure each one to pass DMARC authentication.
The Third-Party Challenge
When third-party email services send on your behalf, they can fail DMARC authentication if not configured properly:
Wrong "From" Address
ESP sends from their domain (sendgrid.net) instead of yours (yourdomain.com), causing SPF/DKIM misalignment.
Missing DKIM Configuration
DKIM keys not generated or DNS records not published, failing DKIM authentication.
SPF Not Updated
Your SPF record doesn't include the ESP's sending servers (include:sendgrid.net, etc.).
SendGrid Configuration
SendGrid is a transactional email service used for password resets, notifications, etc.
Step 1: Add Sender Authentication Domain
In SendGrid dashboard: Settings → Sender Authentication → Authenticate Your Domain
Domain: yourdomain.com (or subdomain like mail.yourdomain.com)
SendGrid will generate DNS records for you to add
Step 2: Add DNS Records
SendGrid provides 3 DNS records to publish:
# 1. DKIM record (for signing)
s1._domainkey.yourdomain.com CNAME s1.domainkey.u12345.wl123.sendgrid.net
s2._domainkey.yourdomain.com CNAME s2.domainkey.u12345.wl123.sendgrid.net
# 2. Tracking subdomain (optional)
em1234.yourdomain.com CNAME u12345.wl123.sendgrid.net
Step 3: Update SPF Record
Add SendGrid to your SPF record:
v=spf1
include:sendgrid.net
include:_spf.google.com
~all
Step 4: Verify in SendGrid
After DNS records propagate (24-48 hours), click "Verify" in SendGrid dashboard. Status should change to "Verified".
Mailchimp Configuration
Mailchimp is used for email marketing campaigns and newsletters.
Step 1: Verify Domain
In Mailchimp: Settings → Domains → Add & Verify Domain
Domain: yourdomain.com
Mailchimp will send verification email to admin@yourdomain.com
Step 2: Enable DKIM Authentication
After verification, click "Authenticate" to get DKIM records:
# Add these CNAME records:
k1._domainkey.yourdomain.com CNAME dkim.mcsv.net
k2._domainkey.yourdomain.com CNAME dkim2.mcsv.net
Step 3: Update SPF Record
Add Mailchimp servers to SPF:
v=spf1
include:servers.mcsv.net
include:sendgrid.net
include:_spf.google.com
~all
Salesforce Marketing Cloud
Enterprise marketing automation and CRM email.
Step 1: Configure SAP (Sender Authentication Package)
In Salesforce Marketing Cloud: Admin → Sender Authentication
Sending Domain: yourdomain.com
Subdomain (optional): marketing.yourdomain.com
Step 2: Add DNS Records from SAP
Salesforce provides custom DKIM and SPF records:
# DKIM selectors (provided by Salesforce)
sfmc._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=..."
# SPF include
include:cust-spf.exacttarget.com
Step 3: Update SPF Record
v=spf1
include:cust-spf.exacttarget.com
include:sendgrid.net
include:servers.mcsv.net
~all
Zendesk Configuration
Customer support ticket notifications and responses.
Step 1: Configure Support Email Address
In Zendesk: Admin → Channels → Email → Add Address
Email: support@yourdomain.com
Zendesk will verify ownership via email confirmation
Step 2: Enable Domain Authentication
In Zendesk: Admin → Channels → Email → Authentication
# DKIM record (Zendesk provides)
zendesk1._domainkey.yourdomain.com CNAME zendesk1._domainkey.zendesk.com
zendesk2._domainkey.yourdomain.com CNAME zendesk2._domainkey.zendesk.com
Step 3: Update SPF Record
v=spf1
include:mail.zendesk.com
include:sendgrid.net
include:servers.mcsv.net
~all
Quick Reference: Popular ESPs
| ESP | SPF Include | DNS Lookups | DKIM Setup |
|---|---|---|---|
| SendGrid | include:sendgrid.net | 1 | CNAME provided |
| Mailchimp | include:servers.mcsv.net | 1 | CNAME provided |
| Salesforce | include:cust-spf.exacttarget.com | 3 | TXT record (SAP) |
| Zendesk | include:mail.zendesk.com | 1 | CNAME provided |
| Postmark | include:spf.mtasv.net | 1 | TXT provided |
| Amazon SES | include:amazonses.com | 1 | Manual key generation |
| HubSpot | include:_spf.hubspotemail.net | 2 | CNAME provided |
| Intercom | include:_spf.intercom.io | 1 | CNAME provided |
Best Practices for Third-Party Services
Use Subdomains for ESPs
marketing.yourdomain.com for Mailchimp, support.yourdomain.com for Zendesk. Isolates SPF lookups and makes troubleshooting easier.
Always Enable DKIM for ESPs
Even if SPF passes, DKIM provides an extra layer of protection and improves deliverability.
Monitor SPF 10 Lookup Limit
Each include: counts toward the limit. Track total lookups across all ESPs. Use SPF flattening if approaching 10.
Test Before Production
Send test emails from each ESP to Gmail/Outlook. Check Authentication-Results header to verify SPF/DKIM pass.
Document All ESP Configurations
Keep a list of all third-party services, their SPF includes, DKIM selectors, and DNS records. Critical for troubleshooting and onboarding.
Review DMARC Reports Weekly
Check for new ESPs appearing in reports. Team members may add services without notifying IT.
- • Using ESP's default domain instead of custom domain (noreply@sendgrid.net instead of noreply@yourdomain.com)
- • Forgetting to add DNS records after configuring in ESP dashboard
- • Not waiting for DNS propagation (24-48 hours) before testing
- • Adding SPF include but not configuring DKIM (or vice versa)
- • Exceeding SPF 10 DNS lookup limit with too many ESPs
- • Not testing ESP emails after configuration
Automatic ESP Discovery & Monitoring
TrustYourInbox automatically detects all your email service providers from DMARC reports and monitors their authentication health. No manual tracking needed.