Sending On Behalf Of Others:
Full Sub-Domain Delegation
This article expands on the “full delegation” approach described in the larger How to send DMARC-compliant email on behalf of others article. An assumption is that the reader is sending email on behalf of others, and desires to send such email in a manner compliant with DMARC.
Full delegation is when a domain owner configures one of their sub-domains to point to your own names servers. By doing so, any DNS-based questions about the sub-domain (or any sub-domains of the sub-domain!) will be referred to your own name servers for resolution. Additional explanations and examples of delegation:
- A ServerFault answer to What is a DNS delegation?
- Microsoft’s Understanding Zone Delegation
- DNS Made Easy’s tutorial on how to Create and Delegate a Subdomain
To accept delegation and manage the sub-domain, you must operate your own name servers. When in place, you can configure your name servers to respond to any DNS-based questions related to the sub-domain. This allows you to:
- Send email using the domain-owner/customer’s top-level domain in email From: headers. The delegated sub-domain provides DMARC-compliant authentication using SPF and DKIM when DMARC’s default “alignment mode” of “relaxed” is used.
- Maintain email infrastructure using the sub-domain. You can send and receive email using the sub-domain by using the sub-domain in RFC5321.MailFrom addresses (also known as bounce/return-path/envelope addresses) and by publishing MX records for the sub-domain (so that people on the Internet know where to send email that is destined for the sub-domain).
- By directly managing the sub-domain, you can publish and maintain a concise and accurate SPF record for the sub-domain that only authorizes servers that you control. You will avoid having to deal with other people’s SPF records and the resulting confusion.
- By directly managing the sub-domain, you can manage DKIM signing however you wish. You can create as many DKIM signing keys as needed, rotate them as you see fit, and avoid having to figure out how to communicate/manage keys with your customer/domain-owner.
- You can even give your own IP addresses server names using the delegated sub-domain, so that every piece of email send by you on behalf of the domain-owner/customer is thoroughly “white labeled”.
This form of delegation benefits the domain-owner/customer as it is very easy to set up, no further configuration is necessary, and maintenance of delegated sub-domains is easily managed.
This form of delegation benefits you – the one sending email on behalf of others – by giving you full control over how you send email and maintain your infrastructure. If you move servers, rotate DKIM keys, or swap out infrastructure, the domain-owner (your customer) doesn’t have to change anything.