Third-Party Senders

Most organizations use multiple email services - marketing platforms, transactional email providers, helpdesk software, and more. This guide explains how to properly configure third-party email services in SpoofWard.

Understanding Third-Party Senders

When you use a service like Mailchimp, Salesforce, or Zendesk to send email from your domain, that service needs proper authentication configuration. Without it, your email fails authentication and damages deliverability.

The Authentication Challenge

Third-party services send email FROM your domain, but their mail servers are NOT your mail servers. To prevent spoofing, receiving mail servers check:

SPF Check - Is the sending IP in your SPF record?
DKIM Check - Does the email have a valid signature matching your domain?
DMARC Check - Do SPF and DKIM align with your domain?

If any check fails, the email is marked as unauthenticated.

Configuring Third-Party Services

Step 1: Identify the Service

Use SpoofWard's email source discovery to find services you use:

Go to Email Sources in your domain dashboard
Look for services you recognize (Mailchimp, SendGrid, etc.)
Note which ones show failed authentication (red status)

Step 2: Get Authentication Details from Service

Most platforms provide SPF and DKIM configuration instructions. You need:

SPF Include - Usually like include:sendgrid.net or include:mailchimp.com
DKIM Instructions - Often a selector like default._domainkey
Service Documentation - Provider-specific setup guides

Where to find it:

Mailchimp - Settings → Domains & IPs
SendGrid - Settings → Sender Verification
Office 365 - Exchange Admin Center → Mail flow
Salesforce - Email Settings → Email Configuration
HubSpot - Settings → Email Deliverability
Zendesk - Settings → Email Configuration

Step 3: Add to SPF Record

Update your SPF record to include the service.

Current SPF record:


v=spf1 include:_spf.google.com ~all

Add the service:


v=spf1 include:_spf.google.com include:sendgrid.net ~all

Multiple services example:


v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com include:salesforce.com ~all

SPF Lookup Limit

Keep SPF includes under 10 DNS lookups. Too many includes cause "SPF PermError." Use the SPF Flattener tool to optimize if needed.

Step 4: Add DKIM Signature

Request that the service sign emails with DKIM. Usually requires:

Generating a DKIM key in SpoofWard or your service
Publishing the public key in DNS
Configuring the service to use the key for signing

Example DKIM record:


selector1._domainkey.yourdomain.com: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa...

The service provides the public key; you publish it in DNS.

Step 5: Verify Authentication

After configuration:

Send a test email from the service
Wait 24-48 hours for DMARC reports
Check the email sources list in SpoofWard
Verify the service shows "Authenticated" status

If still failing:

Check that SPF/DKIM were added correctly
Contact service support for troubleshooting
Some services may have misconfiguration on their end

Common Third-Party Services

Email Marketing Platforms

Mailchimp

SPF: include:mailchimp.com
DKIM: Required; provided by Mailchimp
Setup: Settings → Domains & IPs

HubSpot

SPF: include:hubspot.com
DKIM: Required; provided by HubSpot
Setup: Settings → Email Deliverability

Campaign Monitor

SPF: include:cmail.com
DKIM: Required
Setup: Settings → Sending Domain

Transactional Email

SendGrid

SPF: include:sendgrid.net
DKIM: Required; provided by SendGrid
Setup: Settings → Sender Verification

Twilio Sendgrid

SPF: include:sendgrid.net
DKIM: Same as SendGrid

Amazon SES

SPF: Depends on your setup; usually not required if sending from AWS
DKIM: Required; AWS generates tokens for your domain
Setup: AWS Console → SES → Verified Identities

Cloud Email Providers

Office 365 / Microsoft 365

SPF: include:protection.outlook.com
DKIM: Required; Microsoft provides
Setup: Exchange Admin Center → Mail flow → DKIM

Google Workspace

SPF: include:_spf.google.com
DKIM: Required; Google provides
Setup: Admin Console → Custom domain → DMARC setup

Zoho Mail

SPF: include:mxzoho.com
DKIM: Required; Zoho provides
Setup: Settings → Email Deliverability

CRM & Business Tools

Salesforce

SPF: include:salesforce.com or service-specific
DKIM: May be required
Setup: Settings → Email Configuration

Pipedrive

SPF: Depends on email routing
DKIM: Required for authenticated sending
Setup: Settings → Email → Domain

Slack (email to Slack)

SPF: May not be needed (Slack receives, not sends)
DKIM: Not typically needed

Helpdesk & Support

Zendesk

SPF: Varies by implementation
DKIM: Required for support email authentication
Setup: Settings → Email Configuration

Jira Service Management

SPF: Depends on where Jira sends from
DKIM: Required if sending on your behalf
Setup: Administration → Email Notifications

Using SpoofWard's Tools

SPF Builder

Build your SPF record visually:

Go to Tools → SPF Builder
Start with existing record or blank
Add services one by one:

Select from known services dropdown
Or enter custom SPF include

Review DNS lookup count
Export final record
Copy to DNS provider

DKIM Checker

Validate DKIM records are published correctly:

Go to Tools → DKIM Checker
Enter selector name (usually default, selector1)
Enter your domain
Checker validates the published key matches what's needed

SPF Flattener

Optimize SPF if you have too many includes:

Go to Tools → SPF Flattener
Paste your SPF record
Tool expands includes and shows all IPs
Create flattened record with direct IPs instead of includes

Use Carefully

Flattening can break if service IPs change. Use includes when possible. Only flatten if necessary for DNS lookup limits.

Monitoring Third-Party Changes

Services change IP addresses or configurations over time. Monitor for issues:

Enable DNS Alerts

Go to Settings → Alerts
Enable "DNS record changes"
Get notified when SPF/DKIM records are modified

Monitor Delivery Metrics

Check weekly if third-party emails are authenticating
If authentication suddenly fails, investigate:

Did the service change IPs?
Did they update their SPF include?
Is there a service outage?

Review DMARC Reports

In DMARC → Reports, check third-party senders:

Pass Rate Trend - Is it stable or declining?
Failure Reasons - Why are some failing?
Volume - Has it changed significantly?

A sudden drop in authentication likely indicates configuration issue.

Troubleshooting Third-Party Authentication

Service says SPF is configured but it's still failing?

Verify SPF record includes the right include: (check their docs)
Check for typos in the include statement
Wait 24-48 hours for DNS propagation
Verify in DMARC reports that SPF is now passing

DKIM not validating?

Check that DKIM record is published at the right location
Verify the selector name matches what service expects
Ensure public key is complete (sometimes it gets truncated)
Contact service support if issues persist

Email still marked unauthenticated?

Send test email and wait for DMARC reports
Check forensic reports for exact failure reason
Verify both SPF and DKIM are configured
Ensure service is actually signing with DKIM (sometimes optional)

Too many DNS lookups?

Use SPF Flattener to optimize
Consider using multiple subdomains
Consolidate similar services

Best Practices

Request DKIM Support

Always ask services to sign with DKIM. SPF alone is sufficient but DKIM is more secure.

Document Your Senders

In SpoofWard's email sources, add notes about why each service is authorized.

Test Before Enforcement

Before moving to p=quarantine or p=reject, ensure all services authenticate.

Keep SPF Optimized

Regularly remove old/unused services from SPF to stay under lookup limit.

Monitor Proactively

Check authentication metrics weekly, don't wait for delivery problems.