DMARC and Third-Party Senders: How to Authorize Safely

The Discovery Process

Step 1: Collect DMARC Reports

v=DMARC1; p=none; rua=mailto:[email protected]

Wait 2-4 weeks. Every server that processes your email sends daily reports.

Step 2: Parse Reports

Use dmarcian (free tier) or Postmark DMARC (free digest). Reports show:

Source IP	Service	Volume	SPF	DKIM	DMARC
209.85.x.x	Google Workspace	500/day	Pass	Pass	Pass ✓
167.89.x.x	SendGrid	200/day	Pass	Pass	Pass ✓
198.2.x.x	Mailgun	50/day	Pass	Fail	Fail ✗
3.x.x.x	Calendly	5/day	Fail	None	Fail ✗
52.x.x.x	Unknown	2/day	Fail	Fail	Fail ✗

Step 3: Categorize Each Sender

Authorized + Passing: Google Workspace, SendGrid — properly configured. ✓

Authorized + Failing: Mailgun (DKIM not configured), Calendly (not in SPF, no DKIM). Fix these.

Unknown + Failing: Could be spoofing (block it) or a forgotten service (investigate).

Step 4: Authorize Legitimate Services

For each legitimate service that's failing:

Option A: SPF + DKIM (best)

1. Add service's SPF include to your record
2. Configure custom DKIM in the service's settings
3. Verify both pass

Option B: SPF only (if no DKIM support)

1. Add service's SPF include to your record
2. Ensure SPF alignment (Return-Path domain matches From:)
3. May work for DMARC if alignment is correct

Option C: Subdomain (if SPF/DKIM not feasible)

1. Route through a subdomain: support.yourdomain.com
2. Configure SPF and DKIM on the subdomain
3. Service sends from [email protected]

Option D: Change From: address (last resort)

1. Configure the service to send from its own domain
2. "via zendesk.com" or "[email protected]"
3. No authentication impact on your domain

Common Third-Party Services

Service	SPF Include	Custom DKIM?	Notes
Zendesk	include:mail.zendesk.com	Yes	Support replies as your domain
Freshdesk	include:email.freshdesk.com	Yes	Support replies
HubSpot	include:spf.hubspot.com	Yes	Sales and marketing email
Salesforce	Multiple	Yes	CRM email
Calendly	Varies	Limited	Booking confirmations
Stripe	N/A	No	Receipts — usually sends from Stripe's domain
QuickBooks	Varies	Limited	Invoices
Typeform	N/A	No	Form confirmations — send from their domain
Slack	N/A	No	Notification emails from Slack's domain

Key insight: Not every service needs to send from YOUR domain. Stripe receipts from stripe.com are fine. Calendly confirmations from calendly.com are fine. Only authorize services that MUST send as your domain.

The Authorization Decision Tree

Is this service sending as my domain?
├── YES — Is it legitimate?
│   ├── YES — Does it support custom DKIM?
│   │   ├── YES → Add SPF include + configure DKIM ✓
│   │   └── NO → Can it send from a subdomain?
│   │       ├── YES → Route through subdomain ✓
│   │       └── NO → Change to send from service's own domain ✓
│   └── NO (spoofing) → DMARC at p=reject will block it ✓
└── NO → No action needed

Practitioner note: The most common surprise in DMARC reports: a booking tool (Calendly, Acuity) sending confirmation emails as your domain. Someone on the team connected it months ago and nobody updated SPF. At p=none: works fine. At p=quarantine: booking confirmations go to spam. At p=reject: customers never receive booking confirmations. Discover these before advancing DMARC.

Practitioner note: My rule for third-party authorization: if the service supports custom DKIM, configure it. If it doesn't, ask "does this really need to send from my domain?" Most services work fine sending from their own domain. Only CRM and helpdesk typically need to send as your domain for reply-handling purposes.

For the complete DMARC setup process, see the DMARC setup guide. For understanding the reports that reveal third-party senders, see DMARC report interpretation. For managing SPF across multiple senders without hitting limits, see SPF, DKIM, DMARC for multiple senders. If you need third-party senders identified and authorized for DMARC advancement, schedule a consultation.

Sources

• RFC 7489: DMARC
• dmarcian: Third-Party Senders

---

v1.0 · March 2026