Sender Authentication Fact Sheet

Last Updated:

What is Sender Authentication

Sender Authentication is the process of showing mailbox providers (ISPs, O365, Gmail, etc.) that Beamery has the Sender's permission to send emails on their behalf. This is achieved by having a Beamery customer add a few records to their own DNS that point to the servers that Beamery uses to send email. (Note: Beamery uses SendGrid as their email delivery system.). These DNS records associate the customer's sending domain with Beamery IPs at SendGrid so that mailbox providers will process email as coming from the customer's domain instead of Beamery's domain.

Sender Authentication at Beamery establishes multiple standard email credentials:

  • MX record - this tells mailbox providers that the mail server being used is authorized by the customer

  • SPF record - this tells mailbox providers that the specific IP used to send email is authorized by the customer

  • DKIM record - this provides a digital signature that verifies that an email message was not forged or altered

  • URL White Label - because many mailbox providers check the content of email when determining its legitimacy, links are also White Labeled

Authenticating the sending domain is done with three easy DNS records. These three records add a Sender Policy Framework (SPF) record to establish your Beamery sending IP as legitimate for your domain, and a pair of rotating DKIM keys, they will also add an MX record for Beamery to establish a return path for message analytics. Since DKIM is a paired-key system, the keys need to be changed regularly for maximum security. Having two DNS records for DKIM allows this change to happen with no email downtime.








We need to use a subdomain (often in order to create a way for our click and open tracking statistics to be routed back to Beamery

Authenticating your links ensures that the domain of the links in your emails matches the domain you are sending from. Some ISPs evaluate message content when determining whether an email is spam, so having the links match the From address can keep you in the Inbox. NOTE: If you have HSTS enabled on your domain, can be checked here. Please let us know, we will need to discuss the merits of setting up these records.







Emails that are sent without authentication will come from with links from This causes all emails sent to Google Gmail to show “via” and Microsoft Exchange to show “on behalf of” as part of the From address. Also, all senders who are not authenticated share reputation with all other non authenticated senders.




Sender Auth - comparison of workflow

Without sender auth - recipient sees email as coming via beamery (see image above) and this could lead to email not being delivered (due to mismatch between sender domain and ‘via’ domain). In other words, without sender auth the email will be sent through a beamery domain, such as or, rather than the customer ‘sender’ email domain (e.g. As a result, email deliverability can be significantly impacted since the recipient mailbox will see this difference, e.g. email from “” sent via “” could be marked as spam.

Customer ‘sender’ email domain ---> 2) via beamery (through sendgrid) ---> 3) recipient

With sender auth, recipient sees email as coming directly from sender domain (as sender auth approves beamery as a domain acknowledge by sender:

Customer ‘sender’ email domain (through beamery) ---> 2) recipient

Sender auth allows beamery to be an approved domain so that recipient sees email as coming via sender (step 1) , thus allowing recipient to see email as sending directly via sender email rather than via beamery / via sendgrid.

We understand that getting sender auth, particularly DNS records in place, can be time consuming, but the increased inbox rates and reputation protection make it absolutely worth it.


Our compliance team needs a copy of every email we send, can you facilitate this?

Absolutely, we have a BCC function that will automatically forward any outbound communications to an address of your choice.

We require a dedicated IP address, can you supply us with one?

Yes this is possible. However, with a dedicated IP address you will need to be more careful of sending patterns and work with Beamery to maintain a warm sending IP and a great sending reputation.

Why do we need to choose a subdomain?

Beamery requires the subdomain in order to create a way for our click and open tracking statistics to be routed back to Beamery. We also require it to tell ISPs that Beamery are able to send on your behalf through a specific set of IPs

Does having a subdomain mean we send through ``?

No! You will be authenticated to send through your normal domain ``.

Having a domain name like looks suspicious - do we need to add that DNS record?

This numbered DNS record is used as a security feature for link White Labels. It must exist for links to be converted to the White Labeled domain, but it is never seen by email recipients.

Do we have to use "careers" and "careerslink" as the subdomains for our White Labels?

No. These are the most commonly used subdomains, but you can choose subdomains that work best for you. Customers typically use careers/careerslink or talent/talentlink, but some companies already have those in use and therefore choose something different.

We don’t allow third parties to send via our apex domain, can we still send emails?

It’s absolutely possible. It will, however, need some advanced configuration and more conversations with the Beamery technical team.

What does the reply-to field contain when the contact recieves an email sent from the beamery system (i.e from a campaign)?

By default, the contact will only see the tracking email address in the reply-to field, for example: If the recipient of the email responds, then whoever sent the original email will get a notification to their inbox which will provide a link to the recipients response on their contact profile timeline in beamery.

Note that it is not advised to go against the default setting and have the recruiters actual email address in the reply-to address along with the tracking email address. This is because there is a risk that the recipient can remove the tracking email address when replying, and whilst their response would go to the recruiters inbox, it would not be captured in their contact profile timeline in beamery. Ideally all correspondence with contacts should happen from within beamery.