What is Sender Authentication
Sender Authentication is the process of showing mailbox providers (ISPs, O365, Gmail, etc.) that Beamery has the Sender's permission to send emails on their behalf. This is achieved by having a Beamery customer add a few records to their own DNS that point to the servers that Beamery uses to send email. (Note: Beamery uses SendGrid as their email delivery system.). These DNS records associate the customer's sending domain with Beamery IPs at SendGrid so that mailbox providers will process email as coming from the customer's domain instead of Beamery's domain.
Sender Authentication at Beamery establishes multiple standard email credentials:
- MX record - this tells mailbox providers that the mail server being used is authorized by the customer
- SPF record - this tells mailbox providers that the specific IP used to send email is authorized by the customer
- DKIM record - this provides a digital signature that verifies that an email message was not forged or altered
- URL White Label - because many mailbox providers check the content of email when determining its legitimacy, links are also White Labeled
Authenticating the sending domain is done with three easy DNS records. These three records add a Sender Policy Framework (SPF) record to establish your Beamery sending IP as legitimate for your domain, and a pair of rotating DKIM keys, they will also add an MX record for Beamery to establish a return path for message analytics. Since DKIM is a paired-key system, the keys need to be changed regularly for maximum security. Having two DNS records for DKIM allows this change to happen with no email downtime.
| TYPE | HOST | VALUE |
| CNAME | careers.yourdomain.com | u10101010.wl000.sendgrid.net |
| CNAME | bmy._domainkey.yourdomain.com | bmy.domainkey.u10101010.wl000.sendgrid.net |
| CNAME | bmy2._domainkey.yourdomain.com | bmy2.domainkey.u10101010.wl000.sendgrid.net |
We need to use a subdomain (often careers.yourdomain.com) in order to create a way for our click and open tracking statistics to be routed back to Beamery
White labelling of links within emails
Standard Tracking Links are enabled by default for any new customer onboarding onto Campaigns. When a candidate clicks a link in an email (e.g., https://customer-name.com/job/job-id), it's automatically wrapped in a SendGrid tracking link that looks something like https://sendgrid.net/long-tracking-link. Because SendGrid has their own security certificate set up, this supports HTTPS out of the box without any additional configuration required.
Emails with and without Sender Authentication setup
Emails that are sent without authentication will come from beamery.com with links from sendgrid.net. This causes all emails sent to Google Gmail to show “via beamery.com” and Microsoft Exchange to show “on behalf of beamery.com” as part of the From address. Also, all senders who are not authenticated share reputation with all other non authenticated senders.
vs.
Sender Auth - comparison of workflow
Without sender auth - recipient sees email as coming via Beamery (see image above) and this could lead to emails not being delivered (due to mismatch between sender domain and ‘via’ domain). In other words, without sender auth the email will be sent through a Beamery domain, such as campaigns.beamery.com or campaigns.beamery.eu, rather than the customer ‘sender’ email domain (e.g. subdomain.companyname.com). As a result, email deliverability can be significantly impacted since the recipient mailbox will see this difference, e.g. email from “name@companyname.com” sent via “campaigns.beamery.com” could be marked as spam.
Customer ‘sender’ email domain ---> 2) via Beamery (through SendGrid) ---> 3) recipient
With sender auth, recipient sees email as coming directly from sender domain (as sender auth approves Beamery as a domain acknowledge by sender:
Customer ‘sender’ email domain (through Beamery) ---> 2) recipient
Sender auth allows Beamery to be an approved domain so that recipient sees email as coming via sender (step 1) , thus allowing recipient to see email as sending directly via sender email rather than via Beamery / via SendGrid.
We understand that getting sender auth, particularly DNS records in place, can be time consuming, but the increased inbox rates and reputation protection make it absolutely worth it.
FAQs
Our compliance team needs a copy of every email we send, can you facilitate this?
Absolutely, we have a BCC function that will automatically forward any outbound communications to an address of your choice.
We require a unique dedicated IP address, can you supply us with one?
Yes this is possible. However, with a unique dedicated IP address you will need to be more careful of sending patterns and work with Beamery to maintain a warm sending IP and a great sending reputation.
Why do we need to choose a subdomain?
Beamery requires the subdomain in order to create a way for our click and open tracking statistics to be routed back to Beamery. We also require it to tell ISPs that Beamery is able to send on your behalf through a specific set of IPs
Does having a subdomain mean we send through `@subdomain.yourdomain.com`?
No! You will be authenticated to send through your normal domain `@yourdomain.com`.
Having a domain name like 12345678.yourdomain.com looks suspicious - do we need to add that DNS record?
This numbered DNS record is used as a security feature for link White Labels. It must exist for links to be converted to the White Labeled domain, but it is never seen by email recipients.
Do we have to use "careers" as the subdomain?
No. These are the most commonly used subdomains, but you can choose subdomains that work best for you. Customers typically use careers or talent, but some companies already have those in use and therefore choose something different.
We don’t allow third parties to send via our apex domain, can we still send emails?
It’s absolutely possible. It will, however, need some advanced configuration and more conversations with the Beamery technical team.
What does the reply-to field contain when the contact receives an email sent from the Beamery system (i.e from a campaign)?
By default, the contact will only see the tracking email address in the reply-to field, for example: joe-bloggs-grzhw7wp7@campaign.beamery.com. If the recipient of the email responds, then whoever sent the original email will get a notification to their inbox which will provide a link to the recipients response on their contact profile timeline in Beamery.
Note that it is not advised to go against the default setting and have the recruiters actual email address in the reply-to address along with the tracking email address. This is because there is a risk that the recipient can remove the tracking email address when replying, and whilst their response would go to the recruiters inbox, it would not be captured in their contact profile timeline in Beamery. Ideally all correspondence with contacts should happen from within Beamery.