Sender Authentication Fact Sheet

What is Sender Authentication?

Sender Authentication is the process of showing mailbox providers (ISPs, O365, Gmail, etc.) that Beamery has the Sender's permission to send emails on their behalf. This is achieved by having a Beamery customer add a few records to their own DNS that point to the servers that Beamery uses to send email. (Note: Beamery uses SendGrid as their email delivery system.) These DNS records associate the customer's sending domain with Beamery IPs at SendGrid so that mailbox providers will process email as coming from the customer's domain instead of Beamery's domain.

Sender Authentication at Beamery establishes multiple standard email credentials:

  • MX record - this tells mailbox providers that the mail server being used is authorized by the customer
  • SPF record - this tells mailbox providers that the specific IP used to send email is authorized by the customer
  • DKIM record - this provides a digital signature that verifies that an email message was not forged or altered
  • URL White Label - because many mailbox providers check the content of email when determining its legitimacy, links are also White Labeled

Authenticating the sending domain is done with three easy DNS records. These three records add a Sender Policy Framework (SPF) record to establish your Beamery sending IP as legitimate for your domain, and a pair of rotating DKIM keys. They will also add an MX record for Beamery to establish a return path for message analytics. Since DKIM is a paired-key system, the keys need to be changed regularly for maximum security. Having two DNS records for DKIM allows this change to happen with no email downtime.


TYPE: CNAME

HOST: careers.yourdomain.com

VALUE: u10101010.wl000.sendgrid.net


TYPE: CNAME

HOST: bmy._domainkey.yourdomain.com

VALUE: bmy.domainkey.u10101010.wl000.sendgrid.net


TYPE: CNAME

HOST: bmy2._domainkey.yourdomain.com

VALUE: bmy2.domainkey.u10101010.wl000.sendgrid.net


We need to use a subdomain (often careers.yourdomain.com) so that our click and open tracking statistics can be routed back to Beamery.

Authenticating your links ensures that the domain of the links in your emails matches the domain you are sending from. Some ISPs evaluate message content when determining whether an email is spam, so having the links match the From address can keep you in the Inbox. NOTE: If you have HSTS enabled on your domain (this can be checked here), please let us know, as we will need to discuss the merits of setting up these records.


TYPE: CNAME

HOST: careerslink.yourdomain.com

VALUE: sendgrid.net


TYPE: CNAME

HOST: 10101010.yourdomain.com

VALUE: sendgrid.net
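
A check a DNS administrator could run after adding the five records above, as an added example that is not Beamery or SendGrid code: it compares resolver answers (constructed sample data here) with the expected CNAME targets, flags a CNAME that shares its name with another record, and tests whether a parent-domain Strict-Transport-Security header applies to subdomains. It assumes the HSTS note concerns an includeSubDomains policy forcing HTTPS on the link subdomain; the function names are hypothetical.

```python
# Added example (not Beamery or SendGrid code). Expected values are the page's placeholders.
EXPECTED = {
    "careers.yourdomain.com": "u10101010.wl000.sendgrid.net",
    "bmy._domainkey.yourdomain.com": "bmy.domainkey.u10101010.wl000.sendgrid.net",
    "bmy2._domainkey.yourdomain.com": "bmy2.domainkey.u10101010.wl000.sendgrid.net",
    "careerslink.yourdomain.com": "sendgrid.net",
    "10101010.yourdomain.com": "sendgrid.net",
}

# Constructed resolver answers: (host, record type, value).
SAMPLE = [
    ("careers.yourdomain.com.", "CNAME", "u10101010.wl000.sendgrid.net."),
    ("careers.yourdomain.com.", "TXT", "v=spf1 -all"),  # conflicts with the CNAME
    ("bmy._domainkey.yourdomain.com", "CNAME", "bmy.domainkey.u10101010.wl000.sendgrid.net"),
    ("bmy2._domainkey.yourdomain.com", "cname", "bmy.domainkey.u10101010.wl000.sendgrid.net"),
    ("careerslink.yourdomain.com", "CNAME", "sendgrid.net"),
]

def norm(name):
    """Compare DNS names case-insensitively and without the trailing root dot."""
    return name.strip().rstrip(".").lower()

def audit_records(records, expected=EXPECTED):
    """Return (host, problem) findings for each expected CNAME."""
    by_host = {}
    for host, rtype, value in records:
        by_host.setdefault(norm(host), []).append((rtype.upper(), norm(value)))
    findings = []
    for host, target in expected.items():
        rrs = by_host.get(host, [])
        cnames = [v for t, v in rrs if t == "CNAME"]
        if not cnames:
            findings.append((host, "missing CNAME"))
        elif cnames != [target]:
            findings.append((host, "CNAME points to " + ", ".join(cnames)))
        if cnames and len(rrs) > len(cnames):
            # A CNAME cannot share its name with other types such as TXT or MX (RFC 1034).
            findings.append((host, "CNAME coexists with other records"))
    return findings

def hsts_covers_subdomains(header):
    """True if a Strict-Transport-Security value also binds subdomains."""
    directives = [d.strip().lower() for d in header.split(";")]
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            v = d.split("=", 1)[1].strip('"')
            max_age = int(v) if v.isdigit() else 0
    # max-age=0 clears the policy, so it does not count (RFC 6797).
    return "includesubdomains" in directives and max_age > 0
```

With the constructed sample, audit_records(SAMPLE) reports the TXT conflict on careers, the second DKIM selector pointing at the first selector's target, and the missing numbered record.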


Emails that are sent without authentication will come from beamery.com with links from sendgrid.net. This causes all emails sent to Google Gmail to show “via beamery.com” and Microsoft Exchange to show “on behalf of beamery.com” as part of the From address. Also, all senders who are not authenticated share reputation with all other non-authenticated senders.

We understand that getting DNS records in place can be a chore, but the increased inbox rates and reputation protection make it absolutely worth it.


FAQs

Our compliance team needs a copy of every email we send, can you facilitate this?
Absolutely, we have a BCC function that will automatically forward any outbound communications to an address of your choice.

We require a dedicated IP address, can you supply us with one?
Yes, this is possible. However, with a dedicated IP address you will need to be more careful of sending patterns and work with Beamery to maintain a warm sending IP and a great sending reputation.

Why do we need to choose a subdomain?
Beamery requires the subdomain in order to create a way for our click and open tracking statistics to be routed back to Beamery. We also require it to tell ISPs that Beamery are able to send on your behalf through a specific set of IPs.

Does having a subdomain mean we send through `@subdomain.yourdomain.com`?
No! You will be authenticated to send through your normal domain `@yourdomain.com`.

Having a domain name like 12345678.yourdomain.com looks suspicious - do we need to add that DNS record?
This numbered DNS record is used as a security feature for link White Labels.  It must exist for links to be converted to the White Labeled domain, but it is never seen by email recipients.

Do we have to use "careers" and "careerslink" as the subdomains for our White Labels?
No. These are the most commonly used subdomains, but you can choose subdomains that work best for you.  Customers typically use careers/careerslink or talent/talentlink, but some companies already have those in use and therefore choose something different.

We don’t allow third parties to send via our apex domain, can we still send emails?
It’s absolutely possible. It will, however, need some advanced configuration and more conversations with the Beamery technical team.