How to
Setting up Custom Domains for secure email delivery using Pendula
For marketers looking to authenticate their brand and boost credibility in client communication, sending emails from a custom domain is essential. This guide will walk you through the process of sending emails from your company’s domain using Pendula. We'll cover critical topics like SPF, DKIM, and DMARC to fortify your domain’s email security.
Understanding SPF, DKIM, and DMARC
Before setting up your custom domain, it's important to understand these key email authentication terms:
Sender Policy Framework (SPF)
SPF verifies that incoming mail from a domain comes from a host authorised by that domain's administrators. This is a must-have.
DomainKeys Identified Mail (DKIM)
DKIM uses public-key cryptography to validate a sender via a digital signature. It adds a signature to the email header that the receiving server can verify through a public key published in the sender's DNS records. This ensures that the email content has not been altered and that it indeed came from the authorised sender. This is a must-have.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
DMARC is an email authentication protocol that builds on SPF and DKIM to detect and prevent email spoofing. It allows domain owners to specify how they want email from their domain to be handled if it fails SPF or DKIM checks. With DMARC, you can instruct receiving mail servers on actions like quarantine or reject for suspicious emails. Additionally, DMARC provides reports that help you monitor potential abuse of your domain. This is optional but highly recommended.
Neither SPF nor DKIM authenticates the sender using the “From:” field that users see. DMARC uses alignment to verify the authenticity of an email by ensuring that the SPF and/or DKIM checks align with the domain in the "From" address. It checks that either or both SPF and DKIM results are not only passing but also aligned, meaning the domains match (exactly in strict mode, or at the organisational level in relaxed mode).
Here’s how DMARC considers alignment:
- SPF Alignment: Validates that the domain in the "From" address aligns with the domain in the "Return-Path".
- DKIM Alignment: Validates that the domain in the "From" address aligns with the domain in the "d=" tag of the DKIM signature.
For an email to pass DMARC validation, at least one of SPF or DKIM must both pass and be aligned with the "From" domain. This is what distinguishes DMARC from SPF and DKIM: it adds a layer of policy settings on top of these protocols to reduce phishing and spoofing.
Why use a custom domain?
By default, email will be sent from a Pendula domain. This is useful for testing and getting started quickly. However, using a custom domain for email sending ensures that your emails are sent from a domain closely associated with your brand. This approach offers several key benefits:
- Brand Recognition: By using a domain that reflects your brand, recipients instantly recognise the source of the email, fostering familiarity and trust.
- Professionalism: Emails coming from a custom domain project a professional image, distinguishing your communications from generic or impersonal messages.
- Consistency: A custom domain ensures consistency across your digital communications, reinforcing brand identity.
Setting up your custom domain with Pendula
Step 1: Provide your domain
Start by providing Pendula with your desired domain name. This is the initial step to get your domain registered to send email from Pendula.
Step 2: Implementing SPF, DKIM, and DMARC Records
Email authentication is crucial for ensuring your emails are recognised as legitimate. Setting up these records will enhance your email credibility and reduce the risk of your emails being marked as spam.
SPF Setup
Pendula has SPF set up out of the box. No additional action is required from your side.
DKIM Setup
- Obtain CNAME Records:
  - After you provide your domain, Pendula will provide a set of CNAME records.
  - These records are necessary for linking your domain with Pendula, allowing authenticated email sending.
- Add CNAME Records to DNS Settings:
  - Log in to your domain registrar’s DNS management section.
  - Enter the CNAME records provided by Pendula. These records will reference Amazon SES, Pendula’s default email sending service. Example of CNAME Records:
    Name: [provided by Pendula]
    Type: CNAME
    Value: [provided by Pendula]
DMARC Setup
Setting up DMARC is strongly recommended to improve email security.
- Create a TXT Record:
  - Log in to your domain registrar’s DNS management section.
  - Create a new TXT record with the following details:
    Name: _dmarc.example.com (replace example.com with your domain).
    Type: TXT
    Value: v=DMARC1; p=none; aspf=r;
The above basic configuration instructs email servers to take no action if an email fails SPF or DKIM checks. For better security, customise this value based on your organisation's needs, such as setting p=quarantine or p=reject.
- None: Do nothing with the email
- Quarantine: Place failed emails in the spam folder
- Reject: Delete email
And additionally,
- rua: This specifies the email address or addresses where you receive your DMARC Aggregate Reports. These reports give you valuable insights into how email senders use your domain.
- ruf: This specifies the email address or addresses where you receive your DMARC Forensic Reports. Unlike the aggregate reports, these reports give insights into emails that fail SPF, DKIM, and DMARC authentication.
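An added example, not part of Pendula's tooling, that parses a DMARC record value and flags the gaps discussed above. The function names and the reporting address used when trying it out are hypothetical.

```python
# Added example: parse a DMARC TXT record value and flag common gaps.
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["record must start with v=DMARC1"]
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("p= missing or not one of none/quarantine/reject")
    elif policy == "none":
        findings.append("p=none is monitor-only: failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"{tag}= entry '{uri.strip()}' should be a mailto: URI")
    for tag in ("aspf", "adkim"):
        if tags.get(tag, "r").lower() not in ("r", "s"):
            findings.append(f"{tag}= must be r (relaxed) or s (strict)")
    return findings


if __name__ == "__main__":
    # The basic record from this guide: expect two findings (p=none, no rua).
    for finding in lint_dmarc("v=DMARC1; p=none; aspf=r;"):
        print("-", finding)
```

Run against the basic record from this guide, it reports the monitor-only policy and the missing rua address.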
How to check if your email has passed SPF, DKIM and DMARC
To verify the status of your email authentication methods, you need to examine the full email headers. Here’s how you can do it using Gmail:
- First, send a test email to your address.
- Open the email and click on the down arrow next to the sender details to view the initial headers.
- Ensure the “mailed-by” and “signed-by” headers match your domain, indicating SPF and DKIM passes.
Further, you can view the full headers:
- Click on the three dots in the upper right corner of the email and select “Show original” to view the full headers in HTML format.
- Look for “PASS” indicators next to SPF, DKIM, and DMARC results.
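The same check done programmatically, as an added example rather than Pendula's own code: it reads the Authentication-Results header from a constructed message and only accepts the copy stamped by a receiver you trust. The server name mx.example.net and the sample domains are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, shaped like the headers in a "Show original" view.
SAMPLE = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@example.com header.s=sel1 header.b=AbCdEfGh;
       spf=pass (sender IP is permitted) smtp.mailfrom=bounce@mail.sender-esp.test;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
From: Example Co <hello@example.com>
Subject: test

body
"""

IDENT = re.compile(r"(?:smtp\.mailfrom|header\.d|header\.i|header\.from)=(\S+)")


def auth_summary(raw: str, trusted_authserv: str = "mx.example.net") -> dict:
    """Collect spf/dkim/dmarc verdicts stamped by the trusted receiving server."""
    # Simplified: comments containing ';' are not handled; last dkim= wins.
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    summary = {"from_domain": from_domain}
    for header in msg.get_all("Authentication-Results", []):
        clauses = " ".join(header.split()).split(";")  # unfold, then split
        # A sender can inject its own copy of this header, so skip any that
        # was not added by the receiver named in trusted_authserv.
        if clauses[0].strip().lower() != trusted_authserv:
            continue
        for clause in clauses[1:]:
            verdict = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
            if not verdict:
                continue
            ident = IDENT.search(clause)
            domain = ident.group(1).rpartition("@")[2].lower() if ident else ""
            summary[verdict.group(1)] = {"result": verdict.group(2).lower(),
                                         "domain": domain}
    return summary


def all_pass(summary: dict) -> bool:
    """True only when SPF, DKIM and DMARC were all reported as pass."""
    return all(summary.get(m, {}).get("result") == "pass"
               for m in ("spf", "dkim", "dmarc"))
```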
FAQs
Can I use my custom domain in the Return-Path address of the emails I send from Pendula?
Using your custom domain in the Return-Path address is generally not necessary. When properly configured, emails sent from Pendula will successfully pass SPF, DKIM, and DMARC checks, even with a custom domain.
- SPF: Pendula is designed to automatically manage SPF setup, ensuring that SPF checks are satisfied. This is achieved when the sender's IP address is authorised to send emails for the domain specified in the Return-Path header. The domain in the From header (your custom domain) does not impact SPF outcomes.
- DKIM: As long as you follow the provided setup instructions, your emails will pass DKIM validation, enabling authenticity verification.
- DMARC: Successful DMARC checks require that either SPF or DKIM passes, with **at least one** of these being aligned with the "From" domain. While SPF alignment may not be possible if the From and Return-Path domains differ, DKIM alignment is ensured if you've adhered to the instructions.
If you find it is necessary to use your custom domain in the Return-Path address, please contact your Account Manager to discuss your specific use case. They will be happy to assist you in determining the best configuration for your needs.
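The Return-Path answer above and the alignment rules from the DMARC overview, worked through as an added example (not Pendula's code). The suffix set is a constructed stand-in for the Public Suffix List, and bounces.example.net is a hypothetical Return-Path domain.

```python
# Added example: DMARC identifier alignment, strict and relaxed.
# ASSUMPTION: a real implementation derives the organisational domain from
# the Public Suffix List; this small constructed set stands in for it.
PUBLIC_SUFFIXES = {"com", "net", "org", "com.au", "co.uk"}


def organisational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. mail.example.com.au -> example.com.au."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is unknown


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same organisational domain)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organisational_domain(a) == organisational_domain(b)


def dmarc_result(from_domain, spf_pass, return_path_domain,
                 dkim_pass, dkim_d, aspf="r", adkim="r"):
    """DMARC passes when at least one mechanism both passes and is aligned."""
    spf_ok = spf_pass and aligned(from_domain, return_path_domain, aspf)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_d, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


if __name__ == "__main__":
    # Custom From domain, provider Return-Path, DKIM signed as the custom domain.
    print(dmarc_result("news.example.com", True, "bounces.example.net",
                       True, "example.com"))
    # Same message under strict DKIM alignment: the subdomain no longer matches.
    print(dmarc_result("news.example.com", True, "bounces.example.net",
                       True, "example.com", adkim="s"))
    # SPF and DKIM both pass, but for an unrelated domain: DMARC still fails.
    print(dmarc_result("example.com", True, "mail.example.org",
                       True, "example.org"))
```

The first case is the default setup described in this FAQ: SPF passes without aligning, and the aligned DKIM signature carries the DMARC pass.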
Can I use a dedicated IP address to send emails from Pendula?
Yes, you have the option to use a dedicated IP address for sending emails from Pendula. However, there are important considerations to weigh when deciding if it’s the right choice for you:
Advantages of Using a Dedicated IP:
- Control Over Sender Reputation: A dedicated IP offers full control over your sender reputation, preventing any impact from other users’ sending activities.
- Consistency with High Volume: If your email strategy involves a stable and high volume of emails, a dedicated IP can aid in building and maintaining a strong sending reputation.
- Industry-Specific Compliance: Dedicated IPs are ideal for organisations with specific compliance requirements, offering necessary isolation.
Considerations Against Using a Dedicated IP:
- IP Warm-Up Requirements: New dedicated IPs demand a deliberate warm-up process to gradually build a positive sending reputation.
- Management of Reputation: With a dedicated IP, you'll be responsible for monitoring and managing your IP's reputation.
When to Use the Default Sending Pool:
- Low Volume and Infrequent Sending: For senders with low volume or sporadic sending patterns, the default sending pool is more efficient. Reputation management is handled by us through monitoring of spam complaint and bounce rates.
- Simplified Sending Management: If ease and simplicity are priorities, using the default pool allows you to leverage our managed reputation without additional responsibility.
- Irregular Email Campaigns: If you’re experimenting with new campaigns or have irregular email sending requirements, use the default pool to avoid dedicated IP management complexities.
Regardless of whether you choose a dedicated IP or the default sender pool, please note that all Pendula tenants will be subject to limits on sending rates, spam complaint rates, and bounce rates to ensure high deliverability and compliance standards.
If you’re considering a dedicated IP, please discuss your needs with your Account Manager. They will help ensure that you make the best choice for your email sending strategy.