--- title: "Learning to Send DMARC-Compliant Emails on Behalf of Others | DMARC Report" description: "DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header." image: "https://dmarcreport.com/og/blog/sending-dmarc-compliant-emails-on-behalf-of-others.png" canonical: "https://dmarcreport.com/blog/sending-dmarc-compliant-emails-on-behalf-of-others/" --- Quick Answer DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible \`From\` header. According to Google's February 2024 bulk sender requirements, a DMARC policy of at least \`p=none\` is now mandatory for any domain sending 5,000+ messages per day to Gmail users. DMARC Report Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fsending-dmarc-compliant-emails-on-behalf-of-others%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Learning%20to%20Send%20DMARC-Compliant%20Emails%20on%20Behalf%20of%20Others&url=undefined%2Fblog%2Fsending-dmarc-compliant-emails-on-behalf-of-others%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fsending-dmarc-compliant-emails-on-behalf-of-others%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fsending-dmarc-compliant-emails-on-behalf-of-others%2F&title=Learning%20to%20Send%20DMARC-Compliant%20Emails%20on%20Behalf%20of%20Others "Share on Reddit") [ ](mailto:?subject=Learning%20to%20Send%20DMARC-Compliant%20Emails%20on%20Behalf%20of%20Others&body=Check out this article: undefined%2Fblog%2Fsending-dmarc-compliant-emails-on-behalf-of-others%2F "Share via Email") ![Learning to Send DMARC-Compliant Emails on Behalf of Others](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) ## Try Our Free DMARC Checker Validate your DMARC policy, check alignment settings, and verify reporting configuration. [ Check DMARC Record → ](/tools/dmarc-checker/) ![Dmarc check 6782 1 150x150](https://media.mailhop.org/dmarcreport/images/2024/03/dmarc-check-6782-1-150x150.jpg) > Email authentication isn’t just about preventing spoofing - it’s about trust, says Vasile Diaconu, Operations Lead at DuoCircle. Every email your organization sends either builds trust or erodes it. SPF, DKIM, and DMARC are the foundation of that trust. Without them, receivers have no way to distinguish your legitimate email from an attacker’s. DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users. DMARC Report Learning to Send DMARC-Compliant Emails on Behalf of Others ```

00:00 ``` / ``` 2:18 ``` RSS Feed ``` Share Link Embed ``` /\*! This file is auto-generated \*/ ’ title=“Embed Code” class=“input-embed input-embed-12037” readonly/> ``` ``` This guide is intended for [email service providers](https://www.activecampaign.com/glossary/email-service-provider) and businesses involved in sending emails using their own customer’s domains for marketing, PR, billing, **talent management**, etc. Sending [DMARC](https://dmarcreport.com/)\-compliant emails is beneficial for both parties, significantly optimizing email identification. If you aim to get the best of the \*\*best email delivery and visibility, consider the following practices- - _Ensure email links appear to originate from your customer’s domain while still being serviceable by your own infrastructure_. - Modify server names associated with email delivery to align with your customer’s domain. - Ensure images and other objects appear to originate from your \*\*customer’s domain while still being serviceable by your infrastructure. There are a few ways that allow you to send DMARC-compliant emails on behalf of others so that legitimate conversations don’t get marked as spam or [bounce back](https://www.smartlead.ai/blog/email-bounce-back-what-it-means-and-how-to-fix-it). ## How to Send an Email Using Your Customer’s Domain? As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025\. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025\. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition. ## Domain Delegation _When your [customer delegates a subdomain](https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-08266) for your part of the job, you can send emails from that, and they will be authenticated back to the subdomain_. So, in such a case, you will have the control to manage the subdomain on **behalf of your customer**. There are two ways to implement subdomain delegation- ## Full Delegation You get an entire subdomain delegated to you, making you responsible for the subdomain and everything associated with it. In this scenario, your customer only has to delegate a subdomain to you, and you have to take care of the rest; probably that’s why it’s the **most preferred approach**. ## CNAMEs _The customer creates \*\*multiple CNAMEs pointing back to your own domain, and individual services are delegated by each CNAME_. The only factor that makes it different from full delegation is that the customer has to create more \*\*DNS entries in the beginning. You will notice that CNAMEs are usually created for [SPF](https://dmarcreport.com/what-is-spf/) and bounce handling, DKIM, and \*\*mapping links in an email to the customer’s domain. ## Relaying Relaying is a preferred approach when \*\*only a few emails have to be sent on behalf of the customer. This is done by letting customers configure emails to be relayed through a different email server. This can be done in two ways- ## SMTP Relay For this, you simply have to \*\*allow your customer to set up an [SMTP relay](https://www.socketlabs.com/blog/smtp-relay/) for all the emails you send on their behalf. In this case, whoever manages the relay will also be responsible for [DMARC compliance](https://dmarcreport.com/blog/mandatory-requirement-dmarc-compliance-included-in-pci-dss-version-4-0/). Its drawbacks are- - [Bounce handling](https://debounce.io/glossary/bounce-handling/) doesn’t take place unless the relay forwards bounce back to you for management. - The **relay operator is responsible for email delivery**, which means your customers now have access to your email service. ![Dmarc office 365](https://media.mailhop.org/dmarcreport/images/2024/03/dmarc-office-365-42.jpg) ## User Credential Configuration Let your customers **configure user credentials**. They must provide you with an account for your service. _After this, they must configure your services so that you can use the new user’s credentials to send emails as if you were the user_. Its drawbacks are- - You will be managing user-level access to other [email platforms](https://www.wisestamp.com/blog/email-marketing-platforms/) as well. - You have to use your \*\*customer’s resource to send an email on their behalf. ## Manual Configuration If you want to ditch the **delegation approach**, then the process can be done manually, too. ## SPF Ask your customer to add your netblocks to their SPF record. However, ensure the customer’s domain is used in the \*\*bounce address of emails you sent. Its drawbacks are: - _Bounced emails will be routed to your customer rather than you, leaving you with zero visibility into performance and delivery issues_. - Your customers always have to consider the impact on your work whenever they have to make some changes to their [SPF record](https://dmarcreport.com/tools/spf-record-generator/). And if they have **multiple third-party senders**, it becomes more challenging for them. ## DKIM Just ask your customer to add your \*\*DKIM-related keys to their domain. Its drawbacks are- - There can be errors when cutting and pasting long strings of DKIM keys. - It can be \*\*burdensome and annoying for customers when [DKIM](https://dmarcreport.com/what-is-dkim/) keys have to be rotated, as the process requires some action from their sides. ## Required Capabilities _Some of the approaches shared above will be easier for you and some for the customers_. Since there is a certain amount of configuration and operational work to perform, you can take responsibility on behalf of your customers, split the work between \*\*both parties or have the customers take care of everything. Here’s how the responsibilities will be split between you and your customers in the above-shared approaches- ## Subdomain Delegation ## Customers They just have to perform **single-time** [domain configuration](https://www.ibm.com/docs/en/tfim/6.2.1?topic=configuring-domain-configuration) to implement subdomains or CNAMEs. ## You - Managing the domain system, involving overseeing, validating, and monitoring subdomain delegation and CNAMEs. - Utilizing [email server](https://www.one.com/en/email/what-is-an-email-server) functionalities to incorporate the \*\*customer’s subdomain in bounce addresses and DKIM signatures. - **Regular upkeep of SPF record**s. ## Relaying ## Customers They have to provide their \*\*relay source and perform a one-time configuration to add relay details to your system. ## You You have to handle email server features and **bounce processing**. ## Manual Configuration ## Customers Customers will be taking care of the one-time domain configuration process to add SPF records and DKIM signing keys. Apart from this, they are responsible for \*\*additional configurations if SPF records have to be updated or [DKIM keys](https://dmarcreport.com/blog/the-role-of-dkim-public-and-private-keys-email-security/) need to be rotated or replaced. ## You You will manage email server functions for adding the customer’s domain to bounce addresses and DKIM signatures. _You also have to regularly maintain SPF records while ensuring the customer updates their SPF records when infrastructure changes happen_. This process can vary in complexity depending on whether customers include your \*\*infrastructure via SPF or manually add elements like ip4: to their records. Regardless of the approach taken, email server features are necessary in all scenarios. However, there is an overlap in the required capabilities among non-relay approaches\*\*, with differences specifically lying in the way customers set their domains to authorize sending emails on their behalf. _Therefore, we emphasize that you prioritize making this easier for customers, especially if you are committed to sending emails on their behalf_. ![Dmarc record](https://media.mailhop.org/dmarcreport/images/2024/03/dmarc-record-8716.jpg) If all this sounds like a \*\*complicated deal for you, our team of [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) experts can make things simpler for you. Click [here](https://dmarcreport.com/book-a-demo/) to book yourself a demo! ## Sources - [CISA Binding Operational Directive 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) - [Microsoft Outlook DMARC Enforcement May 2025](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) (2025) - [PCI DSS v4.0 - DMARC Requirement](https://www.pcisecuritystandards.org/) (2025) - [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489) ## Topics [ dkim ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/) ![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Take control of your DMARC reports Turn raw XML into actionable dashboards. Start free - no credit card required. [Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) ## Related Articles [ Foundational 8m 10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[ Foundational 12m 10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[ Foundational 12m 10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[ Foundational 12m 10 Reasons SPF Filtering Is Critical For Email Security Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"Learning to Send DMARC-Compliant Emails on Behalf of Others","description":"DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header.","url":"https://dmarcreport.com/blog/sending-dmarc-compliant-emails-on-behalf-of-others/","datePublished":"2024-03-28T13:56:36.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2024-03-28T13:56:36.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/sending-dmarc-compliant-emails-on-behalf-of-others/"},"articleSection":"foundational","keywords":"dkim, DMARC, email security, SPF","wordCount":1340,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"Learning to Send DMARC-Compliant Emails on Behalf of Others","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"Learning to Send DMARC-Compliant Emails on Behalf of Others","item":"https://dmarcreport.com/blog/sending-dmarc-compliant-emails-on-behalf-of-others/"}]} ```