Understanding the Sender Authentication Package (SAP)

Most companies sending email communications truly underestimate how much deliverability can impact their organization. A beautiful, well-constructed, and highly effective email often winds up in the junk folder of someone who subscribed and wished to convert with your company. That’s a terrible situation to be in.

Even worse, you may not even realize that your emails are being routed to junk unless you’re using an inbox monitoring tool. These tools provide a seed list, monitor those inboxes, and then report to you whether or not your email made it to the inbox at each major Internet Service Provider (ISP).

Your email reputation and inbox placement can be affected by any number of factors, but most problems come down to five areas:

  1. Configuration – are your domain and email server configured so that ISPs can authenticate that the emails are truly coming from your company?
  2. List – are your email addresses updated, valid, and opted into your email? If not, the chances of being reported as SPAM are significantly higher.
  3. Reputation – is the sending IP known for sending SPAM via junk reports? Has it been blacklisted before?
  4. Volume – are you sending a large volume of emails? Bulk email sends absolutely trigger stricter monitoring of senders.
  5. Content – do you have red flags with terminology you’re utilizing in your email? Are you sending bulk emails with bad URLs, domains that have been flagged for malware, or are you lacking an unsubscribe link in your emails?

Marketing Cloud’s Sender Authentication Package

If you’re sending more than 250,000 emails per month and are a Salesforce Marketing Cloud client, you should absolutely invest in the Sender Authentication Package, which is a robust configuration to ensure you maximize the deliverability of those messages to the inbox. The Sender Authentication Package offers the following:

  • Private Domain – This product enables you to configure a domain used to send email. This domain acts as the From address for your email sends. Salesforce Marketing Cloud authenticates your email sends using the Sender Policy Framework (SPF), Sender ID, and DomainKeys/DKIM authentication.
  • Dedicated IP Address – This product assigns a unique IP address to your account so that your reputation is entirely yours. All email messages sent from your account via Marketing Cloud use this IP address. This IP address represents most of your sending reputation.
  • Reply Mail Management – This product controls the replies you receive from your subscribers. You can assign filters for out-of-office messages and manual unsubscribe requests.

Additionally, the package comes with Account Branding, where Marketing Cloud brands your account with your chosen authenticated domain. This product modifies link and image wrapping and removes all references to Marketing Cloud in favor of your authenticated domain.

What If We Want To Send From Multiple Domains?

As a true enterprise platform, Marketing Cloud does have a couple of options for utilizing multiple domains if your organization has multiple brands within it:

  • Business Units – Business units can be added with each domain configured and a Sender Authentication Package implemented for each.
  • Multi-Domain Sender Profile – A little-known option for Marketing Cloud is the ability to configure a main domain across an organization but specify a reply domain that’s different for each sender profile. This is useful for multi-domain brands that wish to work out of a single account. There is a cost for each domain to be configured, and the customization doesn’t extend to any of the configured subdomains set up across the account, just the reply domain.

Configure Your Private Domain

Your private domain enables ISPs to authenticate your mail and to report subscriber issues back to you through feedback loops. Within the Sender Authentication Package, you’ll have to set up your DNS to enable quite a few subdomains for sending and response, as well as authentication keys. With subdomain delegation, also called zone delegation, you’re only transferring part of your existing domain to Marketing Cloud as part of your authenticated domain configuration.

This methodology is far more advanced than that of a typical email service provider, where you have to configure each record yourself in your domain name server. In the case of SAP, you simply point the sending domain to Marketing Cloud and they configure everything else, including the appropriate SPF and DMARC records for email authentication.

Marketing Cloud uses the specified subdomains for appropriate activities:

| Subdomain | Fully Qualified Domain Name | DNS Record | Purpose |
| --- | --- | --- | --- |
| @ | sample.domain.com | MX | Allows email sends using Marketing Cloud servers |
| bounce | bounce.sample.domain.com | MX | Tracks email sends and bounces |
| reply | reply.sample.example.com | MX | Allows Reply Mail Management to handle filters and forwards replies to specific addresses |
| leave | leave.sample.domain.com | MX | Allows subscribers to unsubscribe |
| image | image.sample.domain.com | CNAME | Points to Marketing Cloud image servers |
| view | view.sample.domain.com | CNAME | Points to Marketing Cloud View As a Web Page servers |
| click | click.sample.domain.com | CNAME | Points to Marketing Cloud Click URL for tracking click-throughs |
| pages | pages.sample.domain.com | CNAME | Points to Marketing Cloud microsite and landing page servers |
| cloud | cloud.sample.domain.com | CNAME | Points to Marketing Cloud’s cloud page servers |
| mta | mta.sample.domain.com | A | Points to your dedicated IP address |
| domain._domainkey | domain._domainkey. | TXT | Authenticates DKIM and DK Selector |
| @ | sample.domain.com | TXT | SPF1 – SPF status authorizes bounce host in mfrom identity |
| bounce | bounce.sample.domain.com | TXT | SPF1 for bounce host |
| reply | reply.sample.domain.com | TXT | SPF1 for reply host |
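
Once the delegation is live, it is worth confirming that the zone actually serves what the table lists. The following audit is an added example, not code from this article or from Salesforce: it checks a set of records for missing types, SPF records that are absent, duplicated, or do not end in -all or ~all, DKIM records with an empty key, and CNAMEs that share a name with other data. The zone contents, the esp.example targets, the IP address and the policy that SPF should end in -all or ~all are assumptions made for illustration.

```python
# Added example; ZONE is constructed data keyed by host label ("@" = apex).
# Targets, IP and key values are placeholders, not Marketing Cloud values.
EXPECTED = {  # record types per host, from the table above
    "@": {"MX", "TXT"}, "bounce": {"MX", "TXT"}, "reply": {"MX", "TXT"},
    "leave": {"MX"}, "image": {"CNAME"}, "view": {"CNAME"}, "click": {"CNAME"},
    "pages": {"CNAME"}, "cloud": {"CNAME"}, "mta": {"A"},
    "domain._domainkey": {"TXT"},
}
SPF_HOSTS = {"@", "bounce", "reply"}

def spf_findings(host, txts):
    spf = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # none or several: receivers cannot evaluate SPF
        return [f"{host}: expected one v=spf1 record, found {len(spf)}"]
    last = spf[0].lower().split()[-1]
    if last in ("-all", "~all") or last.startswith("redirect="):
        return []
    return [f"{host}: SPF ends in '{last}' instead of -all or ~all"]

def dkim_findings(host, txts):
    for t in txts:
        tags = {k.strip(): v.strip() for k, v in
                (p.split("=", 1) for p in t.split(";") if "=" in p)}
        if tags.get("v", "DKIM1") == "DKIM1" and tags.get("p"):
            return []
    return [f"{host}: no DKIM key record with a non-empty p= tag"]

def audit(zone):
    findings = []
    for host, wanted in EXPECTED.items():
        records = zone.get(host, [])
        have = {rtype for rtype, _ in records}
        findings += [f"{host}: missing {t} record" for t in sorted(wanted - have)]
        if "CNAME" in have and len(have) > 1:  # CNAME must stand alone
            findings.append(f"{host}: CNAME coexists with other record types")
        txts = [value for rtype, value in records if rtype == "TXT"]
        if host in SPF_HOSTS and txts:
            findings += spf_findings(host, txts)
        if host.endswith("_domainkey") and txts:
            findings += dkim_findings(host, txts)
    return findings

ZONE = {h: [("CNAME", f"{h}.esp.example")] for h in ("image", "view", "pages", "cloud")}
ZONE.update({
    "@": [("MX", "10 mx.esp.example"), ("TXT", "v=spf1 include:spf.esp.example -all")],
    "bounce": [("MX", "10 mx.esp.example"), ("TXT", "v=spf1 include:spf.esp.example +all")],
    "reply": [("MX", "10 mx.esp.example")], "leave": [("MX", "10 mx.esp.example")],
    "click": [("CNAME", "click.esp.example"), ("TXT", "verify=abc")],
    "mta": [("A", "192.0.2.10")], "domain._domainkey": [("TXT", "v=DKIM1; k=rsa; p=")],
})
```

Calling `audit(ZONE)` on this deliberately faulty sample returns four findings; in practice the dictionary would be filled from live DNS answers for your delegated subdomain.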

Wildcard Certificate

You’ll absolutely want to get a wildcard SSL certificate for your domain for Marketing Cloud to utilize as well. Accounts configured with SAP that do not use an SSL certificate show a secure Marketing Cloud domain on the properties of images in Content Builder. When you add the image to an email, the URL in the editor shows your custom domain setup with SAP. The copy link on the image properties page copies the custom domain for use in emails, landing pages, and browsers.

IP Address Warming

Once the Sender Authentication Package is fully configured, the sending IP addresses must be warmed up. This is because the ISPs have no reputation associated with your IP address. If you just start sending everything through the new configuration, there’s a high risk of getting blocked. Most connections from new IP addresses are attempts to deliver unsolicited spam or other unwanted mail, so ISPs are suspicious of a new IP address sending mail.

The largest ISPs and webmail providers recommend that you build up a sending reputation on any new IP address by slowly and methodically sending in small volumes, then gradually increasing your volume of desirable mail to their users. This process of building a sending reputation is referred to as warming or ramping up your new IP address.

The goal is to build up approximately 30 days of desirable sending history and data so that ISPs have an idea of the mail coming from your new IP address. The ramp-up period can take longer than 30 days for some senders and a shorter time for others. Factors such as your overall list size, list quality, and subscriber engagement can influence the amount of time it takes for your IP address to be fully ramped up. Highbridge has launched IP Warm, a service that automates and optimizes your campaign lists and schedules to minimize any risks associated with migrating to a new IP Address.

Marketing Cloud recommends that you focus on sending to your most active and engaged subscribers during this critical period since it can be the initial basis for the ISPs to determine your sender IP address’s sending reputation. Ramp-up involves sending a limited number of messages per IP per day, so it may be necessary to further adjust your current sending practices as part of the process.

If you have questions or need assistance in implementing inbox monitoring or need help in configuring your Sender Authentication Package, we can work with your Salesforce representative and get you fully configured, warmed up, and sending emails!
