Domain verification/DKIM

Ethnio uses two industry-standard providers, Mailgun, and Amazon SES, to send emails with maximum deliverability, using any email from/sender/reply-to addresses our customers prefer. We offer domain verification (DKIM/SPF) for Enterprise customers. Outline of this article:

1. Getting Started
2. How Domain Verification Works (DKIM/SPF)
3. Security Best Practices
4. After you receive CSV keys: Detailed DNS Instructions

Getting Started: 3 Steps

We need three things from your team to get started on DKIM, listed below. Once we receive these three items we will send you DNS keys and instructions for your technical team. 

1. Subdomain - usually something like uxr.yourdomain.com 
2. Sender email address – typically like studies@uxr.yourdomain.com  
3. Whitelisting subdomain: Sending Ethnio emails to employees 🚨 

Step 1: Subdomain

Both the DNS records and the "sender" email that you can specify in Ethnio should use a subdomain. For example, if your email is human@yourdomain.com, your developers will more than likely prefer to create a subdomain, for example "research," so that the DKIM uses research.yourdomain.com and the emails you send in Ethnio come from human@research.yourdomain.com.

Please note that almost nobody will see this email, as you can still set the reply-to to human@yourdomain.com. Sender vs Reply-to is a confusing topic, but think of the Sender as something nobody really sees, and the From name as something that can be 100% customized within Ethnio at your discretion anytime.

Step 2: Pick a sender email address

After your technical team has chosen a subdomain for the domain verification, you'll want to pick a sender email like studies@research.yourdomain.com. The most important aspect of the sender is that nobody really sees this. It's just a single email that operates behind the scenes and is white listed and authorized to send hundreds or thousands of Ethnio emails without getting caught by spam or otherwise not reaching your recipients for invites, scheduling, incentives, or Pool emails. 

Step 3: Whitelisting subdomain to make sure Ethnio emails reach employees

Make sure the same team that implements the DNS changes for domain verification also whitelists your new subdomain & sender, so that your own team and all employees will receive Ethnio emails. Because the emails will be coming from a new subdomain, many company network security settings will consider the new subdomain a suspicious sender because it could appear to be a phishing attempt (like scammer.yourdomain.com).

Please note, we assume your organization has a TLS policy that forces HTTPS on all subdomains using the HSTS header. Most organization don't use HTTP anymore for subdomain policy, and so HTTP is a safer bet all around. 

Security Bonus: Whitelist Sending IPs

Sometimes your security / IT team will want to whitelist both dedicated sending IPs, as well as the new subdomain you create to send research emails through Ethnio. We can provide dedicated IPs for both Mailgun & SES as pat of the DKIM keys. If your team would like that, just let us know.

How Domain Verification Works (DKIM/SPF)

If you’d like to increase deliverability, make sure no unnecessary spam reporting happens, and prevent any phishing concerns, you can configure your domain to verify that Ethnio is authorized to send emails for your organization.

This is only part of Enterprise plans with certain tiers, and has to be setup by your technical or security team internally to add SPF and DKIM records to your domain provider’s DNS management section. The DKIM or Domain Keys Identified Mail is an encryption authentication method that is used to ensure that the email is originated from an authorized system and it prevents spammers from stealing the identity of legitimate entities. Whereas SPF or Sender Policy Framework is used to improve email reliability and prevent spoofing.

The SPF and DKIM DNS records allow Ethnio, using either Mailgun or Amazon SES, to deliver emails for any email address at your domain. You'll always be able to set the reply-to for any email at your organization that you prefer to use per study or account (that could be uxresearch@yourdomain.com or bob@research.yourdomain.com). There are no restrictions on how many different emails can be used inside Ethnio with this level. Please note the sender concept below would be a single email and most recipients will never see that. Lots more detail below.

After you receive keys from Ethnio: Detailed DNS Instructions

These are the instructions for adding DNS records after you've received a CSV via email with your unique DNS records for DKIM. Please refer to that CSV for easy copy/paste of the values referenced below. They look something like this:

1.0 Add TXT records for sending

You should see two TXT records to verify your subdomain. Sign in to the management console for your domain host, locate the page where you update DNS records, and add the TXT records.

2.0 Add CNAME records for tracking

There should be four CNAME records for tracking opens and clicks, and add them to your DNS records as well. Many email providers also use these records to determine if an email should go to spam or not, so we highly recommend including them. 

3.0 Add MX records for receiving

There are three MX records with Priority 10. Even if you don’t receive emails at the sender email address, it’s important to add these MX records as they also drastically improve deliverability. In fact many email providers will flat-out bounce emails without MX records being present.

A Note on Sender vs Reply-to

You'll continue to be able specify any reply-to email you'd like, which show up in for most email recipients from Ethnio. The sender email might look a bit strange, but it helps deliver emails at a much higher rate, and will be in full SPF compliance.

Finally, deliverability is incredibly complex

Each domain, development environment, set of DNS rules, and organization is different. There can be restrictions at your organization for SPF/DKIM and which vendors are allowed to go through this process. Any questions? Please email help@ethn.io for more information.