Ethnio uses two industry-standard providers, Mailgun, and Amazon SES, to send emails with maximum deliverability, using any email from/sender/reply-to addresses our customers prefer. We offer domain verification (DKIM/SPF) for Enterprise customers. Outline of this article:
- Getting Started
- How Domain Verification Works (DKIM/SPF)
- Security Best Practices
- After you receive CSV keys: Detailed DNS Instructions
We need three things from your team to get started on DKIM, listed below. Once we receive these three items we will send you DNS keys and instructions for your technical team.
- Subdomain - usually something like uxr.yourdomain.com
- Sender email address – typically like firstname.lastname@example.org
- HSTS / forcing HTTPS 🚨 - does your organization force https for all subdomains?
Both the DNS records and the "sender" email that you can specify in Ethnio should use a subdomain. For example, if your email is email@example.com, your developers will more than likely prefer to create a subdomain, for example "research," so that the DKIM uses research.yourdomain.com and the emails you send in Ethnio come from firstname.lastname@example.org.
Please note that almost nobody will see this email, as you can still set the reply-to to email@example.com. Sender vs Reply-to is a confusing topic, but think of the Sender as something nobody really sees, and the From name as something that can be 100% customized within Ethnio at your discretion anytime.
2: Pick a sender email address
After your technical team has chosen a subdomain for the domain verification, you'll want to pick a sender email like firstname.lastname@example.org. The most important aspect of the sender is that nobody really sees this. It's just a single email that operates behind the scenes and is white listed and authorized to send hundreds or thousands of Ethnio emails without getting caught by spam or otherwise not reaching your recipients for invites, scheduling, incentives, or Pool emails.
⚠️ 3. HSTS settings 🚨
Check with your internal team that will be making these DNS changes on whether your organization has a TLS policy that forces HTTPS and let us know if you do that on all subdomains using the HSTS header. This can impact click-tracking and we'll need to know up front.
Security Best Practices
It's common that your security / IT team will want to white list both dedicated sending IPs, as well as the new subdomain you create to send research emails through Ethnio. More info on that here:
- Whitelist sending IPs - Ethnio can provide dedicated IPs for both Mailgun & SES
- Whitelist subdomain – ensure the new subdomain is allowed to email employees
1. Whitelisting sending IPs
If your security or technical team would like to whitelist both the Mailgun and SES sending IP, we can provide that upon request.
2. Whitelisting subdomain: Sending Ethnio emails to employees
Make sure the same team that implements the DNS changes for domain verification also whitelists your new subdomain & sender to email employees. Network security might consider the new subdomain a suspicious sender because it could appear to be a phishing attempt (like scammer.yourdomain.com).
How Domain Verification Works (DKIM/SPF)
If you’d like to increase deliverability, make sure no unnecessary spam reporting happens, and prevent any phishing concerns, you can configure your domain to verify that Ethnio is authorized to send emails for your organization.
This is only part of Enterprise plans with certain tiers, and has to be setup by your technical or security team internally to add SPF and DKIM records to your domain provider’s DNS management section. The DKIM or Domain Keys Identified Mail is an encryption authentication method that is used to ensure that the email is originated from an authorized system and it prevents spammers from stealing the identity of legitimate entities. Whereas SPF or Sender Policy Framework is used to improve email reliability and prevent spoofing.
The SPF and DKIM DNS records allow Ethnio, using either Mailgun or Amazon SES, to deliver emails for any email address at your domain. You'll always be able to set the reply-to for any email at your organization that you prefer to use per study or account (that could be email@example.com or firstname.lastname@example.org). There are no restrictions on how many different emails can be used inside Ethnio with this level. Please note the sender concept below would be a single email and most recipients will never see that. Lots more detail below.
After you receive keys from Ethnio: Detailed DNS Instructions
These are the instructions for adding DNS records after you've received a CSV via email with your unique DNS records for DKIM. Please refer to that CSV for easy copy/paste of the values referenced below. They look something like this:
1.0 Add TXT records for sending
You should see two TXT records to verify your subdomain. Sign in to the management console for your domain host, locate the page where you update DNS records, and add the TXT records.
2.0 Add CNAME records for tracking
There should be four CNAME records for tracking opens and clicks, and add them to your DNS records as well. Many email providers also use these records to determine if an email should go to spam or not, so we highly recommend including them.
3.0 Add MX records for receiving
There are three MX records with Priority 10. Even if you don’t receive emails at the sender email address, it’s important to add these MX records as they also drastically improve deliverability. In fact many email providers will flat-out bounce emails without MX records being present.
A Note on the concept of Sender
The subdomain you choose from above will also be something that appears in the sender email address, but it's really important to note yet again that the sender is not the from name or the reply-to, which show up in vastly higher priority for your respondents in Gmail or Outlook or whatever email client they use. In other words, the sender email might look a bit strange, but it helps deliver emails at a incredibly high rate, and your respondents will most likely see From / Reply to.
If you don't complete Domain Verification: “On Behalf Of”
The default method Ethnio uses to send emails to your participants for Scheduling, Incentives, or Pool requires no integration or domain verification from your organization. Out of the box, it offers about 85% deliverability. Let’s say your email is email@example.com and you want to use Ethnio for Scheduling and incentive payments, as part of your job as Research Coordinator at Acme Corporation. You would simply login to your Ethnio account, enter Acme Research / firstname.lastname@example.org, and when your respondents reply to the email it will go to you. A small percentage of users (2-12%) will see “Ethnio on behalf of Acme Research” as the from address, but the reply-to will always be email@example.com.
Finally, deliverability is incredibly complex
Each domain, development environment, set of DNS rules, and organization is different. There
can be restrictions at your organization for SPF/DKIM and which vendors are allowed to go
through this process. You could already be using Mailgun directly, which would require a new subdomain. It also typically requires a security and technical audit of Ethnio, and our pricing
for this integration add-on has to reflect that process.
Any questions? Please email firstname.lastname@example.org for more information.