How do hybrid setups handle authentication?

Authentication in hybrid environments must work regardless of which path a message takes. Plan SPF, DKIM, and DMARC for all sending sources.

SPF configuration:

Include all legitimate sending sources: v=spf1 ip4:your-mta-ip include:esp-spf.com -all

Custom MTAs need their IPs listed

ESPs need their include mechanisms

Stay under the 10 DNS lookup limit

DKIM configuration:

Both custom MTAs and ESPs should sign with your domain

Use different selectors for each source: esp1._domainkey, mta._domainkey

Publish all public keys in DNS

Consistent signing domain enables DMARC alignment

DMARC alignment:

Ensure the From domain matches either the SPF domain (envelope) or the DKIM signing domain

Custom bounce domains may be needed for SPF alignment

All paths should achieve alignment for DMARC pass

Testing:

Send test messages through each path

Verify authentication passes for all sources

Check alignment specifically, not just individual mechanism pass

Monitor DMARC aggregate reports for failures

Hybrid authentication is more complex. Document thoroughly and monitor continuously. One misconfigured path can undermine overall deliverability.