
How do hybrid setups handle authentication?

Authentication in hybrid environments must work regardless of which path a message takes. Plan SPF, DKIM, and DMARC for all sending sources.

SPF configuration:

Include all legitimate sending sources: v=spf1 ip4:your-mta-ip include:esp-spf.com -all

  • Custom MTAs need their IPs listed
  • ESPs need their include mechanisms
  • Stay within the limit of 10 DNS lookups

DKIM configuration:

  • Both custom MTAs and ESPs should sign with your domain
  • Use different selectors for each source: esp1._domainkey, mta._domainkey
  • Publish all public keys in DNS
  • Consistent signing domain enables DMARC alignment

DMARC alignment:

  • Ensure From domain matches either SPF domain (envelope) or DKIM signing domain
  • Custom bounce domains may be needed for SPF alignment
  • All paths should achieve alignment for DMARC pass

Testing:

  • Send test messages through each path
  • Verify authentication passes for all sources
  • Check alignment specifically, not just that each individual mechanism passes
  • Monitor DMARC aggregate reports for failures
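
The alignment check from the testing list, as an added example (not from the original page): it reads the Authentication-Results header of one test message per path and reports whether any passing mechanism aligns with the From domain in relaxed mode. The headers and domains are constructed samples, and treating the last two labels as the organizational domain is a simplifying assumption.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Return (method, result, domain) tuples for the spf and dkim entries."""
    found = []
    for part in header.split(";")[1:]:           # part 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", part)
        if not m:
            continue
        prop = "smtp.mailfrom" if m.group(1) == "spf" else "header.d"
        d = re.search(re.escape(prop) + r"=([^\s;]+)", part)
        domain = d.group(1).split("@")[-1] if d else ""
        found.append((m.group(1), m.group(2).lower(), domain))
    return found

def check_path(from_domain, header):
    """Relaxed-mode DMARC view of one test message."""
    entries = parse_auth_results(header)
    passed = [method for method, result, _ in entries if result == "pass"]
    aligned = [
        method for method, result, domain in entries
        if result == "pass" and domain
        and org_domain(domain) == org_domain(from_domain)
    ]
    return {"mechanisms_passed": passed, "aligned": aligned,
            "dmarc_pass": bool(aligned)}

# Constructed sample headers, one per sending path (not real captures).
SAMPLES = {
    "custom-mta": "mx.receiver.example; "
                  "spf=pass smtp.mailfrom=bounce.example.com; "
                  "dkim=pass header.d=example.com header.s=mta",
    # ESP left on its default bounce and signing domains: both mechanisms
    # pass, but neither aligns with the From domain.
    "esp-default": "mx.receiver.example; "
                   "spf=pass smtp.mailfrom=bounces.esp-mail.example.net; "
                   "dkim=pass header.d=esp-mail.example.net header.s=esp1",
}

if __name__ == "__main__":
    for path, header in SAMPLES.items():
        print(path, check_path("example.com", header))
```

The second sample is the case the checklist warns about: SPF and DKIM both report pass, yet the message fails DMARC because neither domain aligns with the From domain.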

Hybrid authentication is more complex. Document thoroughly and monitor continuously. One misconfigured path can undermine overall deliverability.
