DNS for white label authentication with SproutDNS


I wrote last year about using “stunt” nameservers for customer subdomain authentication – i.e. dynamically generating all the authentication records needed in DNS for each customer as needed.

For example, if you’re an ESP that has customers who can’t or won’t use their own domains and you still need to give them unique subdomains you can generate CNAME records to support white label DKIM authentication:

selector._domainkey.customerid.espcustomer.com CNAME \

or generate white label DMARC with useful rua= reporting:

_dmarc.customerid.espcustomer.com TXT \
"v=DMARC1 p=none rua=rua+customerid@esp.com"

Once you’ve set up these DNS records once they’ll work for all your customers, you just need to put the right domains in your DKIM signature and return path.

I shared some demo code to explain the concept last year, but since then we’ve developed a robust, production-ready application to dynamically serve DNS in this way.

It’s called SproutDNS – the humble brussel sprout isn’t the flashiest vegetable, but it’s robust, tasty, easy to prepare and good for you.

The product page is at sproutdns.com and there’s documentation at docs.sproutdns.com. Take a look, and sign up for our waitlist if it’s something you’d find useful. We’ll be announcing pricing in the next few weeks, but if you’d like to deploy it before then drop us a line.

About the author

1 comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • I might have you call you out on Sprouts. Not that robust, tasteless and questionably good for you. That being said, do you find that CNAME records for DKIM are accepted globally? DMARC of course is, and that’s the default way to handle DMARC.

By steve

Recent Posts


Follow Us