To simplify the process of sending email through the SocketLabs platform we use our own domain(s) in a few important places behind the scenes. White-labeling your email is a process that masks the SocketLabs platform and related domains used in the delivery process. This allows messages to reference only your own domain. These features can be very useful for customers who want to ensure that their email is branded to appear to originate directly from their own systems. White-labeling also allows a company to entirely isolate its sender reputation and possibly improve message delivery results. SocketLabs highly recommends all customers set-up the optional white-labeling features.
The white-label set-up process involves the configuration of multiple DNS entries with your domain’s DNS provider. These entries are then verified in the corresponding SocketLabs Control Panel configuration pages. By following this guide, you will be able to white-label our service for the messages processing through your SocketLabs server.
What is a CNAME?
A custom host name or CNAME record is a DNS entry specifying that one domain name is an alias of another domain, which is referred to as the “canonical” name. This is an essential component of white-labeling email because it allows for the display of your organization's own domain name, while the actual infrastructure behind the entry is the SocketLabs platform.
What is a TXT record?
A TXT record is a DNS entry that provides text information about a domain that is human-or machine-readable. TXT records often store information for authentication at a domain. For example, Google Analytics requires that in order to use its service, site ownership must be verified through a TXT record containing a unique code that it supplies. Each time Google Analytics is accessed, it will look through the domain records and verify that a matching code is provided in a TXT record. In terms of email, TXT records can be used for DKIM and SPF authentication.
Custom Bounce Domain
The first and most important feature to establish when white-labeling your email messages is a Custom Bounce Domain. When we process a message on your behalf, in order to capture failures and bounces, we supply a bounce address, or return path address, that has been customized for that specific message. This is called a Variable Envelope Return Path (VERP). By default the domain portion of this address is a SocketLabs domain, this feature allows you to customize this and use your organization’s own domain instead. Please see our Custom Bounce Domains guide for more information.
To establish a custom bounce domain you must create a CNAME record with your DNS provider. The hostname prefix can be any value of your choosing. The most popular are
email.example.com and bounces.example.com.
HOST TYPE DATA
email.example.com CNAME tracking.socketlabs.com
Italicized text can be replaced with any value of your choosing. This may be visible to recipients of your messages in links, or in message headers.
We have documented the process of adding a CNAME record with many popular DNS service providers. Please see our guide for a provider specific walk-through.
Once you’ve create a CNAME record with your DNS provider you can enable the Custom Bounce Domain feature in the SocketLabs Control Panel. This can be found for your server by navigating to https://cp.socketlabs.com then selecting: View-> Configuration -> Settings -> Advanced Features -> Custom Bounce Domain.
Required DNS entries:
HOST TYPE DATA
bounces.example.com CNAME tracking.socketlabs.com
*dkim._domainkey.example.com CNAME dkim._domainkey.email-od.com
dkim._domainkey TXT k=rsa; p=[publickey]**
example.com TXT v=spf1 include:email-od.com ~all
Note: Italicized text can be replaced with a value of your choosing. This may be visible to recipients of your messages in links, or in message headers.
*The first option is for Custom DKIM signing, while the second is for Advanced DKIM signing. Only one of these can be used.
**The public key inside of the brackets is your public key generated from the DKIM Generation Wizard. The brackets are not included
Both the Engagement Tracking and Custom Bounce configuration require a CNAME entry to tracking.socketlabs.com. You can create a single CNAME and use the sub-domain for both features, or you can create separate records for each. Please refer to our guide for configuring DNS records for helpful information on setting up the required custom hostname.
Once a CNAME has been created to tracking.socketlabs.com, you can navigate to the Engagement Tracking settings page in the Control Panel. This page can be found for your server by navigating to https://cp.socketlabs.com, then selecting: View-> Configuration -> Settings -> Engagement Tracking. You will then need to specify the sub-domain you have configured, such as
email.example.com, in the Custom Host Name field. SocketLabs will validate the domain to ensure that this domain properly CNAMEs to tracking.socketlabs.com. Please allow up to 24 hours for DNS propagation before attempting to verify your entry.
Configuring Engagement Tracking is recommended as part of the white-labeling process, but it is not required to send mail. Please see our Engagement Tracking for more information.
The final step in white-labeling your email is the configuration of DKIM signing. The DKIM Signing page can be found for your server by navigating to https://cp.socketlabs.com, then selecting: View-> Configuration -> Settings -> Advanced Features -> DKIM Signing. It is important that your mail is authenticated with a custom DKIM signature at your organizational domain to match your custom bounce domain. There are two ways you can configure a DKIM signature: Custom and Advanced Signing.
Custom DKIM signing is the minimum requirement for white-labeling. It is a simple process that requires no management of custom DKIM keys. SocketLabs remains in control of both public and private DKIM keys, allowing you to authenticate your mail with DKIM without having to manage keys. This method of DKIM integration is less secure, but is easier to configure and does not require as much expertise. The Advanced Signing option is not required for white-labeling, but does allow users to have complete control of the DKIM signatures generated for the messages processing through their server. Users can create multiple entries that allow for multiple domains to be authenticated. Advanced Signing is the most secure method of DKIM integration, but does require a significant knowledge of DNS and DKIM.
** Note customized DKIM signatures will only be applied to messages in which DKIM Signing has been established for the domain of the Purported Responsible Address.
How to setup Custom Signing
Custom DKIM Signing involves creating a CNAME record in your top-level domain that points to dkim._domainkey.email-od.com. Once the CNAME entry has been configured, enter your organizational domain in the DKIM Settings page, with Custom Signing selected. The CNAME entry could take a period of time to become verifiable by the SocketLabs Email On-Demand Control Panel. Please allow up to 24 hours for DNS propagation before attempting to verify your entry.
How to setup Advanced Signing
In order to properly configure Advanced DKIM Signing, you will need a Selector value, a Private Key, and a DNS entries of TXT records of your public key for your domain. We recommend that you use the DKIM Key Generation Wizard to configure Advanced DKIM signing properly. On the DKIM Key Generation Wizard page, enter your domain and a Selector value of your choice, such as “dkim”. This value can only contain alphanumeric characters, and we recommend that it contain less than 10 total. The information generated in the wizard should be recorded in a safe place. We recommend that you first create a DNS entry of your public key specified under “Setting up your DNS”. This value could take a period of time to become verifiable in the SocketLabs Email On-Demand Control Panel. After creating the DNS entry, enter the generated values from the wizard under “Setting up Your Server” into the corresponding fields in your DKIM Settings page, with Advanced Signing selected. In the New Private Key field, include the header and footer. Once the public key has been verified, you will be able to save your entry. Please allow up to 24 hours for DNS propagation before attempting to update your DKIM entry. Please see our Advanced DKIM Signing Feature for more information.
For more information on how to configure DNS records for DKIM, see the DNS Configuration Guides Index.
Although the custom bounce domain automatically authenticates your mail with SPF, creating an SPF record at your domain is recommended to ensure your domain is fully authenticated to send email through our platform. For more information on SPF please reference our knowledgebase article: [ https://support.socketlabs.com/kb/98 ].Please refer to our guide for configuring DNS records for helpful information on setting up SPF and CNAME records.
Limitations of Whitelabeling
Please be aware that the custom bounce domain is on a server-level setting and applies to all email messages being processed through the server. Therefore, only one domain can be white-labeled per server. For customers who send on behalf of multiple domains and wish to be white-labeled, we recommend:
- Using multiple servers - whitelabeling a different domain on each server
- Using a central whitelabel domain - creating a single custom bounce domain that applies to all domains you are sending on behalf of.
The method you use to approach this depends on your business’s specific needs.