This is a classic pain point when scaling to multi-brand setups in Salesforce. Here's what I've seen work well:
Option 1: Salesforce Marketing Cloud + multiple SAPs
In Marketing Cloud, you can configure multiple "From Addresses" per Business Unit, each linked to its own SAP (Sender Authentication Package). Each SAP handles DKIM signing and domain authentication per brand. It's native but requires careful Business Unit organization.
Option 2: Use a dedicated ESP as a sending relay
Many teams add SendGrid, Postmark, or Amazon SES as a sending layer on top of Salesforce. You manage DKIM/SPF centrally in the ESP dashboard, and Salesforce just triggers sends via API. This simplifies multi-domain auth since DNS records are configured once per domain in one place.
Option 3: Shared subdomain strategy
Instead of authenticating each brand's root domain, standardize on sending subdomains like mail.brand-a.com, mail.brand-b.com. This keeps DNS configs predictable and templatable — you can even automate provisioning with Terraform or Route53 APIs.
My recommendation: For 3+ brands, go with Option 2 or 3. Native Salesforce doesn't scale gracefully beyond 2 domains without becoming a maintenance nightmare. Also, set up DMARC policies per domain early to catch misconfigs before they hurt deliverability. Hope this helps!
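
An added example, not part of the original post: one way to template the SPF, DKIM and DMARC records for each `mail.<brand>` sending subdomain and audit what is actually published against that template. The brand domains, the selector `s1` and the `esp.example` hostnames are hypothetical placeholders, and the zone data is constructed inline so the check runs offline.

```python
# Added example. Domains, selector and ESP hostnames are hypothetical placeholders.
BRANDS = ["brand-a.com", "brand-b.com", "brand-c.com"]
ESP_SPF = "spf.esp.example"        # assumed ESP SPF include host
SELECTOR = "s1"                    # assumed DKIM selector
ESP_DKIM = "dkim.esp.example"      # assumed ESP-hosted DKIM key host

def expected_records(brand):
    """Records one sending subdomain (mail.<brand>) should publish."""
    sub = f"mail.{brand}"
    return {
        (sub, "TXT"): [f"v=spf1 include:{ESP_SPF} -all"],
        (f"{SELECTOR}._domainkey.{sub}", "CNAME"): [f"{SELECTOR}.{ESP_DKIM}"],
        (f"_dmarc.{sub}", "TXT"): [f"v=DMARC1; p=quarantine; rua=mailto:dmarc@{brand}"],
    }

def audit(brand, zone):
    """Return findings for one brand. Multiple SPF records are a permerror (RFC 7208)."""
    sub, findings = f"mail.{brand}", []
    spf = [r for r in zone.get((sub, "TXT"), []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"{sub}: expected 1 SPF record, found {len(spf)}")
    elif not spf[0].rstrip().endswith(("-all", "~all")):
        findings.append(f"{sub}: SPF does not end in -all or ~all")
    if not zone.get((f"{SELECTOR}._domainkey.{sub}", "CNAME")):
        findings.append(f"{sub}: DKIM selector {SELECTOR} not published")
    dmarc = [r for r in zone.get((f"_dmarc.{sub}", "TXT"), []) if r.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"{sub}: expected 1 DMARC record, found {len(dmarc)}")
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append(f"{sub}: DMARC p={tags.get('p')} is monitor-only")
    return findings

def sample_zone():
    """Constructed data: brand-a clean, brand-b and brand-c misconfigured."""
    zone = {}
    for b in BRANDS:
        zone.update(expected_records(b))
    zone[("mail.brand-b.com", "TXT")].append("v=spf1 include:old.esp.example ~all")
    zone[("_dmarc.mail.brand-b.com", "TXT")] = ["v=DMARC1; p=none"]
    del zone[(f"{SELECTOR}._domainkey.mail.brand-c.com", "CNAME")]
    del zone[("_dmarc.mail.brand-c.com", "TXT")]
    return zone

if __name__ == "__main__":
    zone = sample_zone()
    for b in BRANDS:
        print(f"mail.{b}:", audit(b, zone) or "ok")
```

In a real setup the `zone` dictionary would be filled from DNS lookups or a zone export, and the same template can feed whatever provisions the records.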