
I have the following DNS configuration:

$ dig +noall +answer -t txt example.com
example.com.    626 IN  TXT "v=spf1 +a +mx include:sendgrid.net include:_spf.google.com -all"

$ dig +noall +answer -t txt google._domainkey.example.com
google._domainkey.example.com.  600 IN TXT "v=DKIM1; k=rsa; ......"

$ dig +noall +answer -t txt _dmarc.example.com
_dmarc.example.com. 300 IN  TXT "v=DMARC1; p=none; pct=100; rua=mailto:report@email; aspf=s; adkim=r;"

$ dig +noall +answer -t txt em1234.example.com
em1234.example.com. 358 IN  CNAME   1234.xyz.sendgrid.net.
1234.xyz.sendgrid.net. 358 IN   TXT "v=spf1 ip4:149.72.253.162 -all"

When I send emails from example.com everything is fine and DMARC is passing. The same goes for emails sent via SendGrid and the subdomain em1234.example.com. However, the reporting tool to which the reports are sent is claiming 100% SPF alignment failure, which is odd, because Gmail and the email headers state quite the opposite:

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=s1 header.b=Rv669YsQ;
       spf=pass (google.com: domain of bounces+4746099-3d38-recipient_email=recipient.com@em1234.example.com designates 149.72.253.162 as permitted sender) smtp.mailfrom="bounces+4746099-3d38-recipient_email=recipient.com@em1234.example.com";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com

So the question I'm having here is: how do I SPF-align the subdomain that's used by SendGrid? Is the only way to fix this setting aspf to relaxed, or is there another way?

1 Answer


In this scenario DMARC is passing but SPF alignment is failing. Because SendGrid is sending email on behalf of example.com, this is what the receiving mail server sees:

  • The mail.FROM address (what the recipient sees and replies to) is @example.com.
  • The Return-Path header (where delivery failures and bounce messages go to) is @em1234.example.com.

To pass DMARC, a message must pass at least one of these checks:

  • SPF authentication and SPF alignment
  • DKIM authentication and DKIM alignment

A message fails the DMARC check if the message fails both:

  • SPF (or SPF alignment)
  • DKIM (or DKIM alignment)

In your example, your DMARC record specifies aspf=s (strict) and adkim=r (relaxed). When the mode is strict, the two domains listed in mail.FROM and Return-Path must match exactly to pass alignment. When the mode is relaxed, then subdomains will also pass.

Because SPF and DKIM authentication passes, and DKIM is in alignment (due to relaxed mode), DMARC passes. However, because SPF alignment checks are in strict mode and the two domains do not match exactly, SPF alignment fails.

As stated, DMARC only requires one of two tests to pass, SPF authentication and alignment, or DKIM authentication and alignment. So, a passing DMARC test doesn’t mean that both SPF and DKIM are in alignment.

Your reporting tool is correct. You need to change to aspf=r in this scenario. Or, you must have SendGrid use the same header.FROM and Return-Path domains. However, it is typical for third-party email systems to use a subdomain of the primary domain. So, barring any other option from SendGrid, changing SPF alignment checks to relaxed mode is required and should not pose any risk to your organization.

More about SPF Alignment here: https://mxtoolbox.com/dmarc/spf/spf-alignment

The problem is specifically described in this SendGrid documentation: https://support.sendgrid.com/hc/en-us/articles/13925777447451-How-to-use-Custom-Return-Path-with-a-Strict-SPF-Identifier-Alignment-DMARC-Policy

I note that SendGrid:

  • Supports a custom return-path
  • Does not recommend using strict alignment
  • Using a custom return-path means you actually send mail from @subdomain.example.com, which is often not desired.
  • Thanks for this detailed answer! I was reading the RFC, but it wasn't entirely clear to me. Two more follow-up questions: 1) having the relaxed mode for aspf simply allows for less strict checks for the SPF, but the SPF record is still enforced, right? 2) Does the same go for adkim=s | r?
    – tftd
    Commented Mar 28 at 6:30
  • @tftd relaxed / strict is only about "alignment"; it does not affect the functioning of SPF or DKIM checks. They both still work the same. But each of those (SPF & DKIM) has limitations that DMARC attempts to address; the big thing is checking alignment between different values in the message. Commented Mar 28 at 16:35
  • That's what I thought too, but wanted to be sure. Thanks very much for this awesome answer!
    – tftd
    Commented Mar 28 at 18:49
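
To make the alignment logic from the answer concrete, here is an added example (not code from the question, the answer or SendGrid) that evaluates DMARC the way a receiver does: it reads the aspf/adkim tags from the DMARC record in the question, pulls the SPF and DKIM identifiers out of an Authentication-Results header, checks each against the header From domain in strict or relaxed mode, and applies the "one of the two must both authenticate and align" rule. The Authentication-Results string is constructed from the question's headers; the DKIM d=em1234.example.com value is an assumption, since the page obfuscates it. Organizational-domain derivation is simplified to the last two labels (a real implementation uses the Public Suffix List).

```python
"""DMARC identifier alignment, worked through for the SendGrid subdomain case."""
import re
from dataclasses import dataclass

# DMARC record from the question (aspf=s, adkim=r).
DMARC_RECORD = "v=DMARC1; p=none; pct=100; rua=mailto:report@email; aspf=s; adkim=r;"

# Constructed Authentication-Results, modelled on the question's Gmail headers.
# header.d=em1234.example.com is an ASSUMPTION (the page obfuscates the DKIM domain).
AUTH_RESULTS = (
    "mx.google.com; "
    "dkim=pass header.d=em1234.example.com header.s=s1 header.b=Rv669YsQ; "
    "spf=pass smtp.mailfrom=bounces+4746099-3d38-recipient_email=recipient.com@em1234.example.com; "
    "dmarc=pass header.from=example.com"
)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict. aspf/adkim default to relaxed (RFC 7489)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    auth = auth_domain.lower().rstrip(".")
    frm = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == frm
    return org_domain(auth) == org_domain(frm)


def parse_auth_results(header: str) -> dict:
    """Extract the results and identifiers DMARC evaluates from Authentication-Results."""
    def grab(pattern: str):
        match = re.search(pattern, header)
        return match.group(1) if match else None

    mailfrom = grab(r"smtp\.mailfrom=([^\s;]+)") or ""
    return {
        "spf": grab(r"\bspf=(\w+)"),
        "dkim": grab(r"\bdkim=(\w+)"),
        # Return-Path / RFC5321.MailFrom domain: everything after the last '@'
        "mailfrom_domain": mailfrom.rsplit("@", 1)[-1],
        "dkim_d": grab(r"header\.d=([^\s;]+)") or "",
        "header_from": grab(r"header\.from=([^\s;]+)") or "",
    }


@dataclass
class DmarcVerdict:
    spf_auth: bool
    spf_aligned: bool
    dkim_auth: bool
    dkim_aligned: bool

    @property
    def dmarc_pass(self) -> bool:
        # DMARC passes if EITHER mechanism both authenticates and aligns.
        return (self.spf_auth and self.spf_aligned) or (self.dkim_auth and self.dkim_aligned)


def evaluate(auth_results: str, dmarc_record: str) -> DmarcVerdict:
    ids = parse_auth_results(auth_results)
    tags = parse_dmarc(dmarc_record)
    return DmarcVerdict(
        spf_auth=ids["spf"] == "pass",
        spf_aligned=aligned(ids["mailfrom_domain"], ids["header_from"], tags["aspf"]),
        dkim_auth=ids["dkim"] == "pass",
        dkim_aligned=aligned(ids["dkim_d"], ids["header_from"], tags["adkim"]),
    )


if __name__ == "__main__":
    # Same message, evaluated under the question's record and under aspf=r.
    for record in (DMARC_RECORD, DMARC_RECORD.replace("aspf=s", "aspf=r")):
        verdict = evaluate(AUTH_RESULTS, record)
        print(f"aspf={parse_dmarc(record)['aspf']}: {verdict} -> "
              f"{'DMARC pass' if verdict.dmarc_pass else 'DMARC fail'}")
```

Under the question's record the message passes DMARC only on the DKIM leg (spf_aligned is False because em1234.example.com is not an exact match for example.com), which is exactly what the reporting tool flags; switching to aspf=r makes the SPF leg align as well.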
