How to get SPF alignment to pass DMARC for a subdomain?

Question

I have the following DNS configuration:

$ dig +noall +answer -t txt example.com
example.com.    626 IN  TXT "v=spf1 +a +mx include:sendgrid.net include:_spf.google.com -all"

$ dig +noall +answer -t txt google._domainkey.example.com
google._domainkey.example.com.  600 IN TXT "v=DKIM1; k=rsa; ......"

$ dig +noall +answer -t txt _dmarc.example.com
_dmarc.example.com. 300 IN  TXT "v=DMARC1; p=none; pct=100; rua=mailto:report@email; aspf=s; adkim=r;"

$ dig +noall +answer -t txt em1234.example.com
em1234.example.com. 358 IN  CNAME   1234.xyz.sendgrid.net.
1234.xyz.sendgrid.net. 358 IN   TXT "v=spf1 ip4:149.72.253.162 -all"

When I send emails from example.com everything is fine and DMARC are passing. Same goes for emails sent via SendGrid and the subdomain em1234.example.com. However the reporting tool to which the reports are sent is claiming 100% SPF alignment failure which is odd, because Gmail and email headers state quite the opposite:

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=s1 header.b=Rv669YsQ;
       spf=pass (google.com: domain of bounces+4746099-3d38-recipient_email=recipient.com@em1234.example.com designates 149.72.253.162 as permitted sender) smtp.mailfrom="bounces+4746099-3d38-recipient_email=recipient.com@em1234.example.com";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com

So the question I'm having here is how to SPF align the subdomain that's used by SendGrid? Is the only way to fix this setting aspf to relaxed or is there another way?

Answer 1

In this scenario DMARC is passing but SPF alignment is failing. Because sendgrid is sending email on behalf of example.com this is what the receiving mail server sees:

• The mail.FROM address (what the recipient sees and replies to) is @example.com.
• The Return-Path header (where delivery failures and bounce messages go to) is @em1234.example.com

To pass DMARC, a message must pass at least one of these checks:

• SPF authentication and SPF alignment
• DKIM authentication and DKIM alignment

A message fails the DMARC check if the message fails both:

• SPF (or SPF alignment)
• DKIM (or DKIM alignment)

In your example, your DMARC record specifies aspf=s (strict) and adkim=r (relaxed). When the mode is strict, the two domains listed in mail.FROM and Return-Path must match exactly to pass alignment. When the mode is relaxed, then subdomains will also pass.

Because SPF and DKIM authentication passes, and DKIM is in alignment (due to relaxed mode), DMARC passes. However, because SPF alignment checks are in strict mode and the two domains do not match exactly, SPF alignment fails.

As stated, DMARC only requires one of two tests to pass, SPF authentication and alignment, or DKIM authentication and alignment. So, a passing DMARC test doesn’t mean that both SPF and DKIM are in alignment.

Your reporting tool is correct. You need to change aspf=r in this scenario. Or, you must have sendgrid use the same header.FROM and Return-Path domains. However, it is typical with third party email systems to use a subdomain of the primary domain. So, barring any other option from sendgrid, changing SPF alignment checks to relaxed mode is required and should not pose any risk to your organization.

More about SPF Alignment here: https://mxtoolbox.com/dmarc/spf/spf-alignment

The problem is specifically described in this Sendgrid documentation: https://support.sendgrid.com/hc/en-us/articles/13925777447451-How-to-use-Custom-Return-Path-with-a-Strict-SPF-Identifier-Alignment-DMARC-Policy

I note that Sendgrid:

• Supports a custom return-path
• Does not recommend using strict alignment
• To use a custom return-path it will mean you actually send mail from @subdomain.example.com which is often not desired.