I have the following DNS configuration:
$ dig +noall +answer -t txt example.com
example.com. 626 IN TXT "v=spf1 +a +mx include:sendgrid.net include:_spf.google.com -all"
$ dig +noall +answer -t txt google._domainkey.example.com
google._domainkey.example.com. 600 IN TXT "v=DKIM1; k=rsa; ......"
$ dig +noall +answer -t txt _dmarc.example.com
_dmarc.example.com. 300 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:report@email; aspf=s; adkim=r;"
$ dig +noall +answer -t txt em1234.example.com
em1234.example.com. 358 IN CNAME 1234.xyz.sendgrid.net.
1234.xyz.sendgrid.net. 358 IN TXT "v=spf1 ip4:149.72.253.162 -all"
When I send emails from example.com everything is fine and DMARC is passing. Same goes for emails sent via SendGrid and the subdomain em1234.example.com. However, the reporting tool to which the reports are sent is claiming 100% SPF alignment failure, which is odd, because Gmail and the email headers state quite the opposite:
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass [email protected] header.s=s1 header.b=Rv669YsQ;
spf=pass (google.com: domain of bounces+4746099-3d38-recipient_email=recipient.com@em1234.example.com designates 149.72.253.162 as permitted sender) smtp.mailfrom="bounces+4746099-3d38-recipient_email=recipient.com@em1234.example.com";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
So the question I'm having here is how to SPF align the subdomain that's used by SendGrid? Is the only way to fix this setting aspf to relaxed, or is there another way?
In this scenario DMARC is passing but SPF alignment is failing. Because SendGrid is sending email on behalf of example.com, this is what the receiving mail server sees:
header.FROM: @example.com
Return-Path: @em1234.example.com
DMARC checks 3 things:
All 3 need to be true for DMARC to pass.
In your example, your DMARC record specifies aspf=s (strict) and adkim=r (relaxed). When the mode is strict, the two domains listed in mail.FROM and Return-Path must match exactly to pass alignment. When the mode is relaxed, then subdomains will also pass.
Because SPF and DKIM pass, and DKIM is in alignment (due to relaxed mode), DMARC passes. However, because SPF alignment checks are in strict mode and the two domains do not match exactly, SPF alignment fails.
DMARC only requires one of SPF alignment or DKIM alignment to pass. So, a passing DMARC test doesn't mean that both SPF and DKIM are in alignment.
Your reporting tool is correct. You need to change to aspf=r in this scenario. Or, you must have SendGrid use the same header.FROM and Return-Path domains. However, it is typical with third-party email systems to use a subdomain of the primary domain. So, barring any other option from SendGrid, changing SPF alignment checks to relaxed mode is required and should not pose any risk to your organization.
More about SPF Alignment here: https://mxtoolbox.com/dmarc/spf/spf-alignment
The problem is specifically described in this Sendgrid documentation: https://support.sendgrid.com/hc/en-us/articles/13925777447451-How-to-use-Custom-Return-Path-with-a-Strict-SPF-Identifier-Alignment-DMARC-Policy
I note that Sendgrid: