
Emails with DMARC: 'FAIL' even though it passes from the https://mxtoolbox.com validator


I am using [email protected] below for privacy, but this is happening to a real domain and email address.

In the mass emails that we send, DMARC is failing:

[screenshot of the failing DMARC result omitted]

In my TXT records, this is what I have for DMARC:

_dmarc 14400 IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; sp=none; aspf=r"

When I go to validate my DMARC records at https://mxtoolbox.com, this is what I get:

[screenshot of the mxtoolbox validator result omitted]

Why could DMARC be failing even when a validator says that it passes, no syntax error and everything looks right? Notice how SPF and DKIM are passing. The problem is only with DMARC for some reason that I am trying to understand.

UPDATE 1: I found this paragraph at https://support.google.com/a/answer/2466563?hl=en:

Alignment mode refers to the precision with which sender records are compared to SPF and DKIM signatures, with the two possible values being relaxed or strict, represented by "r" and "s" respectively. In short, relaxed allows partial matches, such as subdomains of a given domain, while strict requires an exact match.

Notice in my _dmarc 14400 IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; sp=none; aspf=r" how I am trying to use the relaxed mode.


Solution

  • I'd guess (because I can't tell from what you've posted) it's because your SPF sender domain is not "aligned" with your From header. You're sending through sendgrid, so I expect that sendgrid is also handling your bounces, so you probably have a return-path header on a received message something like:

    Return-path: <[email protected]>
    

    But your From header is in your own domain:

    From: <[email protected]>
    

    Your SPF may give permission to send from sendgrid's IPs (via include of their SPF record), so you'll get a pass for that, but clearly example.net and sendgrid.net are not the same domain, so they are not considered aligned and you'll get a DMARC failure.

    For it to align in aspf=s mode, either your from address would need to be a sendgrid.net address (probably not what you want), or your mail server needs to be at example.net (you're probably using sendgrid because you don't want to be running your own mail server), so you'd need to revert to aspf=r (relaxed) mode. This would allow you to create a CNAME in your DNS that points a name in your domain, such as mail.example.net, at sendgrid's mail server, and they would need to know that arrangement is in place so that they can send messages using that envelope sender. In relaxed mode, example.net and mail.example.net are considered aligned and you'll get a DMARC PASS.

    mxtoolbox will be giving you a pass because your DMARC record is indeed perfectly valid when considered in isolation, but unless your domains on sent messages actually align, it still won't work.
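The following is an added example, not code from the question or the answer above. It parses the DMARC record from the question and then evaluates identifier alignment the way a receiving server does, so it shows both why a syntactically valid record still fails (SPF passes for sendgrid.net, but sendgrid.net is not aligned with the From domain example.net) and why the CNAME arrangement the answer proposes passes under aspf=r but not aspf=s. Assumptions: the rua address is a placeholder because the page's is redacted; the DKIM signature in the failing scenario is taken to be in the provider's domain as well, since the page only discusses SPF alignment; and the organizational domain is computed as the last two labels instead of via the Public Suffix List.

```python
"""DMARC identifier-alignment evaluator (added example, not from the original post).

Organizational-domain logic is simplified to the last two labels; a real
evaluator consults the Public Suffix List (assumption noted in the lead-in).
"""
from dataclasses import dataclass
from typing import Optional

# Record from the question; the rua address is a constructed placeholder.
RECORD = "v=DMARC1; p=none; rua=mailto:postmaster@example.net; sp=none; aspf=r"


def parse_dmarc_record(txt: str) -> dict:
    """Split a 'v=DMARC1; tag=value; ...' TXT record into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1):
    strict 's' requires an exact match, relaxed 'r' accepts the same
    organizational domain, which is what makes mail.example.net align
    with example.net."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResult:
    from_domain: str            # domain of the RFC5322.From header
    spf_domain: str             # envelope sender (Return-Path / MAIL FROM) domain
    spf_pass: bool              # raw SPF result, before alignment
    dkim_domain: Optional[str]  # d= tag of the DKIM signature that verified
    dkim_pass: bool             # raw DKIM result, before alignment


def dmarc_result(record_txt: str, r: AuthResult) -> dict:
    """DMARC passes when at least one authenticated identifier is aligned."""
    tags = parse_dmarc_record(record_txt)
    aspf = tags.get("aspf", "r")    # default is relaxed when the tag is absent
    adkim = tags.get("adkim", "r")
    spf_aligned = r.spf_pass and aligned(r.from_domain, r.spf_domain, aspf)
    dkim_aligned = (
        r.dkim_pass
        and r.dkim_domain is not None
        and aligned(r.from_domain, r.dkim_domain, adkim)
    )
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
        "policy": tags.get("p", "none"),
    }


if __name__ == "__main__":
    # Scenario 1: the situation in the question. SPF and DKIM both pass,
    # but both identifiers are in the provider's domain, so nothing aligns.
    as_sent = AuthResult("example.net", "sendgrid.net", True, "sendgrid.net", True)
    print("as sent:", dmarc_result(RECORD, as_sent))

    # Scenario 2: the answer's CNAME arrangement, envelope sender in a
    # subdomain of the From domain. Relaxed mode aligns, strict mode does not.
    fixed = AuthResult("example.net", "mail.example.net", True, "sendgrid.net", True)
    print("aspf=r:", dmarc_result(RECORD, fixed))
    print("aspf=s:", dmarc_result(RECORD.replace("aspf=r", "aspf=s"), fixed))
```

Running the script prints "fail" for the message as sent, "pass" for the subdomain envelope sender under aspf=r, and "fail" again once the record is switched to aspf=s, which is the distinction mxtoolbox cannot see because it only validates the record's syntax.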