2

I am using username@example.net below for privacy, but this is happening to a real domain and email address.

In the mass emails that we send, DMARC is failing:

[screenshot of the DMARC failure in the mail report]

In my TXT records, this is what I have for DMARC:

_dmarc 14400 IN TXT "v=DMARC1; p=none; rua=mailto:username@example.net; sp=none; aspf=r"

When I go to validate my DMARC records at https://mxtoolbox.com, this is what I get:

[screenshot of the mxtoolbox DMARC validation result]

Why could DMARC be failing even when a validator says that it passes, there is no syntax error and everything looks right? Notice how SPF and DKIM are passing. The problem is only with DMARC, for some reason that I am trying to understand.

UPDATE 1: I found this paragraph at https://support.google.com/a/answer/2466563?hl=en:

Alignment mode refers to the precision with which sender records are compared to SPF and DKIM signatures, with the two possible values being relaxed or strict, represented by "r" and "s" respectively. In short, relaxed allows partial matches, such as subdomains of a given domain, while strict requires an exact match.

Notice in my _dmarc 14400 IN TXT "v=DMARC1; p=none; rua=mailto:username@example.net; sp=none; aspf=r" how I am trying to use the relaxed mode.

Jaime Montoya
  • mxtoolbox is validating the syntax of your DMARC record, which is correct. The 'DMARC Fail' in your report isn't suggesting that the DMARC is incorrect, but is telling you that the messages being reported failed to satisfy your DMARC test. – Gavin Jackson May 31 '18 at 08:00

3 Answers

9

I'd guess (because I can't tell from what you've posted) it's because your SPF sender domain is not "aligned" with your From header. You're sending through sendgrid, so I expect that sendgrid is also handling your bounces, so you probably have a return-path header on a received message something like:

Return-path: <bounces-username=example.net@sendgrid.net>

But your From header is in your own domain:

From: <username@example.net>

Your SPF may give permission to send from sendgrid's IPs (via include of their SPF record), so you'll get a pass for that, but clearly example.net and sendgrid.net are not the same domain, so they are not considered aligned and you'll get a DMARC failure.

For it to align in aspf=s mode, either your From address would need to be a sendgrid.net address (probably not what you want), or your mail server would need to be at example.net (you're probably using sendgrid because you don't want to be running your own mail server), so you'd need to revert to aspf=r (relaxed) mode. This would allow you to create a CNAME in your DNS that points a name in your domain, such as mail.example.net, at sendgrid's mail server; they would need to know that arrangement is in place so that they can send messages using that envelope sender, and in relaxed mode, example.net and mail.example.net are considered aligned and you'll get a DMARC PASS.

mxtoolbox will be giving you a pass because your DMARC record is indeed perfectly valid when considered in isolation, but unless your domains on sent messages actually align, it still won't work.

Synchro
  • You are right. I have this: `dkim=pass header.i=@sendgrid.net header.s=smtpapi header.b=gkVXvU4U; spf=pass (google.com: domain of bounces+6635711-37aa-j.montoya=example.net@sendgrid.net designates 167.89.100.76 as permitted sender) smtp.mailfrom=bounces+6635711-37aa-j.montoya=example.net@sendgrid.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.net Return-Path: `. – Jaime Montoya May 29 '18 at 19:55
  • I found at https://www.klaviyo.com/docs/dns-records-for-email how they ask for the creation of two TXT records for SPF. It looks like something related to your solution about creating a CNAME in the DNS that points a name in my domain. – Jaime Montoya May 29 '18 at 20:36
  • @JaimeMontoya that link is actually broken, and has been excluded from the Wayback Machine; is there any chance you can explain what it says? I'm in a similar situation to the one you've encountered, but under a different provider, so I'm a bit stumped at what I ought to change on my configuration... – Gwyneth Llewelyn Jul 09 '22 at 18:08
  • @GwynethLlewelyn I see that link is broken. Maybe this one may help: https://help.klaviyo.com/hc/en-us/articles/115000357752-How-to-Set-Up-a-Dedicated-Sending-Domain- – Jaime Montoya Jul 10 '22 at 02:38
  • Ah! Thanks @JaimeMontoya! That link works! However, I see that it is specific to Klaviyo (and therefore skips some steps, which are done by their software automatically), while the OP seems to be using Sendgrid (https://sendgrid.com/) instead. – Gwyneth Llewelyn Jul 26 '22 at 16:54
  • @GwynethLlewelyn I see. Yeah, Klaviyo is proprietary software and it makes sense they will not share all implementation details as open source software would. – Jaime Montoya Jul 27 '22 at 17:15
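The alignment logic the accepted answer describes (and the DKIM d= domain point in the comments under aldel's answer), as an added Python example that is not code from the question or any answer. It assumes a simplified organizational-domain rule (last two DNS labels; real DMARC evaluators use the Public Suffix List) and uses the question's own DMARC record as constructed input:

```python
import re

# Constructed input: the DMARC record from the question, not a live DNS lookup.
QUESTION_RECORD = "v=DMARC1; p=none; rua=mailto:username@example.net; sp=none; aspf=r"

def parse_dmarc(record: str) -> dict:
    """Parse tag=value pairs; tolerates dig-style '\\;' escapes and surrounding quotes."""
    tags = {}
    for part in record.strip().strip('"').replace("\\;", ";").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("aspf", "r")   # RFC 7489 default: relaxed alignment
    tags.setdefault("adkim", "r")
    return tags

def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def mailfrom_domain(return_path: str) -> str:
    """Domain of the envelope sender (Return-Path / SMTP MAIL FROM)."""
    match = re.search(r"@([^>\s]+)", return_path)
    return match.group(1) if match else ""

def dmarc_evaluate(record, from_domain, return_path, spf_pass, dkim_d, dkim_pass):
    """DMARC passes only if SPF or DKIM passed AND that identifier aligns with From."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, mailfrom_domain(return_path), tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_d or "", tags["adkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "policy": tags.get("p", "none")}

if __name__ == "__main__":
    # The thread's situation: SPF and DKIM pass for sendgrid.net, but From is example.net.
    print(dmarc_evaluate(QUESTION_RECORD, "example.net",
                         "<bounces-username=example.net@sendgrid.net>", True, "sendgrid.net", True))
    # After a CNAME such as mail.example.net is used as the envelope sender (relaxed mode).
    print(dmarc_evaluate(QUESTION_RECORD, "example.net",
                         "<bounces@mail.example.net>", True, "sendgrid.net", True))
```

The first call reproduces the "spf=pass, dkim=pass, dmarc=fail" result quoted in the comments; the second shows why a name inside your own domain on the envelope sender fixes it under aspf=r but not under aspf=s.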
1

An addendum to the accepted answer, specifically for Sendgrid:

If you have everything set up correctly in your main user account, that does not mean that a subuser account is able to send and have DMARC pass. You have to assign the verified domain to the subuser.

I had verified my domain and also set up a dedicated IP address and configured reverse DNS. The IP address was correctly assigned to the subuser. I thought the domain verification was also working for the subuser, because SPF and DKIM passed. But it turned out that they passed with sender domain sendgrid.com, not with my custom domain. So that's why DMARC failed.

Sendgrid offers the option to assign a verified domain to a subuser when you first set up the verified domain (it's an "advanced" option; documentation here). If the domain is already verified, there doesn't seem to be a way to assign it to a subuser from the Sender Authentication tab.

On the other hand, there does seem to be a place in the Subuser Management tab. If you edit a particular subuser, there's a "Change Sending" button; after you click that, you can choose a domain. I haven't tried it this way, but it looks like it should work. It's not mentioned in the documentation linked above.

I think it is also possible to verify a domain when logged in as the subuser, but I also haven't tried this.

I don't know if you need aspf=r or adkim=r in your DMARC record for this to work. I have them just in case, but it looks to me like the DKIM sender domain is my custom domain, not a subdomain, so I think that would be good enough.

aldel
  • This is a little bit misleading. First, in Sendgrid, when adding Sender Authentication, if you add it to the parent account it will work for all subusers and you don't need to assign it. Second, the only way for sendgrid to send out an email with the sendgrid.com domain is for you to not specify the from address, which would be a failure utilizing their API. – Kizzim Jan 13 '21 at 15:06
  • @Kizzim I wasn't talking about a situation where the email was "from" a sendgrid.com address; sorry if that wasn't clear. The "from" address in my emails was at my own registered domain. But the DKIM would "pass with domain sendgrid.com" because the DKIM signature was for sendgrid.com, not for my domain. This is allowed by DKIM, but DMARC requires it to pass with the same domain as the "from" address. I was not able to make this happen without assigning the domain to the subuser. It may depend on other settings, I don't know. – aldel Jan 14 '21 at 16:49
-3

Simply add a TXT record in your DNS settings using the subdomain _dmarc

"v=DMARC1\;p=none\;pct=100\;rua=mailto:serveradmin@mydomain.com\;ruf=mailto:serveradmin@mydomain.com"

Note: Remove other _dmarc records

To test that you have the proper structure, you can check with

$ dig +short txt _dmarc.mydomain.com

should return

"v=DMARC1\;p=none\;pct=100\;rua=mailto:serveradmin@mydomain.com\;ruf=mailto:serveradmin@mydomain.com"
Mez
  • That only ensures that the DMARC _record_ is properly set in DNS; it says nothing about if the overall mail server configuration works properly or not. There is nothing 'simply' about DMARC... – Gwyneth Llewelyn Jul 26 '22 at 16:56