3

In my setup I have a website (example.app) hosted on Heroku.

Then, I use Sendgrid to send emails from the Heroku server to our users that forget their password. The email is registered using Google's Gsuite. So I also send emails from the Google servers.

The from email is: Appname <noreply@example.app>

So I thought these should be my DNS records (note I don't have an A-record):

CNAMES:

example.app CNAME "example.app.herokudns.com"

www.example.app CNAME "www.example.app.herokudns.com"

SPF:

example.app TXT "v=spf1 a include:_spf.google.com include:sendgrid.net ~all"

DMARC:

_dmarc TXT v=DMARC1; p=none; rua=mailto:dmarc@example.app; ruf=mailto:dmarc-forensic@example.app; fo=0; adkim=r; aspf=r; rf=afrf; pct=100; ri=86400; sp=none

However, the DMARC record doesn't validate, as mail is sent from a different domain than the To address. I think the email is sent from sendgrid.com and the to-address is example.app.

Hence, I think by adding the IP-addresses of my Heroku DNS into the SPF record it should work.

But how do I do this, when these IP-addresses are dynamic?

Michael van de Waeter

1 Answer

4

"No" by protocol - rfc1912#section-2.4 but "yes" if using CNAME flattening.

Also, you should configure your SPF and DMARC using your email servers, in your case, sendgrid, not your@example.app.

Check more about how Cloudflare deals with CNAME flattening here: https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/

nbari
  • Thank you, it works now! I use CNAME flattening on my DNS (a feature of Cloudflare). That way I can use the A record in my SPF record, while not having an A-record specified, because Cloudflare "mimics" an A-record based on the CNAME. Also, I set up Sendgrid's authentication headers using this documentation: https://sendgrid.com/docs/User_Guide/Settings/Sender_authentication/How_to_set_up_domain_authentication.html – Michael van de Waeter Jul 18 '18 at 20:30
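
The DMARC alignment check behind this thread, as an added example that is not part of the original question, answer or comment: it parses the DMARC record from the question and evaluates a message authenticated under the provider's domain against one authenticated under example.app. The two-label organizational-domain shortcut and the sample envelope and DKIM domains are assumptions constructed for illustration.

```python
# Added example: DMARC identifier alignment (RFC 7489), not code from the thread.

DMARC_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc@example.app; "
                "ruf=mailto:dmarc-forensic@example.app; fo=0; adkim=r; aspf=r; "
                "rf=afrf; pct=100; ri=86400; sp=none")  # record from the question


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """ASSUMPTION: organizational domain = last two labels.
    Real evaluators use the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """'r' (relaxed) compares organizational domains; 's' (strict) needs an exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_pass(tags, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with From:."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return spf_ok or dkim_ok


TAGS = parse_dmarc(DMARC_RECORD)
# Constructed messages, both with From: noreply@example.app.
# Before: SPF and DKIM pass, but only for the provider's (constructed) domains.
BEFORE = dmarc_pass(TAGS, "example.app", "pass", "bounce.sendgrid.net", "pass", "sendgrid.net")
# After domain authentication: identifiers sit under example.app (constructed subdomain).
AFTER = dmarc_pass(TAGS, "example.app", "pass", "em1234.example.app", "pass", "example.app")

if __name__ == "__main__":
    print("before:", BEFORE, "after:", AFTER)
```

With `aspf=s` the constructed subdomain `em1234.example.app` would no longer align on SPF, so the relaxed setting in the question's record matters once the envelope domain is a subdomain.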