0

We're in the midst of a project to make all of our mail sources, including third parties that send on our behalf, DMARC compliant. We've run into a snag, namely an entire data center full of servers that send mail (usually just status updates or errors). If the mail's from address is <user@hostname.domain.tld> and we have many of them, and there are new ones added almost weekly, then how do get these compliant?

My understanding of DKIM and SPF, is that we'd need a DNS entry per host, because the receiving mail server checks on those records based on the FQDN of the from address.

Is there a reasonable way to keep using <user@hostname.domain.tld> as the from addresses and still make these 200+ (and changing) servers DMARC compliant?

Stephen Jarjoura
  • 17
  • 5

1 Answers1

2

Yes, this is what DMARC's "relaxed" mode is for. You can set that for both SPF and DKIM matching by adding these elements to your DMARC record:

aspf=r; adkim=r

However, this is the default behaviour, so you don't actually need to add them at all!

In this mode, a message from user@hostname.domain.tld would be a relaxed match for domain.tld.

Synchro
  • 35,538
  • 15
  • 81
  • 104