I'm quite new to this so please excuse my ignorance, but I've been trying to enable DMARC on our domain but am encountering "fails" when I enable the TXT rule on our DNS.

For context, an MFA verification email is sent from Okta, through SendGrid to the recipient, with a "from address" of our domain.com and a "return-path" ending in @sendgrid.net. The entry I enabled was:

v=DMARC1; p=none; rua=mailto:DmarcReport@domain.com; aspf=r; fo=1

I initiated the process and sent the resulting MFA email to a personal outlook.com account for testing and found this excerpt in the header. What am I missing? Thanks in advance!!

Header contents

My original DMARC entry didn't have an ASPF value. I've added one since, but I always thought that the default was "r" if not specified anyway. Apologies, not quite sure how to display the header contents outright instead of the link.

JayMan

1 Answer

DMARC, for SPF alignment, requires the domain used in the Return-Path address (a.k.a. bounce address or smtp.mailfrom) to be the same as the domain in the FROM address, in Strict mode. When you set the aspf tag to relaxed mode, DMARC still requires the Return-Path address and FROM address to share the same organization domain.

For example, where the Return-Path address is me@a.domain.com and the FROM address is you@b.domain.com, this will satisfy the alignment check for DMARC (both share the domain.com organizational domain), when the SPF alignment is set to relaxed, not when set to strict (because the domains do not exactly match).

For DMARC compliant emails via SendGrid, you should follow this guide for setting up authentication for custom domains.

Last note: For future reference, your question is better suited for the ServerFault forum than the Stack Overflow forum, where you would also have gotten (or found) an answer to this specific question, faster.

Reinto
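The alignment rule from the answer, and the reason the question's setup fails it, as an added worked example that is not part of the original post, of SendGrid, Okta, or any DMARC library. It takes a DMARC TXT record like the one in the question, reads the `aspf` tag (defaulting to `r` as the asker assumed), and compares the Return-Path (smtp.mailfrom) domain with the From domain in strict or relaxed mode. The organizational-domain function is a deliberate simplification (an assumption of this example): it keeps the last two labels, which is wrong for multi-label public suffixes such as `co.uk`; real validators consult the Public Suffix List. The addresses used are constructed sample values.

```python
# Added illustration of DMARC SPF alignment (strict vs relaxed), not code from
# the question, the answer, SendGrid or Okta.

def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels.
    ASSUMPTION of this example; a real implementation uses the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(address: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip("<>").lower()


def spf_aligned(from_addr: str, return_path: str, aspf: str = "r") -> bool:
    """SPF identifier alignment as DMARC defines it.
    strict ('s'): Return-Path domain must equal the From domain exactly.
    relaxed ('r'): both must share the same organizational domain."""
    from_domain = domain_of(from_addr)
    rp_domain = domain_of(return_path)
    if aspf == "s":
        return from_domain == rp_domain
    if aspf == "r":
        return organizational_domain(from_domain) == organizational_domain(rp_domain)
    raise ValueError("aspf must be 'r' or 's'")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_alignment(record: str, from_addr: str, return_path: str) -> bool:
    """Apply the record's aspf setting (default relaxed) to one message's identifiers."""
    aspf = parse_dmarc(record).get("aspf", "r")
    return spf_aligned(from_addr, return_path, aspf)


if __name__ == "__main__":
    # The record from the question.
    record = "v=DMARC1; p=none; rua=mailto:DmarcReport@domain.com; aspf=r; fo=1"

    # Constructed sample identifiers matching the question's description:
    # From on the asker's domain, Return-Path on sendgrid.net.
    print(check_alignment(record, "mfa@domain.com", "bounces@sendgrid.net"))

    # The answer's example: subdomains of one organizational domain.
    print(spf_aligned("you@b.domain.com", "me@a.domain.com", "r"))
    print(spf_aligned("you@b.domain.com", "me@a.domain.com", "s"))
```

This models only the alignment half of a DMARC SPF result: the receiver must also get an SPF pass for the Return-Path domain from the connecting IP, and the DKIM path can still align the message independently, which is what the SendGrid custom-domain authentication guide mentioned in the answer sets up (a DKIM signature and a Return-Path on the sender's own domain).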