DMARC/SPF configuration error
I have a domain registered at domains.google.com that I use with a G Suite account and also to send email from SES and mailchimp.

My DNS records look correct to me (Mailchimp instructions):

@ TXT "v=spf1 include:_spf.google.com include:amazonses.com include:servers.mcsv.net ~all"

_dmarc TXT "v=DMARC1; p=none; pct=100; rua=mailto:[email protected]; sp=none; aspf=r;"

I use postmark's nifty service to get a weekly DMARC digest, and they report this error for mailchimp emails:

mcsv.net is authorized to send on behalf of mydomain.com, however it looks like SPF is still failing DMARC’s alignment test. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. If the Return-Path path doesn’t match your From address, those messages will fail DMARC’s SPF alignment test. Check with this source because you may need to set up a custom Return-Path.

Here are relevant headers from a mailchimp email:

Return-Path: <bounce-mc.us17_88978185.265251-recipient=patentbots.com@mail125.suw11.mcdlv.net>
From: [email protected]

Do I have an error in setup (either DNS or Mailchimp) that causes SPF DMARC alignment to fail? Or is this something that isn't supported by Mailchimp?

Fatality answered 22/5, 2018 at 14:1 Comment(0)

Mailchimp does not support SPF as it uses its own domain in the bounce address. Their domain authentication verification tool requires including Mailchimp, though. Mailchimp always fails DMARC's SPF alignment test because the Return-Path doesn't match the From address. Mailchimp doesn't support a custom Return-Path (even though Mandrill, which is owned by Mailchimp, does). This makes it impossible to be 100% SPF-compliant under DMARC rules with Mailchimp.

Samson answered 26/9, 2018 at 13:26 Comment(3)
Thanks, very helpful, but then why does Mailchimp instruct users to add SPF records? – Fatality
Jeff O'Neill, Clarification: Mailchimp DOES support SPF. Mailchimp's implementation of SPF DOES NOT support SPF in a way that will pass DMARC. – Samson
This means that if you set your DNS record with hardfail -all, your messages won't deliver. Pleasant. – Pruter

I'm not 100% sure, but I'd guess that if the domains for return-path and from header have to match, you would need to have a CNAME DNS record in your own domain pointing at MC, so that the domains could match, something like:

mc CNAME mail125.suw11.mcdlv.net

Then your return path might become <bounce-mc.us17_88978185.265251-recipient=patentbots.com@mc.mydomain.com>.

I don't know if a subdomain match like this is sufficient, i.e. whether DMARC considers mc.mydomain.com and mydomain.com to be sufficiently aligned.

I can see the management of this being a little tricky if you have lots of domains.

Tyndale answered 22/5, 2018 at 15:52 Comment(2)
This is correct. If you take a look at how SendGrid achieve this, they ask you to add a CNAME record to whitelabel your domain, and point it to sendgrid.net. I chose email (ie. email.mydomain.com). Then in emails the return path appears as Return-Path: [email protected], even though the From does not include subdomain. ie: From: "My Domain" <[email protected]> I also use PostMark and get 100% alignment with emails sent via SendGrid. – Afrikaans
Thanks. I've since learned more about this. You can only use subdomains like this in DMARC "relaxed" mode; "strict" mode does require an exact match. – Tyndale
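The following is an added example, not code from the thread or from Mailchimp/Postmark. It implements the DMARC SPF identifier-alignment check that the question's `aspf=r` record and the subdomain discussion above turn on (RFC 7489 section 3.1.2): relaxed mode compares organizational domains, strict mode requires an exact match. The From address `newsletter@mydomain.com`, the `dmarc-reports@mydomain.com` report mailbox and the tiny public-suffix table are constructed for the example; a real verifier derives the organizational domain from the full Public Suffix List.

```python
"""Added example (not from the original thread): DMARC SPF alignment check.

Demonstrates why a Return-Path on mcdlv.net can never align with a From
address on mydomain.com, and why a CNAME'd subdomain such as
mc.mydomain.com aligns only under relaxed (aspf=r) mode.
"""
from email.utils import parseaddr

# Assumption: a stand-in for the Public Suffix List, enough for this demo.
# Production code must use the real PSL (e.g. the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable domain: the public suffix plus one label.

    'mail125.suw11.mcdlv.net' -> 'mcdlv.net', 'mc.mydomain.com' -> 'mydomain.com'.
    """
    labels = domain.lower().rstrip(".").split(".")
    # Check the longest candidate suffix first so 'co.uk' wins over 'uk'.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def address_domain(header_value: str) -> str:
    """Extract the domain part from a From or Return-Path header value."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        raise ValueError(f"no mailbox found in header value: {header_value!r}")
    return addr.rsplit("@", 1)[1].lower()


def parse_dmarc_aspf(dmarc_record: str) -> str:
    """Return the aspf tag of a DMARC TXT record; RFC 7489 defaults it to 'r'."""
    tags = {}
    for part in dmarc_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return tags.get("aspf", "r")


def spf_aligned(from_header: str, return_path_header: str, mode: str = "r") -> bool:
    """True if the Return-Path domain aligns with the From domain.

    mode 's' (strict): domains must be identical.
    mode 'r' (relaxed): organizational domains must be identical.
    """
    from_domain = address_domain(from_header)
    return_path_domain = address_domain(return_path_header)
    if mode == "s":
        return from_domain == return_path_domain
    return organizational_domain(from_domain) == organizational_domain(return_path_domain)


# Constructed sample headers modelled on the ones quoted in the question.
FROM_HEADER = "newsletter@mydomain.com"  # constructed From address
MAILCHIMP_RETURN_PATH = (
    "<bounce-mc.us17_88978185.265251-recipient=patentbots.com"
    "@mail125.suw11.mcdlv.net>"
)
# What the Return-Path would look like behind an 'mc' CNAME in your own zone.
CNAME_RETURN_PATH = "<bounce-mc.us17_88978185.265251-recipient=patentbots.com@mc.mydomain.com>"
DMARC_RECORD = "v=DMARC1; p=none; pct=100; rua=mailto:dmarc-reports@mydomain.com; sp=none; aspf=r;"


def alignment_report() -> dict:
    """Evaluate both Return-Paths under the record's mode and under strict mode."""
    mode = parse_dmarc_aspf(DMARC_RECORD)
    return {
        "aspf": mode,
        "mailchimp_relaxed": spf_aligned(FROM_HEADER, MAILCHIMP_RETURN_PATH, mode),
        "mailchimp_strict": spf_aligned(FROM_HEADER, MAILCHIMP_RETURN_PATH, "s"),
        "cname_relaxed": spf_aligned(FROM_HEADER, CNAME_RETURN_PATH, mode),
        "cname_strict": spf_aligned(FROM_HEADER, CNAME_RETURN_PATH, "s"),
    }


if __name__ == "__main__":
    for check, result in alignment_report().items():
        print(f"{check}: {result}")
```

Running it shows the two points made in the thread: the stock Mailchimp bounce domain fails in both modes, because `mcdlv.net` and `mydomain.com` share no organizational domain, while a bounce domain under your own zone passes relaxed alignment and still fails strict alignment. Note that alignment is only half of the SPF pass: the Return-Path domain must also publish an SPF record that authorizes the sending host, which is why an `include:` on the From domain alone does not help here.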
