Suped

How to handle DMARC failures when using Trustpilot email invitations with a custom domain?

Summary

Addressing DMARC failures when using Trustpilot email invitations with a custom domain requires a multifaceted approach. Begin by verifying if the return path is aligned and understanding whether Trustpilot is using its own domain. Experts suggest that DMARC failures often stem from SPF alignment issues due to discrepancies between the 'envelope from' and 'header from' domains. Review and correct SPF and DKIM records, utilizing a DMARC record checker for validation. Consider sending Trustpilot invitations from a dedicated subdomain to isolate DMARC failures and maintain the main domain's reputation. Analyze email headers, particularly the Authentication-Results, to pinpoint SPF or DKIM failures. Other recommendations include contacting Trustpilot support, using a dedicated IP address, whitelisting Trustpilot's sending domains (with caution), and implementing feedback loops. Starting with a relaxed DMARC policy (p=none) can help monitor email flow before enforcing stricter policies. Most Trustpilot users don't use custom domain settings, potentially impacting deliverability.

Key findings

  • SPF/DKIM Alignment: DMARC failures often stem from SPF and DKIM alignment issues; ensuring the 'header from' domain matches the 'envelope from' or DKIM signature domain is crucial.
  • Subdomain Isolation: Using a dedicated subdomain for Trustpilot emails can isolate DMARC failures, protecting the main domain's reputation.
  • Header Analysis: Analyzing email headers, especially the 'Authentication-Results', helps identify the root cause of DMARC failures.
  • Trustpilot's Configuration: Understanding if Trustpilot uses its domain and whether it supports DKIM influences the troubleshooting approach.
  • DMARC Record Validation: Validating the DMARC record ensures it is correctly configured and effective.

Key considerations

  • Whitelisting Trade-off: Whitelisting Trustpilot domains or IPs reduces DMARC effectiveness and security.
  • p=none Risks: Starting with a 'p=none' policy allows monitoring but also opens the door for domain spoofing.
  • Return Path Alignment: Verifying that the return path is properly aligned is important.
  • Trustpilot Custom Domain: Most Trustpilot users don't use custom domains, potentially impacting deliverability.
  • Trustpilot Support: Contact Trustpilot support to explore custom solutions, especially for Enterprise clients.

What email marketers say

10 marketer opinions

When encountering DMARC failures with Trustpilot email invitations using a custom domain, several strategies can be employed. A common approach involves using a dedicated subdomain for Trustpilot emails to isolate any DMARC-related issues. Analyzing email headers to pinpoint SPF or DKIM failures is crucial, followed by ensuring proper SPF record configuration or exploring DKIM signing with Trustpilot. Contacting Trustpilot support may reveal tailored solutions, especially for Enterprise clients. Other recommendations include whitelisting Trustpilot's sending domains (though it reduces DMARC effectiveness), creating a relaxed DMARC policy (p=none) for monitoring, and setting up feedback loops to track recipient complaints. Additionally, using a dedicated IP address for Trustpilot emails can simplify SPF/DKIM configuration.

Key opinions

  • Subdomain Isolation: Using a dedicated subdomain for Trustpilot emails isolates DMARC failures, protecting the main domain's reputation.
  • Header Analysis: Analyzing email headers identifies the root cause of DMARC failures (SPF or DKIM issues).
  • Trustpilot Support: Contacting Trustpilot support may offer specific solutions, particularly for Enterprise clients.
  • SPF/DKIM Alignment: Proper SPF record configuration and exploring DKIM signing options are critical for DMARC compliance.
  • Feedback Loops: Setting up feedback loops helps monitor recipient complaints and identify deliverability issues.

Key considerations

  • Whitelisting Trade-off: Whitelisting Trustpilot's sending domains reduces the overall effectiveness of DMARC.
  • p=none Monitoring: Implementing a p=none DMARC policy initially allows monitoring before enforcing stricter policies, but bad actors can spoof your domain.
  • Dedicated IP Control: Using a dedicated IP address provides more control over sending reputation and simplifies configuration.
  • Return Path Alignment: Ensuring the return path is aligned with the sending domain is important.
  • Custom Domain Setting: Most Trustpilot users do not set up a custom domain which could cause DMARC issues.

Marketer view

Email marketer from Mail deliverability forums suggests implementing a p=none DMARC policy to monitor sending results before implementing a quarantine or reject policy. Note that some bad actors can spoof your domain.

27 Oct 2021 - Mail deliverability forums

Marketer view

Email marketer from Email Geeks explains that they discovered most Trustpilot users don't use the 'Custom Domain' setting, resulting in emails being sent from Trustpilot's domain. The company is using their own domain, which is causing issues because Trustpilot only supports SPF records. They will revert to sending invitation emails from Trustpilot's domain until they support DMARC setup.

20 Sep 2023 - Email Geeks

What the experts say

3 expert opinions

When addressing DMARC failures with Trustpilot email invitations using a custom domain, experts highlight key aspects related to Trustpilot's email infrastructure and configuration. It's crucial to understand whether Trustpilot sends emails using their own domain, similar to services like PayPal, which would restrict custom SPF, DKIM, or DMARC setup. Despite utilizing platforms like Twilio/Sendgrid that support DKIM/DMARC, Trustpilot might be making a business decision not to fully implement these security measures. A significant cause of DMARC failures is often SPF alignment issues stemming from discrepancies between the 'envelope from' and 'header from' domains. Therefore, a careful review of SPF records and exploring DKIM signing options (if available from Trustpilot) are essential.

Key opinions

  • Trustpilot Infrastructure: Understanding if Trustpilot sends emails from their domain affects the feasibility of custom SPF, DKIM, and DMARC setup.
  • DKIM/DMARC Support Potential: Trustpilot's use of Twilio/Sendgrid indicates the technical capability to support DKIM/DMARC, suggesting a business choice against full implementation.
  • SPF Alignment Issues: SPF alignment discrepancies between 'envelope from' and 'header from' domains are a primary cause of DMARC failures.

Key considerations

  • SPF Record Review: Carefully review SPF records to ensure accurate authorization of Trustpilot's sending sources.
  • DKIM Signing Options: Explore and inquire about DKIM signing options with Trustpilot to improve authentication and DMARC compliance.
  • Business Decision Impact: Trustpilot's decision not to fully implement DKIM/DMARC requires exploring workarounds to achieve compliance.

Expert view

Expert from Email Geeks questions whether Trustpilot uses their own domain for sending emails like PayPal, making it impossible for users to set up SPF, DKIM, or DMARC. She also shares her own email headers, which show that Trustpilot uses DKIM and DMARC.

6 Oct 2023 - Email Geeks

Expert view

Expert from Word to the Wise explains that when using third-party senders like Trustpilot, DMARC failures often stem from SPF alignment issues because the 'envelope from' domain doesn't match the 'header from' domain. They recommend carefully reviewing SPF records and considering DKIM signing options if available from Trustpilot.

7 May 2022 - Word to the Wise

What the documentation says

4 technical articles

When addressing DMARC failures with Trustpilot email invitations using a custom domain, documentation emphasizes the importance of correct SPF and DKIM setup. DMARC failures often stem from SPF or DKIM alignment issues, where the 'header from' domain doesn't match the 'envelope from' domain (for SPF) or the DKIM signature domain (for DKIM). Crucially, analyzing email headers, particularly the `Authentication-Results` header, helps pinpoint whether SPF or DKIM is failing and why, aiding in the identification and correction of misconfigurations.

Key findings

  • SPF/DKIM Setup: Correct configuration of both SPF and DKIM records is essential for DMARC compliance.
  • DMARC Alignment: DMARC alignment requires the 'header from' domain to match the 'envelope from' domain (SPF) or the DKIM signature domain (DKIM).
  • Header Analysis: Analyzing the `Authentication-Results` header in email headers helps identify the specific cause of DMARC failures.

Key considerations

  • DMARC Record Validation: Use a DMARC record checker to ensure the DMARC record is correctly configured and valid.
  • SPF Record Verification: Verify that the SPF record includes all authorized sending sources for the domain, including Trustpilot.
  • DKIM Configuration Review: Review the DKIM configuration to ensure proper signing and alignment with the 'header from' domain.

Technical article

Documentation from DMARC Analyzer explains that DMARC failures typically occur due to SPF or DKIM alignment issues. If SPF passes but doesn't align (the 'header from' domain doesn't match the 'envelope from' domain), or if DKIM fails, DMARC will fail. They recommend checking SPF and DKIM records and alignment.

18 Feb 2022 - DMARC Analyzer

Technical article

Documentation from EasyDMARC explains that DMARC alignment is crucial. For SPF to align, the `header from` address must match the `envelope from` address. For DKIM to align, the domain in the `d=domain.com` tag of the DKIM signature must match the `header from` address. They suggest ensuring these alignments for Trustpilot emails.

28 Nov 2023 - EasyDMARC
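
The header check described in the documentation summaries above, as an added example (not code from Suped, Trustpilot or the cited vendors): it reads `Authentication-Results` from a constructed message and reports whether SPF or DKIM both passes and aligns with the From: domain, under relaxed or strict alignment. The domains, the `diagnose` helper and the two-label organizational-domain shortcut are assumptions; real receivers use the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a review invitation whose visible From: is the custom
# domain while the envelope sender and DKIM signature belong to the vendor.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounces.vendor-mail.example;
 dkim=pass header.d=vendor-mail.example header.s=s1;
 dmarc=fail header.from=shop.example
From: Shop Reviews <reviews@shop.example>
Subject: How did we do?

body
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. This is wrong for
    # suffixes such as co.uk, where the Public Suffix List is required.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def diagnose(raw, strict=False):
    msg = message_from_string(raw)
    ar = " ".join(msg.get_all("Authentication-Results", []))
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    report = {"from": from_domain, "spf_aligned": False}
    m = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(\S+?)(?:;|\s|$)", ar)
    if m:
        mailfrom = m.group(2).rsplit("@", 1)[-1]
        report["spf"] = (m.group(1), mailfrom)
        # SPF counts for DMARC only when it passes AND the domain aligns.
        report["spf_aligned"] = (m.group(1) == "pass"
                                 and aligned(mailfrom, from_domain, strict))
    # A message may carry several DKIM signatures; one aligned pass is enough.
    report["dkim"] = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", ar)
    report["dkim_aligned"] = any(
        res == "pass" and aligned(d, from_domain, strict)
        for res, d in report["dkim"])
    report["dmarc_pass"] = report["spf_aligned"] or report["dkim_aligned"]
    return report
```

On the constructed sample both SPF and DKIM pass, yet neither aligns with `shop.example`, which is the failure pattern the summaries describe for third-party senders.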
