How to authenticate Aftership with am-sns.com to pass SPF and DKIM for DMARC?

Key findings

• Unexpected domain: am-sns.com appearing in DMARC reports is unusual, especially when the sender is not directly using AWS SES.
• Authentication failures: am-sns.com records show SPF and DKIM failures, indicating messages sent via this domain are not properly authenticated on behalf of the user's domain.
• No direct amazon link: Despite initial assumptions due to am-sns, there's no clear evidence that this domain is an official Amazon sending service.
• Third-party services: The domain appears to be routing through SendGrid IPs, which could be associated with other e-commerce platforms or apps like Shopify or Omnisend (which uses Mailgun).

Key considerations

• Spoofing vs. legitimate sender: Distinguish between actual spoofing attempts and unauthenticated legitimate emails from third-party services. Spoofed emails often fail DMARC but require deeper analysis.
• Detailed DMARC reports: A DMARC reporting tool that provides more granular data (beyond simple pass/fail) is essential for identifying the source and nature of these emails. You may need to troubleshoot DMARC failures and alignment issues.
• Third-party authentication: For legitimate third-party senders, ensure SPF and DKIM are properly configured and aligned with your sending domain to achieve DMARC compliance.
• Service provider policies: Always check documentation for all integrated services (e.g., Shopify apps) to ensure they are set up to send mail on your behalf with proper authentication.

Key opinions

• Confusing DMARC reports: Marketers frequently find unexpected domains in their DMARC reports, leading to confusion about the source of unauthenticated emails.
• Third-party service impact: Many email failures (like those from am-sns.com) are attributed to emails sent by applications connected to platforms like Shopify, especially for order and delivery notifications.
• Spam folder issues: Unauthenticated emails, particularly those with DMARC failures, are highly prone to landing in the spam or junk folder, affecting customer communication.
• Seeking detailed insights: There's a strong desire among marketers for more detailed DMARC reports to properly diagnose authentication issues beyond simple pass/fail statuses.

Key considerations

• Comprehensive DMARC analysis: Utilize DMARC reporting tools that offer in-depth visibility into email sources, authentication results, and policy actions to identify legitimate vs. unauthorized traffic. Consider how to troubleshoot and fix SPF and DMARC settings.
• Authenticating all senders: Ensure every third-party service sending email on your domain's behalf is properly configured with SPF and DKIM. Authenticating AfterShip emails is a common example.
• Aligning authentication: Beyond just passing SPF and DKIM, ensure these mechanisms align with your DMARC policy for legitimate emails to pass DMARC successfully. This is crucial if your emails are going to spam.
• Policy progression: Carefully manage the progression of your DMARC policy from p=none to p=quarantine or p=reject, ensuring all legitimate traffic is authenticated before moving to stricter policies.

Key opinions

• Likely abuse or misconfiguration: The appearance of am-sns.com with authentication failures is likely due to abuse or an unauthenticated third-party sending on behalf of the domain.
• No amazon connection: It is highly unlikely that Amazon services would send emails through domains like am-sns.com that appear to use other cloud sending platforms when Amazon has its own.
• Sendgrid usage: Observations suggest am-sns.com is sending mail from dedicated IPs at SendGrid, which could be linked to services like Omnisend or Shopify.
• AfterShip authentication: The domain am-sns.com is recognized as AfterShip, and official documentation is available for its authentication.

Key considerations

• Detailed DMARC reports are key: Without detailed DMARC reports, it's challenging to accurately diagnose authentication issues and pinpoint the exact source of problematic emails. This is important for fixing DMARC authentication failures.
• Investigate third-party senders: Always review and authenticate all third-party services used for sending emails (e.g., e-commerce apps, marketing platforms) to ensure they are properly configured with SPF and DKIM. Consider where SPF, DKIM, and DMARC records should be placed.
• Cloudflare and DNS records: Verify DNS records, especially SOA and PTR, to confirm the legitimate ownership and sending pathways of domains like am-sns.com, particularly if Cloudflare is involved.
• DMARC policy application: Before enforcing a DMARC reject policy, ensure all legitimate email sources are correctly authenticated to avoid blocking critical communications. Read more on DMARC reject policies and mail flow.

Key findings

• DMARC leverages SPF and DKIM: DMARC acts as a policy layer, using the results of SPF and DKIM authentication to determine how receiving mail servers should handle emails from your domain.
• SPF authorizes sending servers: An SPF record lists the IP addresses and domains that are permitted to send emails on behalf of your domain, reducing email spoofing.
• DKIM provides digital signatures: DKIM adds a digital signature to emails, allowing recipients to verify that the message content hasn't been tampered with and comes from an authorized sender.
• AfterShip authentication: AfterShip provides specific instructions on how to verify your sending domain (including setting up SPF and DKIM) to ensure delivery notifications avoid spam filters.

Key considerations

• Consult official documentation: Always refer to the official support documentation of all third-party services you use for email sending (e.g., AfterShip, Shopify, Omnisend) to correctly configure their respective SPF and DKIM records.
• Domain alignment for DMARC: Ensure that the domains used for SPF and DKIM authentication align with your DMARC policy to pass DMARC checks, as this is often where authentication failures occur even if SPF or DKIM individually pass.
• Monitoring DMARC reports: Actively monitor DMARC aggregate and forensic reports to identify unauthorized sending or misconfigured legitimate senders, allowing for timely adjustments to your DNS records. This is critical for setting up DMARC with multiple senders.
• PTR records for reputation: While not directly part of SPF or DKIM, ensuring proper PTR (pointer) records for sending IPs can contribute to overall sender reputation and deliverability.