Handling DMARC failures when using third-party services like TrustPilot for email invitations, particularly with a custom domain, presents a common deliverability challenge. TrustPilot's standard setup for invitations primarily relies on SPF but often lacks native support for DKIM and DMARC alignment when sending from a user's custom domain. This can lead to emails failing DMARC checks, increasing the likelihood of them being marked as spam or rejected by recipient mail servers. Understanding how DMARC works is crucial, as it requires either SPF or DKIM to align with the From: header domain.
Key findings
Authentication gap: TrustPilot's email invitation service, when configured with a custom domain, often only supports SPF authentication. An SPF pass on its own does not satisfy DMARC, which requires either SPF or DKIM to align with the From: domain. Emails can therefore fail DMARC even if SPF passes.
Domain impact: Using your own domain for TrustPilot invitations without proper DMARC alignment (aligned SPF or aligned DKIM) can negatively impact your domain's sending reputation and deliverability.
Subdomain strategy: To mitigate DMARC failures, one effective strategy is to use a dedicated subdomain for sending TrustPilot invitations. This isolates any deliverability issues to the subdomain, protecting the main domain's reputation. Learn more about resolving DMARC failures with subdomains.
Third-party limitations: Many third-party senders, including some review platforms, might not offer full DMARC support (i.e., DKIM signing from your domain or SPF alignment on the From: domain) because they prefer to control the sending process via their own domains.
Key considerations
Review TrustPilot settings: If you are experiencing DMARC failures, verify how TrustPilot sends your invitations. If they send from their own domain (e.g., @trustpilotmail.com) with your domain in the From: header, DMARC will likely fail. Check this DMARC fail error guide for more details.
Revert to TrustPilot domain: If TrustPilot cannot support full DMARC authentication for your custom domain, consider reverting to sending invitations from TrustPilot's default domain. While this might compromise branding, it ensures deliverability and DMARC compliance.
Engage with TrustPilot: Communicate your DMARC concerns to TrustPilot's support or account management team. Advocating for DMARC support for custom domains can influence their roadmap, especially for enterprise-level clients.
Monitor DMARC reports: Regularly review your DMARC reports to identify sources of failure and understand their impact. This data is critical for troubleshooting and improving your email deliverability. See our guide to troubleshooting DMARC failures.
Understand DMARC alignment: A non-technical guide to DMARC can help you grasp the nuances of alignment. SPF aligns the Return-Path (or Mail-From) with the From: header, while DKIM aligns the d= tag in the DKIM signature with the From: header. DMARC passes when at least one of the two passes and aligns.
Email marketers often face a dilemma when using third-party review platforms like TrustPilot for email invitations. The desire for consistent branding pushes them to use their custom domain in the From: address, but the technical limitations of these platforms regarding DMARC, SPF, and DKIM alignment can lead to significant deliverability issues. This situation forces marketers to balance brand consistency with email inbox placement, sometimes requiring them to compromise on branding to ensure messages reach their intended recipients.
Key opinions
Branding vs. Deliverability: Many marketers prioritize using their custom domain for branding consistency, only to discover it causes DMARC failures due to the third-party provider's (e.g., TrustPilot) lack of full DMARC support. This often leads to a tough choice between branding and ensuring emails land in the inbox.
Impact on campaigns: DMARC failures can severely impact the effectiveness of review invitation campaigns, as emails are more likely to be sent to spam or blocked. This reduces the volume of feedback collected and can ultimately harm conversion rates.
Reverting to default: A common workaround is to revert to sending invitations from the third-party provider's domain (e.g., TrustPilot's own domain), accepting the branding compromise to ensure deliverability.
Advocacy for features: Marketers express hope that platforms will evolve to offer full DMARC, SPF, and DKIM authentication for custom domains, recognizing it as a critical feature for modern email deliverability.
Key considerations
Understand the technical root: Familiarize yourself with why DMARC fails due to alignment issues. This empowers you to discuss technical limitations with third-party providers or make informed decisions about your sending strategy.
Subdomain for safety: If a provider cannot offer DMARC alignment, using a subdomain for these specific emails can protect your main domain's reputation from the fallout of blocklisting or spam folders. This helps keep your primary transactional or marketing emails healthy.
Alternative review methods: If email invitations from TrustPilot continue to pose deliverability problems, explore alternative methods for collecting reviews (e.g., direct links on your website, in-app prompts) that bypass email sending issues entirely.
Proactive monitoring: Implement continuous monitoring of your email deliverability, including DMARC reports, to quickly identify and address any new issues arising from third-party sending. This is key to maintaining a good sending reputation.
Marketer view
Email marketer from Email Geeks explains their situation, noting that their company opted to use their custom domain for TrustPilot email invitations for branding reasons. However, this decision has become problematic because TrustPilot does not seem to allow custom domain authentication beyond basic SPF records. This lack of full DMARC and DKIM support from TrustPilot means emails sent via their platform from the custom domain are failing DMARC checks, impacting deliverability. They will likely need to revert to sending invitations from TrustPilot's default domain to ensure emails reach recipients, despite the branding compromise.
02 Feb 2024 - Email Geeks
Marketer view
Marketer from Reddit shared their experience, stating that they were using a review platform similar to TrustPilot and encountered significant DMARC failures when attempting to send from their custom domain. They emphasized the importance of checking the actual sending domain of the third-party service. They found that even if the From: address showed their domain, the underlying technical sending domain was the provider's, leading to alignment issues.
15 Jan 2024 - Reddit
What the experts say
Email deliverability experts consistently highlight that DMARC failures, especially when using third-party services that send on behalf of a custom domain, are a critical issue. They stress that SPF alone is rarely sufficient for DMARC alignment, which requires either SPF or DKIM to align with the From: header domain. Many third-party providers, like TrustPilot, may control the underlying sending process, making it challenging for customers to achieve full DMARC compliance with their own domains.
Key opinions
SPF insufficiency: Experts agree that if a third-party sender only supports SPF for your custom domain, and the return path (Mail-From) does not align with your From: header domain, then DMARC will fail. SPF's effectiveness hinges on this alignment.
Subdomain recommendation: A prevalent expert recommendation for scenarios where third-party senders lack full DMARC/DKIM support is to move sending to a dedicated subdomain. This protects the primary domain's reputation.
Provider control: Many providers, including those using underlying services like Twilio/SendGrid, choose not to offer full DMARC/DKIM support for customer domains. This is a business decision, not a technical limitation, as the underlying infrastructure often supports it.
Hidden domains: Some third-party senders, like PayPal, intentionally use their own domain in the actual email sending process (e.g., in the Return-Path or DKIM signature) even if your From: header shows your domain. This makes achieving DMARC alignment challenging or impossible from your side.
Key considerations
Verify return path: Always check the Return-Path (or Mail-From) domain of emails sent by third-party services. If it does not align with your From: header domain, SPF alignment for DMARC will fail. For more on this, review why DMARC fails even with passing SPF and DKIM.
Understand limitations: Be aware that many providers may not support DMARC alignment for various reasons, including business choice or ignorance. This means their advice on setting up authentication might be incorrect or incomplete.
Push for features: As DMARC adoption grows, businesses should actively request full authentication support from their third-party vendors. Collective pressure can drive necessary changes in vendor roadmaps.
Implement DMARC monitoring: Using DMARC reports to identify all sending sources for your domain, including those from third parties, is essential. These reports help diagnose where DMARC failures are occurring and why, as explained in our guide to understanding DMARC reports from Google and Yahoo.
Expert view
Email expert from Email Geeks (steve589) raises the immediate question of return path alignment, pointing out that if the return path is not aligned with the From: header, then SPF becomes ineffective for DMARC alignment. This highlights a common oversight where SPF records might exist but don't contribute to DMARC pass due to non-alignment.
02 Feb 2024 - Email Geeks
Expert view
Deliverability consultant from Word to the Wise explains that many providers, like PayPal or Intuit, use their own domains for sending, preventing customers from setting up SPF, DKIM, or DMARC for their custom domains. This is a common practice where the third-party service fully controls the sending infrastructure. They advise checking how TrustPilot actually sends emails before overreacting to DMARC concerns, noting that if TrustPilot uses its own domain in the underlying mail stream, then DMARC alignment from the user's domain isn't expected.
10 Apr 2024 - Word to the Wise
What the documentation says
Official documentation from email authentication standards (RFCs), as well as from major email service providers (ESPs) and security organizations, consistently emphasizes the importance of DMARC alignment. For emails to pass DMARC, at least one of SPF or DKIM must align with the From: header domain. This alignment is often the sticking point for third-party sending services that control their own sending infrastructure and might not provide the necessary mechanisms for a customer's custom domain to achieve DMARC compliance.
Key findings
DMARC alignment rules: DMARC requires either SPF or DKIM to pass authentication AND to be in alignment with the From: header domain. If a third-party service like TrustPilot sends an email with your domain in the From: header but the underlying SPF or DKIM domains do not match, DMARC fails.
Sender Policy Framework (SPF): SPF works by verifying the IP address of the sending server against a published list in the sender's DNS. For DMARC alignment, the domain used in the Return-Path (or Mail-From) header must be the same as, or a subdomain of, the From: header domain for SPF alignment to occur.
DomainKeys Identified Mail (DKIM): DKIM adds a digital signature to emails, verifying the sender and ensuring message integrity. For DMARC alignment, the domain in the d= tag of the DKIM signature must match the From: header domain. Third-party services need to sign emails with your domain's DKIM key for this to pass. Our guide on DKIM selectors can provide further technical insights.
Impact of policy: A DMARC policy of p=quarantine or p=reject means that emails failing DMARC will be treated aggressively by recipient servers, leading to delivery issues. Safely transitioning your DMARC policy is a critical step.
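The alignment rules above can be checked against a message's own headers. The following is an added example, not code from the original page: it compares the Return-Path and DKIM d= domains with the From: domain in relaxed or strict mode. The sample message, the vendor domain reviews-vendor.example, the shortened suffix list and the spf_pass/dkim_pass inputs are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Simplified stand-in for the Public Suffix List (assumption): real DMARC
# validators use the full list to find the organizational domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed sample: custom domain in From:, hypothetical vendor elsewhere.
VENDOR_MSG = """\
Return-Path: <bounce@bounces.reviews-vendor.example>
DKIM-Signature: v=1; a=rsa-sha256; d=reviews-vendor.example; s=s1;
\th=from:subject; bh=placeholder; b=placeholder
From: Example Shop <reviews@example.com>
Subject: How was your order?

Body
"""

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if not auth_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dkim_domains(msg):
    """Extract the d= tag from every DKIM-Signature header."""
    out = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = dict(t.split("=", 1) for t in header.split(";") if "=" in t)
        out += [v.strip() for k, v in tags.items() if k.strip() == "d"]
    return out

def dmarc_alignment(raw, spf_pass=True, dkim_pass=True, strict=False):
    """spf_pass/dkim_pass are the receiver's raw results (assumed inputs here)."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    spf_ok = spf_pass and aligned(rp_dom, from_dom, strict)
    dkim_ok = dkim_pass and any(aligned(d, from_dom, strict) for d in dkim_domains(msg))
    return {"from": from_dom, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}
```

With the constructed message, SPF and DKIM both pass for the vendor's domain yet neither aligns with example.com, so DMARC fails.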
Key considerations
Vendor capabilities: When choosing third-party email senders, verify their DMARC compliance capabilities. This often means they must allow you to either implement a CNAME record for their service to handle DKIM signing on your behalf, or provide their SPF include: mechanism to your SPF record.
Authentication troubleshooting: Use DMARC aggregate reports to identify sources of non-compliant email traffic. These reports provide insights into why emails are failing authentication and from which senders, as detailed in our guide to debugging DMARC authentication and alignment issues.
Domain reputation: Consistent DMARC failures can harm your domain reputation, potentially leading to future emails being blocklisted or sent to spam, even for perfectly legitimate sending practices from other sources. Understanding how long it takes to recover domain reputation is important for planning remediation.
SPF DNS limitations: Be aware of the 10-lookup limit for SPF records, as adding numerous third-party includes can exceed this, leading to SPF failures. This is a common issue that documentation often highlights, and can result in hidden SPF DNS timeout failures.
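The advice to use DMARC aggregate reports to find failing sources (here and under "Implement DMARC monitoring" earlier) can be sketched as follows. This is an added example, not code from the original page: it reads a constructed report in the RFC 7489 aggregate format and lists the sources whose mail failed DMARC, together with the domains that SPF and DKIM actually authenticated. The IP addresses and the vendor domain reviews-vendor.example are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report: one aligned source, one third-party source.
REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>340</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>reviews-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounces.reviews-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def failing_sources(xml_text):
    """Return {(source_ip, spf_domain, dkim_domains): message_count} for DMARC failures."""
    failures = Counter()
    for rec in ET.fromstring(xml_text).iter("record"):
        # policy_evaluated holds the aligned results; auth_results holds the
        # raw results, which can be "pass" for a domain that is not yours.
        pe = rec.find("row/policy_evaluated")
        if "pass" in (pe.findtext("dkim"), pe.findtext("spf")):
            continue  # at least one aligned mechanism passed, so DMARC passed
        key = (rec.findtext("row/source_ip"),
               rec.findtext("auth_results/spf/domain"),
               tuple(d.findtext("domain") for d in rec.findall("auth_results/dkim")))
        failures[key] += int(rec.findtext("row/count"))
    return dict(failures)
```

Aggregate reports arrive from external parties, so a production parser should use a hardened XML library such as defusedxml rather than the standard-library parser used here.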
Technical article
Kinsta documentation outlines that DMARC authentication failures occur when an email fails the DMARC validation process, often due to misconfigured SPF or DKIM records, or issues with domain alignment. This can lead to emails being rejected or sent to spam folders. They emphasize that proper setup of all three protocols (SPF, DKIM, and DMARC) is essential for modern email deliverability and ensuring your emails reach their intended recipients.
10 Apr 2024 - Kinsta
Technical article
GoCreate.me's guide explains that DMARC matters significantly if you send emails from an address associated with your own domain name. It acts as a policy layer over SPF and DKIM, instructing recipient servers how to handle emails that fail authentication. The documentation stresses that both SPF and DKIM must align with the From: header for DMARC to pass, or at least one must pass and align.