The primary cause of DMARC failures when sending 'on behalf of' another domain is a lack of alignment between the 'From' domain and the domains used for SPF and DKIM authentication. While proper SPF configuration is important, experts and documentation overwhelmingly recommend implementing DKIM signing with the sending domain's private key as the most reliable solution. This allows the sending server to assert its authorization to send on behalf of the 'From' address, regardless of SPF alignment. Other suggested approaches include aligning the return-path/SMTP from with the “header from”, supporting alignment, or avoiding DMARC enforcement, but DKIM is the prevailing best practice.
11 marketer opinions
When sending emails 'on behalf of' another domain, DMARC failures often occur due to alignment issues between the 'From' domain and the domains used for SPF and DKIM authentication. The consensus among experts is that implementing DKIM signing with the sending domain's private key is the most reliable solution. This allows the receiving server to verify the message's authenticity, even when the 'From' address belongs to a different domain. While ensuring proper SPF records can help, DKIM provides a more robust and consistent approach to resolving DMARC alignment problems in 'on behalf of' scenarios. Alternative solutions include aligning the return-path/SMTP from with the “header from” so SPF aligns for DMARC to pass, supporting alignment, or avoiding DMARC enforcement.
Marketer view
Email marketer from ExpertSender responds by recommending DKIM signing for 'on behalf of' emails to ensure authentication. This allows your domain to vouch for the email's authenticity, even when the 'From' address belongs to another domain.
24 Aug 2024 - ExpertSender
Marketer view
Email marketer from SendGrid shares that DMARC failures occur when SPF fails to authenticate the sending server for the domain in the 'From' address. Ensure SPF records include the IP addresses of servers sending on behalf of the domain, or use DKIM signing to authenticate the email.
26 Nov 2023 - SendGrid
3 expert opinions
Experts agree that DMARC failures when sending 'on behalf of' another domain primarily stem from alignment issues between the 'From' domain and the authenticating domains used in SPF and DKIM. The most recommended solution is to implement DKIM signing with your own domain's signing key. This creates a verifiable link between your domain and the email, bypassing the need for the 'From' domain to match the SPF record. While proper SPF records are important, DKIM is generally considered more reliable for 'on behalf of' scenarios.
Expert view
Expert from Word to the Wise shares that one of the main reasons for DMARC failure is a lack of proper alignment between the From: domain and either the SPF or DKIM domain. When sending on behalf of, the best approach is to implement DKIM signing with your own domain to assert that you are authorized to send on behalf of the 'From:' address.
28 Aug 2023 - Word to the Wise
Expert view
Expert from Email Geeks explains that it’s easy to get DMARC wrong because it can be so complex. An example of this issue is when there is no DKIM on the From domain and SPF doesn’t align, so DMARC fails.
26 Aug 2021 - Email Geeks
5 technical articles
Documentation consistently points to alignment issues between the 'From' header and the SPF/DKIM domains as the primary reason for DMARC failures when sending 'on behalf of' another domain. DMARC relies on this alignment for authentication. Configuration of both SPF and DKIM is crucial, ensuring the sending domain is authorized and signatures use the correct domain. Even with relaxed alignment modes, complete domain differences can still lead to failure. Correct DKIM setup, allowing the sending domain to vouch for the message, is the recommended approach.
Technical article
Documentation from RFC Editor describes that DMARC policies are designed to handle cases where email is sent 'on behalf of' a domain. It specifies that either SPF or DKIM must align with the domain in the 'From' header for the message to pass DMARC authentication.
30 Jan 2024 - RFC Editor
Technical article
Documentation from AuthSMTP details that 'on behalf of' sending causes DMARC issues because the From address domain doesn't align with the authenticating domain. They advise setting up DKIM signatures correctly so your domain vouches for the message.
2 Nov 2024 - AuthSMTP
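The alignment rule described in the technical articles above, as an added example that is not taken from any of the quoted sources: a message can pass SPF and DKIM for the sender's own domain and still fail DMARC, because neither authenticated domain aligns with the 'From' header. The names Message and dmarc_result, the example.com / example.net domains and the tiny PUBLIC_SUFFIXES set (a stand-in for the full Public Suffix List) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: a tiny stand-in for the Public Suffix List; a real evaluator
# loads the full list to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain: str) -> str:
    """Return the public suffix plus one label (the organizational domain)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # fallback for unknown suffixes

def aligned(from_domain: str, auth_domain: str, strict: bool) -> bool:
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class Message:
    header_from: str   # domain in the visible From: header
    mail_from: str     # return-path (SMTP MAIL FROM) domain checked by SPF
    spf_pass: bool     # SPF result for mail_from
    dkim: list         # (d= domain, signature verified) pairs

def dmarc_result(msg: Message, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes if SPF or DKIM both passes and aligns with header_from."""
    spf_ok = msg.spf_pass and aligned(msg.header_from, msg.mail_from, aspf == "s")
    dkim_ok = any(ok and aligned(msg.header_from, d, adkim == "s")
                  for d, ok in msg.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed samples: a provider (esp.example.net) sending as example.com.
ON_BEHALF = Message("example.com", "bounce.esp.example.net", True,
                    [("esp.example.net", True)])   # authenticated, not aligned
FIXED = Message("example.com", "bounce.esp.example.net", True,
                [("mail.example.com", True)])      # DKIM d= under the From domain

if __name__ == "__main__":
    for name, msg in (("on behalf of", ON_BEHALF), ("aligned DKIM", FIXED)):
        print(name, dmarc_result(msg))
```

With adkim="s" the second sample fails as well, because mail.example.com is not an exact match for example.com.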