Why is DMARC failing when using 'on behalf of' sending, and how can I fix it?

Key findings

• The challenge: When an email's From: header uses a customer's domain, but the underlying authentication (SPF's Return-Path or Mail-From) and DKIM signing domains belong to the sending service, DMARC alignment typically fails.
• DMARC's requirement: For DMARC to pass, at least one of SPF or DKIM must not only pass authentication, but also align with the From: header domain. Read more about DMARC alignment in this Duocircle article.
• Dynamic SPF services: Using a dynamic SPF service does not inherently solve the DMARC alignment issue if the Return-Path domain still differs from the From: header.
• Impact of reject policies: A DMARC policy set to p=reject will cause emails to be blocked entirely if alignment fails, making troubleshooting difficult without DMARC reports.

Key considerations

• DKIM delegation: The most effective solution is for the ESP to support delegated DKIM, allowing them to sign emails with the customer's domain (e.g., customer@domain.com). This ensures DKIM alignment and DMARC passes, regardless of SPF alignment.
• SPF alignment strategies: If DKIM delegation isn't an option, work to ensure the Return-Path domain matches the From: header domain for SPF alignment. This often requires the ESP to use the customer's domain for the envelope sender.
• Subdomain usage: Suggest customers send from a subdomain they control (e.g., marketing.customerdomain.com) with a DMARC policy that allows the ESP to align SPF or DKIM. This is explored further in our article on configuring DMARC for subdomains.
• Troubleshooting: When a p=reject policy is in place, rely on DMARC reports for failure analysis or use dedicated DMARC troubleshooting tools that provide detailed header information without blocking.

Key opinions

• Shared ESP challenges: Many ESPs face similar challenges with DMARC failures when customers attempt to send using an on behalf of setup, especially when the customer's DMARC policy is set to reject.
• Crucial alignment: Marketers frequently highlight that SPF and DKIM might pass validation, but if they don't align with the From: domain, DMARC will fail. This is a common pitfall in DMARC, SPF, and DKIM alignment failures.
• Troubleshooting difficulty: When a p=reject policy is active, it becomes challenging to diagnose failures because messages are simply rejected, providing no delivery for analysis.

Key considerations

• Supporting full alignment: ESPs should offer customers the ability to fully align their domain, preferably through delegated DKIM signing, to ensure DMARC compliance.
• Customer education: Providing clear guidance to customers on DMARC requirements and how to configure their DNS records (SPF, DKIM) is essential. For more details on this, refer to Kinsta's guide on DMARC fail errors.
• Alternative sending options: Consider suggesting customers use a subdomain for sending or even the ESP's own domain in the From: address, though the latter may impact branding.
• Monitoring and reporting: Emphasize the importance of DMARC reporting to gain visibility into email authentication results and identify specific failure points. This can help with troubleshooting SPF and DMARC settings.

Key opinions

• Core problem: DMARC failure in on behalf of scenarios is almost always an alignment issue, even if SPF and DKIM themselves pass authentication.
• DKIM's role: Delegated DKIM signing, where the ESP signs with the customer's domain, is the most robust solution for ensuring DMARC alignment.
• SPF limitations: Relying solely on SPF to pass with a different Return-Path domain will not achieve DMARC alignment.
• Complexity: Configuring DMARC correctly, especially with third-party senders, can be complex and is a common source of deliverability issues. This is discussed in depth regarding why legitimate email fails DMARC.

Key considerations

• Implement delegated DKIM: ESPs should prioritize offering delegated DKIM signing as a standard feature to clients who wish to send from their own domain.
• Transparent diagnostics: When a customer has a p=reject DMARC policy, it's vital to have tools or methods that can analyze email headers and authentication results without blocking the email, providing actionable insights for troubleshooting DMARC reject policies.
• Policy guidance: Advise customers to start with a DMARC policy of p=none to monitor authentication results before moving to stricter policies like quarantine or reject.
• Stay updated: Keep abreast of industry changes, such as potential special casing of DMARC policies by major mailbox providers, as highlighted by Spam Resource on recent changes.

Key findings

• RFC 7489 standard: DMARC (RFC 7489) explicitly defines the requirement for identifier alignment between the Header From domain and either the SPF Mail-From domain or the DKIM d= domain.
• Alignment modes: DMARC supports two alignment modes: relaxed (allowing subdomains to align with the organizational domain) and strict (requiring an exact match).
• Authentication impact: If neither SPF nor DKIM achieve alignment, the DMARC record's policy (e.g., p=quarantine or p=reject) will be enforced by receiving mail servers.

Key considerations

• DKIM delegation by ESPs: ESPs are encouraged to provide customers with the ability to delegate DKIM signing, allowing the customer's domain to be used in the DKIM d= tag, ensuring DMARC alignment.
• SPF Return-Path configuration: If SPF alignment is the chosen method, the Return-Path domain must be set to the customer's domain and listed in their SPF record. More information on this can be found in the Amazon SES documentation.
• Monitoring and reporting: Leverage DMARC aggregate and forensic reports to gain insight into email authentication outcomes, helping identify specific reasons for DMARC failures and adjust configurations accordingly.