I’ve set up DMARC on a clients domain. Recently, I started seeing rejected emails from SendGrid.net associated IP 126.96.36.199. I determined for my client that it was an approved service they use sending out emails on behalf of my client.
I added “include:sendgrid.net” to my clients SPF record which used ~all, that translates to “included:188.8.131.52/17”, which covers the source IP.
In my experience, getting SPF or DKIM to at least align with ~all set will prevent DMARC reject from being applied - but I could be wrong on this point. ( We have emails from Google Calendar send out that only pass DKIM and the reject is NOT applied to those)
I considered this to just be temporary until I was able to verify SPF and DKIM and it up properly with help from SendGrid.net or the service sending the emails. However, according to dmarcian, even with the “include:sendgrid.net” in place, the emails are still failing to align and the reject policy is still being applied.
Unfortunately, neither the service sending the emails or SendGrid seem to know what I’m asking. The service doesn’t appear to know anything about DMARC as they just want to suggest Firewall rules. Since the emails are compliant with SPF and DKIM for SendGrid, I suppose it makes sense that the sending service would not know about DMARC.
SendGrid, on the other hand, is taking the position that since the emails they send are compliant to SendGrid’s SPF and DKIM, they should be passing. They seem to be completely missing the point that the emails appear to come from my client’s domain, not SendGrid and thus they ultimately fail. I’ve sent them screenshots of Dmarcian showing this, but they still do not seem to understand.
If there are any suggestions on what I’m doing or saying wrong, what I might show SendGrid to get this fixed, or if anyone has experience dealing with SendGrid, I’d appreciate the help.