MeridianLink (specific vendor) Questions

I have a final single vendor that is non-compliant. They only support SPF validation, and in their knowledgebase, they state this:

"Add the string below into your existing SPF record following the official SPF record syntax. There can be only one SPF record per domain or subdomain.

include: spf.meridianlink.com"

I added the include to my SPF record over a week ago. We send/receive daily mails from them to customers, however, they are still 0% compliant:

I added the IP (circled above) to our SPF record in hopes it would fix this, however, 24 hours later and I’m still at 0% compliance.

If I look at the meridianlink.com spf record, the IP is included:

v=spf1 ip4:12.106.86.0/24 ip4:198.185.62.0/23 ip4:208.81.32.0/24 ip4:208.81.34.0/24 include:spf.protection.outlook.com include:_spf.salesforce.com include:sent-via.netsuite.com include:70258.spf06.hubspotemail.net -all

My question(s):

  1. How do I best troubleshoot this?
  2. Do I need to involve the vendor to get this resolved?
  3. Was adding the circled IP correct, or does that not matter and I should remove that?
  4. Does the circled “mail from” host have anything to do with this?

That’s all I can think of now. Thanks for any insight so I can start moving toward reject status!

Hi jzulkeski and welcome to the forums!

DMARC requires alignment to pass. Alignment means the domain verified for SPF or DKIM must pass either check and be the same as, or a subdomain of, the From header domain. Emails are sent from your domains, but the RFC5321 Mail From domain used by the vendor is @loanspq.com. This means receivers are not evaluating your domain for SPF when receiving emails from this vendor, but loanspq.com. Adding their recommended entry in your SPF record, as of right now, would make no difference.

The goal here is to contact the vendor and request that the RFC5321 Mail From address (also known as the return-path, envelope from) matches your domain. If they support that configuration, they will provide you the steps to follow in order to configure it.

I hope this helps.

2 Likes
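A small worked illustration of the alignment point above (added example, not code from the thread or the vendor). It uses a constructed in-memory set of SPF records in place of DNS: "customer.example" is a hypothetical customer domain, and the loanspq.com and spf.meridianlink.com records are made up for the example (only the two ip4 ranges come from the meridianlink.com record quoted in the question). The organizational-domain logic is simplified to the last two labels rather than the Public Suffix List.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so this runs offline. "customer.example"
# is a hypothetical customer domain; the loanspq.com and spf.meridianlink.com
# records are made up for the example (the /24 and /23 are from the quoted record).
SPF_RECORDS = {
    "customer.example": "v=spf1 ip4:203.0.113.0/24 include:spf.meridianlink.com -all",
    "spf.meridianlink.com": "v=spf1 ip4:12.106.86.0/24 ip4:198.185.62.0/23 -all",
    "loanspq.com": "v=spf1 ip4:12.106.86.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, sender_ip, depth=0):
    """Minimal SPF evaluator: ip4 and include mechanisms only (no a/mx/exists/macros)."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or depth > 10:          # no record, or include chain too deep
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:           # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):     # an include matches only on a "pass"
            matched = spf_check(mech[8:], sender_ip, depth + 1) == "pass"
        else:
            continue                          # unsupported mechanism: ignore it
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched and no "all" term

def organizational_domain(domain):
    # Simplified: last two labels. Real DMARC checks use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def spf_aligned(header_from, mail_from, mode="relaxed"):
    """Relaxed: same organizational domain. Strict: exact match (DMARC aspf=s)."""
    if mode == "strict":
        return header_from.lower() == mail_from.lower()
    return organizational_domain(header_from) == organizational_domain(mail_from)

def dmarc_spf_result(header_from, mail_from, sender_ip, mode="relaxed"):
    """Return (SPF result for the MailFrom domain, aligned?, DMARC pass via SPF?)."""
    # SPF is evaluated against the RFC5321 MailFrom domain, never the From header,
    # so an include in the customer's record is irrelevant while MailFrom is loanspq.com.
    result = spf_check(mail_from, sender_ip)
    aligned = spf_aligned(header_from, mail_from, mode)
    return result, aligned, result == "pass" and aligned
```

With MailFrom loanspq.com the vendor's mail gets SPF "pass" for loanspq.com but is unaligned, so DMARC gets no credit; once MailFrom is the customer domain, the include takes effect and the same message passes.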

Ah, ok, that makes more sense now. I’ll have them change the loanspq.com to our domain if they can. If they can’t (or won’t), should I change the From header to match the loanspq.com emails’ subdomain to keep the emails from being rejected when I (eventually) change my DMARC rule to reject?

It truly depends on what the vendor supports. You are effectively at the mercy of how they codified their system and support the way they send on behalf of their customer’s domains. Not all 3rd parties are created equal.

From a technical perspective, either they need to align with SPF, DKIM or preferably both, or they should not spoof your domain at all. If they can’t support DMARC in any way, but the business decides to keep this vendor, then it would need to be isolated to a subdomain for which a DMARC policy of p=none is deployed, which is not ideal, as you would imagine.

For now, contact the vendor, and communicate your plan and timeline for deploying DMARC enforcement on your domain. If they need help understanding what DMARC means for them as a sender on behalf of your domain, you can direct them to the following.

Hopefully they will be able to provide you with a path forward.

I hope this helps.

1 Like

They changed the outbound emails to spoof our domain and the mail is now SPF DMARC compliant. This is resolved.

1 Like