I have a weird problem with Shortsack (https://help.shortstackapp.com/). I have allow SPF configuration in our domain (montreal.ca) and yet, all email failed dmarc even if the IP is whitelist.
Dmarc failed with unaligne but SPF and Dkim Pass. Any idea?
We need to see more details, specifically the RFC 5321 (return-path) & RFC 5322 (From) email addresses. We also need to see the IP of the sending MTA and your SPF record. Your DKIM header from the message is necessary, too, so we can see what domain and selector were used.
Unaligned means that your return-path and from domains didn’t match for SPF DMARC, or your from domain and your DKIM domain don’t match to pass DKIM DMARC. How precisely they need to match depends on whether you are using relaxed or strict policies.
Shortstack uses Sendgrid as a email platform to send their email. Their default RFC 5321 Mail From (spf domain) and DKIM signing domain are “email.campaign-mail-1.com”. Domain authentication needs to be configured in order to achieve alignment, which is necessary for DMARC authentication. Without alignment, adding to your domain’s SPF record will not help with DMARC authentication, or SPF authentication for that matter.
The help articles were of no help regarding configuring domain authentication, so unless the provider coded a GUI to allow doing that, you will need to reach out to them so that they can configure your account for domain authentication in Sendgrid.
If you need more help on the steps to take, don’t hesitate to reach out to support@dmarcian.com.