SPF fail for alias domain

Hi all!
I have 2 domains hosted at gmail, let’s say “zxc[.]net” and “zxc[.]com”, the second being an alias of the first. DMARC reports I receive for zxc[.]net say everything is fine, but reports for zxc[.]com say that SPF “fail-unaligned” because (if I correctly understand it) when I send mail from an address at zxc[.]com, SMTP header says “zxc[.]com” but HELO command says “zxc[.]net”.
Does anybody know if it’s possible to configure SPF record to accommodate this situation?

Kind regards

SPF is only checked against HELO if the mail doesn’t contain a Return-Path header. If Return-Path is present, it will be used for SPF check and therefore you need to look into how you align your Return-Path with your “From: Domain”. Keep in mind that SPF can be perfectly valid, while still being unaligned from a DMARC perspective.

Thanks for your tip! I’ll try it.

Kind regards

@UffeA’s feedback is mostly correct, but with a common misconception.
SPF checks are NOT performed against the ‘Return-Path’ header. They are performed against the value of the mail-from SMTP element. The Return-Path header appears amongst headers of messages simply to reflect what the mail-from was, and each hop that the message transits can change the Return-Path header value based on what actually happened during SMTP.

A source of confusion on this topic is that some people call the mail-from ‘returnpath’ interchangeably. (also ‘bounce address’, ‘rfc5321.from’, ‘rfc5321.mailfrom’)

So to resolve the stated issue, you must update the sending behaviour to actually use the same domain in mailfrom as appears in the From: header (rfc5322.From). To note, the mailfrom domain in use may be a subdomain of the From domain, so that you can usefully segregate SPF records. (This is assuming your DMARC record is set with relaxed alignment, which is the default behaviour)
mailfrom value of tomki@support.dmarcian.com
From value of tomki@dmarcian.com

Use of a subdomain this way would mean that you must have a specific SPF allowance at the DNS TXT location for support.dmarcian.com.



Thanks Tomki!
The point is that the 2nd domain is not a subdomain of the 1st one: the addresses are me@zxc.com and me@zxc.net, both addresses belonging to the same organization.

So, you say I won’t fix this issue by making Reply-to equal to From?

Right, you cannot fix the issue by changing message headers. You must change sending server/application behaviour.
If you have correct DKIM signing on this traffic (DKIM key for the same domain as the From header), the traffic will still pass DMARC successfully.

You mean the HELO?

Should my problem be solved if both domains have the same DKIM signature?

@Tomki, I’ll agree that the myriad of names for rfc5321.mailfrom is confusing, but isn’t ‘common misconception’ a bit harsh?

An explanation for the many names can be found at https://dmarc.org/2016/07/how-many-from-addresses-are-there/


Not really; SPF checks work by default on the mail-from, falling back to the HELO content only if the mail-from was empty.

I don’t understand that question. DMARC-DKIM will pass if a) the raw signature verification itself passes and b) the signature attached in the DKIM-Signature header was done with the same domain as the domain in the From header of the message. (subdomain relationships work too, if the DMARC default adkim=r is unchanged)

@opvind Sorry, I didn’t mean to come across that way. It is simply that I do have the impression that it is a common misconception. 🙂
Thanks for the link, that is a useful resource.
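
The alignment rules discussed in this thread, as an added Python example that is not part of any participant's post: it evaluates DMARC SPF and DKIM identifier alignment for the alias-domain case (zxc.com sent with a zxc.net mail-from) and for the subdomain case. The function names are hypothetical, `PUBLIC_SUFFIXES` is a tiny constructed stand-in for the real Public Suffix List, and the raw SPF and DKIM verification results are passed in as inputs rather than computed.

```python
# Constructed stand-in for the Public Suffix List (assumption, not the real list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' (relaxed) compares organizational domains, 's' (strict) exact names."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1]

def dmarc_result(from_addr, mail_from, helo, spf_pass, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs is a list of (d= domain, signature_verified) tuples."""
    from_dom = domain_of(from_addr)
    # SPF identity is the mail-from domain; HELO is used only when mail-from is empty.
    spf_dom = domain_of(mail_from) if mail_from else helo
    spf_ok = spf_pass and aligned(spf_dom, from_dom, aspf)
    dkim_ok = any(ok and aligned(d, from_dom, adkim) for d, ok in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

if __name__ == "__main__":
    # Constructed cases based on the domains named in the thread.
    cases = [
        ("alias, SPF only", ("me@zxc.com", "me@zxc.net", "mail.zxc.net", True, [])),
        ("alias, DKIM d=zxc.com", ("me@zxc.com", "me@zxc.net", "mail.zxc.net",
                                   True, [("zxc.com", True)])),
        ("subdomain mail-from", ("tomki@dmarcian.com", "tomki@support.dmarcian.com",
                                 "mail.dmarcian.com", True, [])),
    ]
    for name, args in cases:
        print(name, dmarc_result(*args))
```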