Strict SPF and DKIM alignment with 3rd party e-mail services

Hi all,

I have this situation again and again with different customers, and I need a good way to solve it, or a good way to solve it myself.

What I want to achieve (if feasible) is to have strict alignment on both DKIM and SPF.
The issue is when the customer is using services like SendGrid, Ometria and so on; then it will always fail on the SPF alignment.

Let’s take one example:
from domain: example.com
spf domain: em9653.example.com

Result SPF Dmarc: fail-unaligned.

Question 1: Is it possible to get it aligned in strict mode when the service is sending email like this?

Question 2: Is it worth spending time on it at all or is it just stupid and I can go with relaxed mode?

Hi SinHazzard and welcome to the forums!

The conversation regarding strict vs relaxed alignment is an important one. Should you use one over the other? Which one to choose depends entirely on the needs, but the reality is that what is possible is entirely based on the various systems that you use to send emails on behalf of your domain.

You pointed out a very good example: SendGrid. SendGrid only supports relaxed SPF alignment due to the use of delegated subdomains for the purpose of DMARC alignment. There is no way around this.

The idea of strict vs relaxed alignment works best when considering the email segmentation strategy, which is to delegate or isolate specific systems or third party service providers to only send from specific subdomains. If control of a subdomain is delegated or segmented for specific purposes, they shouldn’t be able to send email as @example.com, and the strict alignment option would prevent that from being possible.

One of the main concerns with relaxed alignment is that it would permit anyone to send with an authenticated subdomain on behalf of the primary domain of an organization. In practice, this is not that easily achieved due to checks and balances and the requirement for DNS to be involved in the authorization of emails sent from your domain. This means the external security concern comes from compromised delegated subdomains, and the ability to control what people within your own organization should be allowed to do.

Universities are prone to this, as they often have many independent operational units with technical teams responsible for managing email sending infrastructure. This level of control could lead relaxed alignment to permit them to send from the primary domain. In this case the intentions are not malicious, but mostly undesirable.

In closing, with the use of SendGrid, you have no choice but to use relaxed SPF alignment. If you are concerned regarding this mode on your primary domain, I recommend you isolate this service provider to send from a subdomain instead. Relaxed alignment will still be required, but should the SendGrid account become compromised, it will only be able to send from that subdomain. SendGrid can only send from specific email addresses configured as allowed senders. This means it is isolated to the subdomain, preventing impact on your primary (grey listing, domain based spam signature, etc). At this point all you need to do is to remove the DKIM and SPF records you added to authenticate SendGrid and DMARC will fail. If you have a reject policy published, these will be rejected.

I hope this helps.
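To make the strict vs relaxed distinction concrete, here is an added illustration (not code from either poster) that evaluates DMARC identifier alignment for the thread's example: From domain example.com, SPF-authenticated domain em9653.example.com. It assumes a constructed DMARC record and approximates the organizational domain as the last two DNS labels (real validators use the Public Suffix List).

```python
"""DMARC identifier alignment check (added illustration for this thread)."""


def org_domain(domain: str) -> str:
    # Simplification: last two labels stand in for the organizational domain.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) accepts the same org domain."""
    f, a = from_domain.lower().strip("."), auth_domain.lower().strip(".")
    if mode.lower() == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags; aspf/adkim default to relaxed per RFC 7489."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_result(record: str, from_domain: str, spf_domain: str = None,
                 spf_pass: bool = False, dkim_domain: str = None,
                 dkim_pass: bool = False) -> dict:
    """DMARC passes when at least one authenticated identifier is aligned."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and spf_domain is not None and \
        aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and dkim_domain is not None and \
        aligned(from_domain, dkim_domain, tags["adkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok, "policy": tags.get("p", "none")}


if __name__ == "__main__":
    # Constructed records: strict SPF alignment vs the relaxed default.
    strict = "v=DMARC1; p=reject; aspf=s; adkim=s"
    relaxed = "v=DMARC1; p=reject"
    for rec in (strict, relaxed):
        print(rec, "->", dmarc_result(rec, "example.com",
                                      spf_domain="em9653.example.com", spf_pass=True))
```

With the strict record the SPF identifier em9653.example.com is unaligned, which is the "fail-unaligned" result in the question; a DKIM signature with d=example.com would still carry the DMARC pass.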

Hi Asher, thank you for the welcome.

Good I did not waste more time trying to get it aligned, used enough time on testing and reading articles already.

The issue with customers is that they just do stuff without asking, so the sender address is already in use and branded everywhere and will not be changed.

I will keep your advice about the subdomain as a special email domain; maybe someone one time in the future will ask before implementing and then I have the solution.

Thank you for the explanation, it was easy to understand for people like me who are new to this.
