Strict spf and dkim alignment with 3rd party e-mail services

Hi all,

I have this situation again and again with different customers, and I need a good way to solve it, or a good way to solve myself.

What I want to achieve (if feasible) is to have strict alignment on both DKIM and SPF.
The issue is when the customer is using services like SendGrid, Ometria and so on, then it will always fail on the SPF alignment.

Let’s take 1 example:
from domain: example.com
spf domain: em9653.example.com

Result SPF Dmarc: fail-unaligned.

Question 1: Is it possible to get it aligned in strict mode when the service is sending email like this?

Question 2: Is it worth spending time on it at all or is it just stupid and I can go with relaxed mode?

Hi SinHazzard and welcome to the forums!

The conversation regarding strict vs relaxed alignment is an important one. Should you use one over the other? Which one to choose depends entirely on the needs, but the reality is that what is possible is entirely based on the various systems that you use to send emails on behalf of your domain.

You pointed out a very good Example: SendGrid. SendGrid only supports relaxed SPF alignment due to the use of delegated subdomains for the purpose of DMARC alignment. There is no way around this.

The idea of strict vs relaxed alignment works best when considering the email segmentation strategy., which is to delegate or isolate specific systems or third party service providers to only send from specific subdomains. If control of a subdomain is delegated or segmented for a specific purposes, they shouldn’t be able to send email as @example.com and the strict alignment option would prevent that from being possible.

One of the main concern of relaxed alignment is that it would permit anyone to send with an authenticated subdomain on behalf of the primary domain of an organization. In practice, this is not that easily achieved due to check and balances and the requirement of DNS to be involved in the authorization of emails sent from your domain. This means the external security concerns comes from compromised delegated subdomains, and the ability to control what people within your own organization should be allowed to do.

Universities are prone to this, as they often have many independent operational units with technical teams responsible of managing email sending infrastructure. This level of control could lead a relax alignment to permit them to send from the primary domain. In this case the intentions are not malicious, but mostly undesirable.

In closing, with the use of SendGrid, you have no choice but to use relaxed SPF alignment. If you are concerned regarding this mode on your primary domain, I recommend you isolate this service provider to send from a subdomain instead. A relax alignment will still be required, but should the SendGrid account become compromised, it will only be able to send from that subdomain. SendGrid can only send from specific email addresses configured as allowed senders. This means it is isolated to the subdomain, preventing impact on your primary (grey listing, domain based spam signature, etc). At this point all you need to do is to remove the DKIM and SPF records you added to authenticate SendGrid and DMARC will fail. If you have a reject policy published, these will be rejected.

I hope this helps.

1 Like

Hi Asher, thank you for the welcome.

Good I did not waste more time trying to get it aligned, used enough time on testing and reading articles already.

The issues with customers it that they just do stuff without asking, so the sender address is already in use and branded everywhere and will not be changed.

I will keep your advice with the subdomain as a special email domain, maybe someone one time in the future will ask before implement and then I have the solution.

Thank you for the explanation, it was easy to understand for people like me that is new to this.

1 Like

Hi again and regarding subdomains, and sorry about the formating in the domains, I get this error if I do not split the link with blank space “sorry new users can only put 2 links in a post”.

I am looking into a trust no one concept, except those that are explicitly allowed.
And if you are not explicitly allowed you will be rejected.

Anyone know if this is a supported configuration? And is it logical at all or just a perfect example of overthinking?

Primary domain is in strict alignment
Host: _dmarc.example.com
Type: TXT
Data: v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:reports@example.com; adkim=s; aspf=s;

Subdomain is in relaxed alignment
Host: _dmarc.marketing.example.com
Type: TXT
Data: v=DMARC1; p=quarantine; pct=100; rua=mailto:reports@example.com; adkim=r; aspf=r;

In this example all emails that is originating at the “marketing. example. com” subdomain should pass, no matter it’s alignment.
But if another email that is originating at a different subdomain like"support. example. com" should be rejected.

Bonus question: What if the email is originating from the “justtrash. marketing. example. com” sub-subdomain, how will that be handled? I read that the SP tag only affect the primary domain.

Hi again SinHazzard!

There may be a misunderstanding on how alignment restrictions applies to subdomain when inherited from the organizational domain. Let me try to explain with an example.

For subdomains without their DMARC policy, they inherit the policy from the organizational domain, including the alignment mode. You are also correct that the “sp” tag is only processed at the organizational domain level. In your example, an email from support.example.com would only be rejected if the SPF or DKIM signing doesn’t does not match, or fails the authentication check. Let’s assume:

From: support.example.com
Mail From: support.example.com which passed SPF

The strict alignment mode, when inherited from the organizational domain, still applies on the value of the From header of the email currently being evaluated. So in my example above, it passes alignment.

Now let’s assume:

From: support.example.com
Mail From: otherstuff.example.com which passed SPF

The above would fail DMARC, since the inherited policy has a strict alignment mode, so it doesn’t matter if SPF passed.

Hopefully this helps!