We are implementing DMARC and are close to completing the process. We have one use case we do not know how to handle. Let me explain it:
We use MS365 and have SPF, DKIM and DMARC in place for
our.domain.com. Everything works as expected. But we have an external user using Google Workspace with their own domain. He should be able to send mail with Google Workspace from
their.domain.com with a Header From of
These Google Mails pass SPF and DKIM, but don’t align with DMARC due to the header-from.
Would it be possible to resolve this? How do I tell DMARC that it is okay to send from their.domain.com with a header-from of our.domain.com?
What you are asking for sounds like a bad idea since it would allow this sender to impersonate your domain. Let’s ignore that for the moment and proceed. Since the envelope sender is not going to match your domain, you cannot use SPF to pass DMARC. You will need to publish a DKIM record in your DNS and your Google Workspace sender will need to sign messages with the corresponding private key. You will need to add your domain to their Google Workspace to get Google to generate a DKIM keypair.
I strongly recommend against implementing this method. You will create significantly less risk by requiring that sender to use a mailer that is under your control.
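The alignment logic both posts are talking about, as an added example (my own code, not from either poster): a small DMARC evaluator that takes the header From domain, the SPF-authenticated MAIL FROM domain, and the `d=` domains of any passing DKIM signatures, and decides pass/fail the way a receiver would. It uses `example.com` for "our" domain and `example.net` for the Google Workspace sender's domain, because the thread's placeholders `our.domain.com` and `their.domain.com` are both subdomains of `domain.com` and would actually align under the default relaxed mode; two unrelated organizations will not. The organizational-domain lookup is a deliberate simplification (last two labels) that stands in for a Public Suffix List lookup, and the sample auth results are constructed, not captured from real mail.

```python
"""Added example: DMARC identifier alignment, not code from the original thread."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AuthResults:
    """What a receiver knows about one message after SPF and DKIM checks."""
    header_from: str                       # domain in the RFC5322.From header
    spf_domain: Optional[str]              # MAIL FROM domain that SPF evaluated
    spf_result: str                        # "pass", "fail", "none", ...
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (d= domain, result)


def org_domain(domain: str) -> str:
    # Simplification: treat the last two labels as the organizational domain.
    # A real implementation consults the Public Suffix List (e.g. for co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags, applying the relaxed-mode defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # DKIM alignment mode, default relaxed
    tags.setdefault("aspf", "r")    # SPF alignment mode, default relaxed
    tags.setdefault("p", "none")
    return tags


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict: exact match. Relaxed: same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    if mode == "s":
        return a == h
    return org_domain(a) == org_domain(h)


def dmarc_evaluate(record: str, r: AuthResults) -> dict:
    """DMARC passes if SPF or DKIM passes *and* its domain aligns with header From."""
    tags = parse_dmarc(record)
    spf_aligned = (
        r.spf_result == "pass"
        and r.spf_domain is not None
        and aligned(r.spf_domain, r.header_from, tags["aspf"])
    )
    dkim_aligned = any(
        result == "pass" and aligned(d, r.header_from, tags["adkim"])
        for d, result in r.dkim
    )
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else tags["p"],
    }


# Constructed sample data (assumed placeholders, not real domains or mail).
DMARC_RECORD = "v=DMARC1; p=reject"          # our domain's policy, relaxed alignment

# The situation in the question: Google signs and passes SPF for the
# sender's own domain, but the From header carries our domain.
GOOGLE_AS_IS = AuthResults(
    header_from="example.com",
    spf_domain="example.net", spf_result="pass",
    dkim=[("example.net", "pass")],
)

# The answer's proposal: our domain is added to their Workspace and Google
# adds a second DKIM signature with d=example.com using our published key.
GOOGLE_WITH_OUR_DKIM = AuthResults(
    header_from="example.com",
    spf_domain="example.net", spf_result="pass",
    dkim=[("example.net", "pass"), ("example.com", "pass")],
)

if __name__ == "__main__":
    print("as-is:        ", dmarc_evaluate(DMARC_RECORD, GOOGLE_AS_IS))
    print("with our DKIM:", dmarc_evaluate(DMARC_RECORD, GOOGLE_WITH_OUR_DKIM))
```

Note what the second case shows: SPF still cannot align (the envelope sender stays example.net), so the only thing keeping the message out of `p=reject` is a DKIM signature made with a key that a third party now holds. That is exactly the impersonation risk the answer warns about, and setting `adkim=s` does not help, since the signature domain is the header From domain itself.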