I am using username@example.net below for privacy, but this is happening to a real domain and email address.
In the mass emails that we send, DMARC is failing:
In my TXT records, this is what I have for DMARC:
_dmarc 14400 IN TXT "v=DMARC1; p=none; rua=mailto:username@example.net; sp=none; aspf=r"
When I go to validate my DMARC records at https://mxtoolbox.com, this is what I get:
Why could DMARC be failing even when a validator says that it passes, no syntax error and everything looks right? Notice how SPF and DKIM are passing. The problem is only with DMARC for some reason that I am trying to understand.
UPDATE 1: I found this paragraph at https://support.google.com/a/answer/2466563?hl=en:
Alignment mode refers to the precision with which sender records are compared to SPF and DKIM signatures, with the two possible values being relaxed or strict, represented by "r" and "s" respectively. In short, relaxed allows partial matches, such as subdomains of a given domain, while strict requires an exact match.
Notice in my _dmarc 14400 IN TXT "v=DMARC1; p=none; rua=mailto:username@example.net; sp=none; aspf=r"
how I am trying to use the relaxed mode.
I'd guess (because I can't tell from what you've posted) it's because your SPF sender domain is not "aligned" with your From header. You're sending through sendgrid, so I expect that sendgrid is also handling your bounces, so you probably have a return-path header on a received message something like:
But your From header is in your own domain:
Your SPF may give permission to send from sendgrid's IPs (via an include of their SPF record), so you'll get a pass for that, but clearly example.net and sendgrid.net are not the same domain, so they are not considered aligned and you'll get a DMARC failure. For it to align in aspf=s mode, either your From address would need to be a sendgrid.net address (probably not what you want), or your mail server needs to be at example.net (you're probably using sendgrid because you don't want to be running your own mail server), so you'd need to revert to aspf=r (relaxed) mode. This would allow you to create a CNAME in your DNS that points a name in your domain, such as mail.example.net, at sendgrid's mail server, and they would need to know that arrangement is in place so that they can send messages using that envelope sender; in relaxed mode, example.net and mail.example.net are considered aligned and you'll get a DMARC PASS.
mxtoolbox will be giving you a pass because your DMARC record is indeed perfectly valid when considered in isolation, but unless your domains on sent messages actually align, it still won't work.
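The alignment rule the answer above describes, as an added example that is not part of the original question or answers: it compares the From-header domain with the SPF-authenticated (envelope) domain and the DKIM signing domain under relaxed ("r") or strict ("s") mode. It assumes a simplified organizational domain (last two labels) instead of the Public Suffix List, and the sendgrid.net envelope and DKIM domains are constructed values for the scenario in the question.

```python
# Added example, not from the original post. Minimal DMARC identifier-alignment
# check: DMARC passes only if SPF or DKIM passed AND that identifier is aligned
# with the RFC5322.From domain. Organizational domain is approximated by the
# last two labels (assumption; a real evaluator consults the Public Suffix List).

def organizational_domain(domain: str) -> str:
    """Approximate organizational domain: last two DNS labels (no PSL lookup)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """True if auth_domain is aligned with from_domain under mode 'r' or 's'."""
    f, a = from_domain.lower().strip("."), auth_domain.lower().strip(".")
    if mode == "s":  # strict: exact match only
        return f == a
    if mode == "r":  # relaxed: same organizational domain (subdomains allowed)
        return organizational_domain(f) == organizational_domain(a)
    raise ValueError(f"unknown alignment mode: {mode!r}")


def dmarc_result(from_domain, spf_pass_domain=None, dkim_pass_domain=None,
                 aspf="r", adkim="r"):
    """spf_pass_domain / dkim_pass_domain: the domain that passed SPF (envelope
    sender) or DKIM (d= tag); None means that check did not pass at all."""
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, aspf)
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Constructed scenario from the question: From is example.net, SPF passes for
    # sendgrid.net's bounce domain, DKIM signed with d=sendgrid.net. Both pass,
    # neither aligns, so DMARC fails even with aspf=r.
    print(dmarc_result("example.net", "sendgrid.net", "sendgrid.net"))
    # After the CNAME fix: envelope sender mail.example.net aligns in relaxed mode.
    print(dmarc_result("example.net", "mail.example.net", "sendgrid.net"))
    # Same envelope sender under strict mode does not align.
    print(dmarc_result("example.net", "mail.example.net", "sendgrid.net", aspf="s"))
```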
Simply add a TXT record in your DNS settings with _dmarc
"v=DMARC1\;p=none\;pct=100\;rua=mailto:serveradmin@mydomain.com\;ruf=mailto:serveradmin@mydomain.com"
Note: Remove other _dmarc records
To test you have the proper structure you can check with:
$ dig +short txt _dmarc.mydomain.com
which should return:
"v=DMARC1\;p=none\;pct=100\;rua=mailto:serveradmin@mydomain.com\;ruf=mailto:serveradmin@mydomain.com"