DMARC/SPF configuration error

2019-07-01 17:55发布

I have a domain registered at domains.google.com that I use with a G Suite account and also to send email from SES and mailchimp.

My DNS records look correct to me (Mailchimp instructions):

@ TXT "v=spf1 include:_spf.google.com include:amazonses.com include:servers.mcsv.net ~all"

_dmarc TXT "v=DMARC1; p=none; pct=100; rua=mailto:re+aml1ryadtn7@dmarc.postmarkapp.com; sp=none; aspf=r;"

I use postmark's nifty service to get a weekly DMARC digest, and they report this error for mailchimp emails:

mcsv.net is authorized to send on behalf of mydomain.com, however it looks like SPF is still failing DMARC’s alignment test. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. If the Return-Path path doesn’t match your From address, those messages will fail DMARC’s SPF alignment test. Check with this source because you may need to set up a custom Return-Path.

Here are relevant headers from a mailchimp email:

Return-Path: <bounce-mc.us17_88978185.265251-recipient=patentbots.com@mail125.suw11.mcdlv.net>
From: me@mydomain.com

Do I have an error in setup (either DNS or Mailchimp) that causes SPF DMARC alignment to fail? Or is this something that isn't supported by Mailchimp?

2条回答
Juvenile、少年°
2楼-- · 2019-07-01 18:26

I'm not 100% sure, but I'd guess that if the domains for return-path and from header have to match, you would need to have a CNAME DNS record in your own domain pointing at MC, so that the domains could match, something like:

mc CNAME mail125.suw11.mcdlv.net

Then your return path might become <bounce-mc.us17_88978185.265251-recipient=patentbots.com@mc.mydomain.com>.

I don't know if a subdomain match like this is sufficient, i.e. whether DMARC considers mc.mydomain.com and mydomain.com to be sufficiently aligned.

I can see the management of this being a little tricky if you have lots of domains.

查看更多
疯言疯语
3楼-- · 2019-07-01 18:31

Mailchimp does not support SPF as it uses its own domain in the bounce address. Their domain authentication verification tool requires including Mailchimp, though. Mailchimp always fails DMARC's SPF alignment test because the Return-Path path doesn’t match the From address. MailChimp doesn't support custom Return-Path (even though Mandrill, which is owned by Mailchimp, does). This makes it impossible to be 100% SPF-compliant under DMARC rules with Mailchimp.

查看更多
登录 后发表回答