I have a domain registered at domains.google.com
that I use with a G Suite account and also to send email from SES and mailchimp.
My DNS records look correct to me (Mailchimp instructions):
@ TXT "v=spf1 include:_spf.google.com include:amazonses.com include:servers.mcsv.net ~all"
_dmarc TXT "v=DMARC1; p=none; pct=100; rua=mailto:re+aml1ryadtn7@dmarc.postmarkapp.com; sp=none; aspf=r;"
I use postmark's nifty service to get a weekly DMARC digest, and they report this error for mailchimp emails:
mcsv.net is authorized to send on behalf of mydomain.com, however it looks like SPF is still failing DMARC’s alignment test. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. If the Return-Path path doesn’t match your From address, those messages will fail DMARC’s SPF alignment test. Check with this source because you may need to set up a custom Return-Path.
Here are relevant headers from a mailchimp email:
Return-Path: <bounce-mc.us17_88978185.265251-recipient=patentbots.com@mail125.suw11.mcdlv.net>
From: me@mydomain.com
Do I have an error in setup (either DNS or Mailchimp) that causes SPF DMARC alignment to fail? Or is this something that isn't supported by Mailchimp?
I'm not 100% sure, but I'd guess that if the domains for return-path and from header have to match, you would need to have a CNAME DNS record in your own domain pointing at MC, so that the domains could match, something like:
Then your return path might become
<bounce-mc.us17_88978185.265251-recipient=patentbots.com@mc.mydomain.com>
.I don't know if a subdomain match like this is sufficient, i.e. whether DMARC considers
mc.mydomain.com
andmydomain.com
to be sufficiently aligned.I can see the management of this being a little tricky if you have lots of domains.
Mailchimp does not support SPF as it uses its own domain in the bounce address. Their domain authentication verification tool requires including Mailchimp, though. Mailchimp always fails DMARC's SPF alignment test because the Return-Path path doesn’t match the From address. MailChimp doesn't support custom Return-Path (even though Mandrill, which is owned by Mailchimp, does). This makes it impossible to be 100% SPF-compliant under DMARC rules with Mailchimp.