DMARC Failing: Troubleshooting and Solutions

dmarc

When sending a message from salesforce.com through my company's domain surgishop.com I am getting a DMARC fail. I believe I have SPF and DKIM correctly configured but could use some help on figuring out why DMARC fails.

Email Header:

https://pastebin.com/zbK4TFaQ

Keys:

surgishop.com. 14400 IN TXT v=spf1 mx include:_spf.google.com include:_spf.salesforce.com ~all

google._domainkey.surgishop.com. 14400 IN TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCCpntjPXwGg8te96R6sBKmsUIQeIou8tgZWa8o+k0hMYnMQivNcDQG+TlZ6YHI5VfVoxrFbRoh5cDl7RXX9mc2GdO2dnqhlCEVgUY0ElxZrQ00k72KPYJ0wRJT5mSEMVO/vAn/L/yFaSRCrNeHJFbZNL6ttfX5T/1XIVo4gLf7ywIDAQAB

_dmarc.surgishop.com. 14400 IN TXT v=DMARC1; p=quarantine; sp=none; rua=mailto:aborges@surgishop.com!10m; ruf=mailto:aborges@surgishop.com!10m; rf=afrf; pct=100; ri=86400

Best Answer

  1. DMARC will pass only if either SPF or DKIM passes, in alignment with the From email address domain.
  2. Salesforce (all except Marketing Cloud AFAIK) will add a return-path email address containing the [...].bnc.salesforce.com domain, for bounce handling. And the domain used in the return-path field is what is being checked for SPF. So there is no alignment there with your domain. Nothing you can do about that; it's just how Salesforce works.
  3. You can add DKIM signing to Salesforce, described here. After adding DKIM to Salesforce, adding the public key to your DNS, and enabling the DKIM key pair in Salesforce, Salesforce will start signing your emails with your domain as the DKIM d= value. That WILL align with your domain and, therefore, pass DMARC.

To conclude: Your domain's SPF is ignored because Salesforce sets its own domain as return-path for bounce handling. DKIM is absent for Salesforce and you'll need to add it.
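The alignment logic the answer describes, as an added worked example that is not part of the original thread: a small evaluator that applies the RFC 7489 rules to the DMARC record posted in the question, first with only Salesforce's own Return-Path (SPF passes, but for the bounce domain, so it is unaligned and DMARC fails) and then with a DKIM signature whose d= is surgishop.com (aligned, so DMARC passes). Assumptions not taken from the page: the Return-Path host label "placeholder.bnc.salesforce.com" is a constructed stand-in for the real bounce address, adkim/aspf default to relaxed when absent, and the organizational domain is approximated as the last two DNS labels (real receivers consult the Public Suffix List).

```python
"""DMARC alignment evaluator (added example; not the thread's or Salesforce's code).

Assumptions (not in the original thread):
- organizational domain = last two DNS labels (real MTAs use the Public Suffix List)
- adkim/aspf default to 'r' (relaxed) when absent, as RFC 7489 specifies
- the Salesforce bounce host name below is a constructed placeholder
"""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs and apply defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    tags.setdefault("adkim", "r")  # DKIM alignment mode, relaxed by default
    tags.setdefault("aspf", "r")   # SPF alignment mode, relaxed by default
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (assumption, see above)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    from_domain: str             # domain of the RFC5322.From header
    spf_result: str              # result SPF produced for the MAIL FROM domain
    spf_domain: Optional[str]    # MAIL FROM / Return-Path domain SPF was run on
    dkim_result: str             # result of verifying the DKIM signature
    dkim_d: Optional[str]        # d= tag of the verified signature, if any


def dmarc_evaluate(record_txt: str, r: AuthResults) -> dict:
    """DMARC passes if SPF or DKIM passes AND its identifier aligns with From."""
    tags = parse_dmarc(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_d, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        # p= applies to the From domain itself; sp= would apply to subdomains
        "disposition": "none" if passed else tags.get("p", "none"),
    }


# The record from the question, verbatim.
DMARC_RECORD = ("v=DMARC1; p=quarantine; sp=none; rua=mailto:aborges@surgishop.com!10m; "
                "ruf=mailto:aborges@surgishop.com!10m; rf=afrf; pct=100; ri=86400")

# Constructed: Salesforce before DKIM is enabled. SPF passes for the bounce
# domain in Return-Path, but that domain does not align with surgishop.com.
BEFORE_DKIM = AuthResults("surgishop.com", "pass", "placeholder.bnc.salesforce.com", "none", None)

# Constructed: same Return-Path, but now a DKIM signature with d=surgishop.com verifies.
AFTER_DKIM = AuthResults("surgishop.com", "pass", "placeholder.bnc.salesforce.com", "pass", "surgishop.com")

if __name__ == "__main__":
    for label, res in (("before DKIM", BEFORE_DKIM), ("after DKIM", AFTER_DKIM)):
        print(label, dmarc_evaluate(DMARC_RECORD, res))
```

Running it shows the "before" case failing with disposition "quarantine" (the p= value) and the "after" case passing on DKIM alone, which is exactly why adding the Salesforce DKIM key fixes the report without any SPF change.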