When sending a message from salesforce.com through my company's domain surgishop.com, I am getting a DMARC fail. I believe I have SPF and DKIM correctly configured but could use some help figuring out why DMARC fails.
Email Header:
Keys:
surgishop.com. 14400 IN TXT v=spf1 mx include:_spf.google.com include:_spf.salesforce.com ~all
google._domainkey.surgishop.com. 14400 IN TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCCpntjPXwGg8te96R6sBKmsUIQeIou8tgZWa8o+k0hMYnMQivNcDQG+TlZ6YHI5VfVoxrFbRoh5cDl7RXX9mc2GdO2dnqhlCEVgUY0ElxZrQ00k72KPYJ0wRJT5mSEMVO/vAn/L/yFaSRCrNeHJFbZNL6ttfX5T/1XIVo4gLf7ywIDAQAB
_dmarc.surgishop.com. 14400 IN TXT v=DMARC1; p=quarantine; sp=none; rua=mailto:aborges@surgishop.com!10m; ruf=mailto:aborges@surgishop.com!10m; rf=afrf; pct=100; ri=86400
Best Answer
FROM email address domain. return-path email address containing the [...].bnc.salesforce.com domain, for bounce handling. And the domain used in the return-path field is what is being checked for SPF. So there is no alignment there with your domain. Nothing you can do about that, it's just how Salesforce works.

DKIM. d= value. That WILL align with your domain, and, therefore pass DMARC.

To conclude: Your domain's SPF is ignored because Salesforce sets its own domain as return-path for bounce handling. DKIM is absent for Salesforce and you'll need to add it.
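
Added example, not part of the original question or answer: the alignment rule the answer describes, written in Python and evaluated against the DMARC record from the question. The return-path host `placeholder.bnc.salesforce.com`, the SPF and DKIM results, and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# The DMARC record is the one in the question; every other input is constructed.
RECORD = ("v=DMARC1; p=quarantine; sp=none; rua=mailto:aborges@surgishop.com!10m; "
          "ruf=mailto:aborges@surgishop.com!10m; rf=afrf; pct=100; ri=86400")

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. A real evaluator
    # consults the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_tags(record):
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_eval(from_domain, record, spf_result, return_path_domain, dkim_sigs):
    """dkim_sigs: list of (d= domain, verification result), one per signature."""
    tags = parse_tags(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")  # default relaxed
    spf_ok = spf_result == "pass" and aligned(return_path_domain, from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for d, res in dkim_sigs)
    passed = spf_ok or dkim_ok          # one aligned pass is enough
    # sp= applies when the From domain is a subdomain of the organizational domain
    is_sub = from_domain.lower().rstrip(".") != org_domain(from_domain)
    policy = tags.get("sp", tags.get("p", "none")) if is_sub else tags.get("p", "none")
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy}

if __name__ == "__main__":
    bounce = "placeholder.bnc.salesforce.com"   # constructed return-path host
    # SPF passes for the bounce domain but does not align; no DKIM signature.
    print(dmarc_eval("surgishop.com", RECORD, "pass", bounce, []))
    # Same message with a passing signature carrying d=surgishop.com.
    print(dmarc_eval("surgishop.com", RECORD, "pass", bounce,
                     [("surgishop.com", "pass")]))
```

The `!10m` size limits, `pct` sampling and report generation in the record are parsed but not acted on here; only the alignment decision is modelled.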