How to whitelist another sender (e.g. Sendgrid) for DMARC

Tags: authentication, dmarc, domain-name-system, email, sendgrid

We host our own e-mail but use Sendgrid to send mail on behalf of a few internal PHP services that can't easily handle our mail configuration (e.g. they disallow self-signed certs by default, so getting them to connect to our server to send out things like account activation e-mails is a PITA, like to the point of having to hack the functions of a CMS to pass in an array of config overrides – for the handful of emails this would be, I thought the heck with it and just used Sendgrid's free tier).

I was able to set up our SPF to explicitly allow Sendgrid to send emails on our behalf:

ourdomain.com. IN TXT "v=spf1 mx a ip4:OUR.IP.GOES.HERE/32 include:sendgrid.net -all"

And so there are parallel paths for both mail sent by us and mail sent by Sendgrid to pass both SPF and DKIM. (I didn't do anything special setting up DKIM for ourselves, but it was a bit of a process – FWIW, here's the tutorial I followed.)

But now I want to wrap everything up with DMARC, and Sendgrid emails are failing, even though they pass SPF and DKIM:

Authentication-Results: mx.google.com;
dkim=pass header.i=@sendgrid.net header.s=smtpapi header.b=eI2rawkZ;
spf=pass (google.com: domain of bounces+15288543-43bf-mygmailaccount=gmail.com@sendgrid.net designates SENDGRID.IP.GOES.HERE as permitted sender) smtp.mailfrom="bounces+15288543-43bf-mygmailaccount=gmail.com@sendgrid.net";
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ourdomain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net; h=from:subject:content-type:content-transfer-encoding:mime-version: x-feedback-id:to; s=smtpapi; bh=AZ+8LE7VkXTKxox/rLn7opOhEWv+baJWKr9E5fUOSKs=; b=eI2rawkZeMvtcJXThu7pufwbVPjRHa5xx46txJj0j9gNNDxNs68y8bcPlj1T9r7rxDK4 oi6e19GMvtdyttXR5WKjg2T+w0p5Ep3Ni6YRQhxq4ZsGcO0mZiRXyNf4BdZ3cOgLKXwECh dMSOaHyK0lR91Xp6eTnOYE7bT9hcRVrWA=

E-mail sent by us is passing:

Authentication-Results: mx.google.com;
dkim=pass header.i=@ourdomain.com header.s=default header.b=fySBSueO;
spf=pass (google.com: domain of ourlocaluser@ourdomain.com designates OUR.IP.GOES.HERE as permitted sender) smtp.mailfrom=ourlocaluser@ourdomain.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ourdomain.com

Our DMARC record is set up like this:

_dmarc.ourdomain.com. 299 IN TXT "v=DMARC1\; p=none\; pct=100\; rua=mailto:postmaster@ourdomain.com"

Is there a way we can adjust our DNS (or something else?) to permit Sendgrid e-mails to pass the DMARC check? Then we could safely up the recommended 'p' action to 'quarantine' or 'reject'. Although, if it wouldn't be a great drain on our reputation, I'd be happy to leave it at 'none'. It would just be nice to get everything all neatly tied-up, following on from the difficulties I was having before I embarked on the SPF / DKIM / DMARC journey.

Best Answer

The DKIM signs with d=sendgrid.net and the envelope sender, i.e. Return-Path, is mygmailaccount=gmail.com@sendgrid.net. As both DKIM and SPF validations are using sendgrid.net, it's not aligned with your domain: that's the requirement for DMARC alignment.

Luckily, Sendgrid supports custom domain authentication for both custom DKIM selector and custom return path.

Although, if it wouldn't be a great drain on our reputation, I'd be happy to leave it at 'none'. 

DMARC is not about gaining a better reputation. It's about preventing someone else from using your domain in the From header, which could lead to bad reputation or worse.
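How DMARC alignment produces the two outcomes above, as an added Python example that is not part of the question, the answer or anything Sendgrid ships: it parses the DKIM and SPF clauses of an Authentication-Results header and checks each authenticated domain against the From domain in relaxed or strict mode. The Authentication-Results strings are constructed from the question's headers, and em123.ourdomain.com is an assumed placeholder for a custom return-path subdomain.

```python
import re
# Constructed Authentication-Results values modelled on the question's headers.
SENDGRID_AR = (
    "mx.google.com; dkim=pass header.i=@sendgrid.net header.s=smtpapi; "
    "spf=pass smtp.mailfrom=bounces+15288543-43bf-x=gmail.com@sendgrid.net"
)
OWN_AR = (
    "mx.google.com; dkim=pass header.i=@ourdomain.com header.s=default; "
    "spf=pass smtp.mailfrom=ourlocaluser@ourdomain.com"
)
# Hypothetical result once Sendgrid's custom DKIM and return path are set up
# (em123.ourdomain.com is an assumed placeholder subdomain, not a real value).
CUSTOM_AR = (
    "mx.google.com; dkim=pass header.i=@ourdomain.com header.s=s1; "
    "spf=pass smtp.mailfrom=bounces+1-2@em123.ourdomain.com"
)

def parse_auth_results(header):
    """Return {method: (result, authenticated domain)} for dkim and spf."""
    found = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        m = re.match(r"(dkim|spf)=(\w+)", clause.strip())
        if not m:
            continue
        method, result = m.groups()
        if method == "dkim":  # DKIM aligns on the signing d= domain
            dm = re.search(r"header\.(?:i=@|d=)([\w.-]+)", clause)
        else:  # SPF aligns on the RFC5321.MailFrom (Return-Path) domain
            dm = re.search(r"smtp\.mailfrom=\S*@([\w.-]+)", clause)
        found[method] = (result, dm.group(1).lower() if dm else None)
    return found

def org_domain(domain):
    # Simplification: real evaluators use the Public Suffix List; two labels suffice here.
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    # Strict ('s') needs an exact match, relaxed ('r') only the same org domain.
    if auth_domain is None:
        return False
    return auth_domain == header_from if mode == "s" else org_domain(auth_domain) == org_domain(header_from)

def dmarc_result(header, header_from, adkim="r", aspf="r"):
    """DMARC passes when DKIM or SPF passed AND its domain aligns with From."""
    ar, checks = parse_auth_results(header), {}
    for method, mode in (("dkim", adkim), ("spf", aspf)):
        result, dom = ar.get(method, ("none", None))
        checks[method] = result == "pass" and aligned(dom, header_from.lower(), mode)
    return ("pass" if any(checks.values()) else "fail"), checks
```

The Sendgrid message fails because both identifiers belong to sendgrid.net, while the custom-domain variant passes in relaxed mode through either identifier and in strict mode only through DKIM.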