DMARC/SPF/DKIM not authenticating with third-party mail

Question

We recently implemented a DMARC record for our domain:

"v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]"

(quarantine 100% of non-authenticated emails and send aggregate report to "me")

We use a third-party vendor to issue invites. The vendor sends email from [email protected] which is then sent through a mail relay "smtp3.mailrelaydomain.it". I also know that the mail relay uses a single ip address.

That address is included in our SPF record:

"v=spf1 ...[SNIP reference for other mail servers SNIP]... ip4:[ip address for the mail relay] ~all"

When I send an invite using the vendor's service, the message is quarantined.

When I view the aggregate DMARC report I see that the invite:

• is recognized as being from an SPF-Authorized Server
• passes raw SPF authentication for the sender's domain ([email protected]")
• passes raw DKIM authentication for the mail relay domain (smtp3.mailrelaydomain.it)
• Fails DMARC authentication for both DKIM and SPF for mydomain

Here is a sample headers from an invite.

BEGIN SAMPLE EMAIL HEADER

Delivered-To: [email protected]
Received: by 10.64.252.9 with SMTP id zo9csp100581iec;
        Wed, 21 Oct 2015 11:40:13 -0700 (PDT)
X-Received: by 10.55.195.147 with SMTP id r19mr12995508qkl.12.1445452813709;
        Wed, 21 Oct 2015 11:40:13 -0700 (PDT)
Return-Path: <[email protected]>
Received: from smtp3.mailrelaydomain.it (smtp3.mailrelaydomain.it. [ip for mail relay])
        by mx.google.com with ESMTP id w15si9297939qha.131.2015.10.21.11.40.13
        for <[email protected]>;
        Wed, 21 Oct 2015 11:40:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates [mail relay ip] as permitted sender) client-ip=[mail relay ip];
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates [mail relay ip] as permitted sender) [email protected];
       dkim=pass [email protected];
       dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=mydomain.com
Received: from FS-S05.vendorparentdomain.com (unknown [vendor parent ip])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by smtp3.mailrelaydomain.it (Postfix) with ESMTPSA id 23387A0CBC
    for <[email protected]>; Wed, 21 Oct 2015 15:07:35 -0400 (EDT)
DKIM-Signature: [DKIM Content]
Content-Type: multipart/alternative;
 boundary="===============2166944298367943586=="
MIME-Version: 1.0
Subject: Please take our survey
From: Me <[email protected]>
To: Someone Else <[email protected]>
Cc: 
Date: Wed, 21 Oct 2015 18:39:48 -0000
Message-ID: <[email protected]>
List-Unsubscribe: [unsubscribe link],
 <mailto:[email protected]>
Reply-To: Me <[email protected]>
X-Sender: [email protected]

I believe the issue is related to the from domain in the message not matching the domain for the message envelope; however, the vendor is unable to change their settings (i.e., envelope will always be from the vendor domain) so any chance of this working with DMARC will have to come from my end.

Knowing that the SPF record can (and does) identify the invite as being from an SPF-Authorized Server, are there any other settings or records I can add to also ensure DMARC authentication for invites from the vendor?

Having read several online articles and "DMARC -spf and DKIM record queries" I suspect I am out of luck, but need to ask the question plainly/specific to my situation just to be sure.

Thanks

Answer 1

You are correct, you are out of luck unless the vendor can change something. What is failing is Identifier Alignment - https://www.rfc-editor.org/rfc/rfc7489#section-3.1 - because what is being authenticated (invites.vendordomain.com via SPF) does not align to the domain the user sees ([email protected]) and the message then, correctly, fails DMARC.

There are three options:

• Stop sending with a From: header of your domain at the vendor; you can still use a Reply-To: header with your own address.

• Have the vendor align the mail from to your domain. If they don't do this they can't pass DMARC, and at some point they will want to pass DMARC or people will find other solutions. You can have them send with an envelope from of vendorname.mydomain.com and you can set up an MX for that subdomain that points to them to support bounce processing. This has been BCP for a while.

• Have the vendor sign with DKIM and us an aligned DKIM signature. This is also best common practice. You only need SPF or DKIM to pass, and DKIM passes are more valuable (because they survive forwarding in many cases) than SPF, so this is the option I would personally prioritize if I were you.

Back in like 2012 and 2013 a lot of vendors pushed back against both of these options, but I honestly haven't seen a vendor in a long time (I spend 100% of my day job on DMARC) that won't support at least aligned DKIM.