I have an SPF record, so why is SPF failing?
You have a valid SPF record in place for the source you're sending from, so why is SPF failing? Let's dig into this together!
What you need in order to pass SPF for DMARC
There are actually two parts to SPF and both are needed in order to have it fully pass. One is having an SPF record in your DNS. SPF is a way for ISPs (like Gmail, Yahoo, etc.) to verify that a mail server is authorized to send email for a domain. It is a whitelist of the services that are allowed to send email on your behalf.
Something to keep in mind: Some ESPs (email service providers), such as Postmark, automatically handle SPF for you. This means you don't have to add an SPF record to your DNS. It's best to check with your ESP on how they handle this.
Now for the second part: DMARC requires the domain in the Return-Path (the envelope sender that SPF is actually checked against) and the domain in the From header to match in order for SPF to count as "aligned" and pass the DMARC check. Many email providers will set the Return-Path for you, so it’s common for the Return-Path and From domains not to match; in that case SPF itself may pass, but it will not be aligned. Let's take a look at an example of this:
Return-Path: <email@esp-domain.com>
From: User Name <firstname.lastname@user-domain.com>
In the above example, SPF would fail because the domains "esp-domain.com" and "user-domain.com" don't match.
In DMARC Digests, you're able to distinguish where exactly SPF is failing:
The first bubble icon under the SPF result shows whether basic SPF passes. This is the first part that we covered. The second bubble icon shows whether SPF aligns. This is the second part we covered and checks alignment between the Return-Path and From domains. In this case, we show the domains are misaligned and also let you see which Return-Path domain is being used instead (here, it's "example.com", which doesn't match "postmarkapp.com").
How to ensure that the Return-Path domain matches the From domain?
You might be wondering why you need a custom Return-Path to begin with. Well, the purpose of DMARC is to align DKIM and SPF to your brand’s domain, and both of these help support the effort toward domain reputation. With a custom Return-Path, you can set your own domain in place of your ESP's using a CNAME, so that the Return-Path domain matches the From domain and SPF aligns.
Something to keep in mind: Not all ESPs offer the option to set up a custom Return-Path, so you'll need to check in with them directly to see if this option is available and if yes, how to set it up.
What if my ESP doesn't offer a custom Return-Path option?
Not to worry, all is not lost. The DMARC spec states that you only need one of SPF or DKIM to pass and align in order to pass DMARC. This means that if you're able to set up DKIM and it's fully passing (passing and aligned with your From domain), then that's enough to satisfy DMARC.
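To make the two-part SPF check and the "SPF or DKIM" rule concrete, here is an added example in Python (not code from this article or from DMARC Digests). It reads a message's Return-Path, From and Authentication-Results headers, reports basic SPF pass and SPF alignment separately (the two bubbles described above), checks DKIM alignment from the header.d= value, and combines them into a DMARC verdict. Assumptions: the receiving server has already written an Authentication-Results header with spf= and dkim= results; the organizational domain is approximated as the last two labels instead of consulting the Public Suffix List; and the "pm-bounces" custom Return-Path label is hypothetical. The sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the article's misaligned case. The ESP sets the Return-Path,
# SPF passes for esp-domain.com, but the From domain is user-domain.com.
# A DKIM signature for user-domain.com is present, so DMARC can still pass via DKIM.
MISALIGNED = """\
Return-Path: <email@esp-domain.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=esp-domain.com; dkim=pass header.d=user-domain.com
From: User Name <firstname.lastname@user-domain.com>
Subject: test

body
"""

# Constructed sample: the same sender after configuring a custom Return-Path on a
# subdomain of the From domain ("pm-bounces" is an assumed label, not a real setting).
CUSTOM_RETURN_PATH = """\
Return-Path: <email@pm-bounces.user-domain.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=pm-bounces.user-domain.com
From: User Name <firstname.lastname@user-domain.com>
Subject: test

body
"""


def header_domain(value):
    """Lower-case domain of the first address in a header value, or None."""
    _, addr = parseaddr(value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption:
    real checkers use the Public Suffix List so e.g. co.uk is handled)."""
    labels = domain.split(".")
    return ".".join(labels[-2:])


def domains_align(candidate, from_domain, alignment="r"):
    """DMARC alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    needs the same organizational domain."""
    if alignment == "s":
        return candidate == from_domain
    return org_domain(candidate) == org_domain(from_domain)


def spf_result(msg):
    """Basic SPF result as recorded by the receiver in Authentication-Results."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=([a-z]+)", value, re.I)
        if m:
            return m.group(1).lower()
    return "none"


def dkim_aligned(msg, from_domain, alignment="r"):
    """True if any passing DKIM signature's d= domain aligns with the From domain."""
    for value in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\bdkim=pass\b[^;]*?header\.d=([\w.-]+)", value, re.I):
            if domains_align(m.group(1).lower(), from_domain, alignment):
                return True
    return False


def evaluate(raw_message, alignment="r"):
    """Return the two SPF bubbles plus DKIM alignment and the overall DMARC verdict."""
    msg = message_from_string(raw_message)
    rp = header_domain(msg.get("Return-Path"))
    frm = header_domain(msg.get("From"))
    basic_pass = spf_result(msg) == "pass"          # bubble 1: SPF record check
    aligned = (rp is not None and frm is not None   # bubble 2: Return-Path vs From
               and domains_align(rp, frm, alignment))
    spf_ok = basic_pass and aligned
    dkim_ok = frm is not None and dkim_aligned(msg, frm, alignment)
    return {
        "return_path_domain": rp,
        "from_domain": frm,
        "spf_basic_pass": basic_pass,
        "spf_aligned": aligned,
        "dmarc_spf_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,            # either mechanism is enough
    }


if __name__ == "__main__":
    for name, raw in (("misaligned", MISALIGNED), ("custom return-path", CUSTOM_RETURN_PATH)):
        print(name, evaluate(raw))
```

Running it shows the misaligned message passing basic SPF but failing alignment, and still passing DMARC only because of the aligned DKIM signature; the custom Return-Path message aligns under relaxed mode but not strict mode, since pm-bounces.user-domain.com is a subdomain rather than an exact match.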