DMARC – Strict vs Relaxed alignment & how to fix spf alignment failed
Should you use Strict or Relaxed alignment for your DMARC settings?
The DMARC standard lets a domain owner permit relaxed alignment or require strict alignment. Note, however, that strict mode gives no noticeable increase in protection.
We do not recommend using strict mode (unless you have a specific reason for it): it does not improve protection, but it does make configuring and managing authentication more difficult.
Relaxed alignment is achieved if the organizational domain of the user-visible From address matches the organizational domain of either the Return-Path (SPF) or the authenticated DKIM signing domain.
Strict alignment, on the other hand, requires an EXACT match between the Fully Qualified Domain Name (FQDN) of the user-visible From address and either the Return-Path (SPF) or the authenticated signing domain (DKIM).
If strict alignment is required and the email does not pass it, the email is considered to have failed DMARC for that method (SPF or DKIM).
Strict vs Relaxed alignment is specified in the DMARC record using the following tags:
- aspf (SPF)
- adkim (DKIM)
The default setting, if it is not specified in the DMARC record, is relaxed alignment. For example, the following DMARC records are equivalent:
v=DMARC1; p=none; rua=mailto:[email protected]; aspf=r; adkim=r
v=DMARC1; p=none; rua=mailto:[email protected];
Examples:
A domain is set for strict SPF alignment as shown below:
v=DMARC1; p=none; rua=mailto:[email protected]; aspf=s;
If the user-visible From address is [email protected] and the Return-Path is marketing.mydomain.com, the email is strictly aligned for SPF.
A domain is set for strict DKIM alignment as shown below:
v=DMARC1; p=none; rua=mailto:[email protected]; adkim=s
If the user-visible From address is [email protected] and the authenticated signing domain is mydomain.com, the email is not strictly aligned for DKIM.
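The following is an added example, not code from the original article or from EasyDMARC. It implements the aspf/adkim rules and defaults described above and reproduces both worked examples. The organizational-domain helper is a deliberately simplified stand-in for the Public Suffix List (it knows only a few two-label suffixes), and all function names are hypothetical.

```python
"""Minimal DMARC alignment checker (added example, not from the original article).

Assumptions: organizational_domain() is a simplified stand-in for the Public
Suffix List, and the inputs are identifiers that already passed SPF / DKIM
verification, so only alignment is evaluated here.
"""
from typing import Optional

# Assumption: a tiny subset of two-label public suffixes. A real checker
# consults the full Public Suffix List instead of this table.
TWO_LABEL_SUFFIXES = {"co.uk", "me.uk", "org.uk", "com.au"}


def organizational_domain(fqdn: str) -> str:
    """Return the registrable (organizational) domain of an FQDN."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_dmarc_record(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict.

    aspf and adkim default to 'r' (relaxed) when absent, as the standard says.
    """
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact FQDN match; relaxed ('r') needs only the
    same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def evaluate_alignment(record: str, from_addr: str,
                       return_path_domain: Optional[str],
                       dkim_domain: Optional[str]) -> dict:
    """Evaluate SPF and DKIM alignment against the policy in the DMARC record.

    Pass None for an identifier whose underlying check (SPF / DKIM) did not
    pass; it then counts as not aligned. DMARC passes if either method aligns.
    """
    tags = parse_dmarc_record(record)
    from_domain = from_addr.rsplit("@", 1)[-1]
    spf = return_path_domain is not None and is_aligned(
        from_domain, return_path_domain, tags["aspf"])
    dkim = dkim_domain is not None and is_aligned(
        from_domain, dkim_domain, tags["adkim"])
    return {"spf_aligned": spf, "dkim_aligned": dkim, "dmarc_pass": spf or dkim}


if __name__ == "__main__":
    # The article's two examples (From domain assumed to be marketing.mydomain.com).
    print(evaluate_alignment("v=DMARC1; p=none; aspf=s",
                             "user@marketing.mydomain.com",
                             "marketing.mydomain.com", None))
    print(evaluate_alignment("v=DMARC1; p=none; adkim=s",
                             "user@marketing.mydomain.com",
                             None, "mydomain.com"))
```

Running the block prints the two results: the strict SPF case aligns, the strict DKIM case does not, and dropping adkim=s (the relaxed default) makes the DKIM case align because both identifiers share the organizational domain mydomain.com.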
What is the return-path email header?
Return-Path is a hidden email header that indicates where bounced emails will be delivered and processed. This header, also referred to as the bounce address or reverse path, is an SMTP address separate from your original sending address, used specifically for collecting and processing bounced messages.
Having a clear Return-Path system in place is important for your email program. It acts as a safeguard, protecting senders by providing a separate location for processing bounced emails: your original sending inbox isn’t crowded by “failed delivery” emails, and bounced messages are kept organized and together. A clear, organized Return-Path for bounced messages can also help your email deliverability and maintain your sending reputation.
To test whether your emails are compliant, try the Email investigation tool over at EasyDMARC.
Why is return-path important?
Return-path is an important tool to have at your disposal, especially for mass email sends. Let’s say you’re sending an email blast about an offer your company is promoting to your entire email list. While we don’t want to see bounced emails, the reality is that messages can and do bounce for a variety of reasons.
When you’re sending to large groups, you can get tens, maybe even hundreds of bounced messages depending on the size and nature of your campaign. These “failed delivery” messages then come back to haunt and crowd your original sending inbox. Instead, by having an established return-path, those messages are processed and stored separately in their own specified inbox.
Return-path also helps with your deliverability and sending reputation by helping to validate your identity as a sender (i.e. whether or not you’re sending spam). Because return-path is an SMTP address, it can be used by servers and inbox providers to decide how or if they want to filter your messages. Having a properly set-up return-path can help provide credibility for your messages and subsequently, you, the sender, which in turn boosts your sending reputation.
This can be a particular issue when using domain aliases (“send mail as”) with Google Workspace (Gmail): Gmail puts the primary domain in the Return-Path, so SPF alignment fails against the alias domain in strict mode. To avoid this, use relaxed mode, which resolves the “SPF alignment failed” result.
Below is an example report where the primary domain is michaels.me.uk and the secondary (alias) domain is kopage.com, using “send email as” in the Gmail settings.
The above report was generated using the email investigation tool at EasyDMARC.
How return-path works
Return-Path specifies where bounced messages should go when they cannot be delivered. It is usually set up by your email or relay platform provider, but can often be customized.
Servers and inbox providers validate your identity and reputation before pushing your message through to recipients’ inboxes.
To get you through these filters, Return-Path and DMARC work together. DMARC examines your message to confirm that the domain in the user-visible From field aligns with the domain in the Return-Path field, which helps to validate your identity as a sender. Once DMARC has verified that these domains align, servers and inbox providers can make their filtering decisions about your messages with more confidence.
Types of bounced emails
There are two types of bounced emails: hard bounces and soft bounces.
A hard bounce occurs when there is a permanent problem with a recipient, such as an invalid email address or a typo in your mailing list.
Soft bounces are temporary and usually occur when there’s a problem with a recipient’s inbox, such as a message size or attachment issue, or a recipient’s inbox being full.
When a message hard bounces, the general best practice is to check that there are no typos in the recipient’s address. If there are none, you should remove the address from your mailing list. Keeping email addresses that hard bounce can damage your reputation as a sender and affect your deliverability in the long run.
When an email soft bounces, you have a little bit more wiggle room than with a hard bounce. Email addresses that soft bounce can be kept in your mailing list for future campaigns, but you’ll want to watch them to see if they bounce again. If they continue to bounce, they should be removed from your mailing list.