DMARC Report Says an Email Fails SPF but the SPF Record Shows as Verified.

Issue

You receive a DMARC report from an ISP saying that your email failed to pass the SPF alignment check, but when you check your SPF listing in Admin > Email > SPF/DKIM, SPF is verified.

Solution

The SPF record in Admin > Email > SPF/DKIM  is tied to your FROM domain.  DMARC alignment (using SPF) aligns the domain in the FROM address with the domain in the “return-path” address.  This “return-path” address, usually using a '*.mktomail.com' domain, is generally unseen by recipients and directs email bounces and errors back to Marketo for processing. 

 

Failed DMARC alignment, between these two domains, is what is triggering the failure your DMARC reporting.

 

DMARC compliance requires EITHER DKIM or SPF compliance, not both in most cases.  This article reviews the two methods available for DMARC alignment - https://nation.marketo.com/docs/DOC-1202-technical-tip-set-up-dmarc-verified-domains-in-a-few-easy-s... Having DKIM DMARC alignment may be enough and you may not need to rely on full SPF DMARC alignment.

 

In order to set up SPF DMARC alignment, Branded Return-Path will allow you to align the “return-path” domain with your sending FROM address domain.  If you have a dedicated IP on the current pricing plan or are on the Trusted IP range, Marketo can brand your return path at no additional charge.  If you have a legacy Silver Dedicated IP package, or are on the Shared IP range, you can purchase the Branded Return Path as an add-on.

 

More technical info can be found here:


Labels (2)