Re: DMARC policy fails for branded domain, even if DNS records for SPF, DMARC and DKIM are setup

ggerla
Level 4

DMARC policy fails for branding domain on dedicated IP, even if DNS records for SPF, DMARC and DKIM are setup

Hello there,

as usual, in the email marketing world, I'm trying to face the deliverability issues that afflict Marketo.

We are approaching the Reject DMARC policy for our domain, and using a DMARC reporting tool, I've encountered several emails that are failing the DMARC validation.

 

Here is a screenshot of the problem: if I've understood correctly, this shows that a SPAM filter service (Avanan) is in the middle of the communications between our domain and recipients.

ggerla_0-1718723000125.png

 

Additionally, DMARC policy validation for our branded domain is going pretty well:

ggerla_1-1718723685926.png

 

Has anyone encountered the same issue? How could I try to solve it?

For context, we are applying the DMARC quarantine policy step by step (we are at 25% of the emails), but this does not seem to impact the mentioned domain. Additionally, both SPF / DKIM DNS records are validated on the Marketo Admin side.

2 REPLIES 2
SanfordWhiteman
Level 10 - Community Moderator

Re: DMARC policy fails for branded domain, even if DNS records for SPF, DMARC and DKIM are setup

First, the term “branded domain” is inappropriate here. In Marketo, we say “branding domain” to refer to the click tracking domain. This isn’t related to the From: header domain, which is what you’re referring to.

 

It’s clearer to say “From: domain” because that has a universal meaning.

 

Since you redacted it in your screenshots, it’s not clear whether the From: domain is the same in both cases. Please explain the comparison you’re attempting to make.

ggerla
Level 4

Re: DMARC policy fails for branded domain, even if DNS records for SPF, DMARC and DKIM are setup

Thanks, @SanfordWhiteman, my bad about the term (historical heritage usage of it)!

 

I'm talking about the SPF domain, and obviously, the redacted domain is ours [anysite.com]. So the redacted ones are reply.anysite.com [branding domain for our dedicated IP and SPF domain] and Header from anysite.com

 

I'm not trying to do any comparison: it's good having the DMARC policy passes for any Marketo send, the screenshot is for context purposes. 

I'm trying to understand how I can "fix" cloud-sec-av.com and if anyone has the same issue; I'm asking here because the validation is passing through the Marketo branding domain.

Or maybe I shouldn't take care of it 🙂