This article helps customers authenticate their domain using the Custom Return Path setting when their DMARC policy enforces strict SPF identifier alignment (aspf=s).
To check a domain's DMARC policy, there are many available free tools online you can use such as MXToolbox's DMARC Check Tool.
SPF identifier alignment takes the domain of the “FROM” address and compares it to the domain of the return-path (the envelope sender, also called MAIL FROM). When the aspf tag is set to strict (aspf=s), the domain in the “FROM” address must exactly match the domain in the “return-path” header; a subdomain does not count as a match.
By default, an email sent through Twilio SendGrid carries a return-path on the CNAME host created during domain authentication, such as em1234.example.com. This causes a failure when aspf=s, because the “FROM” address domain must then match the return-path domain exactly.
For example, if the “FROM” address is “@example.com”, the return-path will be “@em1234.example.com”. The receiving server may then reject the message with an error such as “550 5.7.26 Unauthenticated email from domain.com is not accepted due to domain's DMARC policy.”
Customers can resolve the issue by using the Custom Return Path setting within Domain Authentication. Found under Advanced Settings when authenticating a sending domain, the Custom Return Path setting lets customers customize the SPF CNAME record so that it matches the sending domain. For example, the SPF CNAME record can be configured as subdomain.example.com instead of the default em8266.example.com.
Enabling Custom Return Path:
Default CNAME record without Custom Return Path enabled:
Once a Custom Return Path CNAME record has been generated, customers whose DMARC policy has aspf=s can send from @subdomain.example.com, and that domain will match the domain placed in the return-path. For example, the “FROM” address “@subdomain.example.com” now matches the return-path domain “@subdomain.example.com”, so strict alignment passes.
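The following added example (not SendGrid's code, and not the receiver's actual DMARC implementation) shows how the alignment check described above plays out for the two cases in this article: the default em1234.example.com return-path, which fails strict alignment, and the Custom Return Path on subdomain.example.com, which passes. The DMARC records and message headers are constructed for the example; the `organizational_domain` helper is a deliberate simplification (real receivers consult the Public Suffix List) used only to show the difference between relaxed and strict alignment.

```python
"""Added example: evaluate SPF identifier alignment (aspf=s vs aspf=r)
between the From: domain and the Return-Path domain, as a DMARC receiver
would, on constructed sample messages."""
from email import message_from_string
from email.utils import parseaddr


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s'
    into a dict of tag -> value (keys lower-cased, whitespace stripped)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification for this example: treat the last two DNS labels as the
    organizational domain. Production code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spf_aligned(from_domain: str, return_path_domain: str, aspf: str = "r") -> bool:
    """Strict alignment requires an exact domain match; relaxed alignment
    only requires the same organizational domain. aspf defaults to 'r'
    when the tag is absent, per RFC 7489."""
    f = from_domain.lower().rstrip(".")
    r = return_path_domain.lower().rstrip(".")
    if aspf.lower() == "s":
        return f == r
    return organizational_domain(f) == organizational_domain(r)


def check_message(raw_message: str, dmarc_txt: str) -> bool:
    """Extract the From: and Return-Path: domains from a raw message and
    decide whether SPF identifier alignment passes under the given policy."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    aspf = parse_dmarc_record(dmarc_txt).get("aspf", "r")
    return spf_aligned(from_domain, rp_domain, aspf)


# Constructed DMARC records for the sending domain.
STRICT_POLICY = "v=DMARC1; p=reject; aspf=s"
RELAXED_POLICY = "v=DMARC1; p=reject; aspf=r"

# Constructed message with the default SendGrid return-path host.
DEFAULT_MSG = (
    "Return-Path: <bounces+123@em1234.example.com>\n"
    "From: Sender <sender@example.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed message after enabling Custom Return Path on the subdomain.
CUSTOM_MSG = (
    "Return-Path: <bounces+123@subdomain.example.com>\n"
    "From: Sender <sender@subdomain.example.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print("default return-path, aspf=s:", check_message(DEFAULT_MSG, STRICT_POLICY))   # False
    print("default return-path, aspf=r:", check_message(DEFAULT_MSG, RELAXED_POLICY))  # True
    print("custom return-path, aspf=s: ", check_message(CUSTOM_MSG, STRICT_POLICY))    # True
```

The middle line is the useful diagnostic: if a domain passes under aspf=r but fails under aspf=s, the fix is to align the return-path host with the sending domain, which is exactly what the Custom Return Path setting does.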