How to use Custom Return Path with a Strict SPF Identifier Alignment DMARC Policy

This article is to assist customers with authenticating their domain utilizing the Custom Return Path setting in a situation where there is a strict SPF Identifier Alignment (aspf=s) within the DMARC policy. To check a domain's DMARC policy, there are many available free tools online you can use such as MXToolbox's DMARC Check Tool.

Critical information: In the majority of circumstances, it is advised to avoid "aspf=s" as a DMARC setting as it may not, practically speaking, protect your domain in a meaningful way.  There should be a clear and defined reasoning behind why domain admins that control a DMARC policy are using strict SPF alignment instead of a relaxed policy--which often makes management of your domain's mail send more reasonable while not significantly sacrificing security of the domain.  Please use your best judgment.

Strict SPF Alignment Overview

The SPF Identifier Alignment checks the "FROM" address and compare it to the "return-path (envelope-sender)". When the tag value for aspf is set to strict, this will require the “FROM” address to exactly match with the domain within the “return-path” header. 

Domain Authentication and Return Path

When sending an email via Twilio SendGrid, it is required to have your domain authenticated ("settings > sender authentication") when sending.  Domain authentication configuration determines how outbound emails and their "return-path" are formatted.  For instance, a domain authentication of "" will cause messages sent from that domain to also have "" as the return-path domain. This will cause issues if aspf=s because the “FROM” address domain will need to strictly match to the return-path domain. 

For example if the “FROM” address is “” then the return-path will be “”. This may then result in the following error:

 “550 5.7.26 Unauthenticated email from is not accepted due to domain's DMARC policy.”


Customers can resolve the issue by utilizing a "Custom Return Path" when making a domain authentication (note: it is not possible to edit an existing domain authentication in this way). Found within the "Advanced Settings" when creating a domain authentication, the Custom Return Path setting allows customers to customize the first CNAME record that is generated so that it can match the sending domain.

For example, the first CNAME record can be configured to instead of the default

Enabling Custom Return Path:


Result with using the custom return path setting:


Result without using custom return path setting:


With a Custom Return Path CNAME record generated, this will allow customers who have aspf=s to send with and have it match the domain that will be in the return-path thus resulting in both domains matching. For example, customers will now be able to use the “FROM” address: “” that now also matches the domain in return-path: “”.

Note that directly rewriting the return path to be the root domain while sending with Twilio SendGrid (and having SPF alignment set to "strict" in DMARC) is often not possible.  It is often better to consider why aspf=s is being used to begin with or then contacting Twilio SendGrid support for help.

Have more questions? Submit a request