How to use Custom Return Path with a Strict SPF Identifier Alignment DMARC Policy

This article is to assist customers with authenticating their domain utilizing the Custom Return Path setting in a situation where there is a strict SPF Identifier Alignment (aspf=s) within the DMARC policy. To check a domain's DMARC policy, there are many available free tools online you can use such as MXToolbox's DMARC Check Tool.

Critical information: In the majority of circumstances, it is advised to avoid "aspf=s" as a DMARC setting, as in practice it may not protect your domain in a meaningful way. Domain admins who control a DMARC policy should have a clear, defined reason for using strict SPF alignment instead of relaxed alignment, which often makes managing your domain's mail sending more reasonable without significantly sacrificing the domain's security. Please use your best judgment.

Strict SPF Alignment Overview

SPF Identifier Alignment compares the domain in the "FROM" address to the domain in the "return-path" (envelope sender). When the aspf tag value is set to strict, the "FROM" address domain must exactly match the domain in the "return-path" header.

Domain Authentication and Return Path

When sending email through Twilio SendGrid, your domain must be authenticated ("Settings > Sender Authentication"). The domain authentication configuration determines how outbound emails and their "return-path" are formatted. For instance, a domain authentication of "em1234.example.com" will cause messages sent from that domain to carry "em1234.example.com" as the return-path domain. This causes problems when aspf=s, because the "FROM" address domain must then strictly match the return-path domain.

For example, if the "FROM" address is "@example.com", the return-path will be "@em1234.example.com". This may then result in the following error:

"550 5.7.26 Unauthenticated email from domain.com is not accepted due to domain's DMARC policy."

Resolution

Customers can resolve the issue by using a "Custom Return Path" when creating a domain authentication (note: an existing domain authentication cannot be edited in this way). Found under "Advanced Settings" when creating a domain authentication, the Custom Return Path setting lets customers customize the first CNAME record that is generated so that it matches the sending domain.

For example, the first CNAME record can be configured as subdomain.example.com instead of the default em8266.example.com.

Enabling Custom Return Path: (screenshot)

Result with the custom return path setting: (screenshot)

Result without the custom return path setting: (screenshot)

With a Custom Return Path CNAME record in place, customers with aspf=s can send from @subdomain.example.com and have it match the domain in the return-path. For example, the "FROM" address "@subdomain.example.com" now matches the return-path domain "@subdomain.example.com", so strict alignment passes.
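The alignment check described in the overview and in this resolution, written out as an added example (this is not Twilio SendGrid code). It parses the FROM and Return-Path headers of constructed sample messages and applies strict or relaxed SPF identifier alignment; the organizational-domain helper is a simplified assumption (last two labels) rather than a real Public Suffix List lookup.

```python
import email
from email.utils import parseaddr


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value ('' if none)."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def organizational_domain(domain):
    # Assumption for this example: last two labels. A real DMARC evaluator
    # consults the Public Suffix List (this is wrong for e.g. example.co.uk).
    return ".".join(domain.split(".")[-2:])


def spf_aligned(from_domain, return_path_domain, aspf="r"):
    """DMARC SPF identifier alignment.
    aspf='s': the domains must match exactly.
    aspf='r': the organizational domains must match."""
    if not from_domain or not return_path_domain:
        return False
    if aspf == "s":
        return from_domain == return_path_domain
    return organizational_domain(from_domain) == organizational_domain(return_path_domain)


def check_message(raw, aspf):
    """Parse a raw message and report whether FROM and Return-Path are SPF-aligned."""
    msg = email.message_from_string(raw)
    return spf_aligned(domain_of(msg["From"]), domain_of(msg["Return-Path"]), aspf)


# Constructed sample headers mirroring the article's two scenarios.
DEFAULT_RETURN_PATH = """Return-Path: <bounces+123@em1234.example.com>
From: Alerts <alerts@example.com>
Subject: test

body
"""

CUSTOM_RETURN_PATH = """Return-Path: <bounces+123@subdomain.example.com>
From: Alerts <alerts@subdomain.example.com>
Subject: test

body
"""

if __name__ == "__main__":
    print("default, aspf=s:", check_message(DEFAULT_RETURN_PATH, "s"))  # False
    print("default, aspf=r:", check_message(DEFAULT_RETURN_PATH, "r"))  # True
    print("custom,  aspf=s:", check_message(CUSTOM_RETURN_PATH, "s"))   # True
```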

Note that rewriting the return path directly to the root domain while sending with Twilio SendGrid (with SPF alignment set to "strict" in DMARC) is often not possible. It is usually better to reconsider why aspf=s is being used in the first place, or to contact Twilio SendGrid support for help.
