Issue
To troubleshoot emails that failed due to DMARC policy when sending through Twilio SendGrid with your own domain, it's important to understand SPF Identifier Alignment (aspf) and DKIM Identifier Alignment (adkim).
Product
Twilio SendGrid (Email API and/or Marketing Campaigns)
Cause
SPF Identifier Alignment (aspf) compares the "FROM" address with the "return-path" (envelope sender) to determine alignment. There are two modes for SPF Identifier Alignment: relaxed and strict. Relaxed mode allows flexibility in matching addresses, while strict mode requires an exact match.
DKIM Identifier Alignment compares the "FROM" address with the "d=" tag in the domain signature for DKIM. Like SPF, DKIM Alignment can be set to relaxed or strict.
In order for DMARC to pass, either SPF, DKIM, or both must align. Alignments can be specified as strict (s) or relaxed (r).
When sending through Twilio SendGrid with your own domain, emails may not be delivered due to the domain's DMARC policy. This is often affected by whether the SPF Identifier Alignment (aspf) in your DMARC policy is set to 'relaxed' or 'strict'.
SPF Identifier Alignment (aspf) is like a security measure for emails. Imagine emails have addresses just like letters. Sometimes, people pretend to send emails from a real address, but it's actually fake. The aspf check tests whether the email address matches the official one.
There are two modes:
- Relaxed mode: This mode allows for some flexibility. It says, "If the email address is almost the same as the official one, it's probably okay."
- Strict mode: This mode is more serious. It says, "The email address must be exactly the same as the official one, no exceptions."
Here are some response examples you'll see, within the 'Blocks' suppression list:
| 521 5.2.1 : (DMARC) This message failed DMARC Evaluation and is being refused due to provided DMARC Policy |
| 550 5.7.1 Unauthenticated email from domain.tld is not accepted due to domain's DMARC policy. Please contact administrator of domain.tld domain if this was a legitimate mail. Please visit https://support.google.com/mail/answer/2451690 to learn about DMARC initiative. 62si14044909itw.103 - gsmtp |
When customers authenticate their domain within Sender Authentication without altering any Advanced Settings, Twilio SendGrid overwrites the return-path of the emails for tracking purposes. The return-path will look like this:
| Return-Path: <bounces+1XXXXXX2-2cc8-recipient=recipient_domain.com@em1XX3.example.com> |
Depending on the domain's DMARC policy or the from address that is used, this will cause delivery issues related to your domain's DMARC policy.
Resolution
Below are some solutions we recommend.
Solution 1: Set the aspf to relaxed
If the aspf tag within the DMARC policy is set to strict, this will cause a misalignment with the from domain that is sending the email due to the subdomain em1XX3. However, if the aspf tag is relaxed, then the misalignment will not prevent the email from being delivered.
Solution 2: Send with a subdomain
If the from address in your email includes a subdomain, then you might want to use the Custom Return Path option available within Advanced Settings when authenticating the domain. This will allow you to edit the CNAME record so that em1XX3 is replaced with a subdomain of your choosing. Use this feature to ensure that the subdomain that replaces em1XX3 matches the subdomain in the from address. As a result, the return path of emails sent through Twilio SendGrid will include the subdomain that now matches the from address.
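The alignment check behind Solutions 1 and 2, as an added example that is not Twilio SendGrid's code: it evaluates the return-path format shown above against strict and relaxed aspf, a matching custom return-path subdomain, and an aligned DKIM signature. The DMARC records, sender addresses and DKIM domain are constructed, SPF itself is assumed to pass, and the organizational domain is approximated as the last two labels (real evaluators use the Public Suffix List).

```python
# Added example: DMARC identifier alignment for the Return-Path shown above.
# Assumption: org_domain() approximates the organizational domain as the last
# two labels; real evaluators use the Public Suffix List (e.g. for .co.uk).

def parse_dmarc(record):
    """Parse a DMARC TXT record; aspf and adkim default to relaxed ('r')."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def domain_of(address):
    """Lowercased domain of an address such as <local@domain>, or of a bare domain."""
    return address.rsplit("@", 1)[-1].strip("<> ").rstrip(".").lower()

def org_domain(domain):
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact domain match. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, header_from, return_path, dkim_d=None):
    """dkim_d=None models a message with no passing DKIM signature; SPF is assumed to pass."""
    tags = parse_dmarc(record)
    frm = domain_of(header_from)
    spf_ok = aligned(frm, domain_of(return_path), tags["aspf"])
    dkim_ok = dkim_d is not None and aligned(frm, domain_of(dkim_d), tags["adkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample values, modelled on the Return-Path format in this article.
RETURN_PATH = "<bounces+1XXXXXX2-2cc8-recipient=recipient_domain.com@em1XX3.example.com>"
STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s"
RELAXED = "v=DMARC1; p=reject"

if __name__ == "__main__":
    print(evaluate(STRICT, "sender@example.com", RETURN_PATH))
    print(evaluate(RELAXED, "sender@example.com", RETURN_PATH))
    print(evaluate(STRICT, "sender@news.example.com", "<bounces@news.example.com>"))
    print(evaluate(STRICT, "sender@example.com", RETURN_PATH, dkim_d="example.com"))
```

The last call shows that an aligned, passing DKIM signature is enough for DMARC to pass even when the strict SPF alignment check fails.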
Solution 3: Enable Preserve Sender
If the DMARC policy can’t be altered for your domain or if you’re unable to send with a subdomain within the from address that matches what is configured within the Custom Return Path feature, then you’ll need to reach out to our support team to enable the Preserve Sender setting. When enabled, this setting will prevent our system from overwriting the return path so that it stays the same as the from address. The drawback of this solution is that our system will be unable to log your bounces and spam reports and will subsequently not suppress future attempts to send to these recipients.
Adjusting your DMARC policy (p=none, p=quarantine, p=reject) can also impact how receivers handle email from your domain. Setting the policy to quarantine or reject can help control how recipients process emails that fail DMARC.
By understanding SPF and DKIM Identifier Alignments, adjusting DMARC policies, and utilizing SendGrid features effectively, you can optimize email deliverability and ensure your domain's emails meet DMARC requirements.
Additionally, it is important to note that implementing SendGrid Expert Services can help ensure that your account is optimized and set up for success as your email program continues to grow. By following these recommendations and utilizing the tools provided by SendGrid, you can address issues related to DMARC policy and enhance the deliverability of your emails.
Additional Information
Troubleshooting Email Delivery Failures due to DMARC