Issue
To troubleshoot emails that failed due to DMARC policy when sending through Twilio SendGrid with your own domain, it's important to understand the SPF Identifier Alignment (aspf) and DKIM Identifier Alignment.
Product
Cause
SPF Identifier Alignment (aspf) compares the domain in the "FROM" address with the domain in the "return-path (envelope sender)" to determine alignment. There are two modes for SPF Identifier Alignment: relaxed and strict. Relaxed mode allows flexibility in matching addresses, while strict mode requires an exact match.
DKIM Identifier Alignment compares the "FROM" address with the "d=" tag in the domain signature for DKIM. Like SPF, DKIM Alignment can be set to relaxed or strict.
In order for DMARC to pass, either SPF, DKIM, or both must align. Alignments can be specified as strict (s) or relaxed (r).
When sending through Twilio SendGrid with your own domain, emails may not be delivered due to the domain's DMARC policy. This is often affected by whether the SPF Identifier Alignment (aspf) is set to relaxed or strict.
SPF Identifier Alignment (aspf) is like a security measure for emails. Imagine emails have addresses just like letters. Sometimes, people pretend to send emails from a real address, but it's actually fake. SPF aspf checks if the email address matches the official one.
There are two modes:
- Relaxed mode: This mode allows a bit of flexibility. It says, "If the email address is almost the same as the official one, it's probably okay."
- Strict mode: This mode is more serious. It says, "The email address must be exactly the same as the official one, no exceptions."
Here are some response examples you'll see within your Blocks suppression list:
521 5.2.1 : (DMARC) This message failed DMARC Evaluation and is being refused due to provided DMARC Policy
550 5.7.1 Unauthenticated email from domain.tld is not accepted due to domain's DMARC policy. Please contact administrator of domain.tld domain if this was a legitimate mail. Please visit https://support.google.com/mail/answer/2451690 to learn about DMARC initiative. 62si14044909itw.103 - gsmtp
When customers authenticate their domain within Sender Authentication without altering any Advanced Settings, Twilio SendGrid is allowed to overwrite the return-path of the emails for tracking purposes. The return-path will look like this:
Return-Path: <bounces+1XXXXXX2-2cc8-recipient=recipient_domain.com@em1XX3.example.com>
Depending on your domain's DMARC policy or the from address that is used, this can cause delivery issues related to your domain's DMARC policy.
Resolution
Below are some solutions we recommend.
Solution 1: Set the aspf to relaxed
If the aspf tag within the DMARC policy is set to strict, the return-path will be misaligned with the from domain that is sending the email because of the subdomain em1XX3. However, if the aspf tag is set to relaxed, the misalignment will not prevent the email from being delivered.
Solution 2: Send with a subdomain
If the from address you're sending with includes a subdomain, then you will want to utilize the Custom Return Path feature within Advanced Settings when authenticating the domain. This will allow you to edit the CNAME record so that em1XX3 is replaced with a subdomain of your choosing. You'll want to use this feature to ensure that the subdomain that replaces em1XX3 matches the subdomain that is in the from address. As a result, the subdomain (which now matches the from address) will be included in the return path of the email sent through Twilio SendGrid.
Solution 3: Enable Preserve Sender
If the DMARC policy can’t be altered for your domain or if you’re unable to send with a subdomain within the from address that matches what is configured within the Custom Return Path feature, then you’ll need to reach out to our support team to enable the Preserve Sender setting. When enabled, this setting will prevent our system from overwriting the return path so that it stays the same as the from address. The drawback of this solution is that our system will be unable to log your bounces and spam reports and will subsequently not suppress future attempts to send to these recipients.
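The alignment outcome of each of the three solutions can be checked with a short script. This is an added example, not Twilio SendGrid code: it evaluates only identifier alignment (not whether SPF itself passes), the helper names are hypothetical, and the small PUBLIC_SUFFIXES set is an assumed stand-in for the full Public Suffix List that receivers use to find the organizational domain.

```python
# Added example: DMARC SPF identifier alignment (aspf) for the three solutions above.
# Assumption: tiny stand-in for the Public Suffix List; real receivers use the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def domain_of(address):
    """Domain part of a bare address or a '<local@domain>' header value."""
    return address.rpartition("@")[2].strip(" <>\t").lower().rstrip(".")

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain  # suffix not in the sample list: compare the name as-is

def parse_dmarc(record):
    """Split a DMARC TXT record into tags; aspf and adkim default to relaxed (r)."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def spf_aligned(header_from, return_path, dmarc_record):
    """True when the Return-Path domain aligns with the From domain under aspf."""
    from_dom, rp_dom = domain_of(header_from), domain_of(return_path)
    if parse_dmarc(dmarc_record)["aspf"] == "s":
        return from_dom == rp_dom                      # strict: exact match
    return org_domain(from_dom) == org_domain(rp_dom)  # relaxed: same org domain

# Return-Path shape is the article's; From addresses and DMARC records are constructed.
RP = "<bounces+1XXXXXX2-2cc8-recipient=recipient_domain.com@{}>"
STRICT, RELAXED = "v=DMARC1; p=reject; aspf=s", "v=DMARC1; p=reject; aspf=r"
CASES = [
    ("default return path, aspf=s", "sender@example.com", RP.format("em1XX3.example.com"), STRICT),
    ("solution 1: aspf=r", "sender@example.com", RP.format("em1XX3.example.com"), RELAXED),
    ("solution 2: matching subdomain", "sender@news.example.com", RP.format("news.example.com"), STRICT),
    ("solution 3: preserve sender", "sender@example.com", "<sender@example.com>", STRICT),
    ("no aspf tag (defaults to relaxed)", "sender@example.com", RP.format("em1XX3.example.com"), "v=DMARC1; p=reject"),
]

def run_cases():
    return {name: spf_aligned(frm, rp, rec) for name, frm, rp, rec in CASES}

if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name:36} {'aligned' if ok else 'NOT aligned'}")
```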
Adjusting your DMARC policy (p=none, p=quarantine, p=reject) can also impact how receivers handle email from your domain. Setting the policy to quarantine or reject can help control how unqualified emails are processed by recipients.
By understanding SPF and DKIM Identifier Alignments, adjusting DMARC policies, and utilizing SendGrid features effectively, you can optimize email deliverability and ensure your domain's emails meet DMARC requirements.
Additionally, it is important to note that implementing SendGrid Expert Services can help ensure that your account is optimized and set up for success as your email program continues to grow. By following these recommendations and utilizing the tools provided by SendGrid, you can address issues related to DMARC policy and enhance the deliverability of your emails.
Additional Information
Troubleshooting Email Delivery Failures due to DMARC