
I would like to have a DMARC Reject policy, but I'm having some issues making it pass. We use Google Apps/mail for our domain and use two third-party email providers who send e-mails as us. I'm trying to make one of them work for now and to understand the process so I can add the second easily.

I'd like to understand how to allow them to pass DMARC. Right now SPF and DKIM both pass (as per the DMARC report), but with a reject policy it stops with "fail-unaligned".

Trying to understand the details HERE, I believe I need to create a subdomain DNS record "email.mydomain.com" and set the From address in the third-party service to be "[email protected]". However, I'm unsure how I need to set up the DNS.

Do I need to create only a TXT record with SPF in it? Do I need to create a CNAME for email.mydomain.com?

I'm trying to be strict with the reject policy so I can learn how to keep things in control, so I would appreciate some tips.

1 Answer

Strict alignment means you need an exact domain match. The DKIM d= must be in the same domain name space as the visible (envelope) headers that indicate the From name.

Relaxed alignment enables you to have sub-domains.

A solution is to check your ESP documentation to see if you can just add a custom return path (bounce header) that points to the ESP's bounce header (bouncerzzzz.example.com). Note: you'd do this in your DNS.

Or you might have to just ask your ESP to sign your emails with a custom DKIM key. You'd publish the public key in your DNS. This is a fairly common approach.

I'd back off from the reject policy for a while, using "reporting" maybe for a month or two. It's good to make sure things are all working and you know who should be using your domains in email and who's using it for nefarious purposes. Get a lay of the land, then set to reject.
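To make the "fail-unaligned" result and the strict/relaxed distinction concrete, here is an added example (not code from the question or the answer) that models how a receiver evaluates DMARC identifier alignment. The domain names in the sample (`esp-example.net`, `mydomain.com`) are constructed, and the organizational-domain rule is simplified to "last two labels" instead of the Public Suffix List.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s'.
    Alignment tags default to relaxed ('r') when absent, per RFC 7489."""
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags

def org_domain(domain: str) -> str:
    # Simplified: last two labels. Real receivers use the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    if mode == "r":
        return org_domain(f) == org_domain(a)
    raise ValueError(f"unknown alignment mode {mode!r}")

def dmarc_result(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """DMARC passes when at least one authenticated identifier (the SPF
    Return-Path domain or the DKIM d= domain) aligns with the From domain."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    if spf_pass or dkim_pass:
        return "fail-unaligned"  # authenticated, but for a different domain
    return "fail"

if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; aspf=r; adkim=r"
    # ESP sends with its own Return-Path and DKIM domain: both pass, neither aligns.
    print(dmarc_result(rec, "mydomain.com", "bounce.esp-example.net", True,
                       "esp-example.net", True))  # fail-unaligned
    # Custom return path (CNAME email.mydomain.com -> ESP) aligns SPF in relaxed mode.
    print(dmarc_result(rec, "mydomain.com", "email.mydomain.com", True,
                       "esp-example.net", True))  # pass
    # Custom DKIM key signing with d=mydomain.com aligns even under strict adkim.
    print(dmarc_result("v=DMARC1; p=reject; adkim=s", "mydomain.com",
                       "bounce.esp-example.net", True, "mydomain.com", True))  # pass
```

Note that the custom return-path fix only helps under relaxed SPF alignment (`aspf=r`); with `aspf=s` the From domain would itself have to be `email.mydomain.com`, which is the subdomain approach the question describes.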