dnsspfgoogle-workspacepostmarkdmarc

DMARC/SPF configuration error


I have a domain registered at domains.google.com that I use with a G Suite account and also to send email from SES and mailchimp.

My DNS records look correct to me (Mailchimp instructions):

@ TXT "v=spf1 include:_spf.google.com include:amazonses.com include:servers.mcsv.net ~all"

_dmarc TXT "v=DMARC1; p=none; pct=100; rua=mailto:re+aml1ryadtn7@dmarc.postmarkapp.com; sp=none; aspf=r;"

I use postmark's nifty service to get a weekly DMARC digest, and they report this error for mailchimp emails:

mcsv.net is authorized to send on behalf of mydomain.com, however it looks like SPF is still failing DMARC’s alignment test. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. If the Return-Path path doesn’t match your From address, those messages will fail DMARC’s SPF alignment test. Check with this source because you may need to set up a custom Return-Path.

Here are relevant headers from a mailchimp email:

Return-Path: <bounce-mc.us17_88978185.265251-recipient=patentbots.com@mail125.suw11.mcdlv.net>
From: me@mydomain.com

Do I have an error in setup (either DNS or Mailchimp) that causes SPF DMARC alignment to fail? Or is this something that isn't supported by Mailchimp?


Solution

  • Mailchimp does not support SPF as it uses its own domain in the bounce address. Their domain authentication verification tool requires including Mailchimp, though. Mailchimp always fails DMARC's SPF alignment test because the Return-Path path doesn’t match the From address. MailChimp doesn't support custom Return-Path (even though Mandrill, which is owned by Mailchimp, does). This makes it impossible to be 100% SPF-compliant under DMARC rules with Mailchimp.