email mandrill spf return-path

SPF alignment with subdomains


I'm trying to set up a Return-path for Mandrill emails. This is what I currently have:

From: hello@info.example.com
Return-path: bounce-mc.us3_25014995.932533-27c52c08ee@mail52.suw11.mcdlv.net

and I'm wondering how to set up the Return-path header. Would it pass the SPF alignment if the Return-path would be the following:

From: hello@info.example.com
Return-path: hello@bounce.example.com

?

I've found this: https://mxtoolbox.com/dmarc/spf/spf-alignment which mentions a couple of examples of SPF alignment, but I can't find anywhere in the SPF standard whether, if I have subdomains in both the From and the Return-path, they would align based just on the top-level example.com domain.

I'm unfortunately not able to set up the Return-path to match the From like so:

From: hello@info.example.com
Return-path: hello@info.example.com

as I can't create a CNAME record for info.example.com because I already have an MX record for this subdomain to route incoming emails to G Suite (see this issue: https://support.google.com/a/forum/AAAA034zvV85E_AluPsqD8/?hl=en&gpf=%23!msg%2FApps%2F5E_AluPsqD8%2F0x_O1tqmAwAJ&msgid=0x_O1tqmAwAJ).


Solution

  • As a sender, you don't set a return path. That's the job of the receiving server. As RFC5321 says:

    A message-originating SMTP system SHOULD NOT send a message that already contains a Return-path header field. SMTP servers performing a relay function MUST NOT inspect the message data, and especially not to the extent needed to determine if Return-path header fields are present. SMTP servers making final delivery MAY remove Return-path header fields before adding their own.

    The envelope sender is what's used in the MAIL FROM SMTP command, and that's what SPF checks. SPF does not look at what's in the From address header – one of its weaknesses – but fortunately exactly what DMARC is designed to (ahem) address. That MX Toolbox article is misleading because it categorises this alignment as an SPF feature when it's a DMARC one, which is why you're not finding it in the SPF spec.

    If Mandrill is expected to handle your bounces while maintaining DMARC (relaxed) alignment, I would expect your envelope sender to be something like:

    bounce-mc.us3_25014995.932533-27c52c08ee@mandrill.example.com
    

    and then you'd have a CNAME in your domain's DNS pointing it at Mandrill:

    mandrill CNAME mail52.suw11.mcdlv.net
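
The alignment rule discussed above, as an added example that is not part of the original question or answer: it compares the header From domain with the envelope sender (MAIL FROM) domain under DMARC's strict and relaxed modes, and goes slightly beyond the thread by also covering the null reverse-path case. `PUBLIC_SUFFIXES` is a constructed stand-in for the Public Suffix List, and the function names are illustrative; the check covers alignment only, so SPF itself must still pass for the envelope domain.

```python
"""DMARC SPF identifier alignment (RFC 7489, section 3.1.2)."""
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; production code loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def domain_of(address: str) -> str:
    """Lower-cased domain of 'user@host' or 'Name <user@host>'; '' for the null path '<>'."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower().rstrip(".")


def organizational_domain(domain: str) -> str:
    """Longest matching public suffix plus the one label to its left."""
    labels = domain.split(".")
    for i in range(len(labels)):  # i = 0 tests the longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain  # suffix not in the list: fall back to the name itself


def spf_alignment(header_from: str, mail_from: str, helo: str = "") -> str:
    """Return 'strict' (exact match, also satisfies relaxed), 'relaxed' or 'none'."""
    from_domain = domain_of(header_from)
    # With a null reverse-path (bounces) SPF checks the HELO name instead (RFC 7208, 2.4).
    spf_domain = domain_of(mail_from) or helo.lower().rstrip(".")
    if not from_domain or not spf_domain:
        return "none"
    if from_domain == spf_domain:
        return "strict"
    if organizational_domain(from_domain) == organizational_domain(spf_domain):
        return "relaxed"
    return "none"


if __name__ == "__main__":
    header_from = "hello@info.example.com"
    for envelope in (
        "bounce-mc.us3_25014995.932533-27c52c08ee@mail52.suw11.mcdlv.net",
        "hello@bounce.example.com",
        "hello@info.example.com",
        "bounce-mc.us3_25014995.932533-27c52c08ee@mandrill.example.com",
    ):
        print(f"{envelope:70} {spf_alignment(header_from, envelope)}")
```

A result of `relaxed` satisfies a DMARC policy with `aspf=r` (the default) but not one with `aspf=s`.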