We're in the midst of a project to make all of our mail sources, including third parties that send on our behalf, DMARC compliant. We've run into a snag, namely an entire data center full of servers that send mail (usually just status updates or errors). If the mail's From address is <user@hostname.domain.tld>, and we have many of them, and new ones are added almost weekly, then how do we get these compliant?
My understanding of DKIM and SPF is that we'd need a DNS entry per host, because the receiving mail server checks those records based on the FQDN of the From address.
Is there a reasonable way to keep using <user@hostname.domain.tld> as the from addresses and still make these 200+ (and changing) servers DMARC compliant?
Yes, this is what DMARC's "relaxed" mode is for. You can set that for both SPF and DKIM matching by adding these elements to your DMARC record:
aspf=r; adkim=r
However, this is the default behaviour, so you don't actually need to add them at all!
In this mode, a message from user@hostname.domain.tld would be a relaxed match for domain.tld.
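The alignment rule the answer describes, worked through in code. This is an added example, not part of the question or answer above: it parses a DMARC record's aspf/adkim tags (falling back to the relaxed default when they are absent), derives a simplified organizational domain, and checks whether an SPF- or DKIM-authenticated domain aligns with the From: domain in strict or relaxed mode. The organizational-domain helper is an assumption for illustration (it keeps the last two labels); real DMARC implementations consult the Public Suffix List. The hostnames and record contents are constructed from the question's scenario.

```python
"""DMARC identifier alignment, worked through for the per-host From: case.

Added example, not from the original question or answer. The organizational
domain logic below is a simplification (assumption): it keeps the last two
labels, whereas real DMARC implementations consult the Public Suffix List.
"""
from typing import Optional

# Tags DMARC treats as present with these values when a record omits them.
DEFAULT_TAGS = {"aspf": "r", "adkim": "r"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; aspf=s") into a tag dict.

    Tags absent from the record are filled from DEFAULT_TAGS, which is why
    "aspf=r; adkim=r" need not be written out explicitly.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    for key, default in DEFAULT_TAGS.items():
        tags.setdefault(key, default)
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment as DMARC defines it.

    strict ("s"):  the authenticated domain must equal the From: domain exactly.
    relaxed ("r"): the two organizational domains must match.
    """
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    if mode == "r":
        return org_domain(from_domain) == org_domain(auth_domain)
    raise ValueError(f"unknown alignment mode {mode!r}")


def dmarc_pass(record: str, from_domain: str,
               spf_domain: Optional[str], dkim_domain: Optional[str]) -> dict:
    """Evaluate DMARC for one message.

    spf_domain:  the RFC5321.MailFrom domain that passed SPF, or None if SPF
                 did not pass.
    dkim_domain: the d= of a DKIM signature that verified, or None if none did.
    DMARC passes if either authenticated identifier aligns with the From: domain.
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Constructed scenario from the question: From: user@hostname.domain.tld,
    # DKIM-signed with one domain-wide key (d=domain.tld), no SPF pass.
    record = "v=DMARC1; p=reject"  # aspf/adkim omitted -> relaxed by default
    print(dmarc_pass(record, "hostname.domain.tld", None, "domain.tld"))
    # The same message under strict DKIM alignment fails.
    strict = "v=DMARC1; p=reject; adkim=s"
    print(dmarc_pass(strict, "hostname.domain.tld", None, "domain.tld"))
```

Two practical points fall out of running this. First, SPF itself is evaluated against the RFC5321.MailFrom domain, so if each host also uses hostname.domain.tld as its envelope sender, every host still needs its own SPF record (or a shared envelope sender such as bounces@domain.tld) before SPF alignment can help; relaxed alignment only changes how the authenticated domain is compared with the From: domain, not which domain gets looked up. Second, a single DKIM key published at domain.tld and used by every host (d=domain.tld) aligns with any hostname.domain.tld From: address under relaxed mode, which is the smaller operational change for a fleet that grows weekly.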