SPF Alignment

To achieve a passing SPF alignment, the From: header domain must match the domain used to authenticate SPF (e.g., envelope “mail from:” “return-path” domain).

Don’t really have a question, but maybe it should be clarified that the header.from and the sender domain don’t need to be exactly the same (unless aspf=s); one can be a subdomain of the other.

Oh, also - you did bring up the difference between from domain and sender domain in the webinar, but I think it would be a good idea to bring it up again. And again and again and again and really hammer it home. I daily deal with customers (their IT departments) who have set p=reject and wonder why DMARC fails even though they include our servers in their SPF post. …for their header.from domain. It can take many mails back and forth until they understand the difference between the rfc5321 sender and the rfc5322 from, and which one SPF applies to.


Thank you for this Jesper. All excellent points.

I didn’t want to get into the aspf tag until weeks 3-4. DMARC is where SPF alignment is the focus, not so much with just SPF verification alone. DMARC helps with allowing the alignment to be relaxed and use of subdomains with SPF and DKIM.

In the scenario here, if it is through a third party, does the visible From: need to have an SPF record or can it be no record?

Section 5 example 1
Examples of SPF alignment
visible From: [email protected]
Return-Path: [email protected]
DKIM-Signature d= news.mybrand.com
Alignment: Relaxed

M3AAWG Sending Domains Best Common Practices

Hello palooza,
Ideally you should have an SPF record for the visible from address, but as long as you have a valid DKIM key/record in place SPF isn’t required.

Josh
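Added example, not part of any post in this thread: a sketch of the DMARC identifier-alignment check discussed above, showing why an SPF pass on a third party's envelope domain does not align with the visible From:, how aspf relaxed and strict differ, and how an aligned DKIM signature alone carries DMARC. The function names, the small suffix set (standing in for the Public Suffix List) and all domains other than news.mybrand.com are constructed assumptions.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# Assumption: this tiny constructed set stands in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is not in the set

def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def dmarc_result(header_from, mail_from, spf_pass, dkim_d, dkim_pass,
                 aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM both passes and aligns with the RFC5322 From."""
    # SPF is evaluated on the RFC5321 MAIL FROM (return-path) domain,
    # so that is the domain compared against header.from.
    spf_ok = bool(spf_pass) and aligned(header_from, mail_from, aspf)
    dkim_ok = bool(dkim_pass) and dkim_d is not None and aligned(header_from, dkim_d, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    # Constructed cases; bounces.esp.example is a hypothetical third-party sender.
    cases = {
        "third party, SPF pass only": ("mybrand.com", "bounces.esp.example", True, None, False),
        "third party, aligned DKIM": ("mybrand.com", "bounces.esp.example", True, "news.mybrand.com", True),
        "own subdomain return-path": ("mybrand.com", "news.mybrand.com", True, None, False),
    }
    for name, args in cases.items():
        print(name, dmarc_result(*args), "| aspf=s:", dmarc_result(*args, aspf="s"))
```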

Thank you @jhenry. Then it is solely DKIM alignment? What are the positives and the negatives of this setup?