infusionmail.com is authorized to send on behalf of my domain, however, it looks like SPF is still failing DMARC’s alignment test. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. If the Return-Path path doesn’t match the From address, those messages will fail DMARC’s SPF alignment test.
Anyone had this issue? IS standard reply is that it is my problem but after 30 minutes of re-education they understand the problem and have informed me that the return path cannot be adjusted. This is not being prioritised as an issue because chat support is giving misguided advice i.e. “go speak with your provider”. All of the online tests for DMARC and SPF for my domain have passed but it looks like some do not test for the return path. It is very confusing but I would like to eliminate it as a possible cause of email rejection.
Everyone we’ve setup with DKIM/SPF/DMARC have not had any issues so if you can provide the domain name in question I might be able to at least spot anything from the server records they are tied to.
So I can’t check DKIM at the moment (it works differently than through public records like SPF/DMARC) but this is what any ESP will see when they check incoming emails from your domain name:
I’m not certain that the email format in your DMARC record is supported (with the + sign for formatting)…just something to check. p=none is fine which essentially just makes sure that the dmarc record exists in case an ESP requires it’s presence to continue accepting emails…that’s not at all uncommon.
I see you are also using mailgun and google… we have a client that has the exact same details (mailgun, google and Infusionsoft). We’ve found that using that many (but especially mailgun) has been causing them deliverability issues. Particularly in their case, however, mailgun incorrectly reported hard bounces to about 20% of their list even though Infusionsoft sent to their list and hit the inbox as well, in all but three of the “bounced” emails from mailgun. This affected their domain reputation to boot. You may also be reaching your DNS reverse lookup limit (which is normally 10 for most ESP services). You have no less than 8 at the moment but could be more depending on your other server record setup.
Also, as you’ve indicated you’re reporting from Postmark, can you verify that you’ve configured your txt/cname records for them as well? Just want to be sure where the results originate from and rule out that they are informing you that they are not setup correctly?
Thank you for the feedback regarding the DNS lookup. I will investigate. Are the lookups the TXT entries?
Without going too far off topic, my main concern is that the emails may be failing because the Return-Path path doesn’t match the From address. This is causing the SPF record to fail in the Postmarc report. I have no clue as to whether this “Fail” is a concern or not for email deliverability?
they are failing SPF alignment . The domain used in the “MAIL FROM” portion of the SMTP transaction is “infusionmail.com”. The domain used in the “From:” header of the email is “themarkofmastery.com”. Therefore, even though SPF passes (infusionmail.com authorizes IP addresses within the 35.227.130.0/24 range), it fails DMARC’s alignment requirements.
DMARC requires that either SPF or DMARC passes and is aligned, not both. Infusionsoft is DMARC-compliant through the use of DKIM, which does pass alignment (as shown in your DMARC report). We will not pass DMARC’s SPF alignment test since we do not use your domain as the sending domain during the “MAIL FROM” portion of the SMTP transaction. This is intentional - the “MAIL FROM” email address is also the “Return-Path” address where bounce notifications are sent, which allows us to remove invalid email addresses from your list to preserve your (and our) deliverability.
Glad you found the details, @JustinHandley. I was about to respond with the same (saved me some typing lol). Yes, the return path alignment is actually a very important and effective approach to improving inbox placement. DMARC is actually a kind of “fall back” to ensure that one or the other of DKIM/SPF are being used and pass. HOWEVER, coming soon, MS servers will be implementing BIMI and that will require DMARC to be active (ie domain/subdomains cannot =none and must use either quarantine or reject. If they don’t then exchange/microsoft mail servers will not allow inbox placement).
Some information on that one:
To further things, if MS is successful, then it will likely be adopted by others like Google etc.
Return path is it’s own entity. You can’t do anything in Infusionsoft but you can work with return path based on the domain name of the sender email address.
