So you decided to implement a stricter DMARC policy to protect yourself from a recent spoofing attack. Great job! But upon review of your non-compliant mail sources, you realize that one of them is an authorized vendor that is not DMARC-compliant. What do you do?
One of the more important details to understand during the DMARC setup process is identifier alignment; alignment failures are a common reason a mail source shows up as non-compliant. Before we get into the alignment discussion, we need to understand which domains are checked during a DMARC evaluation.
For mail to authenticate successfully with DMARC, either the DKIM signature or the SPF check needs to pass. Under monitoring mode (p=none) a failure carries no enforcement consequence, so that is often as far as people look. But once you move to a stricter policy (p=quarantine or p=reject), you also need to ensure that the domains involved align, i.e. match each other, because mail that fails will now actually be quarantined or rejected.
For email to be considered DMARC compliant, the policy domain (the Header.From, i.e. RFC5322.From, domain) must match either the SPF-authenticated domain (the envelope MAIL FROM / Return-Path domain) or the DKIM signing domain (the d= tag in the signature). This is called identifier alignment. Alignment can be evaluated in either strict mode (an exact match) or relaxed mode (a match of the organizational domain).
Coming back to the original question, you have a few options when sending from third-party sources.
There might be a scenario in which the vendor is not capable of DKIM-signing your email. In that case, create a subdomain specifically for these email flows. Publishing a p=none policy on that subdomain lets you keep monitoring the non-compliant email, while your primary domain can publish a p=reject policy without blocking it.
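The alignment rules above, and the subdomain scenario, as an added example (not the page's own code): a small checker that decides whether SPF or DKIM aligns with the Header.From domain in strict or relaxed mode. The PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List, and all domains and results are constructed sample values.

```python
# Added example (not the page's own code): evaluate DMARC identifier alignment
# for one message. PUBLIC_SUFFIXES is a constructed subset standing in for the
# real Public Suffix List that DMARC evaluators use for the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: the longest known public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)  # unknown suffix or bare suffix: use as-is


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (organizational domain match)."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_result(header_from, spf_domain, spf_pass, dkim_domain, dkim_pass,
                 aspf="r", adkim="r") -> dict:
    """DMARC passes only if SPF or DKIM both passed AND aligns with Header.From."""
    spf_ok = spf_pass and aligned(header_from, spf_domain, aspf)
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Constructed scenario 1: the vendor authenticates only its own domain. SPF and
    # DKIM both pass, but neither identifier aligns with Header.From -> DMARC fail.
    print(dmarc_result("example.com", "bounce.vendor-esp.net", True, "vendor-esp.net", True))
    # Constructed scenario 2: mail goes out from a dedicated subdomain and the vendor
    # uses a Return-Path under it; no DKIM. Relaxed SPF alignment passes, strict does not.
    print(dmarc_result("news.example.com", "bounce.news.example.com", True, "vendor-esp.net", False))
    print(dmarc_result("news.example.com", "bounce.news.example.com", True, "vendor-esp.net", False, aspf="s"))
```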
You might be feeling a little overwhelmed at this point, but that’s totally ok. That’s why we’re here! Reach out to us and we’ll help you figure out what’s going right, what’s gone left, and how to get your DMARC into tip-top shape!