DMARC Trusted Sources
So you’re successfully receiving DMARC reports, but now you might be wondering what it all means. In particular, there’s a section labeled “Trusted Sources” that has quite a bit of data. There’s also an “Unknown” section that we’ll address in a separate help article. For now, we’re going to dig in and look at the variety of possible results you might see in your trusted sources. Everything under trusted sources will not be rejected or quarantined by your DMARC policy. Any email from a trusted source is effectively a pass even if it is only partially aligned and not fully aligned.
While it’s unlikely you’ll ever see a report with this wide of a variety of passing and failing scenarios for a single domain, it helps illustrate all of the possible scenarios you might see in a report. We’ll use this example and go through it column-by-column.
There are multiple ways that a given source can be classified as “trusted” according to your DMARC policy’s details. The important thing to understand is that for a source to be trusted only one of SPF or DKIM have to pass. If both pass, that’s great, but as long as one passes, then everything’s good.
In the above example, all of the IP addresses are considered trusted sources even though not all messages associated with the IP addresses were fully aligned. Let’s dive deeper into what each of these rows means and how the different circumstances arise.
Fully aligned (Both SPF & DKIM pass)
If a given source is fully aligned for all of the emails that it sends, you’ll see a green bar in the report like this one…
While this is the ideal case, it’s not the only acceptable case for a given source to be sending DMARC aligned messages. A source can also be partially aligned in one of several ways as long as each message passes either SPF or DKIM.
Partially aligned (Either SPF or DKIM pass)
If a source is partially aligned, then at least one of either the DKIM or SPF passed. In our example, there are multiple IP addresses that sent partially aligned messages. While the specifics of each IP address vary in our example, you can safely assume that all messages sent by those IP addresses were aligned with your DMARC policy and processed accordingly.
SPF fails but DKIM passes
The most common partial alignment scenario is that SPF fails but DKIM passes. When SPF fails, it’s most commonly due to email forwarding. For example, if you have an email account that is setup to automatically forward all email to another email address, the forwarded email will pass SPF when it’s received by the original email address, but it can fail SPF when it’s received by the secondary receiving email address if forwarding isn’t handled correctly by the original receiving email account. Since, these cases are outside of your control, it’s impossible to ensure that SPF will never fail.
In some cases, you might notice that SPF fails for an Email Service Provider such as Mailchimp or Campaign Monitor, even though you followed the instructions for SPF on their site. With DMARC, SPF alignment is more strict and requires the Return-Path domain (the one used to collect bounces) and the From domain to match. This is usually not possible since the ESP needs to collect bounce information to their own mail servers. In Postmark, we added custom return-path domains to solve this problem.
The good news is, as long as the forwarding service only modifies certain headers of the email, and the content of the message is left unmodified, DKIM will still pass for the email, and it will be partially aligned with DMARC and considered to pass. This is why it is important to use DKIM with an ESP as well.
DKIM fails but SPF passes
While less common, it’s also possible that DKIM can fail while SPF passes, but as long as SPF passes for these messages, then they’ll be considered as being aligned.
DMARC Fails (Neither SPF or DKIM pass)
Of course, not all messages pass DMARC, and for that, you should visit our guide on handling “Unknown” sources.