If a sending source identified by DMARCwise shows an SPF alignment percentage close to 0%, there are several possible reasons:
- Your DMARC record has strict alignment enabled.
- Custom Envelope From/Return-Path is not enabled on your email service provider.
- The failing emails have been forwarded by the source.
- Your sender domain is being spoofed by an attacker.
Let’s go through them one by one.
Strict alignment in your DMARC record
If your DMARC record contains aspf=s (strict alignment), check whether the Envelope From domain differs from your sender domain. With strict alignment the Envelope From domain must be identical to the From domain: merely sharing the organizational domain is not enough.
You can do that in the DMARCwise dashboard by choosing a source with SPF alignment issues and looking at the domain in the SPF column: if the SPF domain is a subdomain of your main domain, strict alignment will fail.
You have two options to fix this:
- Remove aspf=s (or set aspf=r) to switch to relaxed alignment, which is also the default when the tag is absent. In relaxed mode the two domains only need to share the same organizational domain, so an Envelope From on a subdomain such as bounce.example.com aligns with example.com and SPF alignment will pass.
- Ensure that the emails you send use an Envelope From domain identical to the From domain. This isn't always possible.
Learn more about SPF and alignment in Introduction to SPF.
Enabling custom “Return-Path” or “Envelope From”
Some email providers let you put your domain in the From header while the Envelope From uses a domain of the provider that is shared among many customers.
To achieve SPF alignment in DMARC, the Envelope From domain must align with your sender/From domain. In the shared case SPF itself may well pass, but it passes for the provider's domain, so the result doesn't count toward DMARC.
Learn more about how and why SPF works with the Envelope From domain and not the sender domain.
To fix this, check whether your provider supports a "custom Envelope From"; the feature is also called "custom Return-Path" or "custom MAIL FROM", and the three names are used interchangeably.
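The following is an added example, not DMARCwise's code or anything from the original page: it shows the alignment decision a DMARC verifier makes for the two cases above, the strict-alignment failure on a bounce subdomain and the provider's shared Return-Path that never aligns. The organizational-domain derivation is a deliberate simplification (last two labels, so wrong for suffixes such as co.uk; real verifiers use the Public Suffix List), and all domain names are placeholders.

```python
# Added example (not DMARCwise code): how a DMARC verifier decides SPF
# identifier alignment (RFC 7489 section 3.1.2) under aspf=r and aspf=s.
# organizational_domain() is a deliberate simplification that keeps the last
# two labels (example.com); it is wrong for public suffixes such as co.uk,
# where real verifiers consult the Public Suffix List.


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; aspf=s') into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spf_aligned(from_domain: str, spf_domain: str, aspf: str = "r") -> bool:
    """True if the SPF-authenticated domain aligns with the RFC5322.From domain.

    aspf="s": exact match only.
    aspf="r": same organizational domain, so a subdomain is fine.
    """
    f = from_domain.lower().rstrip(".")
    s = spf_domain.lower().rstrip(".")
    if aspf == "s":
        return f == s
    return organizational_domain(f) == organizational_domain(s)


def dmarc_spf_passes(from_domain: str, mail_from_domain: str, dmarc_txt: str,
                     spf_result: str = "pass", helo_domain: str = "") -> bool:
    """SPF counts toward DMARC only if SPF passed AND its domain aligns.

    mail_from_domain is the Envelope From (Return-Path) domain. For a null
    reverse-path (bounces, '<>') SPF evaluates the HELO/EHLO identity instead
    (RFC 7208 section 2.4), so that is the domain that has to align.
    """
    tags = parse_dmarc_record(dmarc_txt)
    aspf = tags.get("aspf", "r").lower()     # RFC 7489 default is relaxed
    spf_identity = mail_from_domain or helo_domain
    return spf_result == "pass" and spf_aligned(from_domain, spf_identity, aspf)


if __name__ == "__main__":
    # Constructed cases mirroring the situations described on this page.
    strict = "v=DMARC1; p=reject; aspf=s"
    relaxed = "v=DMARC1; p=reject"
    cases = [
        ("strict, subdomain bounce address", "example.com", "bounce.example.com", strict),
        ("relaxed, subdomain bounce address", "example.com", "bounce.example.com", relaxed),
        ("strict, identical domains", "example.com", "example.com", strict),
        ("provider's shared Return-Path", "example.com", "bounces.esp-provider.example", relaxed),
    ]
    for label, hdr_from, mail_from, record in cases:
        print(f"{label:38} -> SPF aligned for DMARC: "
              f"{dmarc_spf_passes(hdr_from, mail_from, record)}")
```

Note that the shared Return-Path case fails under both modes: bounces.esp-provider.example has a different organizational domain from example.com, so no DMARC record change fixes it, only a custom Return-Path on your own domain does.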
Email providers with partial or no support for SPF alignment
Some email providers have partial support for SPF alignment or don’t support it at all.
If you're unable to fix SPF alignment with a specific email provider, unfortunately you can't do much and you must rely solely on DKIM alignment to achieve DMARC alignment. That is sufficient, since DMARC passes when either SPF or DKIM is aligned, as long as DKIM is set up correctly with that provider.
Some providers that are not capable of sending SPF-aligned emails are Mailchimp and Brevo, while others, like HubSpot, charge a fee for it.
You can find practical information and instructions for the most popular email providers on DMARC.wiki, our directory of email providers and their DMARC compliance level.
Forwarded sources
If you don't recognize a sending source, or none of the options above apply, it's very likely that some or all emails from the source are the result of automated forwarding.
The reason is that DKIM alignment usually survives forwarding, because the signature travels with the message, while SPF fails: the forwarding server's IP is not authorized by your SPF record, or, if the forwarder rewrites the Envelope From, SPF passes for the forwarder's domain and therefore doesn't align.
You can safely ignore the authentication issues of forwarded emails: as long as DKIM alignment holds, they still pass DMARC. Mailing lists that modify the message body are the exception, since they can break the DKIM signature as well.
You can learn more on how SPF and forwarding work together in this article.
Domain spoofing
Finally, there's the case where none of the above applies.
For example, you may see emails sent with an Envelope From domain that isn't yours, from a source that isn't a forwarding destination you have set up either.
In this case, it usually means you've identified a spoofing source, and it's recommended to move to DMARC enforcement (p=quarantine or p=reject) so that these impersonation attempts are blocked.
When SPF alignment fails and an email spoofing attack is going on:
- You usually see DKIM or DKIM alignment fail as well, since the attacker cannot sign the messages with your DKIM private key.
- SPF itself may still pass (without aligning) if the attacker uses the same email provider as you, e.g. your email is hosted on Google Workspace and the attacker also sends through Google Workspace. A raw SPF pass therefore proves nothing on its own; only an aligned pass counts for DMARC.
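As an added example (not DMARCwise's code or part of the original page), here is the kind of triage the forwarding and spoofing sections above describe, applied to the raw material a dashboard works from: the records of a DMARC aggregate (RUA) report. The report is constructed to follow the RFC 7489 Appendix C layout; example.com, the provider and attacker domains and the documentation-range IPs are placeholders. The classifier combines the receiver's alignment verdict (policy_evaluated) with the raw SPF result and domain (auth_results) to separate the four causes this page lists.

```python
# Added example (not DMARCwise code): triage the <record> entries of a DMARC
# aggregate (RUA) report into the failure classes discussed on this page.
# The report below is constructed to resemble the RFC 7489 Appendix C schema;
# example.com, the provider/attacker domains and the IPs are placeholders.
import xml.etree.ElementTree as ET
from collections import Counter


def _record(ip, count, dkim_pol, spf_pol, spf_domain, spf_raw, dkim_raw="pass"):
    """Build one constructed <record> element as a receiver would report it."""
    return (
        f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
        f"<policy_evaluated><disposition>none</disposition>"
        f"<dkim>{dkim_pol}</dkim><spf>{spf_pol}</spf></policy_evaluated></row>"
        f"<identifiers><header_from>example.com</header_from></identifiers>"
        f"<auth_results><dkim><domain>example.com</domain><result>{dkim_raw}</result></dkim>"
        f"<spf><domain>{spf_domain}</domain><result>{spf_raw}</result></spf>"
        f"</auth_results></record>"
    )


SAMPLE_RUA = (
    '<?xml version="1.0"?><feedback>'
    "<report_metadata><org_name>receiver.example</org_name>"
    "<report_id>constructed-1</report_id></report_metadata>"
    "<policy_published><domain>example.com</domain><aspf>s</aspf><p>none</p></policy_published>"
    # Own mail server: both identifiers aligned.
    + _record("203.0.113.10", 120, "pass", "pass", "example.com", "pass")
    # Bounce subdomain as Return-Path: SPF passes, but aspf=s rejects the subdomain.
    + _record("203.0.113.25", 40, "pass", "fail", "bounce.example.com", "pass")
    # ESP with a shared Return-Path: SPF passes for the provider's domain only.
    + _record("198.51.100.20", 300, "pass", "fail", "mail.esp-provider.example", "pass")
    # Forwarder: Envelope From kept, but its IP is not in example.com's SPF record.
    + _record("192.0.2.30", 7, "pass", "fail", "example.com", "fail")
    # Unknown host: its own Envelope From domain, no valid DKIM signature.
    + _record("192.0.2.99", 55, "fail", "fail", "attacker.example", "pass", dkim_raw="fail")
    + "</feedback>"
)


def classify(header_from, aspf, dkim_aligned, spf_aligned, spf_raw, spf_domain):
    """Map a record's evaluated and raw results to the likely cause."""
    if spf_aligned:
        return "aligned" if dkim_aligned else "dkim-issue"
    if dkim_aligned:
        if spf_raw == "pass":
            # SPF passed for some domain, yet the receiver reported it unaligned.
            if aspf == "s" and spf_domain.endswith("." + header_from):
                return "strict-alignment"      # subdomain Return-Path under aspf=s
            return "shared-return-path"        # provider domain: enable custom MAIL FROM
        return "likely-forwarding"             # DKIM survived, SPF broke
    return "likely-spoofing"                   # neither identifier aligned


def triage(xml_text):
    """Return one dict per <record> with its source IP, volume and class."""
    root = ET.fromstring(xml_text)
    published = (root.findtext("policy_published/domain") or "").lower()
    aspf = (root.findtext("policy_published/aspf") or "r").lower()
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        header_from = (rec.findtext("identifiers/header_from") or published).lower()
        spf = rec.find("auth_results/spf")
        spf_raw = spf.findtext("result", "none") if spf is not None else "none"
        spf_domain = (spf.findtext("domain", "") if spf is not None else "").lower()
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count", "0")),
            "class": classify(header_from, aspf,
                              pe.findtext("dkim") == "pass",
                              pe.findtext("spf") == "pass",
                              spf_raw, spf_domain),
        })
    return rows


def summarize(rows):
    """Message volume per class, the view a dashboard aggregates over many reports."""
    totals = Counter()
    for r in rows:
        totals[r["class"]] += r["count"]
    return dict(totals)


if __name__ == "__main__":
    rows = triage(SAMPLE_RUA)
    for r in rows:
        print(f"{r['ip']:15} {r['count']:5} {r['class']}")
    print(summarize(rows))
```

The last record is the spoofing pattern from the bullets above: the raw SPF result is a pass (the attacker's own domain authorizes the sending host) while both DMARC identifiers fail. The forwarding record is distinguishable because the Envelope From domain is still yours and only the raw SPF result failed, which is exactly what a forwarder that preserves the original MAIL FROM produces.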