
I use Google Apps for Work. Let's say I have:

primarydomain.com

And another alias domain:

aliasdomain.com

As long as I send emails from the primary domain, both SPF and DKIM are perfectly aligned.

However, when I send emails from the alias domain, SPF fails to align, for the valid reason that it is actually primarydomain.com that is sending the emails.

Is there any way to align SPF for alias domain?

Bubba Yakoza

3 Answers


Use the redirect modifier to "replace" the SPF record for the alias domain with that of the primary domain.

Thus, the SPF record for aliasdomain.com ends up looking like this:

v=spf1 redirect=primarydomain.com

Note that no `all` mechanism is required; the final clause of the primarydomain.com record will apply.

Caesar
Mathias R. Jessen
  • Hi! Thanks for your very useful reply. I added the modifier to alias domain's DNS and SPF is reported as pass on yahoo, gmail, aol and hotmail servers. However, when I checked SPF record at http://www.kitterman.com/ I get following message: "evaluating... Results - Redirected to another SPF record. Processed without error using pySPF (Python SPF library)! The result of the test (this should be the default result of your record) was, softfail . The explanation returned was, domain owner discourages use of this host". Could you please explain it? – Bubba Yakoza Sep 24 '16 at 17:33
  • I see no SPF checking tool on kitterman.com ? – Mathias R. Jessen Sep 24 '16 at 17:34
  • Please check this: http://www.kitterman.com/spf/validate.html? – Bubba Yakoza Sep 24 '16 at 17:35
  • Right, but I don't know your domain, mail from address and sending host. If yahoo, gmail, aol and hotmail now process SPF successfully, it sounds more like it worked but you are using the tool incorrectly – Mathias R. Jessen Sep 24 '16 at 17:37
  • One more thing. If i want to authenticate one extra mail server in SPF record for alias domain, how would I do that in addition to redirect modifier? – Bubba Yakoza Sep 24 '16 at 17:42
  • Add any additional mechanism *before* the redirect (eg. `v=spf1 mx redirect=primarydomain.com`) – Mathias R. Jessen Sep 24 '16 at 17:57
  • I have not yet given it a try, but wouldn't it duplicate v=spf1 ??? – Bubba Yakoza Sep 24 '16 at 18:00
  • Do you think this would be a valid record? v=spf1 include:servers.mcsv.net redirect=primarydomain.com – Bubba Yakoza Sep 24 '16 at 18:04
  • I'm using the free version of Gmail and send emails from other domains that I own, would the primary domain be google.com? – morktron Aug 19 '19 at 06:27
  • I found this answer on Google's forum (well, an official answer that a user cared to share on that forum) from May 2019, that says while SPF redirect "might" work, they don't officially support it, so they discourage this solution, and they say misalignment of a domain alias should not cause any mail delivery issues. Source: https://support.google.com/a/thread/6821943?msgid=7023731 (ah, I see now there's another answer here that references this article.) Has anyone been using SPF redirect in this scenario with no issues? – jotadepicas Oct 20 '19 at 15:56
  • This DOESN'T WORK - The ALIAS DOMAIN's SPF is NEVER looked up. See my answer below. – Jonathan Feb 11 '20 at 20:02
  • @Jonathan it looks like your answer only works for people using gsuite. What about those of us using the free version of gmail like @morktron? – williamcodes Sep 25 '20 at 17:10
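As an added illustration (not part of the answer or the comments above), here is a small SPF evaluator in Python that implements the subset of RFC 7208 discussed in this answer (ip4, include, all and the redirect= modifier) over a constructed in-memory DNS table. The records, domain names and IP ranges are made up for the example. It shows that an alias record of v=spf1 redirect=primarydomain.com evaluates exactly as the primary domain's record would, that mechanisms placed before redirect= (the include:servers.mcsv.net case from the comments) are consumed first, and why a checker run from a host that is not one of the permitted senders returns softfail: that is simply the ~all at the end of the record the redirect leads to.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over a constructed DNS table.
Added example, not from the original thread; every record, domain and
IP range below is invented. Supports ip4, include, all and redirect=
(no mx/a/exists/ptr and no macros)."""
import ipaddress

# Constructed TXT records (assumption: illustrative only, not real DNS data).
DNS_TXT = {
    "primarydomain.com": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 ~all",
    "servers.mcsv.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    # The two alias-domain records discussed in the answer and its comments.
    "aliasdomain.com": "v=spf1 redirect=primarydomain.com",
    "alias2.example": "v=spf1 include:servers.mcsv.net redirect=primarydomain.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms


def check_host(ip, domain, lookups=None):
    """Return the SPF result for `ip` sending with envelope-from `domain`."""
    if lookups is None:
        lookups = [0]  # shared counter across include/redirect recursion
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            # A modifier: only acted on after every mechanism has been tried.
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            # include matches only if the referenced record yields "pass".
            if check_host(ip, arg, lookups) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
    if redirect is not None:
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        result = check_host(ip, redirect, lookups)
        # RFC 7208 section 6.1: a redirect target with no record is a permerror.
        return "permerror" if result == "none" else result
    return "neutral"  # nothing matched and no redirect: the RFC default


if __name__ == "__main__":
    for ip, domain in [("203.0.113.5", "aliasdomain.com"),   # Google range via redirect
                       ("192.0.2.7", "aliasdomain.com"),     # not permitted: ~all => softfail
                       ("192.0.2.7", "alias2.example"),      # matched by include before redirect
                       ("203.0.113.5", "alias2.example")]:   # falls through to redirect
        print(f"{ip:>13} {domain:<18} {check_host(ip, domain)}")
```

Running the block prints pass, softfail, pass, pass for the four cases. The second line is the result the kitterman validator reported in the comments: a test host outside the permitted ranges walks the redirect, matches nothing, and ends on the primary record's ~all.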

DMARC does NOT require SPF alignment!

Again, DMARC does NOT require SPF alignment!

From the DMARC RFC, RFC 7489:

Identifier Alignment: When the domain in the RFC5322.From address matches a domain validated by SPF or DKIM (or both), it has Identifier Alignment.

(For reference, the RFC5322.From address is the actual "from" address that the email client shows a user.)

All you need is DKIM for DMARC to work

Once you set up DKIM with G Suite, you don't need to worry about the SPF on domain aliases.

Summary

Go to G Suite, set up DKIM for all of your domains, add your DMARC DNS records to all of your domains, and that's it.

Read More

For a pretty picture of the whole thing and a complete description that actually makes sense, please see Ivan Kovachev's excellent writeup - All you need to know about SPF, DKIM and DMARC

P.S. What about the "redirect=" modifier?

It makes no difference if you add this. It's never read or used. It adds an extra hop (alias.domain -> primary.domain -> _spf.google.com).

Why? The recipient email server only checks SPF for the address in the return-path. When Gsuite sends email from a domain alias, it uses the primary domain in the return-path. Therefore, the recipient email server only checks the SPF record for the primary domain. It never looks at the domain alias's SPF record.

Do you need an SPF record on the domain alias?

Yes. It will protect your alias from abuse. It won't affect DMARC or mail delivery.

Jonathan
  • Technically this appears to be correct. However, in practice, who knows what mail servers are going to implement and how mail providers are going to treat a return-path that does not match the sender domain. Adding `redirect=` has certainly aided in mail delivery on a couple of domains I admin, so give it a go if you're still having deliverability challenges and see if it helps. – smcstewart Jul 07 '22 at 17:35
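To make the alignment rule concrete, here is an added Python example (not the answerer's code) that implements DMARC identifier alignment from RFC 7489 section 3.1 over constructed authentication results, plus a small parser for the adkim/aspf tags of a DMARC record. The organizational-domain helper is a deliberate simplification that takes the last two labels; a real implementation consults the Public Suffix List. The first scenario mirrors this thread: From: is the alias domain, the Return-Path that SPF checks is the primary domain, and DKIM signs with d= set to the alias domain.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1) as a small checker.
Added example, not from the original thread. Domains and results are
constructed; org_domain() is a simplification standing in for the
Public Suffix List (assumption, see docstring)."""


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; adkim/aspf default to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption: real implementations use the Public Suffix List, without
    which e.g. example.co.uk would be cut down to co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """True if `auth_domain` aligns with the RFC5322.From domain under
    strict ('s', exact match) or relaxed ('r', same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, spf=None, dkim=(), adkim="r", aspf="r"):
    """
    from_domain: domain of the RFC5322.From header (what the user sees).
    spf: (result, envelope-from / Return-Path domain) or None if not checked.
    dkim: iterable of (result, d= domain), one per verified DKIM-Signature.
    DMARC passes when at least one *passing* identifier is aligned.
    """
    spf_aligned = bool(spf and spf[0] == "pass" and aligned(from_domain, spf[1], aspf))
    dkim_aligned = any(r == "pass" and aligned(from_domain, d, adkim) for r, d in dkim)
    return {
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
    }


# Constructed policy for the alias domain, as its _dmarc TXT record would read.
POLICY = parse_dmarc("v=DMARC1; p=quarantine; adkim=r; aspf=r")

# Thread scenario: From: user@aliasdomain.com, Return-Path in the primary
# domain (SPF passes but is unaligned), DKIM d=aliasdomain.com (aligned).
SCENARIO_ALIAS = dmarc_evaluate(
    "aliasdomain.com",
    spf=("pass", "primarydomain.com"),
    dkim=[("pass", "aliasdomain.com")],
    adkim=POLICY["adkim"], aspf=POLICY["aspf"],
)
# Same mail with no DKIM signature for the alias: nothing aligns, DMARC fails.
SCENARIO_NO_DKIM = dmarc_evaluate(
    "aliasdomain.com", spf=("pass", "primarydomain.com"), dkim=[],
)
# Subdomain in From: with relaxed versus strict DKIM alignment.
SCENARIO_RELAXED = dmarc_evaluate(
    "mail.aliasdomain.com", dkim=[("pass", "aliasdomain.com")], adkim="r")
SCENARIO_STRICT = dmarc_evaluate(
    "mail.aliasdomain.com", dkim=[("pass", "aliasdomain.com")], adkim="s")

if __name__ == "__main__":
    for name in ("SCENARIO_ALIAS", "SCENARIO_NO_DKIM", "SCENARIO_RELAXED", "SCENARIO_STRICT"):
        print(name, globals()[name])
```

SCENARIO_ALIAS comes out as a DMARC pass with spf_aligned False and dkim_aligned True, which is the whole point of the answer: the unaligned SPF pass on the primary domain is irrelevant as long as the DKIM d= domain aligns with From:. Note also that the strict case fails for a subdomain sender, so an adkim=s policy on the alias domain would need a signature whose d= matches the From: domain exactly.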

As mentioned on SPF not aligned on domain alias, DMARC problems, when using domain aliases, the return-path and from headers are updated by Google to point to email addresses in different domains. The return-path has the primary domain email address, while the from header has an email address in the alias domain. This may cause problems with email delivery. It will reduce your spam score and increase the chances of your message being marked as SPAM.

As mentioned in the article, there is no solution for this so far from Google. I have used G Suite with a domain alias and have had no problems with sending and receiving emails. If your primary domain and domain alias have the correct MX and SPF records configured, then you should not have any problems with sending email from your primary domain or domain alias. Adding the redirect modifier to the SPF record is not recommended by G Suite support.

The MX records for both your primary domain and domain alias should point to Google's mail servers. Both the primary domain and the domain alias should also have an SPF record that allows email delivery from Google's mail servers.

See Help prevent email spoofing with SPF records on how to configure SPF for your GSuite domain. The article Set up MX records for G Suite Gmail, describes how to configure MX records for your domain.

Nadir Latif