
I'm new to DMARC so this may be a silly question (sorry if it is):

Base facts: My company has a primary name and many other "doing business as" (DBA from here on) partnerships. However, each of these various domains is simply an alias for the primary user email addresses. Depending on the brand name in question, our users have to send emails under the various different domains.

Problem: I have DKIM signing and SPF configured on several domains. Trying to implement DMARC, I'm finding that many of my emails are passing SPF and DKIM but failing DMARC as "un-aligned." My research seems to suggest that DMARC will always fail if the From and Reply-To are different; however, for our DBA domains (which have no actual email servers behind them since they're legitimate, intentional spoofing) the From and Reply-To will always be different by necessity. Or am I mistaken on this?

Is there any way to instruct DMARC that I am knowingly and intentionally having this mismatch because our DBA agreements dictate we must use alternate domains for our alternate brands? Or is DMARC simply unable to accommodate this business requirement? Would I have to create different email/user accounts for each domain for each user to fix this (hopefully not, because this is way too much work...)?

Is there a simpler solution I am overlooking?

1 Answer


I can think of no reason why you would need to break alignment between DKIM and SPF. By doing so you are basically admitting you are unable to configure DKIM for the sending domain.

The approach I use is to sign email for the originating domain. I use the same key and publish the public key for all sending domains. I use the same selector for all domains.

For SPF I use one of three records:

  • "v=spf1 a mx -all" - for all sending domains
  • "v=spf1 a -all" - for all MX servers
  • "v=spf1 -all" - for all other (non-sending) domains
BillThor
Thanks for your reply BillThor, my email is DKIM signed by Exchange Online/Office365. At first review it doesn't appear to be possible to have Exchange Online sign using multiple domains; it appears to always sign for the primary domain, so the DKIM domain doesn't match the sender domain for our alternate domains (even though the signing is valid otherwise). – NorthVandea Nov 15 '17 at 13:49
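To make the alignment point in the answer concrete, here is an added example (not code from the question or the answer) that evaluates DMARC identifier alignment the way RFC 7489 section 3.1 defines it: the RFC5322.From domain is compared against the DKIM `d=` domain and against the SPF-authenticated envelope sender (Return-Path / RFC5321.MailFrom). Reply-To is never consulted. The two constructed messages model the situation in the question (From on the brand domain, DKIM `d=` and Return-Path on the primary domain) and the fix the answer describes (the same key and selector published under the brand domain, so the signature can carry `d=` of the brand). The domain names `brand-dba.example` and `primary.example` are hypothetical, and the organizational-domain lookup is approximated by the last two labels, which is an assumption; a real validator must use the Public Suffix List.

```python
"""DMARC identifier alignment check (RFC 7489 section 3.1).

Added illustration, not code from the original question or answer.
Assumption: the organizational domain is approximated by the last two
labels; a production validator must consult the Public Suffix List.
All messages and domains below are constructed for this example.
"""
from email.parser import Parser
from email.utils import parseaddr
from typing import Optional


def org_domain(domain: str) -> str:
    """Approximate organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def dmarc_result(raw_message: str, dkim_d: Optional[str], dkim_pass: bool,
                 spf_pass: bool, adkim: str = "r", aspf: str = "r") -> dict:
    """Evaluate DMARC for one message.

    dkim_d / dkim_pass: the d= domain of a signature that verified (if any).
    spf_pass: whether SPF passed for the Return-Path (envelope sender).
    Reply-To is deliberately ignored: DMARC never looks at it.
    """
    msg = Parser().parsestr(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    return_path = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]

    dkim_ok = bool(dkim_pass and dkim_d and aligned(from_domain, dkim_d, adkim))
    spf_ok = bool(spf_pass and return_path and aligned(from_domain, return_path, aspf))
    return {
        "from_domain": from_domain,
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        # DMARC passes when at least one authenticated identifier aligns.
        "dmarc_pass": dkim_ok or spf_ok,
    }


# Constructed sample: the message from the question. The brand (DBA) domain
# is in From, but Return-Path and the DKIM signature belong to the primary
# domain. Reply-To is present only to show that it does not matter.
MSG = """\
Return-Path: <user@primary.example>
From: Some User <user@brand-dba.example>
Reply-To: user@primary.example
Subject: test

body
"""


def before_fix() -> dict:
    """Signed with d=primary.example: both identifiers pass but neither aligns."""
    return dmarc_result(MSG, dkim_d="primary.example", dkim_pass=True, spf_pass=True)


def after_fix() -> dict:
    """Same key and selector published under brand-dba.example, signature
    now carries d=brand-dba.example: DKIM aligns, so DMARC passes even
    though Return-Path (and SPF) still point at primary.example."""
    return dmarc_result(MSG, dkim_d="brand-dba.example", dkim_pass=True, spf_pass=True)


if __name__ == "__main__":
    print("before:", before_fix())   # dmarc_pass False
    print("after: ", after_fix())    # dmarc_pass True (via DKIM)
    # Subdomain in From: relaxed alignment passes, strict does not.
    print(aligned("mail.brand-dba.example", "brand-dba.example", "r"),
          aligned("mail.brand-dba.example", "brand-dba.example", "s"))
```

The practical takeaway matches the answer: nothing in the DMARC policy can waive alignment, but a signature whose `d=` is the brand domain (same key material, same selector, one more DNS TXT record per brand) is enough, because DMARC needs only one of DKIM or SPF to align.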