DMARC policy violation


Last Thursday, I updated some DNS records based on the Lemlist documentation because we want to use it to send B2B emails.

I did this:
1/ Modification of this DNS record by adding the Google part here:
v=spf1 a mx ?all

2/ Creation of this record:
v=DMARC1; p=quarantine; pct=90; sp=none

The problem is that we were not able to send email marketing from Klaviyo (that we used before Lemlist for B2C, without using a dedicated domain) because of the quarantine setting in our DMARC policy.

So finally, I edited the previous record and replaced p=quarantine with p=none.

It solved the problem on Klaviyo but now I realize that we can’t reach some partners through Gmail by email.
For example, we receive this: Réponse du serveur distant : 550 5.7.0 Local Policy Violation
Or this: Réponse du serveur distant : 554 5.7.5 Permanent error evaluating DMARC policy

Is there something I can change in order to have a secure DMARC policy without being filtered?

Thanks a lot for your help

You will never have a “properly secured policy” without hardening everything, e.g. by both using p=reject, sp=reject, as well as an SPF that ends with “-all”.

Even having the best possible (e.g. most strict) policies, it doesn’t guarantee you that you won’t be filtered at all.

It is the recipient (and/or the administrator (e.g. provider) of the mail service) that chooses what to accept and what not to accept. You don’t get to choose that.

… That being said, there might be some things you can do:

Can you elaborate on what you mean when saying “without using a dedicated domain” here?

On what exact domain name did you make this _dmarc policy change?


Thanks for your reply and these explanations.

On Klaviyo we use a “shared” domain to send email and not a dedicated domain, like this:
[email protected] via

The _dmarc policy change on

When staying on the “shared” domain option, it will likely be their domain (e.g. as mentioned) in the SMTP MAIL FROM / Envelope From, that is used to authenticate for SPF, and since is not equal to your own domain, you do not have the SPF alignment required for the DMARC SPF to pass.

Similarly, I highly doubt that they are even trying to add a DKIM signature (using your own domain / with proper alignment to your domain), unless they have verified that you have added the mentioned DNS records (such as e.g. the _domainkey ones). Such a DKIM signature with proper alignment to your own domain name would similarly be required for the DMARC DKIM to pass.

As such, both the SPF and DKIM will fail for the DMARC, due to the missing alignment between the used domain and your own domain, when staying on such a “shared” domain option, as Klaviyo calls it.

I would suggest that you follow the guide to set up the as a dedicated sending domain, according to the tutorial from that link you provided.

Once that has been successfully done, the messages you send through Klaviyo will most likely become just fine for the switch of your DMARC policy to e.g. p=reject, sp=reject.
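The alignment check described in the reply above, as an added example that is not part of the original thread: it evaluates a message sent through a shared ESP domain and one sent through a dedicated sending subdomain. All domains are placeholders, and the organizational-domain rule is a simplifying assumption (real receivers use the Public Suffix List).

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels.
    Real receivers consult the Public Suffix List (needed for e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    """Strict mode needs identical domains; relaxed needs the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Message:
    header_from: str            # domain in the visible From: header
    mail_from: str              # envelope MAIL FROM domain, the one SPF checks
    spf_pass: bool              # SPF verdict for mail_from
    dkim: list = field(default_factory=list)  # (d= domain, signature valid)

def evaluate(msg: Message, p: str = "none", aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes if SPF or DKIM both passes and aligns with header_from."""
    spf_ok = msg.spf_pass and aligned(msg.mail_from, msg.header_from, aspf == "s")
    dkim_ok = any(ok and aligned(d, msg.header_from, adkim == "s")
                  for d, ok in msg.dkim)
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            # What the published policy asks for; the receiver still decides.
            "requested": "none" if passed else p}

# Constructed samples; every domain below is a placeholder.
SHARED = Message("example.com", "bounce.esp-shared.example.net", True,
                 [("esp-shared.example.net", True)])
DEDICATED = Message("example.com", "send.example.com", True,
                    [("send.example.com", True)])

if __name__ == "__main__":
    for name, msg in (("shared", SHARED), ("dedicated", DEDICATED)):
        print(name, evaluate(msg, p="quarantine"))
    print("dedicated, strict:", evaluate(DEDICATED, "reject", "s", "s"))
```

The shared-domain message fails DMARC even though its own SPF and DKIM checks pass, because neither authenticated domain matches the From: domain. The dedicated subdomain passes under relaxed alignment but fails if the record sets `aspf=s` and `adkim=s`.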

Thanks a lot for your reply. We’ll certainly set up a dedicated domain on Klaviyo in the coming days.
