SPF & DKIM passing but DMARC not aligning using WordPress

What is the name of the domain?

my-site.com

What is the error message?

DMARC Alignment: wpengine.com != my-site.com

What is the issue you’re encountering

Hello all. I have a contact form on a WordPress site that is used to send emails. The email passes SPF & DKIM but fails DMARC.

What steps have you taken to resolve the issue?

First off - I did not set up the site and don’t have access to the WordPress admin dashboard. I don’t know much about DNS & email. According to this WordPress article, I added these CNAME records to Cloudflare DNS:

CNAME wpcloud1._domainkey wpcloud1._domainkey.wpcloud.com
CNAME wpcloud2._domainkey wpcloud2._domainkey.wpcloud.com

Please help with any advice as to if this is something that can be solved by adding a DNS record, or if I need to do something on the WordPress end. Thank you 🙂

this is the current dmarc: v=DMARC1; p=quarantine; rua=mailto:[email protected]
current spf: v=spf1 ip4: ip4: +a +mx include:spf.protection.outlook.com include:spf.constantcontact.com include:relay.mailchannels.net include:7142995.spf03.hubspotemail.net -all

What feature, service or problem is this related to?

Mail records

What are the steps to reproduce the issue?

Here is the message header analysis done via learndmarc.com:
DMARC Results

— Connection parameters —
Source IP address: 23.83.209.81
Hostname: hedgehog.birch.relay.mailchannels.net
Sender: mail1.wpengine.com

SPF
RFC5321.MailFrom domain: mail1.wpengine.com
Auth Result: PASS
DMARC Alignment: wpengine.com != my-site.com

— DKIM —
Domain: mail1.wpengine.com
Selector: mx
Algorithm: rsa-sha256
Auth Result: PASS
DMARC Alignment: wpengine.com != my-site.com

— DMARC —
RFC5322.From domain: my-site.com
Policy (p=): quarantine
SPF: FAIL
DKIM: FAIL
DMARC Result: FAIL

— Final verdict —
The DMARC disposition is set to ‘quarantine’. The recipient treats the message with suspicion, which can lead to various actions based on the recipient’s capabilities. These actions may include placing the message in the spam folder, subjecting it to heightened scrutiny, or flagging it as suspicious.



What’s your actual domain name? I’m assuming it’s not my-site.com, as that domain doesn’t use Cloudflare. Knowing that would surely help.

It seems your contact form is using WPEngine to send the emails, but this sender is not on your SPF list.

If this is a WordPress site that you’re trying to troubleshoot email delivery for, you should definitely arrange access to the WordPress site so you can go over the setup there.

Which WordPress article? And are you using WPCloud at all? (I believe WPCloud is a WordPress.com service, unrelated to Cloudflare or WPEngine. Again, without your actual domain, we can’t test anything.)


Thanks GeorgeAppiah. Unfortunately I’m not permitted to post the actual domain, but it is a domain that uses Cloudflare DNS. We use WPEngine, not WP Cloud.

It seems your contact form is using WPEngine to send the emails, but this sender is not on your list.

According to WordPress (DMARC Policies for Email Deliverability - Support Center) include:relay.mailchannels.net -all should be added to the SPF.

I have also reached out to WordPress. Thank you!

Sorry for the delayed response: life got in the way!

What’s wpcloud.com doing in your posting above then?

What are those CNAME records for if you’re not using WPCloud.com's hosting?

The link you provided is on WPEngine’s website, not WordPress (.com or .org). So that would be according to WPEngine, not WordPress. The WordPress software (WordPress.org) should not have anything to do with this, and as you’re not using WordPress.com's hosting service, they shouldn’t have anything to do with this either.

Even then, the WPEngine link you provided can be summed up as… “don’t count on us to deliver your emails: use a 3rd-party email provider instead”.

The issue here seems to be that the host mail1.wpengine.com is sending out emails on behalf of your domain my-site.com (whatever the real domain is) when it’s not permitted to – and that’s what you need to deal with.

Better yet, follow your own hosting provider WPEngine’s advice and use an external transactional email provider where you can properly and fully authenticate your domain.

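The alignment rule behind the learndmarc.com report earlier in the thread, as an added example that is not part of any post: a mechanism counts toward DMARC only when it passes and its domain aligns with the RFC5322.From domain. The function names and the small `PUBLIC_SUFFIXES` set (a stand-in for the full Public Suffix List) are assumptions, and the second message is constructed.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# Assumption: a tiny constructed suffix set stands in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix is known


def aligned(from_domain: str, auth_domain: str, strict: bool = False) -> bool:
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_eval(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf = (mailfrom_domain, result); dkim_sigs = [(d_domain, result), ...].
    A mechanism counts for DMARC only if it passes AND its domain aligns."""
    spf_ok = spf[1] == "pass" and aligned(from_domain, spf[0], aspf == "s")
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim == "s")
                  for d, res in dkim_sigs)
    verdict = "pass" if spf_ok or dkim_ok else "fail"
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": verdict}


# Values taken from the learndmarc.com report quoted in the thread.
REPORTED = dmarc_eval("my-site.com",
                      spf=("mail1.wpengine.com", "pass"),
                      dkim_sigs=[("mail1.wpengine.com", "pass")])

# Constructed case: the same message also carries a passing DKIM signature
# whose d= domain belongs to the From domain's organizational domain.
WITH_OWN_DKIM = dmarc_eval("my-site.com",
                           spf=("mail1.wpengine.com", "pass"),
                           dkim_sigs=[("mail1.wpengine.com", "pass"),
                                      ("mail.my-site.com", "pass")])

if __name__ == "__main__":
    print("reported:", REPORTED)
    print("with aligned DKIM:", WITH_OWN_DKIM)
```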
