In most large organizations, a compliance process is in place to ensure that any vendors that the organization works with have gone through the proper vetting/compliance checks. As part of this, it should be determined if these prospective new vendors will need to send emails as the organization's domain(s).

As part of this, it should be determined if the vendor is capable of sending DMARC aligned emails. If they vendor is not capable of this, it is better to understand this before the business relationship with the vendor is finalized.

To this end, below is some text that can be shared with our customers for inclusion in their compliance processes:


Email Spoofing requirements:


  1. Will the vendor send emails on our behalf where the From address of the email is one of our domains?
  2. If the answer is no, skip the rest of this section
  3. If yes, can the emails be authenticated using SPF and/or DKIM for the purposes of DMARC (See below)? 
  4. If the answer to #3 is no, the vendor will not be able to send emails as any or our domains.


Definition of authenticating using SPF and/or DKIM:


In order for emails to be properly authenticated when sending emails as our domain(s), the emails must pass authentication with either SPF or DKIM (both is also acceptable). The requirements are as follows:


SPF (Sender Policy Framework):

in order for emails to authenticate properly, the Return Path of the emails must use the same domain as the user visible from address. For example, if the email to be sent is: user@domain.com, the Return Path domain must also be domain.com. This is known as alignment.

If the emails are properly aligned, we will need to know what IP addresses will be used to send these emails. It is preferred to have an SPF 'include' that can be incorporated into our corporate SPF record(s). For example: include:_spf.sender.com. If this is not available, a list of IP addresses (or address ranges) will suffice.

Note, 'whitelisting of IP addresses' where the emails are not aligned will not work


DKIM (DomainKey Identified Mail)

In order for emails to authenticate properly using DKIM, the emails must be DKIM signed using the same domain as the user visible from address. For example, if the email to be sent is: user@domain.com, the DKIM domain must also be domain.com. This is known as alignment.

If the emails can be DKIM signed in an aligned way, please provide the DKIM selector(s) and the TXT/CNAME value that needs to be published in our DNS.


See also:

I can't find a sender in your list