Hey reddit – I have a contact form on a WordPress site that is used to send emails. The email passes SPF & DKIM but fails DMARC. We don't use a third party sender, just the wpengine
this is the current dmarc: v=DMARC1; p=quarantine; rua=mailto:[email protected]
current spf: v=spf1 ip4: ip4: +a +mx include:spf.protection.outlook.com include:spf.constantcontact.com include:relay.mailchannels.net include:7142995.spf03.hubspotemail.net -all
Here is the message header analysis done via learndmarc.com:
DMARC Results
— Connection parameters —
Source IP address: 23.83.209.81
Hostname: hedgehog.birch.relay.mailchannels.net
Sender: mail1.wpengine.com
— SPF —
RFC5321.MailFrom domain: mail1.wpengine.com
Auth Result: PASS
DMARC Alignment: wpengine.com != my-site.com
— DKIM —
Domain: mail1.wpengine.com
Selector: mx
Algorithm: rsa-sha256
Auth Result: PASS
DMARC Alignment: wpengine.com != my-site.com
— DMARC —
RFC5322.From domain: my-site.com
Policy (p=): quarantine
SPF: FAIL
DKIM: FAIL
DMARC Result: FAIL
— Final verdict —
The DMARC disposition is set to ‘quarantine’. The recipient treats the message with suspicion, which can lead to various actions based on the recipient’s capabilities. These actions may include placing the message in the spam folder, subjecting it to heightened scrutiny, or flagging it as suspicious.
Note – I did not set up the site, don’t have access to the WordPress admin dashboard. I (obviously 😂) don’t know much about DNS & email. According to a WordPress help article, I added these CNAME records to Cloudflare DNS:
CNAME wpcloud1._domainkey wpcloud1._domainkey.wpcloud.com
CNAME wpcloud2._domainkey wpcloud2._domainkey.wpcloud.com
Please help with any advice as to if this is something that can be solved by adding a DNS record, or if I need to do something on the WordPress end. Thank you
You are missing alignment. DMARC needs the SPF and DKIM authentication domains to match that of the RFC5322.From domain. More details: [https://www.uriports.com/blog/demystifying-dmarc-alignment/](https://www.uriports.com/blog/demystifying-dmarc-alignment/)
Has nothing to do with WordPress and I can only do this blindly so here is my take on it. Pardon me if I am wrong :)..
For DMARC to pass you need:
1. SPF to align OR
2. DKIM to align
wpengine does not actually provide DKIM as you can see here: [https://wpengine.com/support/using-3rd-party-email-provider-send-mail-wordpress/](https://wpengine.com/support/using-3rd-party-email-provider-send-mail-wordpress/)
So your best bet is to have SPF align.
1. First, your SPF seems a bit wrong. Notice two “ip4” and it is all empty.
2. Second, the SPF domain [mail1.wpengine.com](http://mail1.wpengine.com) does not align with the RFC5322.From domain [https://my-site.com/](https://my-site.com/)
So fixing both of these might make the DMARC work… But who knows? Try this:
v=spf1 +a +mx include:spf.protection.outlook.com include:spf.constantcontact.com include:relay.mailchannels.net include:7142995.spf03.hubspotemail.net include:mail1.wpengine.com -all
Not sure it will work so back up your previous entry :).
Doing a quick Google search reveals that you will not be able to align SPF or DKIM with WPEngine, so you need a third-party service to become DMARC-compliant. Everything is on the website of WPEngine, and recommended solutions: [https://wpengine.com/support/using-3rd-party-email-provider-send-mail-wordpress/](https://wpengine.com/support/using-3rd-party-email-provider-send-mail-wordpress/)
Your DMARC issue is due to the From domain not aligning with the SPF/DKIM domains. I used Unspam Email to test my emails and it helped me identify similar issues. You might want to try setting up a custom domain for your WordPress site’s emails, so the From domain matches the SPF/DKIM domains.
This is not a WordPress issue. r/DNS or reach out to WP Engine.
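Added example, not part of any post in this thread: the alignment check the replies refer to, run on the values from the learndmarc.com output in the question. It assumes relaxed alignment (the posted DMARC record has no `aspf`/`adkim` tags) and approximates the organizational domain as the last two labels instead of using the Public Suffix List; the function names are hypothetical.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers use
    # the Public Suffix List, so this is wrong for names like example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    # "r" (relaxed, the default when aspf/adkim are absent): organizational
    # domains must match. "s" (strict): the full domains must be identical.
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    # spf: (RFC5321.MailFrom domain, auth result)
    # dkim_sigs: list of (d= domain, auth result), one per signature
    spf_ok = spf[1] == "pass" and aligned(spf[0], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for d, res in dkim_sigs)
    verdict = lambda ok: "PASS" if ok else "FAIL"
    # DMARC passes when at least one mechanism both passes and aligns.
    return {"spf": verdict(spf_ok), "dkim": verdict(dkim_ok),
            "dmarc": verdict(spf_ok or dkim_ok)}

# Values taken from the header analysis in the question.
THREAD_MESSAGE = dict(from_domain="my-site.com",
                      spf=("mail1.wpengine.com", "pass"),
                      dkim_sigs=[("mail1.wpengine.com", "pass")])

# Constructed: the same message carrying a second signature with
# d=my-site.com. The selector and key for it are hypothetical.
WITH_ALIGNED_DKIM = dict(THREAD_MESSAGE,
                         dkim_sigs=THREAD_MESSAGE["dkim_sigs"]
                         + [("my-site.com", "pass")])

if __name__ == "__main__":
    print(dmarc_result(**THREAD_MESSAGE))
    print(dmarc_result(**WITH_ALIGNED_DKIM))
```

The first call reproduces the report's SPF: FAIL / DKIM: FAIL / DMARC: FAIL even though both raw authentication results are "pass", because neither authenticated domain shares an organizational domain with my-site.com.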