Sent emails pass SPF and DKIM, but fail DMARC when received by Gmail

You'll need to add a Mandrill DKIM record for your domain. The SPF and DKIM pass, but it's based on messages being authenticated for mandrillapp.com, not your domain (i.e., the Return-Path domain is being used for message authentication). In order to authenticate as your domain, and in turn pass the DMARC alignment check, you need both SPF and DKIM for the "from" domain. Here's information about the DKIM record to add: http://help.mandrill.com/entries/22030056-How-do-I-add-DNS-records-for-my-sending-domains-

Once you do that, the Mandrill account owner (in your case Flywheel) will need/want to validate those records in Mandrill, so that Mandrill knows both are valid and can start signing messages for your domain (this can be done within the account or via the Mandrill API).


Domain-based Message Authentication, Reporting & Conformance (DMARC) is being adopted by many major email providers like Google, Yahoo, Hotmail, AOL and others. As can be read about here, it's aimed at standardizing email authentication through SPF and DKIM mechanisms already being used by most mail servers.

Adding a DMARC policy record is very similar to adding SPF and DKIM records: you would add a TXT record to your domain's DNS table using the tags listed here by Google. An example they provide is:

v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com

Checking the DNS records for your domain, I see there hasn't been a DMARC record added yet:

v=spf1 +a +mx include:_spf.google.com include:servers.mcsv.net include:spf.mandrillapp.com -all

Details on how to add a TXT record for Mandrill and common DNS Providers can be found here.


The issue is caused by an inconsistency between the Return-Path and the header From:.

Return-Path: mandrillapp.com

From: @seesawsf.com

  • SPF and DKIM check the domain using RFC5321.MailFrom (generally Return-Path:)
  • DMARC checks the domain using RFC5322.MailFrom (header From:)

Ref: https://space.dmarcian.com/how-can-spfdkim-pass-and-yet-dmarc-fail/

If the domain is different, DMARC cannot authenticate the sender even though SPF and DKIM pass, and the authentication will fail.

In this case, SPF and DKIM authenticate mandrillapp.com, not seesawsf.com.

As a workaround, the Return-Path and header From need to be the same domain, or DMARC will fail.
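
The alignment check the answers above describe, as an added example that is not part of any of the original answers: it reads the From: domain and the SPF/DKIM results from a message's headers and reports whether either authenticated domain aligns with From:. The sample message, the function names and the two-label organizational-domain shortcut are assumptions made for this illustration; a real evaluator uses the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample shaped like the case on this page: SPF and DKIM
# both pass, but for mandrillapp.com rather than the From: domain.
SAMPLE = """\
Return-Path: <bounce-123@mandrillapp.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mandrillapp.com;
 dkim=pass header.d=mandrillapp.com
From: Sender <hello@seesawsf.com>
Subject: test

body
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. This is wrong
    # for suffixes such as co.uk; use the Public Suffix List in practice.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict mode needs an exact match; relaxed mode compares org domains.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_eval(raw, strict=False):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Unfold the receiver's Authentication-Results header(s) into one line.
    results = " ".join(msg.get_all("Authentication-Results", []))
    results = re.sub(r"\s+", " ", results)
    spf = re.search(
        r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", results)
    dkim = re.findall(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", results)
    spf_ok = (bool(spf) and spf.group(1) == "pass"
              and aligned(spf.group(2), from_domain, strict))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, strict)
                  for res, d in dkim)
    # DMARC passes when at least one mechanism both passes and aligns.
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

if __name__ == "__main__":
    print(dmarc_eval(SAMPLE))
```

Replacing `header.d=mandrillapp.com` in the sample with the From: domain, which is what signing with your own DKIM record achieves, flips the result to pass even though SPF still authenticates mandrillapp.com.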