SPF Problems with MailChimp

Email Security Insights | Technical Guidance

We sometimes hear from our customers who have problems with how Mailchimp handles SPF. They see the following in their dmarcian dashboard:

SPF is not possible as Mailchimp uses their own domain in the bounce address.

And sometimes they’ll message us with some variation of the following:

I chatted with a support rep at Mailchimp this morning and he confirmed that this is the case and that they don’t have a workaround at this time.

Does anyone have any suggestions about what to do in this case? I’d like to tighten our DMARC policies, but I’m worried that doing so will cause our Mailchimp marketing campaigns to start being rejected.

Email Service Providers (ESPs) like Mailchimp often use their own domain in the envelope mail-from (the address whose domain SPF is checked against) so that they can process bouncebacks, rejections, and probably some other returned-mail situations for your campaign. For the most part you want them to do this, so you must rely on the other DMARC authentication leg to pass DMARC: DKIM.

In taking this approach, your raw SPF cannot fail—the domain in use for SPF authentication is not yours. The raw SPF result will be a “pass” against the servers listed in the SPF record published at servers.mcsv.net; however, SPF relative to DMARC will fail due to misalignment, because the SPF-authenticated domain (servers.mcsv.net) does not match the domain in the From: header. But as long as you set up DKIM, the traffic will pass on that basis, as DMARC requires only one of SPF or DKIM to authenticate and align. Check your dmarcian account to make sure that DMARC reporting shows your Mailchimp traffic is completely passing DMARC on the basis of DKIM.

With that set up, the only situation under which messages from the campaign would fail DMARC should be when the target account improperly forwards the message.
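To make the two-leg logic above concrete, here is an added example (not dmarcian's or Mailchimp's code) that evaluates DMARC the way the article describes: SPF passes on Mailchimp's bounce domain but is misaligned, DKIM signed with your domain carries the message, and a forward that breaks the signature is the failure case. `example.com` and `forwarder.example.net` are constructed sample values; the organizational-domain logic is a deliberate simplification.

```python
"""Added example: DMARC alignment evaluation for the Mailchimp SPF case."""
from dataclasses import dataclass

MAILCHIMP_BOUNCE_DOMAIN = "servers.mcsv.net"  # bounce domain named in the article


def org_domain(domain: str) -> str:
    # Simplification: take the last two labels as the organizational domain.
    # Real evaluators consult the Public Suffix List (e.g. "co.uk" needs three).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From header domain (what the recipient sees)
    spf_result: str    # raw SPF result for the envelope mail-from domain
    spf_domain: str    # domain SPF was actually evaluated against
    dkim_result: str   # raw DKIM verification result
    dkim_domain: str   # d= tag of the DKIM-Signature header


def evaluate_dmarc(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes if at least one leg both passes and aligns with From:."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    return {
        "spf": "pass" if spf_ok else "fail",
        "dkim": "pass" if dkim_ok else "fail",
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


# Constructed sample: a campaign for example.com. SPF passes on Mailchimp's
# bounce domain but is misaligned; DKIM is signed with d=example.com.
CAMPAIGN = AuthResults("example.com", "pass", MAILCHIMP_BOUNCE_DOMAIN, "pass", "example.com")
# Constructed sample: the same message after a forwarder modified the body,
# breaking the DKIM signature; SPF now reflects the forwarder's domain.
FORWARDED = AuthResults("example.com", "pass", "forwarder.example.net", "fail", "example.com")

if __name__ == "__main__":
    print(evaluate_dmarc(CAMPAIGN))   # DMARC passes on the DKIM leg alone
    print(evaluate_dmarc(FORWARDED))  # DMARC fails: no leg both passes and aligns
```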

In summary: since Mailchimp does not use your domain in the mail-from of the messages it sends, Mailchimp’s entry in your SPF record does nothing to authenticate SPF. You can save that space in your SPF record and remove the Mailchimp entry, which probably looks like `include:servers.mcsv.net`.

If you have any questions about Mailchimp, or any other ESP’s SPF management relative to DMARC deployment on our platform, get in touch with us and we’ll help you figure it out.
