On the SPF part of that new DMARC thing...
With the upcoming/more aggressive DMARC requirements from google/yahoo, I'd like to check something. As far as I can tell, Luminate was built in such a way that it'll always fail half the equation, right?
Check this out in the email resource center:
“As an email service provider (ESP), the return-path in Blackbaud’s email header for bounces allows SPF to pass, but not align…For this reason, you must DKIM sign your sending domains with us…to successfully implement DMARC.”
The tech here is a little bit confusing, because SPF is actually two different things:
- SPF Alignment: Checks if the “from” header matches the “return path” header.
- If this fails, someone was sending the email on your behalf.
- SPF Authorization: Checks if the computer that sent the message is actually owned by the sender.
- If this fails, the email came from a computer you haven't said you own.
Here's the key, DMARC only cares about the first one, alignment. If you look at the source code when you get an email from LO, you'll see SPF “pass” in there a couple of times. But that's the second check, not the first one.
And that's what the quote above is saying, SPF (authorization) passes, but sender policy (alignment) doesn't. Or to paraphrase the article, “LO is configured to always fail half the DMARC test. Make sure DKIM passes or you're going to have a bad time.”
Comments
-
Now. You might be asking yourself, “Does this really matter? Half the DMARC check fails, but as long as the other one works, we'll pass and everything's okay, right?"
Yes, assuming there's never a hiccup with the DKIM authorization. And assuming gmail or yahoo aren't secretly giving preference to those who fully pass DMARC instead of only half of it. Or they don't decide later to want both DMARC tests to pass.
You also might be asking, “Isn't this what happens for any vendor out there who sends email on my behalf?”
In my experience, BlackBaud is the only vendor who does it this way. In the same way that Luminate websites are usually something like donate.mycharitydomain.org, it should be possible for BB's email servers to do something similar. That's what all the other email vendors our org uses do.
Soo…anyone know if it's on the roadmap to get Luminate to start using our domains for email “return path” instead of the old convio ones?
4
Categories
- All Categories
- 6 Blackbaud Community Help
- 206 bbcon®
- 1.4K Blackbaud Altru®
- 394 Blackbaud Award Management™ and Blackbaud Stewardship Management™
- 1.1K Blackbaud CRM™ and Blackbaud Internet Solutions™
- 15 donorCentrics®
- 357 Blackbaud eTapestry®
- 2.5K Blackbaud Financial Edge NXT®
- 646 Blackbaud Grantmaking™
- 561 Blackbaud Education Management Solutions for Higher Education
- 3.2K Blackbaud Education Management Solutions for K-12 Schools
- 934 Blackbaud Luminate Online® and Blackbaud TeamRaiser®
- 84 JustGiving® from Blackbaud®
- 6.4K Blackbaud Raiser's Edge NXT®
- 3.6K SKY Developer
- 242 ResearchPoint™
- 118 Blackbaud Tuition Management™
- 165 Organizational Best Practices
- 238 The Tap (Just for Fun)
- 33 Blackbaud Community Challenges
- 28 PowerUp Challenges
- 3 (Open) Raiser's Edge NXT PowerUp Challenge: Product Update Briefing
- 3 (Closed) Raiser's Edge NXT PowerUp Challenge: Standard Reports+
- 3 (Closed) Raiser's Edge NXT PowerUp Challenge: Email Marketing
- 3 (Closed) Raiser's Edge NXT PowerUp Challenge: Gift Management
- 4 (Closed) Raiser's Edge NXT PowerUp Challenge: Event Management
- 3 (Closed) Raiser's Edge NXT PowerUp Challenge: Home Page
- 4 (Closed) Raiser's Edge NXT PowerUp Challenge: Standard Reports
- 4 (Closed) Raiser's Edge NXT PowerUp Challenge: Query
- 778 Community News
- 2.9K Jobs Board
- 53 Blackbaud SKY® Reporting Announcements
- 47 Blackbaud CRM Higher Ed Product Advisory Group (HE PAG)
- 19 Blackbaud CRM Product Advisory Group (BBCRM PAG)