How DMARC and a custom Return-Path work together

Last week we revived an offer giving our customers 100K Postmark credits to do two things:

  1. Add a custom Return-Path.
  2. Add a DMARC policy to their domain.

I realized we've been very clear about what you need to do, but less explicit about why we asked you to set up a DMARC record AND a custom Return-Path on Postmark. To clear that up, I’d like to explain the role a custom Return-Path plays in DMARC alignment.

Not sure what DMARC does? Our DMARC guide goes in depth and covers how SPF and DKIM work together with DMARC to help domains secure their email.

What is a Return-Path?

Return-Path determines where bounces should be sent (replies are governed by Reply-To, not Return-Path).

If you’ve run your own mail servers you already know this, but as a quick refresher: the Return-Path is the address bounces (non-delivery reports) are sent to when your email can’t be delivered. It is the envelope sender given in the SMTP MAIL FROM command, which the receiving server records in a Return-Path header when it accepts the message. Other headers carry related addressing information, but Return-Path is the one that matters to us because of the way it works with SPF and DMARC.

When you send email directly from your webmail or mail client, the Return-Path is normally your own address, so bounces come straight back to you. Sending through an email service provider (ESP) is different: the ESP sets the Return-Path to an address on its own domain so it can collect, track, and report on messages that can’t be delivered. Postmark and other ESPs do this to protect their systems from abuse and to give you accurate information about what happened to the email you sent through them.

When you check the message headers you’ll see something like this:

Return-Path in message headers

In the example above, I’ve highlighted the Return-Path in the message headers. Postmark uses a specific address to collect bounces for the Beanstalk account in this example. The Return-Path tells remote mail servers to send bounces to that address, and therefore into Postmark’s system. Postmark collects these bounces and reports them to you in your activity dashboard.

Why does DMARC look at your Return-Path?

DMARC builds on DKIM and SPF: it checks whether the domain in a message's From address is backed by an authenticated identifier, and tells receivers to quarantine or reject mail that isn't, according to the policy you publish. It also gives ISPs a way to send you reports on your domain’s activity. When you use an ESP like Postmark to send for your domain, there’s a wrinkle in how DMARC handles SPF. SPF is evaluated against the domain in the Return-Path, so DMARC compares that domain with the domain in your From address. Under DMARC's default relaxed alignment the two only need to share an organizational domain (pm.example.com aligns with example.com); strict alignment requires an exact match. If the Return-Path domain doesn't align with your From domain, the message fails DMARC's SPF alignment test even when SPF itself passed.

Spammers love to piggyback their campaigns on established brands, but they don’t want to bounce their messages back to the company they’re targeting. They want to avoid backscatter and make it harder for the brands they’re abusing to track them down. This isn’t out of fear so much as convenience and effectiveness. The spammers have spent time building their campaigns and infrastructure, and they don’t want to burn through their compromised systems by sending bounces to legitimate brands.

With all of this in mind, the From address for such a campaign might be “admin@paypal.com” while the Return-Path is “xyz@spammerdomain.com.” SPF alone can pass here, if the spammer publishes an SPF record for spammerdomain.com that lists their sending servers. For SPF to count toward DMARC, though, two things have to be true: the sending server must be authorized by the SPF record of the Return-Path domain, and that domain must align with the From domain. A Return-Path on spammerdomain.com will never align with paypal.com, so DMARC's SPF check fails.

This image shows two cases. On the left, a regular SPF check passes but DMARC alignment fails, because the Return-Path is on Postmark's domain rather than yours. On the right, a custom Return-Path is in place and DMARC alignment passes. The custom Return-Path "pm.example.com" is a CNAME alias of "bounces.mtasv.net", so bounces are still delivered to Postmark and reported correctly.

How Return-Path determines which SPF record to use

The reports from Postmark’s DMARC tool would show messages without a custom Return-Path like this:

What you see when a message fails SPF check with wrong Return-Path
SPF won't pass DMARC alignment without a custom Return-Path.

The message from 50.31.156.122 fails SPF alignment but still passes DMARC, because DKIM passed and is aligned. DMARC has this tolerance built in: it passes when either SPF or DKIM passes and aligns with the From domain. So email from an ESP only needs one passing, aligned check for DMARC to treat it as a trusted source; a custom Return-Path makes SPF align as well, so you are not relying on DKIM alone.
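To make the alignment rules from the two sections above concrete (SPF evaluated on the Return-Path domain, pass if either SPF or DKIM passes and aligns), here is an added example of the decision a receiving server makes. It is not Postmark's code. The header samples are constructed; the bounce addresses, the `example.com` sender and the two-label organizational-domain shortcut are assumptions for illustration.

```python
"""
Added example, not Postmark's code: how a receiving server turns SPF and DKIM
results into a DMARC verdict using identifier alignment. Header samples below
are constructed for illustration; the bounce addresses are made up.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional


def domain_of(header_value: str) -> str:
    """Lowercase domain part of an address header such as From: or Return-Path:."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        raise ValueError(f"no domain in {header_value!r}")
    return addr.rsplit("@", 1)[1].lower()


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption).

    A real evaluator uses the Public Suffix List so that names such as
    example.co.uk are handled; two labels is enough for the samples here.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment.

    Strict ("s") requires an exact match; relaxed ("r", the default) only
    requires the same organizational domain, which is why a custom
    Return-Path on a subdomain like pm.example.com aligns with example.com.
    """
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def evaluate_dmarc(raw_headers: str, spf_result: str, dkim_result: str,
                   dkim_domain: Optional[str], aspf: str = "r",
                   adkim: str = "r") -> dict:
    """Combine authentication results into a DMARC verdict.

    spf_result / dkim_result are the plain SPF and DKIM outcomes ("pass",
    "fail", "none", ...) as the receiver computed them; dkim_domain is the
    d= tag of the passing signature. SPF is always evaluated against the
    Return-Path (SMTP MAIL FROM) domain, so that is the identifier DMARC
    compares with the From: domain. DMARC passes if either identifier
    passed AND aligns; one is enough.
    """
    msg = message_from_string(raw_headers)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    spf_aligned = spf_result == "pass" and aligned(return_path_domain, from_domain, aspf)
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, adkim))
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed headers: bounce address on the ESP's own domain (no custom Return-Path).
NO_CUSTOM_RETURN_PATH = """\
Return-Path: <bounce+abc123@bounces.mtasv.net>
From: Example App <support@example.com>
To: customer@recipient.example
Subject: Your receipt

"""

# Same message with a custom Return-Path (CNAME pm.example.com -> bounces.mtasv.net).
CUSTOM_RETURN_PATH = """\
Return-Path: <bounce+abc123@pm.example.com>
From: Example App <support@example.com>
To: customer@recipient.example
Subject: Your receipt

"""

# The spoofing pattern from the post: brand From:, spammer-controlled Return-Path.
SPOOFED = """\
Return-Path: <xyz@spammerdomain.com>
From: admin@paypal.com
To: customer@recipient.example
Subject: Please verify your account

"""

if __name__ == "__main__":
    for label, hdrs, spf, dkim, d in [
        ("no custom Return-Path", NO_CUSTOM_RETURN_PATH, "pass", "pass", "example.com"),
        ("custom Return-Path", CUSTOM_RETURN_PATH, "pass", "pass", "example.com"),
        ("spoofed, no DKIM", SPOOFED, "pass", "none", None),
    ]:
        print(label, evaluate_dmarc(hdrs, spf, dkim, d))
```

Run as-is to see the three verdicts: the first message passes DMARC only through DKIM, the second passes through both identifiers, and the spoofed message fails. Passing `aspf="s"` to `evaluate_dmarc` shows that a subdomain Return-Path stops aligning under strict mode, which is worth knowing before you tighten a policy.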

How Postmark takes care of your Return-Path

Postmark launched with DKIM support, but we wanted DMARC to recognize messages from Postmark through both SPF and DKIM, so last year we added the option of a custom Return-Path. It’s available to all of our customers. To set it up, create a CNAME record (like pmbounces.yourdomain.com) pointing at bounces.mtasv.net. Once that resolves, log in to your Postmark account and add the new subdomain under the Sender Signatures tab. After it’s enabled, your email aligns with SPF for DMARC, since the From domain and the Return-Path domain now match (a subdomain is enough under DMARC’s default relaxed alignment).
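The DNS side of that procedure, as an added example rather than Postmark's own documentation: a zone-file fragment for a hypothetical example.com. The CNAME target bounces.mtasv.net is the one named earlier in the post; the DMARC record, its reporting address and the record name pmbounces are assumptions.

```dns
; Constructed zone fragment for example.com (not a real zone).

; Custom Return-Path. Postmark sets MAIL FROM to an address at this name.
; A TXT (SPF) lookup for pmbounces.example.com follows the CNAME, so the
; receiver evaluates Postmark's SPF record without you publishing one here,
; and pmbounces.example.com aligns with example.com under relaxed alignment.
pmbounces.example.com.   IN  CNAME  bounces.mtasv.net.

; DMARC policy for the From: domain. Start with p=none and read the
; aggregate reports (rua) until both SPF and DKIM show as aligned, then
; move to quarantine or reject. The reporting address is an assumption.
_dmarc.example.com.      IN  TXT    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

; Checks once the records are published (need network; not run here):
;   dig +short CNAME pmbounces.example.com   ; expect bounces.mtasv.net.
;   dig +short TXT   pmbounces.example.com   ; expect the CNAME, then Postmark's SPF TXT
;   dig +short TXT   _dmarc.example.com      ; expect the v=DMARC1 record above
```

Until the first `dig` returns the CNAME target, Postmark cannot verify the subdomain under Sender Signatures, and until the second returns an SPF record, receivers will treat SPF for the Return-Path domain as none rather than pass.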

Wait a sec…what about ESPs without a custom Return-Path?

Not all ESPs support custom Return-Path domains. Don’t worry: your email can still pass DMARC with a properly configured DKIM record, as long as the signature is made with your own domain (the d= tag is your domain or a subdomain of it) rather than the ESP’s. You will need to configure this with each of your ESPs to get full coverage. If you plan to use DMARC to quarantine or reject messages, make sure a verified, aligned DKIM record is in place for every service that sends as your domain. Without it, receivers that honor your policy will quarantine or discard those messages before they reach your intended recipients.

100% aligned DMARC

That’s the rundown on why we asked our customers to set up a DMARC record and a custom Return-Path to claim their credits. Our hope is that every Postmark customer will fully align their email with DMARC, both for Postmark and for their other ESPs.