Suped

How to handle DMARC failures when using TrustPilot email invitations with a custom domain?

10 Marketer opinions3 Expert opinions4 Technical articles3 Resources

Summary

Addressing DMARC failures when using Trustpilot email invitations with a custom domain requires a multifaceted approach. Begin by verifying if the return path is aligned and understanding whether Trustpilot is using its own domain. Experts suggest that DMARC failures often stem from SPF alignment issues due to discrepancies between the 'envelope from' and 'header from' domains. Review and correct SPF and DKIM records, utilizing a DMARC record checker for validation. Consider sending Trustpilot invitations from a dedicated subdomain to isolate DMARC failures and maintain the main domain's reputation. Analyze email headers, particularly the Authentication-Results, to pinpoint SPF or DKIM failures. Other recommendations include contacting Trustpilot support, using a dedicated IP address, whitelisting Trustpilot's sending domains (with caution), and implementing feedback loops. Starting with a relaxed DMARC policy (p=none) can help monitor email flow before enforcing stricter policies. Most Trustpilot users don't use custom domain settings, potentially impacting deliverability.

Key findings

  • SPF/DKIM Alignment: DMARC failures often stem from SPF and DKIM alignment issues; ensuring the 'header from' domain matches the 'envelope from' or DKIM signature domain is crucial.
  • Subdomain Isolation: Using a dedicated subdomain for Trustpilot emails can isolate DMARC failures, protecting the main domain's reputation.
  • Header Analysis: Analyzing email headers, especially the 'Authentication-Results', helps identify the root cause of DMARC failures.
  • Trustpilot's Configuration: Understanding if Trustpilot uses its domain and whether it supports DKIM influences the troubleshooting approach.
  • DMARC Record Validation: Validating the DMARC record ensures it is correctly configured and effective.

Key considerations

  • Whitelisting Trade-off: Whitelisting Trustpilot domains or IPs reduces DMARC effectiveness and security.
  • p=none Risks: Starting with a 'p=none' policy allows monitoring but also opens the door for domain spoofing.
  • Return Path Alignment: Verifying that the return path is properly aligned is important.
  • Trustpilot Custom Domain: Most Trustpilot users don't use custom domains, potentially impacting deliverability.
  • Trustpilot Support: Contact Trustpilot support to explore custom solutions, especially for Enterprise clients.

What email marketers say
10Marketer opinions

When encountering DMARC failures with Trustpilot email invitations using a custom domain, several strategies can be employed. A common approach involves using a dedicated subdomain for Trustpilot emails to isolate any DMARC-related issues. Analyzing email headers to pinpoint SPF or DKIM failures is crucial, followed by ensuring proper SPF record configuration or exploring DKIM signing with Trustpilot. Contacting Trustpilot support may reveal tailored solutions, especially for Enterprise clients. Other recommendations include whitelisting Trustpilot's sending domains (though it reduces DMARC effectiveness), creating a relaxed DMARC policy (p=none) for monitoring, and setting up feedback loops to track recipient complaints. Additionally, using a dedicated IP address for Trustpilot emails can simplify SPF/DKIM configuration.

Key opinions

  • Subdomain Isolation: Using a dedicated subdomain for Trustpilot emails isolates DMARC failures, protecting the main domain's reputation.
  • Header Analysis: Analyzing email headers identifies the root cause of DMARC failures (SPF or DKIM issues).
  • Trustpilot Support: Contacting Trustpilot support may offer specific solutions, particularly for Enterprise clients.
  • SPF/DKIM Alignment: Proper SPF record configuration and exploring DKIM signing options are critical for DMARC compliance.
  • Feedback Loops: Setting up feedback loops helps monitor recipient complaints and identify deliverability issues.

Key considerations

  • Whitelisting Trade-off: Whitelisting Trustpilot's sending domains reduces the overall effectiveness of DMARC.
  • p=none Monitoring: Implementing a p=none DMARC policy initially allows monitoring before enforcing stricter policies but bad actors can spoof your domain.
  • Dedicated IP Control: Using a dedicated IP address provides more control over sending reputation and simplifies configuration.
  • Return Path Alignment: Ensuring the return path is aligned with the sending domain is important.
  • Custom Domain Setting: Most Trustpilot users do not set up a custom domain which could cause DMARC issues.
Marketer view

Email marketer from Mail deliverability forums suggest implementing a p=none DMARC policy to monitor sending results before implementing a quarantine or reject policy. Note that some bad actors can spoof your domain.

June 2022 - Mail deliverability forums
Marketer view

Email marketer from Email Geeks explains that they discovered most Trustpilot users don't use the 'Custom Domain' setting, resulting in emails being sent from Trustpilot's domain. The company is using their own domain, which is causing issues because TrustPilot only supports SPF records. They will revert to sending invitation emails from Trustpilot's domain until they support DMARC setup.

September 2022 - Email Geeks
Marketer view

Email marketer from Reddit shares to review Trustpilot's email headers to identify the exact cause of the DMARC failure (SPF or DKIM). If it's an SPF issue, ensure Trustpilot's sending IP addresses are included in your SPF record. If it's DKIM, confirm that Trustpilot supports DKIM signing with your domain.

July 2022 - Reddit
Marketer view

Email marketer from Email on Acid suggests setting up feedback loops (FBLs) to monitor complaints from recipients about Trustpilot emails sent from your domain. This information can help identify issues with deliverability and reputation, informing adjustments to your DMARC policy or Trustpilot configuration.

March 2024 - Email on Acid
Marketer view

Email marketer from GMass suggests whitelisting Trustpilot's sending domains or IP addresses in your DMARC policy to instruct receiving mail servers to accept emails from Trustpilot, even if they fail DMARC checks. However, they caution that this approach reduces the effectiveness of DMARC overall.

June 2021 - GMass Blog
Marketer view

Email marketer from StackExchange suggests using a dedicated IP address for sending Trustpilot emails. This allows more control over the sending reputation and simplifies SPF/DKIM configuration, potentially resolving DMARC issues.

January 2023 - StackExchange
Marketer view

Email marketer from Email Geeks asks if the return path is aligned for Trustpilot emails, implying that SPF would be pointless otherwise, and suggests that moving to a dedicated subdomain will be the best bet if Trustpilot doesn't support anything and has no plans to.

March 2024 - Email Geeks
Marketer view

Email marketer from Mailhardener Blog suggests sending Trustpilot invitations from a subdomain of your main domain. This way, DMARC failures will only affect the subdomain, and your main domain's reputation remains intact. They also advise monitoring the subdomain's reputation.

October 2021 - Mailhardener Blog
Marketer view

Email marketer from Email Marketing Blog suggests creating a specific DMARC record for the Trustpilot subdomain with a relaxed policy (p=none) to monitor the email flow and identify any potential issues without impacting your main domain's deliverability. Then adjust the policy if confident.

April 2021 - Email Marketing Blog
Marketer view

Email marketer from Email Marketing Forum suggests contacting Trustpilot support to inquire about their DMARC compliance options, as they may offer custom solutions or workarounds for Enterprise clients.

December 2023 - Email Marketing Forum

What the experts say
3Expert opinions

When addressing DMARC failures with Trustpilot email invitations using a custom domain, experts highlight key aspects related to Trustpilot's email infrastructure and configuration. It's crucial to understand whether Trustpilot sends emails using their own domain, similar to services like PayPal, which would restrict custom SPF, DKIM, or DMARC setup. Despite utilizing platforms like Twilio/Sendgrid that support DKIM/DMARC, Trustpilot might be making a business decision not to fully implement these security measures. A significant cause of DMARC failures is often SPF alignment issues stemming from discrepancies between the 'envelope from' and 'header from' domains. Therefore, a careful review of SPF records and exploring DKIM signing options (if available from Trustpilot) are essential.

Key opinions

  • Trustpilot Infrastructure: Understanding if Trustpilot sends emails from their domain affects the feasibility of custom SPF, DKIM, and DMARC setup.
  • DKIM/DMARC Support Potential: Trustpilot's use of Twilio/Sendgrid indicates the technical capability to support DKIM/DMARC, suggesting a business choice against full implementation.
  • SPF Alignment Issues: SPF alignment discrepancies between 'envelope from' and 'header from' domains are a primary cause of DMARC failures.

Key considerations

  • SPF Record Review: Carefully review SPF records to ensure accurate authorization of Trustpilot's sending sources.
  • DKIM Signing Options: Explore and inquire about DKIM signing options with Trustpilot to improve authentication and DMARC compliance.
  • Business Decision Impact: Trustpilot's decision not to fully implement DKIM/DMARC requires exploring workarounds to achieve compliance.
Expert view

Expert from Email Geeks questions whether Trustpilot uses their own domain for sending emails like PayPal, making it impossible for users to set up SPF, DKIM, or DMARC. She also shares her own email headers which show that Trustpilot uses dkim and dmarc.

February 2023 - Email Geeks
Expert view

Expert from Word to the Wise explains that when using third-party senders like Trustpilot, DMARC failures often stem from SPF alignment issues because the 'envelope from' domain doesn't match the 'header from' domain. They recommend carefully reviewing SPF records and considering DKIM signing options if available from Trustpilot.

July 2021 - Word to the Wise
Expert view

Expert from Email Geeks says Trustpilot's advice is bad and that Trustpilot uses Twilio/Sendgrid so could support DKIM/DMARC, but are making a business choice not to.

July 2022 - Email Geeks

What the documentation says
4Technical articles

When addressing DMARC failures with Trustpilot email invitations using a custom domain, documentation emphasizes the importance of correct SPF and DKIM setup. DMARC failures often stem from SPF or DKIM alignment issues, where the 'header from' domain doesn't match the 'envelope from' domain (for SPF) or the DKIM signature domain (for DKIM). Crucially, analyzing email headers, particularly the `Authentication-Results` header, helps pinpoint whether SPF or DKIM is failing and why, aiding in the identification and correction of misconfigurations.

Key findings

  • SPF/DKIM Setup: Correct configuration of both SPF and DKIM records is essential for DMARC compliance.
  • DMARC Alignment: DMARC alignment requires the 'header from' domain to match the 'envelope from' domain (SPF) or the DKIM signature domain (DKIM).
  • Header Analysis: Analyzing the `Authentication-Results` header in email headers helps identify the specific cause of DMARC failures.

Key considerations

  • DMARC Record Validation: Use a DMARC record checker to ensure the DMARC record is correctly configured and valid.
  • SPF Record Verification: Verify that the SPF record includes all authorized sending sources for the domain, including Trustpilot.
  • DKIM Configuration Review: Review the DKIM configuration to ensure proper signing and alignment with the 'header from' domain.
Technical article

Documentation from DMARC Analyzer explains that DMARC failures typically occur due to SPF or DKIM alignment issues. If SPF passes but doesn't align (the 'header from' domain doesn't match the 'envelope from' domain), or if DKIM fails, DMARC will fail. They recommend checking SPF and DKIM records and alignment.

April 2023 - DMARC Analyzer
Technical article

Documentation from EasyDMARC explains that DMARC alignment is crucial. For SPF to align, the `header from` address must match the `envelope from` address. For DKIM to align, the domain in the `d=domain.com` tag of the DKIM signature must match the `header from` address. They suggest ensuring these alignments for Trustpilot emails.

May 2024 - EasyDMARC
Technical article

Documentation from AuthSMTP explains the importance of analyzing the email headers of Trustpilot invitations that are failing DMARC. Specifically, check the `Authentication-Results` header to see which part of the DMARC check is failing (SPF or DKIM) and why. This helps pinpoint the misconfiguration.

October 2023 - AuthSMTP
Technical article

Documentation from Trustpilot Help Center explains that DMARC configuration requires setting up both SPF and DKIM records correctly for the custom domain. They recommend checking your DMARC record using a DMARC record checker to ensure it's valid.

December 2024 - Trustpilot Help Center

Related resources
3Resources

Custom Domains in Apple's iCloud Mail: Two Years Later
Custom Domains in Apple's iCloud Mail: Two Years Later

Revisiting the state of Custom Domains on iCloud Mail two years after launch.

Empty Coffee
DMARC Digests – Matt West
DMARC Digests – Matt West

An email security product that helps brands protect their email reputation.

Matt West
Issue - Can send mails but can't receive (554 5.7.1 Relay access ...
Issue - Can send mails but can't receive (554 5.7.1 Relay access ...

You have to login to the outgoing mail server to be able to send mail through it. If you see "Relay access denied" you have not logged in properly. I received this message on gmail. I was sending an email to mail@domain.com from my personal gmail account. The message hasn’t been delivered to...

Plesk Forum

Related questions