#eirikbakke

Hello! We'll be with you shortly. Below are links to other discussions we've had with you in the past week in case you want to review that information. If your question is related to one of these previous discussions, please provide a comprehensive summary of the current state and what you need help with now. We help many users simultaneously, so a summary allows us to resolve your issue as soon as possible.

• eirikbakke, 3 days ago, 14 messages

👋 Hopping in here - let me dig around and see if I can get some confirmation that this is okay

Yes, thank you!

I'm not finding too much concrete information, but reading between the lines I think you'd have to modify the SPF records to enable strict SFP alignment. In our public docs we do recommend configuring your own DMARC record and enabling strict SPF so I'm guessing we don't include this in our own entries

Where in your docs did you see the recommendation to enable strict SPF?

https://stripe.com/docs/payments/account/email-domain#sender-authentication

Ah, I don't see the words "strict" or "alignment" in that document, so I think they just mean one should enable SPF, DKIM, and DMARC, without specifically saying that the DMARC strict-SPF-alignment setting (aspf=s) should be enabled.

That's fair - I haven't had to mess with this configurations that much so I could definitely be wrong

ok, thanks. Would be good to get more DMARC documentation on the Stripe site, as there are some new GMail/Yahoo policies coming from February 1. ( https://www.mailgun.com/blog/deliverability/gmail-and-yahoo-inbox-updates-2024 )

If it helps, my hunch is that strict SPF won't actually work because the domain in the "From:" address is e.g. mycompany.com whereas the Mail-From address is bounce.mycompany.com . I had a theory that one could work around this by taking the "include" domain from the SPF record at custom-email-domain.stripe.com and putting it in the root mycompany.com SPF record, but I don't think I want to mess with it, as it could disrupt mail delivery...

Hello! I'm taking over and catching up...

I'm looking at the blog post you linked to and it doesn't mention anything about a requirement to set strict alignment. Will relaxed not work for you?

Correct; I haven't seen it mentioned. I just had a hunch that strict alignment might give better reputation points with spam filters.

It's not a requirement from my side though, so I will probably go with relaxed, which is the default.

I think that should be fine, and I don't foresee issues with relaxed in practice. I don't see how you would be able to set strict while using a custom domain for Stripe emails.

Let me check one more thing though, hang on...

Yeah, we use Amazon SES to send these emails, and they explicitly state that strict won't work.

Oh, nice--could I have the link to the SES documentation that mentions that? I will have peace of mind...

(As it happens I also use SES for other stuff)

Yep! https://docs.aws.amazon.com/ses/latest/dg/send-email-authentication-dmarc.html

In the output of this command, under Non-authoritative answer, look for a record that begins with v=DMARC1. If this record includes the string aspf=r, or if the aspf string is not present at all, then your domain uses relaxed alignment for SPF. If the record includes the string aspf=s, then your domain uses strict alignment for SPF. Your system administrator will need to remove this tag from the DMARC TXT record in your domain's DNS configuration.

brilliant--thank you! that answers my question.