by ryan29 2178 days ago
My guess on this is that SendGrid isn't strict enough about the `FROM` header when the message is being written. It's tough to say though without seeing the full set of headers.

Note the mail is sent from @sendgrid.net. DKIM even lists it as `with domain sendgrid.net`. Also note the `via sendgrid.net`. I'm not positive how that works on GMail, but I'm guessing that means the Return-Path (aka envelope from) is @sendgrid.net while the `FROM` in the mail header is set to @support.github.com.

That explains why SPF and DKIM pass, but DMARC fails. Both SPF and DKIM are aligned to sendgrid.net, but the FROM address the receiver sees is aligned to github.com (relaxed by default uses the organizational domain). AFAIK, that's exactly the scenario DMARC was made to catch.

The problem is that (I think) sending mail like that is sort of acceptable, and a strict DMARC policy breaks it. My guess for that type of mail is you need to trust the via party (ex: via sendgrid.net) to trust that email. Is that right? How many people know that? I had to refresh my memory on how DMARC works to figure out what was going on.

I've never used SendGrid, but I think they support sending from custom domains [1]. IIRC they even let you delegate a subdomain to them which makes the setup simple since they handle all the NS. For example, point sendgrid.github.com DNS to them and all of the SPF / DKIM / DMARC alignment gets dealt with automatically.

For a high value domain like github.com they should probably be using a stricter DMARC policy. It's tough because you can impact deliverability, but all the transactional / cloud providers use similar strategies to improve deliverability and users don't have a chance of understanding even a tiny portion of it. Ex: (IIRC) MS365 will DKIM sign and ARC seal messages using their `onmicrosoft.com` domain if you don't configure DKIM for a tenant. It's been a while since I thought I saw that somewhere and I only noticed it in passing once when diagnosing a different issue for someone, so don't take it as fact.

TLDR; SendGrid probably needs to be stricter when writing the FROM address. GitHub probably needs to send from a custom domain so they can be stricter about DMARC.

1) https://sendgrid.com/docs/ui/account-and-settings/how-to-set...
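The alignment logic the comment walks through, as an added illustration that is not the commenter's code and not anything from SendGrid or GitHub: SPF and DKIM can both pass for the provider's domain while DMARC still fails because neither identifier aligns with the visible From domain. The organizational-domain lookup is simplified to "last two labels" (a real implementation uses the Public Suffix List), and the sample header values are constructed.

```python
# Added illustration of DMARC identifier alignment; not code from the comment
# or from SendGrid/GitHub. org_domain() is a simplification (assumes a
# one-label public suffix) standing in for a Public Suffix List lookup.
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    only needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResult:
    from_domain: str    # RFC5322.From domain, what the recipient sees
    spf_domain: str     # Return-Path / envelope-from (RFC5321.MailFrom) domain
    spf_pass: bool
    dkim_domain: str    # d= tag of the passing DKIM signature
    dkim_pass: bool


def dmarc_evaluate(r: AuthResult, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if at least one passing mechanism is aligned with From."""
    spf_aligned = r.spf_pass and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_aligned = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, adkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


# Constructed sample mirroring the scenario above: SPF and DKIM pass for
# sendgrid.net, but the From header says @support.github.com.
SENDGRID_CASE = AuthResult("support.github.com", "sendgrid.net", True,
                           "sendgrid.net", True)
# Constructed sample after delegating a subdomain to the provider.
DELEGATED_CASE = AuthResult("support.github.com", "sendgrid.github.com", True,
                            "sendgrid.github.com", True)

if __name__ == "__main__":
    print(dmarc_evaluate(SENDGRID_CASE))   # dmarc_pass: False
    print(dmarc_evaluate(DELEGATED_CASE))  # dmarc_pass: True (relaxed)
```

Note that the delegated case only passes under relaxed alignment; with `adkim=s`/`aspf=s` in the DMARC record, sendgrid.github.com would still not align with support.github.com.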