Is there a way to align SPF for Google Apps alias domain?
I use Google Apps for Work. Let's say I have:
primarydomain.com
And another alias domain:
aliasdomain.com
As long as I send emails from primary domain both SPF and DKIM result perfectly aligned.
However, when I send emails from alias domain SPF fails to align for a valid reason that it is actually primarydomain.com that is sending emails.
Is there any way to align SPF for alias domain?
Use the redirect modifier to "replace" the SPF record for the alias domain with that of the primary domain.
Thus, the SPF record for aliasdomain.com ends up looking like this:
v=spf1 redirect=primarydomain.com
Note that no all mechanism is required, the final clause of the primarydomain.com record will apply.
DMARC does NOT require SPF alignment!
Again, DMARC does NOT require SPF alignment!
From the DMARC RFC7489:
Identifier Alignment: When the domain in the RFC5322.From address matches a domain validated by SPF or DKIM (or both), it has Identifier Alignment.
(For reference, the RFC5322.From address is the actual "from" address that the email client shows a user.)
All you need is DKIM for DMARC to work
Once you setup dkim with gsuite, then you don't need to worry about the SPF on domain aliases.
Summary
Go to gsuite, setup dkim for all of your domains, add your dmarc dns records to all of your domains, and that's it.
Read More
For a pretty picture of the whole thing and a complete description that actually makes sense, please see Ivan Kovachev's excellent writeup - All you need to know about SPF, DKIM and DMARC
P.S. What about the "require=" attribute?
It makes no difference if you add this. It's never read or used. It adds an extra hop (alias.domain -> primary.domain -> _spf.google.com).
Why? The recipient email server only checks SPF for the address in the return-path. When Gsuite sends email from a domain alias, it uses the primary domain in the return-path. Therefore, the recipient email server only checks the SPF record for the primary domain. It never looks at the domain alias's SPF record.
Do you need an SPF record on the domain alias?
Yes. It will protect your alias from abuse. It won't affect DMARC or mail delivery.
As mentioned on SPF not aligned on domain alias, DMARC problems, when using domain aliases, the return-path and from headers are updated by Google to point to email addresses in different domains. The return-path has the primary domain email address, while the from header has an email address in the alias domain. This may cause problems with email delivery. It will reduce your spam score and increase the chances of your message being marked as SPAM.
As mentioned in the article, there is no solution for this so far from Google. I have used GSuite with domain alias and have no problems with sending and receiving emails. If your primary domain and domain alias have the correct MX and SPF records configured, then you should not have any problems with sending email from your primary domain or domain alias. Adding redirect modifier to SPF record is not recommended by GSuite support.
The MX records for both your primary domain and domain alias should point to Google's mail servers. Both primary domain and domain alias should also have a SPF record that allows email delivery from Google's mail servers.
See Help prevent email spoofing with SPF records on how to configure SPF for your GSuite domain. The article Set up MX records for G Suite Gmail, describes how to configure MX records for your domain.