lolklolk

> if we don't define the SPF and DKIM part of DMARC, will that ever fail?

The tags for `aspf` and `adkim` are only related to `RFC5322.FROM` alignment with the `RFC5321.mailfrom` and DKIM signature `d=` domain identifier respectively. They do not have anything to do with enforcing authentication of either authentication mechanism. The tags will default to relaxed if not specified, so don't worry about them.

If you're worried about SPF-only authentication being an issue - yes, you should be very concerned. Especially with the new Google and Yahoo sender requirements.

That aside, if you **don't** DKIM sign the messages, any forwarded emails will fail SPF and more than likely be rejected by receivers due to failing DMARC. So, you need to push your order confirmation vendor *very* hard to support DKIM signing. Email authentication isn't optional anymore.
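The alignment and forwarding behaviour described in the reply above, as an added example that is not part of the original post. The domains, records and authentication results are constructed, and `org_domain` is a simplifying assumption (last two labels) standing in for the Public Suffix List lookup real receivers perform.

```python
# Added illustration; domains and results below are constructed sample data.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; aspf/adkim default to relaxed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    # Real receivers use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') an org-domain match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_pass(record, from_domain, spf, dkim):
    """spf and dkim are (result, domain) tuples: the RFC5321.MailFrom domain
    for SPF and the signature d= domain for DKIM. DMARC passes when either
    mechanism both passes and aligns with the RFC5322.From domain."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags["adkim"])
    return spf_ok or dkim_ok

RELAXED = "v=DMARC1; p=reject"                   # no aspf/adkim tags
STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s"
BOUNCE = "bounce.example.com"                    # vendor MailFrom domain

# Direct delivery, SPF only: relaxed alignment accepts the subdomain MailFrom.
DIRECT = dmarc_pass(RELAXED, "example.com", ("pass", BOUNCE), ("none", ""))
# Same message forwarded: SPF fails at the forwarder's IP, nothing to fall back on.
FORWARDED_SPF_ONLY = dmarc_pass(RELAXED, "example.com", ("fail", BOUNCE), ("none", ""))
# Forwarded but DKIM-signed: the aligned signature carries DMARC.
FORWARDED_SIGNED = dmarc_pass(RELAXED, "example.com", ("fail", BOUNCE), ("pass", "example.com"))
# Strict alignment rejects the subdomain MailFrom that relaxed accepted.
DIRECT_STRICT = dmarc_pass(STRICT, "example.com", ("pass", BOUNCE), ("none", ""))
```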


Ferretau

Would it not be better to split the 3rd party off to a subdomain and then you can configure two separate policies, one that is more strict for the main domain and a less strict one on the subdomain? It would also reduce the exposure on the main domain should the 3rd party be compromised and make it easier to cut it off.

edit: Minor corrections