How do third-party senders authenticate under DMARC?
Third party senders must authenticate in a way that produces DMARC alignment. This is usually achieved with DKIM because it is more flexible and survives forwarding. Vendors often provide a DNS record that allows them to sign with your domain in the d tag. SPF alignment is possible but fragile because it requires the third party to send using a matching envelope from which can break during forwarding.
Was this answer helpful?
Thanks for your feedback!