This is the comment from my network manager.
I’ve been working with all our email systems, both internal and external, and also SPF, DKIM and DMARC setups -
For many of our providers, we are allowed to send through mailgun, as mg.example.com subdomain, but the sender and from fields are set to match @example.com - so there is no “on behalf of” issue.
For dmarc alignment, the really important parameter is the “d=” field when signing the email with dkim. If this is d=example.com, then everything is aligned because the @example.com is matching the top level sender domain (ie, outdomain.com) - so the mechanisms “SPF dmarc alignment” and “DKIM dmarc alignment” both show as “pass”. When eveything shows as pass, the email is accepted as valid.
So, we have a couple issues here. Can we set the “sender” and “from” fields?
Do you properly assign the domain in the “d=” when dkim signing the email?