10

Whenever my domain sends a message to a google group on another domain the DMARC alignment fails. This is true for all my approved senders, even using Gmail in my domain. It seems to be because the Return-Path (Envelope From) header is replaced by the receiving group's bounce address, but the From header remains as my domain, which is incorrect.

For example, I send mail from Gmail in my domain, chris@mydomain.com, to a group in your domain, your-group@yourdomain.com. If you look at the headers of the message you receive, you see:

BAD

Return-Path: <your-group+bncBCA5XFGRYQLCBEHHVS5AKGQED3J2I7I@yourdomain.com>
Authentication-Results: mx.google.com;
   dkim=pass header.i=@yourdomain.com;
   spf=pass (google.com: domain of your-group+bncBCA5XFGRYQLCBEHHVS5AKGQED3J2I7I@yourdomain.com designates 2607:f8b0:400d:c04::246 as permitted sender) smtp.mailfrom=your-group+bncBCA5XFGRYQLCBEHHVS5AKGQED3J2I7I@yourdomain.com;
   dmarc=fail (p=NONE dis=NONE) header.from=mydomain.com
From: Chris <chris@mydomain.com>

X-Original-Sender: chris@mydomain.com
X-Original-Authentication-Results: mx.google.com;
   dkim=pass header.i=@mydomain.com;
   spf=pass (google.com: domain of chris@mydomain.com designates 2607:f8b0:400c:c05::233 as permitted sender) smtp.mailfrom=chris@mydomain.com;
   dmarc=pass (p=NONE dis=NONE) header.from=mydomain.com

DMARC fails because of bad alignment between the From domain (mydomain) and the DKIM and SPF domains (yourdomain). However, when you, a properly configured GApps user, send mail from Gmail to a group at mydomain, the headers are different.

GOOD

Return-Path: <my-group+bncBCGJ3NF22YBRBTXIVS1RKGQEIWR5E6Q@mydomain.com>
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mydomain.com;
       spf=pass (google.com: domain of my-group+bncBCGJ3NF22YBRBTXIVS1RKGQEIWR5E6Q@mydomain.com designates 2607:f8b0:4001:c0b::247 as permitted sender) smtp.mailfrom=my-group+bncBCGJ3NF22YBRBTXIVS1RKGQEIWR5E6Q@mydomain.com;
       dmarc=pass (p=NONE dis=NONE) header.from=mydomain.com
From: "'You' via my-group" <my-group@mydomain.com>

Note the different form of the From header - the original sender has been replaced by my own group. There is also a pair of X-Original headers as above that have the same form (just reversed), so I'm not pasting them.

So the question is, how do I configure my domain, gapps, dns, mx, or whatever, so that Google Groups that receive my messages will correctly replace the From header with "via your-group@yourdomain.com"?

Mail from my domain to users at other domains works fine - DMARC passes because SPF and DKIM are good and the Return-Path still says @mydomain. I have read articles about why the "via your-group" is necessary - I'm ok with that. I'm trying to figure out why my messages to groups are not getting treated that way.

Seems to be similar to: How to prevent emails from my domain through mailing lists to be rejected due to DMARC. Different because Google Groups are definitely compatible with DMARC - other people don't have this problem.

Update: I found this article which says google groups only rewrites the sender when the DMARC policy is strict (p=reject). That seems like a terrible idea since the whole point of starting with p=none is to gain confidence that your mail will get delivered when you up the policy, but if true then it may explain my issue. Can anyone confirm? http://www.spamresource.com/2014/04/google-groups-rewriting-from-addresses.html

lordbyron
  • Yes, it's broken by design. – Jenny D May 30 '16 at 08:21
  • 1
    Possible duplicate of [How to prevent emails from my domain through mailing lists to be rejected due to DMARC](http://serverfault.com/questions/598990/how-to-prevent-emails-from-my-domain-through-mailing-lists-to-be-rejected-due-to) – Jenny D May 30 '16 at 08:21
  • Yeah, unless you can get either your SPF or DKIM [Identifier Alignments](https://www.unlocktheinbox.com/resources/identifieralignments/) aligned, DMARC is going to fail. There is a new spec to address this issue in the works; you can read more about that here: [ARC Spec](http://arc-spec.org/) – Henry May 30 '16 at 16:02
  • Possible I explained poorly, but this is a problem that other people have definitely solved. My GOOD example above is a real example - sending from a properly configured GApps domain to a mailing list in my domain works perfectly for them. It's only my outgoing that breaks. This is similar, but not a duplicate, to the post linked by @JennyD; Google groups are not incompatible with DMARC. – lordbyron May 31 '16 at 16:31

1 Answer

12

I did finally get this response from Google. I was glad to find someone who understood the issue, but unfortunately it looks like Google is sticking with their incorrect treatment of the DMARC directive.

Google Groups will only rewrite the From: header when the DMARC policy of the original sender (you in this case) is set to reject or quarantine.

With DMARC/p=none, DKIM isn't rewritten when sending to a group, but because DMARC is set to "none", it doesn't matter that the group will break DKIM from the point of view of delivery and spam detection - it will still get delivered properly. Unfortunately, it does make it look confusing if you're monitoring your deployment.

In order to see the correct behavior you can switch to p=quarantine and monitor the delivery. Please tell me if there is anything else I can assist you with, I'll be glad to follow up.

lordbyron
  • Link to discussion on GSuite Help Forum: https://productforums.google.com/forum/#!topic/apps/GCyP2whcsrM – jornane Feb 22 '19 at 10:26
  • 1
    See also the "I see 'via' and a website name ..." item, indicating google-groups rewrites only if p=quarantine or p=reject. https://support.google.com/mail/answer/1311182?hl=en – fche Apr 15 '20 at 00:04
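
The alignment check behind the BAD and GOOD headers in the question, together with the policy rule quoted in the answer, as an added example that is not part of the original posts. The header samples are constructed from the question's examples (bounce tag shortened, documentation IP address), `org_domain` assumes the last two labels stand in for a Public Suffix List lookup, and `groups_rewrites_from` encodes only the behaviour described in the answer.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers in the question.
TEMPLATE = """\
Return-Path: <{grp}+bncTAG@{dom}>
Authentication-Results: mx.google.com;
   dkim=pass header.i=@{dom};
   spf=pass (google.com: domain of {grp}+bncTAG@{dom} designates 2001:db8::1
   as permitted sender) smtp.mailfrom={grp}+bncTAG@{dom};
From: {frm}

"""
BAD = TEMPLATE.format(grp="your-group", dom="yourdomain.com",
                      frm="Chris <chris@mydomain.com>")
GOOD = TEMPLATE.format(grp="my-group", dom="mydomain.com",
                       frm='"\'You\' via my-group" <my-group@mydomain.com>')

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain;
    # a real evaluator consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_alignment(raw_headers):
    """Recompute the DMARC verdict (relaxed alignment) from Authentication-Results."""
    msg = message_from_string(raw_headers)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    ar = " ".join(msg["Authentication-Results"].split())  # unfold the header
    report = {"from": from_dom}
    for method, prop in (("dkim", "header.i"), ("spf", "smtp.mailfrom")):
        res = re.search(rf"\b{method}=(\w+)", ar)
        ident = re.search(rf"\b{re.escape(prop)}=([^;\s]+)", ar)
        dom = ident.group(1).rpartition("@")[2] if ident else ""
        # A mechanism counts only if it passed AND its domain matches From.
        report[method] = bool(res and res.group(1) == "pass"
                              and org_domain(dom) == org_domain(from_dom))
    report["dmarc"] = "pass" if report["dkim"] or report["spf"] else "fail"
    return report

def groups_rewrites_from(dmarc_txt):
    """Per the answer: From is rewritten only for p=quarantine or p=reject."""
    pairs = (t.split("=", 1) for t in dmarc_txt.split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    return tags.get("p", "none") in ("quarantine", "reject")
```

Both mechanisms pass in the BAD sample, but for `yourdomain.com`, so neither aligns with the `mydomain.com` From header; that is the `dmarc=fail` seen while the sender publishes `p=none`.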