
I'm using Gsuite with our own domain name "audacy.space". I've set up DMARC, DKIM and SPF, and both DMARC Analyzer and Google's Mx Tool report no problems for the domain. However, our weekly DMARC reports from Postmark still show 70% of messages as not aligned. Especially one Google server at 209.85.550.69 shows a very high failure rate.

DMARC Report

I've tried adding that IP explicitly in our SPF records (as 209.85.220.0/24), but it hasn't improved anything. Any idea where I'm going wrong? Thanks!

AudRE

1 Answer


However, our weekly DMARC reports from Postmark still show 70% of messages as not aligned.

I've tried adding that IP explicitly in our SPF records (as 209.85.220.0/24), but it hasn't improved anything.

Since the issue here is alignment, adding IPs to your SPF is not going to solve the issue.

DMARC is there to demand that the domains used in your authentication methods, SPF and DKIM, align with the domain used in the email address that is shown to the recipient of your emails, namely the Header.From field.

Since your DMARC policy allows for relaxed SPF and DKIM alignment, this means the smtp.mailfrom address (a.k.a. Return-Path / Bounce address / envelope from) should use a domain that shares the same organizational domain, for example bounces@newsletters.audacy.space. This is similar for DKIM.

Forwarders generally rewrite the bounce address to an address in order to receive the bounces themselves and PASS their own SPF policy. However, they do not change the Header.From address and thus these forwarded messages end up as "SPF misaligned" in your DMARC reports.

Apart from forwarding rules, Google uses Groups for Business as distribution groups to forward email to the members of that group. Google then also includes the results from these forwarded emails in the DMARC reports they send back to you.

If you can look in the raw data for your DMARC report, you may find that:

  1. The sender of the report is Google, meaning that the recipient mailbox is hosted on Google.
  2. The sending IP address is owned by Google.
  3. And, the bounce address is rewritten to a domain that is hosted on the Google platform.

This last bit is not always crystal clear, because it could be an external domain. But if you look up the MX records for that domain, you might find that it points to Google servers.

To conclude: Based on the information you provided, my best guess would be, since the sender IP belongs to Google, that this situation involves forwarders and probably Google's Groups for Business.

Reinto
  • That's super helpful; thank you! I'll do some investigating on what you suggested and will report back on how it goes. – AudRE Jul 03 '19 at 20:43
  • @AudRE Did you ever get to the bottom of this? Just curious... – Reinto Jul 31 '19 at 21:10
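
The raw-data check described in the answer can be scripted. The following is an added example, not part of the original post or written by either participant: it reads a DMARC aggregate report (RFC 7489 XML), evaluates alignment against Header.From, and lists records where SPF passed for an unaligned domain, which is the signature of a rewritten bounce address. The sample report, its documentation-range IPs, the domain `groups.example.net` and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (not real data); element names per RFC 7489.
SAMPLE = """<feedback>
 <report_metadata><org_name>google.com</org_name></report_metadata>
 <policy_published><domain>audacy.space</domain><adkim>r</adkim><aspf>r</aspf></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>3</count></row>
  <identifiers><header_from>audacy.space</header_from></identifiers>
  <auth_results><dkim><domain>audacy.space</domain><result>pass</result></dkim>
   <spf><domain>bounces.audacy.space</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.69</source_ip><count>7</count></row>
  <identifiers><header_from>audacy.space</header_from></identifiers>
  <auth_results><dkim><domain>audacy.space</domain><result>fail</result></dkim>
   <spf><domain>groups.example.net</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

def org_domain(name):
    # Assumption: last two labels; production code needs the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned_pass(results, header_from, strict):
    """True if a passing result's domain aligns with Header.From."""
    key = str.lower if strict else org_domain
    return any(r.findtext("result") == "pass"
               and key(r.findtext("domain", "")) == key(header_from)
               for r in results)

def classify(xml_text):
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    rows = []
    for rec in root.iter("record"):
        hf = rec.findtext("identifiers/header_from")
        spf = rec.findall("auth_results/spf")
        spf_ok = aligned_pass(spf, hf, pol.findtext("aspf", "r") == "s")
        dkim_ok = aligned_pass(rec.findall("auth_results/dkim"), hf,
                               pol.findtext("adkim", "r") == "s")
        # SPF passing for an unaligned domain means the envelope sender was rewritten.
        rewritten = [] if spf_ok else [r.findtext("domain") for r in spf
                                       if r.findtext("result") == "pass"]
        rows.append({"reporter": root.findtext("report_metadata/org_name"),
                     "ip": rec.findtext("row/source_ip"),
                     "count": int(rec.findtext("row/count")),
                     "dmarc_pass": spf_ok or dkim_ok, "rewritten_to": rewritten})
    return rows
```

For each domain that shows up in `rewritten_to`, an MX lookup tells you whether it is hosted on the reporter's platform, as the answer suggests.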