0

Each day I get a DMARC report from Google. They include records for our own outgoing emails, various 3rd party partners we've authorized to send on our behalf, and various spammers trying to spoof our domain. But here's something strange: they also include some of Google's own servers:

  <record>
    <row>
      <source_ip>209.85.215.197</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
        <reason>
          <type>local_policy</type>
          <comment>arc=pass</comment>
        </reason>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>mydomain.com</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>

whois shows that 209.85.215.197 is part of Google:

    NetRange:       209.85.128.0 - 209.85.255.255
    CIDR:           209.85.128.0/17
    NetName:        GOOGLE
    NetHandle:      NET-209-85-128-0-1
    Parent:         NET209 (NET-209-0-0-0-0)
    NetType:        Direct Allocation
    OriginAS:
    Organization:   Google LLC (GOGL)
    RegDate:        2006-01-13
    Updated:        2012-02-24
    Ref:            https://rdap.arin.net/registry/ip/209.85.128.0

I'm trying to figure out what's going on here, and there are only a few things I can think of:

  1. Some of Google's customers are spammers, sending email to Gmail addresses, while trying to use our domain
  2. Google not whitelisting their own servers
  3. Me being dumb and not understanding something about DMARC

I get at least 10 of these a day from random IPs in that netblock, always accompanied by a record for our own IP address showing emails going through. This leads me to believe it's #2: valid emails flowing around in Google's infrastructure, producing DMARC feedback when shouldn't be.

If it is #2, does anyone know who to contact to make it stop? It's annoying to have to whitelist or ignore their netblock.

HiredMind
  • 101
  • 3
  • 1
    Why would Google whitelist their own servers? Nobody would trust them if they did that as it would allow for anyone to send spam through them. The question you should ask and answer is, is it legitimate for mail from your domain to originate from Google? – Michael Hampton Jan 08 '21 at 23:49
  • I meant whitelist as in "do not produce a DMARC report when receiving from our servers", not "let this server spoof any domain". – HiredMind Jan 09 '21 at 00:43
  • 3
    Why would they do that, as well? It doesn't make sense. If spam is coming from Gmail (which DOES happen) you presumably want to know about it. – Michael Hampton Jan 09 '21 at 00:58
  • So DMARC records should be produced when forwarding emails around within an organization? 1. It actually hides the REAL source of the spam. 2. It leaks information about the internals of your organization. That doesn't make sense. – HiredMind Jan 11 '21 at 17:59
  • What are you talking about? – Michael Hampton Jan 11 '21 at 20:49

1 Answers1

1
  1. Yes, some of Googles customers are spammers
  2. Also yes, Google is well aware of this and does not blindly trust mail relayed by their own systems.
  3. There is nothing unusual about these IPs to appear in your DMARC reports. You asked to receive reports how your domains mail was handled, so of course Google also reports how your domains mail was handled when relayed by that particular server.
  4. This is information your receive on top of what is potentially already reported by the first Receiver (Yes, in DMARC even mail that will be forwarded may be reported by the first recipient). This extra information is not reducing the information about the origin of potential spam you may or may not also receive.

However, what I believe is the more interesting hint this reports gives you: Check your DKIM setup.

I have similar Google IPs in my reports, and every single message that is reported as going through there is also reported as carrying at least one aligned and validating signature.

Google accepted that mail based on the ARC signature - based on the authentication results recorded by the relaying server. If you were signing adequate headers with an aligned key, your message could be forwarded with DKIM signature intact. Google would report a DKIM signature pass to you, instead of resorting to a decision based on the information added by the forwarding server.

For almost all mail servers, your DKIM setup should allow people using Google as their mail provider to forward your mail to another inbox of theirs, without having to break the signature.

About your comment on possibly revealing - to the sender - which systems are used to relay mail from a public, internet-accessible mail server: this is known and deemed acceptable by anyone wanting to send mail on the internet. Server operators are expected to consider the implications of forwarding mail before allowing their users to do so.

anx
  • 8,963
  • 5
  • 24
  • 48