0

For example, I have:

  • example.com (in this domain I create account)
  • need.com (additional domain)

I want to give the users the ability to send emails as @need.com using alias in accounts settings.

The problem is that all messages go to spam with DMARC policies.

```
Authentication-Results: mx.google.com;
    dkim=pass header.i=@need-com.20150623.gappssmtp.com header.s=20150623 header.b="y0qDXN/D";
    spf=pass (google.com: domain of mailtest@example.com designates 209.85.220.41 as permitted sender)
    smtp.mailfrom=mailtest@example.com;
    dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=need.com
```

It is necessary to configure so that everything would work correctly with the quarantine DMARC policy. Is it possible? Maybe someone has a practical solution to this problem?

Presumably the problem is in the difference of headers, but I could not figure out how to solve it.

  • There exists a problem with DMARC with `Sender: a@one.domain` and `From: b@second.domain`. Check DMARC home page for detailed explanation. You need to capture the whole message or, even better, whole SMTP dialog to see what's going on, what google server is sending. – Zrin Feb 11 '21 at 17:14

2 Answers

2

*.20150623.gappssmtp.com indicates that you don't have a custom DKIM setup for your Google Workspace.

SPF is failing because of misalignment. When you send an email from an Alias setup (from Google Workspace), your MailFrom: will be your Primary domain (primarydomain.com), and your From: address will be your Alias domain (aliasdomain.com), failing alignment and leading to SPF failure with regard to DMARC.

To fix this, make sure you set DKIM for your alias domain from your Google Workspace admin portal. You will pass DMARC with DKIM Alignment/pass.

Jacob
  • I set DKIM for the alias domain and checked it with an online service, but I still get need-com.20150623.gappssmtp.com in signed-by. Maybe there is something else that needs to be done? – Vasyl Kolomiets Feb 09 '21 at 11:37
  • Make sure you hit DKIM 'Activate' button from your Google Workspace after implementing the Public Key in your DNS. If that's OK, then wait for DNS propagation and perform additional tests. – Jacob Feb 10 '21 at 11:27
  • DKIM was activated from the admin account, but I still get need-com.20150623.gappssmtp.com. The problem is observed on a free account; on a paid one with similar settings, everything works. Perhaps the problem is related to an outdated account? – Vasyl Kolomiets Feb 19 '21 at 16:40
  • Make sure that p=none until you are very sure all legit mail is consistently passing DMARC. It's best to go slow with regard to ramping up to an enforcing policy such as p=quarantine or p=reject. – Neil Anuskiewicz Jun 28 '21 at 12:30
  • Struggling with this too. I've set up DKIM and SPF for both main and alias domains, but I am uncertain if the DKIM signature for the alias needs to be installed at the main domain too? I mean... do both need to be on the main domain? – luison Nov 03 '22 at 12:17
1

DMARC only passes if it meets the alignment criteria, and that's what you're tripping up on. You need to fix at least one of SPF or DKIM so they align to the From: header.

womble
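
Both answers come down to identifier alignment. As an added example (not code from either answer), this Python sketch parses the `Authentication-Results` header from the question and lists which passing identifiers align, in relaxed mode, with the `From:` domain. The function names, the naive two-label organizational-domain rule and the second "fixed" header are assumptions constructed for illustration.

```python
import re

# Header value from the question, joined onto one logical line.
FAILING = ('mx.google.com; '
           'dkim=pass header.i=@need-com.20150623.gappssmtp.com header.s=20150623 header.b="y0qDXN/D"; '
           'spf=pass (google.com: domain of mailtest@example.com designates 209.85.220.41 as permitted sender) '
           'smtp.mailfrom=mailtest@example.com; '
           'dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=need.com')

# Constructed sample: the same message once it is DKIM-signed as need.com.
FIXED = (FAILING.replace('@need-com.20150623.gappssmtp.com', '@need.com')
                .replace('dmarc=fail', 'dmarc=pass'))

def org_domain(domain):
    """Assumption: organizational domain = last two labels (no Public Suffix List lookup)."""
    return '.'.join(domain.lower().rstrip('.').split('.')[-2:])

def parse(header):
    """Return {method: [(result, {property: value}), ...]} for each result in the header."""
    out = {}
    no_comments = re.sub(r'\([^)]*\)', ' ', header)      # drop "(...)" comments
    for part in no_comments.split(';')[1:]:              # element 0 is the authserv-id
        m = re.match(r'\s*(\w+)=(\w+)', part)
        if m:
            props = dict(re.findall(r'((?:header|smtp)\.[\w-]+)=(\S+)', part))
            out.setdefault(m.group(1).lower(), []).append((m.group(2).lower(), props))
    return out

def aligned_identifiers(header):
    """Passing SPF/DKIM identifiers whose domain aligns (relaxed) with header.from."""
    res = parse(header)
    from_dom = org_domain(res['dmarc'][0][1]['header.from'])
    hits = []
    for method, prop in (('spf', 'smtp.mailfrom'), ('dkim', 'header.i'), ('dkim', 'header.d')):
        for result, props in res.get(method, []):
            dom = props.get(prop, '').rsplit('@', 1)[-1].strip('"')
            if result == 'pass' and dom and org_domain(dom) == from_dom:
                hits.append(f'{method}:{dom}')
    return hits

def dmarc_verdict(header):
    """DMARC passes when at least one passing identifier is aligned."""
    return 'pass' if aligned_identifiers(header) else 'fail'

if __name__ == '__main__':
    for name, hdr in (('question', FAILING), ('constructed fix', FIXED)):
        print(name, dmarc_verdict(hdr), aligned_identifiers(hdr))
```

For the header in the question both checks pass on their own, but neither `example.com` (SPF) nor `gappssmtp.com` (DKIM) matches `need.com`, so no identifier is aligned.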