
I have a domain set up on AWS Route53 and I use Google Apps for the administration of email accounts. I'm having trouble sending invites (Google Calendar/Hangout) to other domains. These invites are going into the SPAM box.

My DNS Configuration

```
$ dig -t any matheuscarino.com.br

;; ANSWER SECTION:
matheuscarino.com.br.   27  IN  A   54.88.183.99
matheuscarino.com.br.   27  IN  A   54.86.206.71
matheuscarino.com.br.   21567   IN  NS  ns-1324.awsdns-37.org.
matheuscarino.com.br.   21567   IN  NS  ns-1966.awsdns-53.co.uk.
matheuscarino.com.br.   21567   IN  NS  ns-691.awsdns-22.net.
matheuscarino.com.br.   21567   IN  NS  ns-7.awsdns-00.com.
matheuscarino.com.br.   867 IN  SOA ns-1966.awsdns-53.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
matheuscarino.com.br.   267 IN  MX  1 aspmx.l.google.com.
matheuscarino.com.br.   267 IN  MX  10 alt3.aspmx.l.google.com.
matheuscarino.com.br.   267 IN  MX  10 alt4.aspmx.l.google.com.
matheuscarino.com.br.   267 IN  MX  5 alt1.aspmx.l.google.com.
matheuscarino.com.br.   267 IN  MX  5 alt2.aspmx.l.google.com.
matheuscarino.com.br.   267 IN  TXT "v=spf1 include:_spf.google.com ~all"
```

```
$ dig -t TXT _dmarc.matheuscarino.com.br

;; ANSWER SECTION:
_dmarc.matheuscarino.com.br. 299 IN TXT "v=DMARC1\; p=quarantine\; pct=100\; rua=mailto:webmaster@matheuscarino.com.br"
```

See how the messages are delivered.

```
spf=pass (google.com: domain of 3J4q7VQIUDdwCSK8RFCSQA8PGLM.AMK.9PK8RFCSQ.P8KMQL8RSC.AMK.9P@calendar-server.bounces.google.com designates 2607:f8b0:4002:c07::24a as permitted sender) smtp.mail=3J4q7VQIUDdwCSK8RFCSQA8PGLM.AMK.9PK8RFCSQ.P8KMQL8RSC.AMK.9P@calendar-server.bounces.google.com;
       dkim=pass header.i=@google.com;
       dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=matheuscarino.com.br
Received: by ykdv124 with SMTP id v124so3562561ykd.1
        for <matheus@XXXXX.com.br>; Fri, 31 Jul 2015 07:46:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
```

Thanks in advance.

  • BTW, it looks like the SPF record for this domain has been changed and is currently invalid. This - `v=spf1 include:_spf.google.com matheuscarino.com.br ~all` is not a valid SPF record. – Peter Goldstein Aug 01 '15 at 15:45

1 Answer

So getting a Google Apps email system to be DMARC compliant requires that you enable domain-specific DKIM. Right now your email is being DKIM signed with a google.com signature, but the FROM header is a matheuscarino.com.br address. So the DKIM signature cannot be used for DMARC authentication, because the domains are not the same.

For most emails sent from your Google Apps account, this isn't a problem, because SPF authentication matches the FROM header domain. These emails have a Return Path address with a domain of matheuscarino.com.br, and your SPF record above authenticates them.

BUT, Calendar and Hangout messages use a different Return Path domain. So for these messages to authenticate you must enable DKIM for your Google Apps account. You can find instructions here - https://support.google.com/a/answer/174124?hl=en

Peter Goldstein
  • Even with DKIM enabled, emails from Google Calendar still fail SPF checks – Morten Nilsen Aug 19 '21 at 07:33
  • Yes, even after enabling DKIM for Google Apps accounts, emails sent from calendar-server.bounces.google.com are still not DKIM signed, and they fail DMARC. It looks like there is no solution to this if DMARC has `p=reject` or `p=quarantine` set. – Patrick Mar 09 '22 at 02:07
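
The alignment rule the answer describes, as an added example that is not part of the original thread: it parses an `Authentication-Results` value and shows why `spf=pass` and `dkim=pass` can still yield `dmarc=fail`. The function names, the two-entry public suffix set and both sample headers are assumptions constructed for illustration; a real check would use the full Public Suffix List.

```python
import re

# Assumption: a tiny stand-in for the Public Suffix List, enough for these samples.
PUBLIC_SUFFIXES = {"com", "com.br"}

def org_domain(domain):
    """Organizational domain = longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_auth_results(header):
    """Pull out the SPF/DKIM verdicts and the domains DMARC compares."""
    def grab(pattern):
        m = re.search(pattern, header, re.IGNORECASE)
        return m.group(1).lower() if m else None
    return {
        "spf": grab(r"\bspf=(\w+)"),
        "spf_domain": grab(r"smtp\.mail(?:from)?=\S*?@([\w.-]+)"),
        "dkim": grab(r"\bdkim=(\w+)"),
        "dkim_domain": grab(r"header\.i=\S*?@([\w.-]+)"),
        "from_domain": grab(r"header\.from=([\w.-]+)"),
    }

def dmarc_evaluate(header):
    """Relaxed alignment (the default when adkim/aspf are absent from the record)."""
    r = parse_auth_results(header)
    from_org = org_domain(r["from_domain"] or "")
    def aligned(verdict, domain):
        return verdict == "pass" and bool(domain) and org_domain(domain) == from_org
    spf_ok = aligned(r["spf"], r["spf_domain"])
    dkim_ok = aligned(r["dkim"], r["dkim_domain"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample: the question's header with the bounce local part shortened.
CALENDAR_INVITE = (
    "spf=pass smtp.mail=invite@calendar-server.bounces.google.com; "
    "dkim=pass header.i=@google.com; "
    "dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=matheuscarino.com.br"
)
# Constructed sample: the same message if it carried a signature for the From domain.
DOMAIN_SIGNED = CALENDAR_INVITE.replace("header.i=@google.com",
                                        "header.i=@matheuscarino.com.br")

if __name__ == "__main__":
    for name, hdr in [("calendar invite", CALENDAR_INVITE), ("domain-signed", DOMAIN_SIGNED)]:
        print(name, dmarc_evaluate(hdr))
```

Running the same function over headers from delivered invites shows directly whether a given message carries any identifier aligned with the From domain.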