Whenever my domain sends a message to a google group on another domain the DMARC alignment fails. This is true for all my approved senders, even using Gmail in my domain. It seems to be because the Return-Path (Envelope From) header is replaced by the receiving group's bounce address, but the From header remains as my domain, which is incorrect.
For example, I send mail from Gmail in my domain, [email protected], to a group in your domain, [email protected]. If you look at the headers of the message you receive, you see:
BAD
Return-Path: <[email protected]>
Authentication-Results: mx.google.com;
dkim=pass [email protected];
spf=pass (google.com: domain of [email protected] designates 2607:f8b0:400d:c04::246 as permitted sender)
smtp.mailfrom=your-group+bncBCA5XFGRYQLCBEHHVS5AKGQED3J2I7I@yourdomain.com;
dmarc=fail (p=NONE dis=NONE) header.from=mydomain.com
From: Chris <[email protected]>
X-Original-Sender: [email protected]
X-Original-Authentication-Results: mx.google.com; dkim=pass
[email protected]; spf=pass (google.com: domain of [email protected]
designates 2607:f8b0:400c:c05::233 as permitted sender)
[email protected];
dmarc=pass (p=NONE dis=NONE) header.from=mydomain.com
DMARC fails because of bad alignment between the From domain (mydomain) and the DKIM and SPF domains (yourdomain). However, when you, a properly configured GApps user, send mail from Gmail to a group at mydomain, the headers are different.
GOOD
Return-Path: <[email protected]>
Authentication-Results: mx.google.com;
dkim=pass [email protected];
spf=pass (google.com: domain of [email protected] designates 2607:f8b0:4001:c0b::247 as permitted sender) smtp.mailfrom=my-group+bncBCGJ3NF22YBRBTXIVS1RKGQEIWR5E6Q@mydomain.com;
dmarc=pass (p=NONE dis=NONE) header.from=mydomain.com
From: "'You' via my-group" <my-group@ mydomain.com>
Note the different form of the From header - the original sender has been replaced by my own group. There is also a pair of X-Original headers as above that have the same form (just reversed), so I'm not pasting them.
So the question is, how do I configure my domain, gapps, dns, mx, or whatever, so that Google Groups that receive my messages will correctly replace the From header with "via [email protected] ?"
Mail from my domain to users at other domains work fine - DMARC passes because SPF and DKIM are good and the Return-Path still says @mydomain. I have read articles about why the "via you-group" is necessary - I'm ok with that. I'm trying to figure why my messages to groups are not getting treated that way.
Seems to be similar to: How to prevent emails from my domain through mailing lists to be rejected due to DMARC Different because google groups are definitely compatible with DMARC - other people don't have this problem.
Update: I found this article which says google groups only rewrites the sender when the DMARC policy is strict (p=reject). That seems like a terrible idea since the whole point of starting with p=none is to gain confidence that your mail will get delivered when you up the policy, but if true then it may explain my issue. Can anyone confirm? http://www.spamresource.com/2014/04/google-groups-rewriting-from-addresses.html
I did finally get this response from Google. I was glad to find someone who understood the issue, but unfortunately it looks like Google is sticking with their incorrect treatment of the DMARC directive.