Google calendar invite violates DMARC...?
Question asked by michael~ - August 17, 2015 at 1:32 PM
Answered
Hi all --
 
A couple users just told me they're missing event invites from Google Calendar.  My SMTP logs show the following:  
 
[...] A trace of the DMARC processing follows.
[...] Beginning DMARC check for 3ervsvqgmcawtoidustfbmuz-bfo.oaypodagotqdbmuz-bfo.oay@calendar-server.bounces.google.com from IP 209.85.213.73...
[...] The from field for the message is "userxxx@mydomain.com".  Will look for DMARC policy record at _dmarc.mydomain.com
[...] Retrieved the following DMARC policy record for "mydomain.com": v=DMARC1; p=reject; sp=none; rua=mailto:xxx@ag.dmarcian.com; rf=afrf; pct=100; ri=604800
[...] DMARC policy violated due to DKIM domain ("google.com") not belonging to the same parent domain as the from address field domain ("mydomain.com").
[...] Data transfer succeeded but message rejected by DMARC
[...] cmd: QUIT
 
I'm pretty sure I followed Bruce's (chicagonettech) much appreciated AntiSpam doc to the letter, and as far as I can tell, I have things set as they should be.  Is this a weird Google thing?  Do I need to add that Google IP to a safe sender's list?  
Any help would be appreciated.. Thanks
-- michael~

8 Replies

0
Bruce Barnes Replied
August 17, 2015 at 3:35 PM
What version of SmarterMail are you running?  I believe this was resolved in SmarterMail 14.X.
 
The most recent version is 14.2.5704, released last Friday.
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
michael~ Replied
August 17, 2015 at 6:23 PM
Thanks for the reply..  I was running 13.4, but (literally) just upgraded to the latest 14.2.5704;  tried again and still get the same DMARC rejection for the same reason.  I've disabled the DMARC check for the time being and the calendar invites are coming thru, but I spent so much time getting that policy set up, I don't wanna lose it!  ha
0
Bruce Barnes Replied
August 17, 2015 at 9:02 PM
I would open a ticket with SmarterMail as this appears to be a bug.  If found to be a bug, your ticket will be refunded to you.
0
michael~ Replied
August 18, 2015 at 8:08 AM
What makes it sound like a bug?  Seems like DMARC is working as it should.. the From address has my domain in it, but the sending server is in xxx.google.com (sending "on behalf" of user@mydomain.com).   My DMARC TXT record has p=reject, so any mail sent from outside my domain should be auto-rejected.. 
 
I was thinking there would be a workaround, as opposed to a bug.  Notsomuch?
0
michael~ Replied
August 20, 2015 at 6:40 AM
I changed my _dmarc record to use 'p=quarantine', so now the invites are marked as spam and are getting delivered to the Junk Mail folder.. I guess that's something, but is it the only option?  Anyone know of any other workaround to avoid it being marked as spam?  
Thanks.
0
Bruce Barnes Replied
August 20, 2015 at 6:45 AM
Set up an account at unlocktheinbox.com and then, after registering the e-mail address with problems on that account, send a test message, from that account, to mailtest@unlocktheinbox.com.
 
If you are properly set up, you will receive a passing DMARC score in the test.  If you are not properly set up, the test will tell you what you need to do to correct it.
 
We've been using DMARC for more than a year and have ZERO issues.

We also route all of our DMARC reports to DMARCIAN.COM
1
Robbie Wright Replied
August 20, 2015 at 7:23 AM
Note that the DMARC check is failing because DKIM is failing. I'd chase that issue down first. Make sure your DKIM is set up correctly on SM. If the user is using Google Apps, make sure DKIM is set up correctly in Google Apps as well.
0
michael~ Replied
August 20, 2015 at 10:00 AM
As far as I understand, the line "DMARC policy violated due to DKIM domain ("google.com") not belonging to the same parent domain as the from address field domain ("mydomain.com")." is stating that the email is originating from a google.com server, but the From address is in my domain; the two different domains are what's causing the DMARC to fail.
 
The response from unlocktheinbox states that all my tests pass;  DKIM, SPF, and DMARC are all set up correctly.

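The identifier-alignment rule behind the logged rejection, as an added example that is not part of the thread and not SmarterMail's code. It evaluates the DMARC record quoted in the log against the invite's domains; the SPF and DKIM "pass" results, the two-label organizational-domain shortcut and the function names are assumptions, and `pct` is ignored.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, spf, dkim_sigs, record):
    """spf = (result, envelope_domain); dkim_sigs = [(result, d_domain), ...]."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for res, d in dkim_sigs)
    # DMARC passes if either mechanism passes AND aligns with the From domain.
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Subdomains of the organizational domain use sp= when present, else p=.
    is_sub = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_sub else tags["p"]
    return "fail", policy

# Record and domains taken from the log above; auth results are assumed "pass".
RECORD = ("v=DMARC1; p=reject; sp=none; rua=mailto:xxx@ag.dmarcian.com; "
          "rf=afrf; pct=100; ri=604800")
BOUNCE = ("pass", "calendar-server.bounces.google.com")
GOOGLE_SIG = ("pass", "google.com")

# Invite as logged: both identifiers authenticate google.com, neither aligns.
as_logged = evaluate("mydomain.com", BOUNCE, [GOOGLE_SIG], RECORD)
# Same invite after the policy was changed to p=quarantine.
quarantined = evaluate("mydomain.com", BOUNCE, [GOOGLE_SIG],
                       RECORD.replace("p=reject", "p=quarantine"))
# Same invite carrying an additional valid signature with d=mydomain.com.
with_own_sig = evaluate("mydomain.com", BOUNCE,
                        [GOOGLE_SIG, ("pass", "mydomain.com")], RECORD)

if __name__ == "__main__":
    print(as_logged, quarantined, with_own_sig)
```
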