Google calendar invite violates DMARC...?
Question asked by michael~ - 8/17/2015 at 1:32 PM
Answered
Hi all --
 
A couple users just told me they're missing event invites from Google Calendar.  My SMTP logs show the following:  
 
[...] A trace of the DMARC processing follows.
[...] Beginning DMARC check for 3ervsvqgmcawtoidustfbmuz-bfo.oaypodagotqdbmuz-bfo.oay@calendar-server.bounces.google.com from IP 209.85.213.73...
[...] The from field for the message is "userxxx@mydomain.com".  Will look for DMARC policy record at _dmarc.mydomain.com
[...] Retrieved the following DMARC policy record for "mydomain.com": v=DMARC1; p=reject; sp=none; rua=mailto:xxx@ag.dmarcian.com; rf=afrf; pct=100; ri=604800
[...] DMARC policy violated due to DKIM domain ("google.com") not belonging to the same parent domain as the from address field domain ("mydomain.com").
[...] Data transfer succeeded but message rejected by DMARC
[...] cmd: QUIT
 
I'm pretty sure I followed Bruce's (chicagonettech) much appreciated AntiSpam doc to the letter, and as far as I can tell, I have things set as they should be.  Is this a weird Google thing?  Do I need to add that Google IP to a safe senders list?  
Any help would be appreciated.. Thanks
-- michael~

16 Replies

0
michael~ Replied
I just tested some more and figured out the problem.. The original user (the one with the calendar) registered her mydomain.com address with google, so the calendar invites are sent From that address, but originate from google's server, so my DMARC policy is working as it should and rejecting the message.

Can anyone offer a suggestion to work around this?
0
Bruce Barnes Replied
What version of SmarterMail are you running?  I believe this was resolved in SmarterMail 14.X.
 
The most recent version is 14.2.5704, released last Friday
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist, Network Security Specialist. Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
michael~ Replied
Thanks for the reply..  I was running 13.4, but (literally) just upgraded to the latest 14.2.5704;  tried again and still get the same DMARC rejection for the same reason.  I've disabled the DMARC check for the time being and the calendar invites are coming thru, but I spent so much time getting that policy set up, I don't wanna lose it!  ha
0
Bruce Barnes Replied
I would open a ticket with SmarterMail as this appears to be a bug.  If found to be a bug, your ticket will be refunded to you.
0
michael~ Replied
What makes it sound like a bug?  Seems like DMARC is working as it should.. the From address has my domain in it, but the sending server is in xxx.google.com (sending "on behalf" of user@mydomain.com).   My DMARC TXT record has p=reject, so any mail sent from outside my domain should be auto-rejected.. 
 
I was thinking there would be a workaround, as opposed to a bug.  Not so much?
0
michael~ Replied
I changed my _dmarc record to use 'p=quarantine', so now the invites are marked as spam and are getting delivered to the Junk Mail folder.. I guess that's something, but is it the only option?  Anyone know of any other workaround to avoid it being marked as spam?  
Thanks.
0
Bruce Barnes Replied
Set up an account at unlocktheinbox.com and then, after registering the e-mail address with problems on that account, send a test message, from that account, to mailtest@unlocktheinbox.com.
 
If you are properly set up, you will receive a passing DMARC score in the test.  If you are not properly set up, the test will tell you what you need to do to correct it.
 
We've been using DMARC for more than a year and have ZERO issues.

We also route all of our DMARC reports to DMARCIAN.COM
1
Robbie Wright Replied
Note that the DMARC check is failing because DKIM is failing. I'd chase that issue down first. Make sure your DKIM is set up correctly on SM. If the user is using Google Apps, make sure DKIM is set up correctly in Google Apps as well.
0
michael~ Replied
Marked As Answer
As far as I understand, the line "DMARC policy violated due to DKIM domain ("google.com") not belonging to the same parent domain as the from address field domain ("mydomain.com")." is stating that the email is originating from a google.com server, but the From address is in my domain; the two different domains are what's causing the DMARC to fail.
 
The response from unlocktheinbox states that all my tests pass;  DKIM, SPF, and DMARC are all set up correctly.
0
Robbie Wright Replied
That's pretty close, yeah. Specifically, a Google mail server is DKIM signing outbound mail. There should be a DKIM record in DNS for mydomain.com that matches that DKIM record at Google. From what I'm piecing together, that does not appear to be the case. Log into Google Apps and check DKIM signing and make sure it is set up correctly. There should be two DKIM records in DNS for mydomain.com, one for SM and one for GA.
0
michael~ Replied
Not sure we're talking about the same thing.. the user registered her (mydomain) email address with Google, then just goes to calendar.google.com. She doesn't subscribe or have a Google Apps account..
0
Robbie Wright Replied
"Registered her domain" could mean a few different things.

If she just used myname@mydomain.com as a google account, her calendar would not be sending invites out with her domain, it would be sourcing from a google address and passing spf and dkim checks.

If she registered her account with Google Apps, it would try to send mail as you're describing. The solution is to correctly set up GA to DKIM sign outbound mail.

You can also register a domain with Google (aka purchasing it). I might verify with her exactly what she did. It sounds like everything is working as expected but there is a config issue with Google.

We see this a lot with people that have a distribution list with external recipients. Some HostGator or GoDaddy or another host has email for info@mywebsite.com and that DL has 4 recipients in different domains. Our mail system (SM14) receives the mail from HostGator or whoever with the from address of the person that sent the mail to the DL. HostGator tries to keep the sender's from address, but our servers receive it from their server, which breaks SPF and thus DMARC, so the message gets dropped. This is only going to happen more often as DMARC becomes more prevalent and mail systems are not set up to correctly handle forwarding.
0
michael~ Replied
The DL example is exactly what's happening, except with google calendars. Google's mail server is sending the invite with the From address as user@mydomain.com. So SPF and DKIM pass, as google's records are set up correctly, but the DMARC isn't aligned because the server domain is "calendar-server.bounces.google.com", but the From address domain is "mydomain.com", and the _dmarc record in mydomain.com was set to "p=reject".

How did you get around the DMARC fail in your DL scenario?
0
Robbie Wright Replied
You can't get around the dmarc fail in the DL scenario, that's the issue. If you control the domain that is failing, set it to quarantine instead of reject, which it sounds like you've already done. Then at least they will get delivered rather than blocked.

The issue we see is when someone from an AOL or Yahoo address (which both have reject DMARC records) mails a distribution list hosted anywhere else and it forwards to one of our users. Our servers get it from the DL mail server with the original user's from address, being AOL. SPF fails, DMARC rejects the mail. Customer unhappy.

Cisco IronPorts let you choose how you handle DMARC failures. I.e., if DMARC fails, you can choose to quarantine or reject, regardless of what the domain says. I'm on the fence about this because as a mail hoster, I want to set it to quarantine so my users at least get their mail, but on the other hand if a domain tells me to reject their mail, I'd like to listen.

I've never experienced this specific issue with Google before, but the only unknown in it for me is how Google treats a non-gmail address in this situation. If it was a gmail addy, all would be good. If it was a Google Apps addy, you set up custom DKIM signing, and you're all good. I'm just not sure how Google handles this specific use case.
0
michael~ Replied
I agree it's an odd thing.. but if you sign out of all accounts (in chrome) and go to google.com, in the upper-right, click Sign In, then Add an Account.. you can create a google account using whatever email addy you like. This user did that with her 'user@mydomain.com' address. So when invites get sent, the header is like:
...
Return-Path: <3y03tvqymcv4sz0xg4vgot-vzi.iusvuyzsgyzkxvgot-vzi.ius@calendar-server.bounces.google.com>
Received: from mail-qg0-f73.google.com (mail-qg0-f73.google.com [209.85.192.73]) by mydomain.com with SMTP
(version=TLS\Tls12
cipher=Aes256 bits=256);
Tue, 18 Aug 2015 11:21:06 -0400
Received: by qgh4 with SMTP id 4so9715496qgh.1
for <test@mydomain.com>; Tue, 18 Aug 2015 08:21:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20120113;
h=mime-version:reply-to:sender:auto-submitted:message-id:date:subject
:from:to:content-type;
bh=WQeWeSPi/eWmG0qZTBiVw6EvXyc6BvO5lEZHZVl202s=; b=E7BuZS9gJKMSJDzLgBwkG0cDcj+fzUtjp7Kf2XC8lT/X5gWo5iKihav78vIWyt57V6x8qlipHfly/bt7BBk/VQM7IRKfUqHLcSKtHs7r5Lq+OiHG7b6gpNftQATh5R9iwMlh4beAuXWYFsvFv9LC5IqfwdqpET5OSR2/to84+Nt3nU6zMjWJSIvORHQf+0bn2C155/LFi4BUrjdy1OAeqo01X7w0Q1LJ4tS8Ek3Flq7aSL2LQtCIJnUR5j0tB149Hqj7NeSF5c0nIp6lHRBWcha7bdxKPaderG/H6k6L7EBfNW0/oGn9hVKc4qvpwieKo4nGENnBXqoRcL6uatrz1w==
Reply-To: user@mydomain.com
Sender: Google Calendar <calendar-notification@google.com>
Auto-Submitted: auto-generated
Message-ID: <001a11408c1e9bca04051d977737@google.com>
Date: Tue, 18 Aug 2015 15:21:07 +0000
Subject: Invitation: test invite @ Thu Aug 20, 2015 10:30am - 11:30am (user@mydomain.com)
From: user@mydomain.com
To: test@mydomain.com
...

I guess if the only option is to set my _dmarc to "p=quarantine" and have the invites go to junk, then my users will just have to deal. bummer. But thanks for the replies.
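The alignment failure the thread describes can be checked mechanically. The Python below is an added example, not code from the thread or from SmarterMail; it takes the From domain, the DKIM d= domain and the Return-Path domain from the headers posted above, applies the _dmarc record from the original log, and returns the disposition the receiver should apply. The organizational-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
"""Evaluate DMARC identifier alignment for the Google Calendar invite above."""


def org_domain(domain: str) -> str:
    # Simplified: last two labels. Real DMARC consults the Public Suffix
    # List (e.g. example.co.uk needs three labels).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' string (DMARC TXT record or DKIM-Signature)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, dkim_pass_domains, spf_pass_domain, record):
    """Return 'pass' if any authenticated identifier aligns, else the p= policy."""
    tags = parse_tags(record)
    adkim, aspf = tags.get("adkim", "r"), tags.get("aspf", "r")
    dkim_ok = any(aligned(d, from_domain, adkim) for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, aspf)
    if dkim_ok or spf_ok:
        return "pass"
    return tags.get("p", "none")  # reject / quarantine / none


# Identifiers copied from the headers and log quoted in this thread.
FROM_DOMAIN = "mydomain.com"
DKIM_D = parse_tags("v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113")["d"]
RETURN_PATH_DOMAIN = "calendar-server.bounces.google.com"  # the SPF-checked identifier
RECORD_REJECT = "v=DMARC1; p=reject; sp=none; rua=mailto:xxx@ag.dmarcian.com; rf=afrf; pct=100; ri=604800"
RECORD_QUARANTINE = RECORD_REJECT.replace("p=reject", "p=quarantine")


def invite_result(record: str) -> str:
    # DKIM (google.com) and SPF (bounces.google.com) each pass on their own,
    # but neither shares mydomain.com's organizational domain, so p= applies.
    return dmarc_disposition(FROM_DOMAIN, [DKIM_D], RETURN_PATH_DOMAIN, record)
```

Only a signature whose d= is mydomain.com (or an aligned SPF domain) would turn the result into "pass", which is why a p=quarantine record changes the outcome from rejection to junk-foldering but not to delivery.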
0
Robbie Wright Replied
Yeah, kinda crappy. I'd see what you can do to lean on Google and see if you can get any support from them. They generally are a big proponent of DMARC and generally wouldn't do something quite like this. It might just be this specific use case though.
