Back to Community Threads
1
Google calendar invite violates DMARC...?
Question asked by michael~ - 8/17/2015 at 1:32 PM
Answered
Hi all --
 
A couple users just told me they're missing event invites from Google Calendar.  My SMTP logs show the following:  
 
[...] A trace of the DMARC processing follows.
[...] Beginning DMARC check for 3ervsvqgmcawtoidustfbmuz-bfo.oaypodagotqdbmuz-bfo.oay@calendar-server.bounces.google.com from IP 209.85.213.73...
[...] The from field for the message is "userxxx@mydomain.com".  Will look for DMARC policy record at _dmarc.mydomain.com
[...] Retrieved the following DMARC policy record for "mydomain.com": v=DMARC1; p=reject; sp=none; rua=mailto:xxx@ag.dmarcian.com; rf=afrf; pct=100; ri=604800
[...] DMARC policy violated due to DKIM domain ("google.com") not belonging to the same parent domain as the from address field domain ("mydomain.com").
[...] Data transfer succeeded but message rejected by DMARC
[...] cmd: QUIT
 
I'm pretty sure I followed Bruce's (chicagonettech) much appreciated AntiSpam doc to the letter, and as far as I can tell, I have things set as they should be.  Is this a weird Google thing?  Do I need to add that Google IP to a safe sender's list?  
Any help would be appreciated.. Thanks
-- michael~

16 Replies

Reply to Thread
0
michael~ Replied
8/17/2015 at 2:22 PM
I just tested some more and figured out the problem.. The original user (the one with the calendar) registered her mydomain.com address with google, so the calendar invites are sent From that address, but originate from google's server, so my DMARC policy is working as it should and rejecting the message.

Can anyone offer a suggestion to work around this?
0
Bruce Barnes Replied
8/17/2015 at 3:35 PM
What version of SmarterMail are you running?  I believe this was resolved in SmarterMail 14.X.
 
The most recent version is 14.2.5704, released last Friday
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
michael~ Replied
8/17/2015 at 6:23 PM
Thanks for the reply..  I was running 13.4, but (literally) just upgraded to the latest 14.2.5704;  tried again and still get the same DMARC rejection for the same reason.  I've disabled the DMARC check for the time being and the calendar invites are coming thru, but I spent so much time getting that policy set up, I don't wanna lose it!  ha
0
Bruce Barnes Replied
8/17/2015 at 9:02 PM
I would open a ticket with SmarterMail as this appears to be a bug.  If found to be a bug, your ticket will be refunded to you.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
michael~ Replied
8/18/2015 at 8:08 AM
What makes it sound like a bug?  Seems like DMARC is working as it should.. the From address has my domain in it, but the sending server is in xxx.google.com (sending "on behalf" of user@mydomain.com).   My DMARC TXT record has p=reject, so any mail sent from outside my domain should be auto-rejected.. 
 
I was thinking there would be a work around, as opposed to a bug.  Notsomuch?
0
michael~ Replied
8/20/2015 at 6:40 AM
I changed my _dmarc record to use 'p=quarantine', so now the invites are marked as spam and are getting delivered to the Junk Mail folder.. I guess that's something, but is it the only option?  Anyone know of any other workaround to avoid it being marked as spam?  
Thanks.
0
Bruce Barnes Replied
8/20/2015 at 6:45 AM
Setup an account at unlockitheinbox.com and then, after registering the e-mail address with problems on that account, send a test message, from that account, to mailtest@unlocktheinbox.com.
 
If you are properly setup, you will receive a passing DMARC score in the test.  If you are not properly setup, the test will tell you what you need to do to correct it.
 
We've been using DMARC for more than a year and have ZERO issues.

We also route all of our DMARC reports to DMARCIAN.COM 
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
1
Robbie Wright Replied
8/20/2015 at 7:23 AM
Note that the DMARC check is failing because DKIM is failing. I'd chase that issue down first. Make sure your DKIM is setup correctly on SM. If they user is using Google Apps, make sure DKIM is setup correctly in Google Apps as well.
0
michael~ Replied
8/20/2015 at 10:00 AM
Marked As Answer
As far as I understand, the line "DMARC policy violated due to DKIM domain ("google.com") not belonging to the same parent domain as the from address field domain ("mydomain.com")." is stating that the email is originating from a google.com server, but the From address is in my domain; the two different domains are what's causing the DMARC to fail.
 
The response from unlocktheinbox states that all my tests pass;  DKIM, SPF, and DMARC are all set up correctly.
0
Robbie Wright Replied
8/20/2015 at 10:19 AM
That's pretty close, yeah. Specifically, a google mail server is dkim signing outbound mail. There should be a dkim record in dns for mydomain.com that matches that dkim record at google. From what I'm piecing together, that does not appear to be the case. Log into Google Apps and check dkim signing and make sure it is setup correctly. There should be two dkim records in dns for mydomain.com, one for SM and one for GA.
0
michael~ Replied
8/20/2015 at 10:35 AM
Not sure we'er talking about the same thing.. the user registered her (mydomain) email address with google, then just goes to calendar.google.com. She doesn't subscribe or have a Google Apps account..
0
Robbie Wright Replied
8/20/2015 at 11:01 AM
"Registered her domain" could mean a few different things.

If she just used myname@mydomain.com as a google account, her calendar would not be sending invites out with her domain, it would be sourcing from a google address and passing spf and dkim checks.

If she registered her account with Google Apps, it would try to send mail as you're describing. The solution is to correctly setup GA to dkim sign outbound mail.

You can also register a domain with Google (aka purchasing it). I might verify with her exactly what she did. It sounds like everything is working as expected but there is a config issue with Google.

We see this a lot with people that have a distribution list with external recipients. Some HostGator or GoDaddy or another hosted has email for info@mywebsite.com and that DL has 4 recipients in different domains. Our mail system (SM14) receives the mail from HostGator or whoever with the from address of the person that sent the mail to the DL. HostGator tries to keep the sender's from address, but our severs receive it from their server, which breaks SPF and thus DMARC so the message gets dropped. This is only going to happen more often as dmarc becomes more prevalent and mail systems are not setup to correctly handle forwarding.
0
michael~ Replied
8/20/2015 at 11:12 AM
The DL example is exactly what's happening, except with google calendars. Google's mail server is sending the invite with the From address as user@mydomain.com. So SPF and DKIM pass, as google's records are set up correctly, but the DMARC isn't aligned because the server domain is "calendar-server.bounces.google.com", but the From address domain is "mydomain.com", and the _dmarc record in mydomain.com was set to "p=reject".

How did you get around the DMARC fail in your DL scenario?
0
Robbie Wright Replied
8/20/2015 at 11:52 AM
You can't get around the dmarc fail in the DL scenario, that's the issue. If you control the domain that is failing, set it to quarantine instead of reject, which it sounds like you've already done. Then at least they will get delivered rather than blocked.

The issue we see is when someone from an AOL or Yahoo address (which both have reject dmarc records) mails a distribution list hosted anywhere else and forwards to one of our users. Our servers gets it from the DL mail server and the original user's from address, being AOL. SPF fails, dmarc rejects the mail. Customer unhappy.

Cisco IronPorts let's you choose how you handle dmarc failures. IE, if dmarc fails, you can choose to quarantine or reject, regardless of what the domain says. I'm on the fence about this because as a mail hoster, I want to set it to quarantine to my users at least get their mail, but on the other hand if a domain tells me to reject their mail, I'd like to listen.

I've never experience this specific issue with Google before, but the only unknown in it for me is how Google treats a non-gmail address in this situation. If it was a gmail addy, all would be good. If it was a Google Apps addy, you setup custom dkim signing, and you're all good. I'm just not sure how Google handles this specific use case.
0
michael~ Replied
8/20/2015 at 12:06 PM
I agree it's an odd thing.. but if you sign out of all accounts (in chrome) and go to google.com, in the upper-right, click Sign In, then Add an Account.. you can create a google account using whatever email addy you like. This user did that with her 'user@mydomain.com' address. So when invites get sent, the header is like:
...
Return-Path: <3y03tvqymcv4sz0xg4vgot-vzi.iusvuyzsgyzkxvgot-vzi.ius@calendar-server.bounces.google.com>
Received: from mail-qg0-f73.google.com (mail-qg0-f73.google.com [209.85.192.73]) by mydomain.com with SMTP
(version=TLS\Tls12
cipher=Aes256 bits=256);
Tue, 18 Aug 2015 11:21:06 -0400
Received: by qgh4 with SMTP id 4so9715496qgh.1
for <test@mydomain.com>; Tue, 18 Aug 2015 08:21:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20120113;
h=mime-version:reply-to:sender:auto-submitted:message-id:date:subject
:from:to:content-type;
bh=WQeWeSPi/eWmG0qZTBiVw6EvXyc6BvO5lEZHZVl202s=; b=E7BuZS9gJKMSJDzLgBwkG0cDcj+fzUtjp7Kf2XC8lT/X5gWo5iKihav78vIWyt57V6x8qlipHfly/bt7BBk/VQM7IRKfUqHLcSKtHs7r5Lq+OiHG7b6gpNftQATh5R9iwMlh4beAuXWYFsvFv9LC5IqfwdqpET5OSR2/to84+Nt3nU6zMjWJSIvORHQf+0bn2C155/LFi4BUrjdy1OAeqo01X7w0Q1LJ4tS8Ek3Flq7aSL2LQtCIJnUR5j0tB149Hqj7NeSF5c0nIp6lHRBWcha7bdxKPaderG/H6k6L7EBfNW0/oGn9hVKc4qvpwieKo4nGENnBXqoRcL6uatrz1w==
Reply-To: user@mydomain.com
Sender: Google Calendar <calendar-notification@google.com>
Auto-Submitted: auto-generated
Message-ID: <001a11408c1e9bca04051d977737@google.com>
Date: Tue, 18 Aug 2015 15:21:07 +0000
Subject: Invitation: test invite @ Thu Aug 20, 2015 10:30am - 11:30am (user@mydomain.com)
From: user@mydomain.com
To: test@mydomain.com
...

I guess if the only option is to set my _dmarc to "p=quarantine" and have the invites go to junk, then my users will just have to deal. bummer. But thanks for the replies.
0
Robbie Wright Replied
8/20/2015 at 1:14 PM
Yeah, kinda crappy. I'd see what you can do to lean on Google and see if you can get any support for them. They generally are a big proponent of dmarc and generally wouldn't do something quite like this. It might just be this specific use case though.
Back to Community Threads

Reply to Thread

Enter the verification text

Related Knowledge Base Articles

IMAP and Calendar Invites on AndroidSmarterMail > Desktop and Mobile Synchronization
Google Safe Browsing Warning and SmarterMailSmarterMail > Troubleshooting
Subscribing to Your Gmail Calendar in WebmailSmarterMail > Desktop and Mobile Synchronization
Subscribing to a Webmail Calendar in GmailSmarterMail > Desktop and Mobile Synchronization
Creating an Online Meeting in eM ClientSmarterMail > Desktop and Mobile Synchronization