My company has two separate Google Workspace accounts, each associated with a separate domain (let's call them domainA and domainB).
Employees have email addresses assigned to them for both domains.
If [email protected] sends [email protected] a calendar invite, and [email protected] replies to that calendar invite email through the Gmail web client, he receives an auto-response saying:
Message blocked
Your message to [email protected] has been blocked. See technical details below for more information.
The response was:
Unauthenticated email from domainB.com is not accepted due to domain's DMARC policy. Please contact the administrator of domainB.com domain if this was a legitimate mail. Please visit https://support.google.com/mail/answer/2451690 to learn about the DMARC initiative.
I've read the information at the link provided, which suggests that we need to create and publish a DMARC policy. However, given that these are both Google Workspace accounts, it seems like there would be a simpler solution –– and preferably one with a smaller blast radius than broadly changing our email authentication logic.
Is there a simple solution I'm missing, before I go down this rabbit hole?
Best Answer
TL;DR:
Long answer
The message above indicates that domainB.com indeed already has a DMARC record, and its policy is set to reject emails that don't pass DMARC checks. You can check that by using a local DNS tool to query the TXT record at _dmarc.domainB.com (e.g. dig _dmarc.domainB.com txt). You can also use https://toolbox.googleapps.com/apps/dig/#TXT/ for that.
Now, emails from domainA.com to domainB.com are being rejected because neither SPF nor DKIM are passing and in alignment, from a DMARC POV. To be in alignment means that either SPF or DKIM passes, and the domain that passes checks is domainA.com (perhaps subdomains of that, depending on how you configured DMARC). Having said that, Google Calendar invitation replies by default are sent with envelope from a Google domain. This will not pass DMARC, because SPF will not be in alignment with your domain. AFAIK there's no option on Google Workspace to change that.
DKIM, on the other hand, can be set up on Google Workspace to sign emails and use your domain. This setting will be used by Google apps, and it will make DKIM signatures align with "From" headers. This will make DMARC pass.
Therefore, to solve this you need to:
1. Make sure that a DKIM record is set up on domainA.com's DNS, with the value provided by Google. The record must be at the address shown in the page (google._domainkeys.domainA.com).
2. Make sure that you actually enable DKIM signing. You do this by clicking the "Start Authentication" button; otherwise some Google apps won't issue DKIM signatures using your domain. This is not totally obvious, and people seem to forget this last step. Emails sent using Gmail and other Google apps will still work without starting authentication (see Google Calendar invites failing DMARC checks if you want to know why), and this helps mask the issue. Enabling signing using your domain (i.e. the "Start" button) changes that.
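To make the alignment logic in the answer concrete, here is an added example (not code from the original answer or from Google) that evaluates a message the way a DMARC-checking receiver does: parse the `_dmarc` TXT record, then ask whether the SPF-authenticated (envelope-from) domain or the verified DKIM `d=` domain aligns with the `From:` domain under the record's `aspf`/`adkim` mode. The three scenarios mirror the Calendar reply: SPF passing for a Google bounce domain with no domain DKIM signature, a DKIM signature with `d=google.com`, and a signature with the sending domain's own `d=` after signing is enabled. The DMARC record, the domain names and the Google envelope domain (`calendar-server.bounces.google.com`) are constructed sample values, and `org_domain` uses a last-two-labels shortcut instead of the Public Suffix List. The `dkim_record_name` helper shows where the public key is published (`<selector>._domainkey.<domain>`, for Google's selector `google._domainkey.<domain>`).

```python
"""DMARC alignment check, as a receiver would evaluate it.

Added example (not code from the original answer). DNS records, domains
and authentication results below are constructed sample data; the
Google bounce-address domain is a hypothetical value.
"""


def parse_dmarc(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    # Alignment defaults to relaxed for both identifiers (RFC 7489, section 6.3).
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.

    Real receivers consult the Public Suffix List; this shortcut is wrong for
    names like example.co.uk but is enough for the cases shown here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """True if the authenticated domain aligns with the From: domain.

    mode 's' (strict): exact match. mode 'r' (relaxed): same organizational
    domain, so mail.domainA.com aligns with domainA.com."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record, from_domain, spf_domain=None, spf_pass=False,
                      dkim_domain=None, dkim_pass=False):
    """Return ('pass', reason) or (<policy>, reason) for one message.

    spf_domain is the envelope-from (MAIL FROM) domain SPF was checked
    against; dkim_domain is the d= tag of a DKIM signature that verified."""
    policy = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM")
    return policy["p"], "no aligned identifier (spf=%s dkim=%s)" % (spf_domain, dkim_domain)


def dkim_record_name(selector, domain):
    """DNS name where a DKIM public key is published: <selector>._domainkey.<domain>."""
    return "%s._domainkey.%s" % (selector, domain)


# Constructed sample: the receiver's view of the domain named in the bounce.
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@domainB.com"
FROM_DOMAIN = "domainB.com"
# Hypothetical bounce-address domain; the answer states Calendar replies use a Google domain here.
GOOGLE_ENVELOPE_DOMAIN = "calendar-server.bounces.google.com"


def calendar_reply_without_domain_dkim():
    """SPF passes for Google's domain, no DKIM signature for domainB.com -> rejected."""
    return dmarc_disposition(DMARC_RECORD, FROM_DOMAIN,
                             spf_domain=GOOGLE_ENVELOPE_DOMAIN, spf_pass=True)


def calendar_reply_signed_by_google_domain():
    """A DKIM signature with d=google.com verifies but does not align -> still rejected."""
    return dmarc_disposition(DMARC_RECORD, FROM_DOMAIN,
                             spf_domain=GOOGLE_ENVELOPE_DOMAIN, spf_pass=True,
                             dkim_domain="google.com", dkim_pass=True)


def calendar_reply_with_domain_dkim():
    """After signing is enabled, the signature carries d=domainB.com -> pass."""
    return dmarc_disposition(DMARC_RECORD, FROM_DOMAIN,
                             spf_domain=GOOGLE_ENVELOPE_DOMAIN, spf_pass=True,
                             dkim_domain="domainB.com", dkim_pass=True)


if __name__ == "__main__":
    for case in (calendar_reply_without_domain_dkim,
                 calendar_reply_signed_by_google_domain,
                 calendar_reply_with_domain_dkim):
        print("%-40s %s" % (case.__name__, case()))
    print("DKIM key for selector 'google' lives at", dkim_record_name("google", FROM_DOMAIN))
```

The first two scenarios return the record's `p=reject`, which is exactly the bounce in the question: SPF "passes" but for Google's domain, and a signature from a Google domain does not count either. Only a verified signature whose `d=` matches (or, under relaxed alignment, shares the organizational domain of) the `From:` domain flips the result to pass, which is why publishing the key is not enough until signing is actually switched on.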