
DMARC reports no longer being received from Google


We are seeing a large number of DMARC rejects from Google from emails that have both a valid DKIM signature and a valid SPF sender. We have validated this by sending the same emails to other ISPs and these arrive and the headers agree with our findings. It appears that Google are rejecting those emails, but they are also not sending us any DMARC reports, whereas we are getting reports (for the same domain) from other ISPs, so the DMARC configuration is present and working.

The record is as follows;

```
v=DMARC1; p=reject; ruf=mailto:[email protected]; rua=mailto:[email protected]; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=28800; sp=reject;
```

Domain is anonymised, but the rest is correct. From what I remember, we were getting reports prior to changing the policy to reject.

Any suggestions?

Edit

Rejection message

```
Jul 19 15:24:04 uksvl-web03-rs postfix/smtp[18671]: C180250BFA: to=<recipient.email>, relay=aspmx.l.google.com[64.233.167.27]:25, delay=0.66, delays=0.32/0/0.04/0.31, dsn=5.7.26, status=bounced (host aspmx.l.google.com[64.233.167.27] said: 550-5.7.26 Unauthenticated email from mydomain.com is not accepted due to 550-5.7.26 domain's DMARC policy. Please contact the administrator of 550-5.7.26 mydomain.com domain if this was a legitimate mail. Please visit 550-5.7.26 https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.26 DMARC initiative. p13-20020adfe60d000000b00314343692b7si2238651wrm.545 - gsmtp (in reply to end of DATA command))
```

Example authentication results

```
Authentication-Results: spf=pass (sender IP is x.x.x.x)
 smtp.mailfrom=uksvl-web03-rs.mydomain.com; dkim=pass (signature was verified)
 header.d=senderdomain.com;dmarc=pass action=none
 header.from=senderdomain.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of
 uksvl-web03-rs.mydomain.com designates x.x.x.x as permitted sender)
 receiver=protection.outlook.com; client-ip=x.x.x.x;
 helo=uksvl-web03-rs.mydomain.com; pr=C
```
anx
Share the name of the (by nature, public anyway) record containing the key, so we can check whether any software we use fails to retrieve or parse your key from DNS. Share the message Google gave you (from the SMTP transcript, should look something like `550 5.7.26 rejected for this particular reason.. Please visit https://support.google.com/mail/answer/01234 .. asd.123 - gsmtp`). Find and show us the `Authentication-Results: ` headers of a sample message Google rejected but someone else accepted.
ChrisBint
@anx I have added the rejection message and an example of the authentication results we are seeing, but this is a test message and is not being sent to Google. I have added a bcc to the email server and will get the headers from an email rejected by Google.
anx
I still wonder if your DKIM signature is mathematically valid, yet worthless (bad algo, configuration or, in case of RSA, chosen key size). Have it validated by software that would explain so; if uncertain, just use a public service like https://www.mail-tester.com/
ChrisBint
@anx I have checked the configuration of SPF, DKIM and DMARC using multiple external tools and no issues are reported by any of them. I added an always_bcc option to our mail server last night and have caught occurrences of an email that was rejected by Google but accepted by outlook.com. Reviewing the headers for these, the Authentication Results are all green and look exactly like the example above. I would add that the report email for DMARC is not the same domain as the sender, but again we get reports from other ISPs in that configuration and for multiple domains.
Reinto
Google might be more strict than most ESPs in determining to send reports or not if the domain in the rua tag does not match the domain for which DMARC was checked. In your example case you can add a record to mydomain.com: `senderdomain.com._report._dmarc IN TXT "v=DMARC1"`.
Reinto
Also agree with @anx that because SPF domain doesn't align with FROM domain, something must be happening with the DKIM signature, where Google does not successfully verify the signature, where Microsoft does... Because of reasons already mentioned.
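
The two checks discussed in the comments above, as an added example that is not part of the thread or any poster's code: DMARC identifier alignment for the headers in the question, and the external report authorization names from RFC 7489 section 7.1. Assumptions: the report addresses in `RECORD` are constructed (the question anonymises them), and the organizational domain is approximated by the last two labels instead of the Public Suffix List.

```python
# Added example. Report addresses are constructed; the question anonymises them.
RECORD = ("v=DMARC1; p=reject; ruf=mailto:dmarc@mydomain.com; "
          "rua=mailto:dmarc@mydomain.com; adkim=r; aspf=r")

def parse_tags(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # Receivers use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_pass(record, header_from, spf, dkim):
    """spf and dkim are (passed, domain) pairs as one receiver evaluated them."""
    tags = parse_tags(record)
    spf_ok = spf[0] and aligned(spf[1], header_from, tags.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(dkim[1], header_from, tags.get("adkim", "r"))
    return spf_ok or dkim_ok

def report_auth_names(record, policy_domain):
    """TXT names (RFC 7489 section 7.1) that external report hosts must publish."""
    tags, names = parse_tags(record), []
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                continue
            # Drop an optional "!size" suffix, then take the host after "@".
            host = uri[7:].split("!")[0].rsplit("@", 1)[-1].lower()
            name = f"{policy_domain}._report._dmarc.{host}"
            if org_domain(host) != org_domain(policy_domain) and name not in names:
                names.append(name)
    return names

if __name__ == "__main__":
    spf = (True, "uksvl-web03-rs.mydomain.com")   # smtp.mailfrom from the question
    for dkim_verified in (True, False):           # receiver verifies DKIM or not
        dkim = (dkim_verified, "senderdomain.com")
        ok = dmarc_pass(RECORD, "senderdomain.com", spf, dkim)
        print("DKIM verified:", dkim_verified, "-> DMARC pass:", ok)
    print(report_auth_names(RECORD, "senderdomain.com"))
```

With the question's headers, SPF passes but is not aligned with `header.from`, so the DMARC result depends entirely on the receiver verifying the DKIM signature.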