
My company has two separate Google Workspace accounts, each associated with a separate domain (let's call them domainA and domainB).

Employees have email addresses assigned to them for both domains.

If [email protected] sends [email protected] a calendar invite, and [email protected] replies to that calendar invite email through the Gmail web client, he receives an auto-response saying:

Message blocked

Your message to [email protected] has been blocked. See technical details below for more information.

The response was:

Unauthenticated email from domainB.com is not accepted due to domain's DMARC policy. Please contact the administrator of domainB.com domain if this was a legitimate mail. Please visit https://support.google.com/mail/answer/2451690 to learn about the DMARC initiative.

I've read the information at the link provided, which suggests that we need to create and publish a DMARC policy. However, given that these are both Google Workspace accounts, it seems like there would be a simpler solution, and preferably one with a smaller blast radius than broadly changing our email authentication logic.

Is there a simple solution I'm missing, before I go down this rabbit hole?

1 Answer

TL;DR:

  • Make sure you have DKIM set up on both domains, using the DKIM selector record provided by Google at Google Workspace > Settings for Gmail > Authenticate email
  • Enable signing with your domain on the same page above

Long answer

Unauthenticated email from domainB.com is not accepted due to domain's DMARC policy. Please contact the administrator of domainB.com domain if this was a legitimate mail. Please visit https://support.google.com/mail/answer/2451690 to learn about the DMARC initiative.

The message above indicates that domainB.com indeed already has a DMARC record, and its policy is set to reject emails that don't pass DMARC checks.

You can check that by using a local DNS tool to query the TXT record at _dmarc.domainB.com (e.g. dig _dmarc.domainB.com txt). You can also use https://toolbox.googleapps.com/apps/dig/#TXT/ for that.

Now, emails from domainA.com to domainB.com are being rejected because neither SPF nor DKIM is passing and in alignment, from a DMARC POV. To be in alignment means that either SPF or DKIM passes, and the domain that passes the checks is domainA.com (perhaps subdomains of that, depending on how you configured DMARC).

Having said that, Google Calendar invitation replies by default are sent with envelope from a Google domain. This will not pass DMARC, because SPF will not be in alignment with your domain. AFAIK there's no option on Google Workspace to change that.

DKIM, on the other hand, can be set up on Google Workspace to sign emails and use your domain. This setting will be used by Google apps, and it will make DKIM signatures align with "From" headers. This will make DMARC pass.

Therefore, to solve this you need to:

  • Make sure that a DKIM record is set up on domainA.com's DNS, with the value provided by Google. The record must be at the address shown in the page (google._domainkeys.domainA.com).

  • Make sure that you actually enable DKIM signing. You do this by clicking the "Start Authentication" button, otherwise some Google apps won't issue DKIM signatures using your domain. This is not totally obvious, and people seem to forget this last step. Emails sent using Gmail and other Google apps will still work without starting authentication (see Google Calendar invites failing DMARC checks if you want to know why), and this helps mask the issue. Enabling signing using your domain (i.e. the "Start" button) changes that.

    Wow, thank you for the detailed explanation. Great answer. Commented Sep 26, 2022 at 21:48
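The alignment rule the answer describes, worked through as an added example (not code from the question, the answer or Google): a DMARC receiver's evaluation run over two constructed scenarios for a calendar reply, once with Google's own DKIM domain and once after signing with the user's domain is enabled. The DMARC record, the From domain (domainB.com, whose p=reject policy the bounce quotes), the envelope domain and the d= values are all constructed for illustration; organisational-domain handling is simplified to the last two labels rather than a public-suffix lookup.

```python
"""Evaluate DMARC identifier alignment the way a receiving MTA does.
Constructed example: domains, record and scenarios are illustrative."""
from dataclasses import dataclass


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; adkim=s') into tags,
    applying the default relaxed alignment (r) for adkim/aspf when absent."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (assumption:
    no public-suffix list, so 'co.uk'-style TLDs are not handled)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str   # RFC5322.From domain; DMARC policy is looked up here
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom (envelope) domain that SPF evaluated
    dkim_pass: bool
    dkim_domain: str   # d= tag of the passing DKIM signature


def dmarc_evaluate(record: str, r: AuthResult) -> tuple:
    """(passes, disposition): DMARC passes when at least one of SPF or DKIM
    passes AND that mechanism's domain aligns with the From domain."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    return (True, "none") if (spf_ok or dkim_ok) else (False, tags.get("p", "none"))


DMARC_B = "v=DMARC1; p=reject; rua=mailto:dmarc@domainB.com"  # constructed record
# Before 'Start authentication': envelope and DKIM d= both belong to Google (constructed).
BEFORE = AuthResult("domainB.com", True, "bounces.google.com", True, "google.com")
# After: same Google envelope (SPF still unaligned), but DKIM d= is now domainB.com.
AFTER = AuthResult("domainB.com", True, "bounces.google.com", True, "domainB.com")
```

Run it and compare `dmarc_evaluate(DMARC_B, BEFORE)` with `dmarc_evaluate(DMARC_B, AFTER)`: only the aligned DKIM signature turns the reject into a pass, which is why the envelope domain Google uses for invite replies does not matter once signing with your own domain is enabled.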
