1

Did I shoot myself in the foot?

I mainly use gmail to send and receive emails. Support etc. My default 'send email as' profile is not the gmail address itself but an address on my server (also the Reply-to address). Example: "My Name <[email protected]>"

On my server I have SPF and DKIM set up optimally because I send out 'bulk' emails from time to time to my user base (after I update my software).

SPF includes gmail ( +include:_spf.google.com )

All this has been working fine for years. Yesterday I also set up DMARC to make sure people can't impersonate me via email. There was no DMARC record before yesterday. I set my DMARC policy to reject (p=reject) to avoid spoofing etc.

Today I sent out a few emails (via gmail) to other gmail addresses and they bounced because of the policy. Weirdly enough, emails to hotmail.com (for instance) arrived (I checked with the receivers). I sent an email (via gmail) to https://www.learndmarc.com/ (generated email address for testing) where the issue was confirmed.

I wonder what to do best?

  • Remove DMARC again?
  • Keep DMARC but change the policy to relaxed (p=none)
  • Set up gmail to send via my server's SMTP

Ideally there would be a fourth option (I don't know about) that keeps things as they are but somehow 'improves' DMARC to still p=reject yet accept gmail as sender somehow?

Your input appreciated

1
  • 1
    Send a message to a service that will let you share the results and quote that in your question. We do not know why your mails are failing. If you did not publish any policy before, setting the policy back to p=none is as safe as your previous configuration (though still subject to caching; recommend lowering TTL on that record to something in the order of magnitude of hours, not days)
    – anx
    Commented Dec 1, 2022 at 0:51

1 Answer

1

As of Dec 2022, adding "Send mail as" addresses to personal Gmail accounts seems to only support external SMTP servers, so that probably is the best solution. This way you can control everything regardless of how Gmail sets up their SPF & DKIM.

If you really wish to send mail directly from Gmail, you have to check & ensure that

  1. either SPF protecting the envelope sender or DKIM protecting headers passes (ideally both)
  2. the passing mechanism is aligned with the organizational domain used in the From header, i.e.,
    • for SPF, the domain of the envelope sender address matches
    • for DKIM, the d= domain of the signature matches.
1
  • Indeed, that is what I ended up doing. PS. since I set up DMARC I find that a lot of forwarders screw things up as well. Like people who have set up their hotmail to forward email to a different email address. These often bounce now (if I'm lucky enough to get a bounce msg) because (for instance) lots of servers only check SPF and not DKIM. It's a hornet's nest
    – Peter
    Commented Dec 17, 2022 at 23:08
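
The two alignment conditions listed in the answer, worked through as an added example (not code from the answer or from any mail provider). The domains, scenarios and the `dmarc_eval` helper are constructed for illustration, and the organizational domain is approximated as the last two labels, where a real evaluator uses the Public Suffix List.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators consult the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Message:
    from_domain: str        # domain of the From: header address
    mail_from_domain: str   # domain of the envelope sender (what SPF checks)
    spf_pass: bool          # SPF verdict for mail_from_domain
    dkim: list = field(default_factory=list)  # [(d= domain, signature valid?)]

def dmarc_eval(msg: Message, aspf_strict: bool = False, adkim_strict: bool = False) -> dict:
    # A mechanism counts only if it passes AND its domain aligns with From:.
    spf_ok = msg.spf_pass and aligned(msg.mail_from_domain, msg.from_domain, aspf_strict)
    dkim_ok = any(ok and aligned(d, msg.from_domain, adkim_strict) for d, ok in msg.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed scenarios; example.com is the sender's domain and
# example.net a hypothetical webmail provider.
SCENARIOS = {
    # SPF and DKIM both pass, but for the provider's domain: nothing aligns.
    "webmail": Message("example.com", "webmail.example.net", True, [("example.net", True)]),
    # Sent through the domain's own SMTP server: both mechanisms align.
    "own_smtp": Message("example.com", "bounce.example.com", True, [("example.com", True)]),
    # Forwarded unchanged: SPF fails at the new hop, the DKIM signature survives.
    "forwarded": Message("example.com", "bounce.example.com", False, [("example.com", True)]),
    # Forwarded and rewritten by the forwarder: the signature breaks too.
    "forwarded_modified": Message("example.com", "bounce.example.com", False, [("example.com", False)]),
}

if __name__ == "__main__":
    for name, msg in SCENARIOS.items():
        print(f"{name:20s} {dmarc_eval(msg)}")
```
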
