Issue
I haven't been able to find an answer to this, so forgive me if it's been asked somewhere before.
I'm working with a non-profit that has a Google Workspace for Nonprofits account. I'm working on getting our SPF/DKIM/DMARC records set up, and they work perfectly except for one situation.
We have two different domains, whedoncon.com, and thehellmouth.org. Some of our users have an email on both domains (i.e. user@whedoncon.com and user@thehellmouth.org are going to the same person). I can send emails individually from each domain, and they pass SPF, DKIM, and DMARC fine. The problem comes in when I set up the domains to be able to send from each other.
I've added the capability for user@whedoncon.com to be able to send mail as user@thehellmouth.org. The issue seems to be when I log in as user@whedoncon.com, and send a message as user@thehellmouth.org. Looking at the email headers, it seems that because I logged in as user@whedoncon.com, it sets the return-path to the whedoncon.com address regardless of what account I select to send out the email.
The problem with this is that it causes DMARC to fail whenever I send an email out as user@thehellmouth.org, even though SPF and DKIM both pass. It seems to be because the return-path is showing as user@whedoncon.com, but the DKIM is looking at hellmouth.org.
So, TL;DR, Google seems to always default to the signed-in account for the return-path, and not the secondary account that it's actually sending from. Is there a way I can change the return-path so it matches the account the email is coming from, and not the account that I'm signed in as?
Solution
Google Workspace has a primary domain and users are assigned a primary address under that domain. When you have a domain alias, users are assigned an alias address under that alias domain.
The envelope sender address (also known as the return-path address) and the From: address for a message can be different or the same.
If users send email from their alias address, the return-path address will be their primary address, while the From: address will be their alias address.
To pass DMARC, a message must pass at least one of these checks:
- SPF authentication and SPF alignment
- DKIM authentication and DKIM alignment
SPF typically uses the message envelope sender address for authentication. DKIM uses the message From: address for authentication.
When the domain alias is set up correctly, both the SPF and DKIM authentication will pass. However, only DKIM alignment will pass; SPF alignment will not pass. But that is okay because DMARC does not require SPF alignment to pass as long as DKIM authentication and DKIM alignment pass.
Answered By - bitPimps Answer Checked By - Marilyn (PHPFixing Volunteer)
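The alignment check described in the answer above, as an added example that is not part of the original post: it reads `From:` and `Authentication-Results` from a message and reports which DMARC path, if any, is aligned. The receiver name `mx.receiver.example`, the `header.d` values and the two-label organizational-domain shortcut are assumptions made for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels (holds for .com/.org);
    # a real evaluator derives it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, b = auth_domain.lower(), from_domain.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_eval(raw, strict=False):
    """DMARC passes if SPF or DKIM both passes and aligns with the From: domain."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    ar = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", ar)
    dkims = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([^\s;]+)", ar)
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(spf.group(2), from_dom, strict)
    dkim_ok = any(res == "pass" and aligned(d, from_dom, strict) for res, d in dkims)
    return {"from": from_dom, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

def sample(dkim_d):
    # Constructed message: signed in as the primary address, sending as the alias.
    return (
        "Return-Path: <user@whedoncon.com>\n"
        f"Authentication-Results: mx.receiver.example; dkim=pass header.d={dkim_d}; "
        "spf=pass smtp.mailfrom=user@whedoncon.com\n"
        "From: User <user@thehellmouth.org>\n"
        "Subject: test\n\nbody\n"
    )

if __name__ == "__main__":
    # Signature made with the alias domain's key: DKIM aligns, DMARC passes.
    print(dmarc_eval(sample("thehellmouth.org")))
    # Signature made with the primary domain's key only: nothing aligns, DMARC fails.
    print(dmarc_eval(sample("whedoncon.com")))
```

When auditing real mail, compare the `header.d` value in the receiver's `Authentication-Results` with the `From:` domain; a `dkim=pass` for the primary domain alone does not help a message sent from the alias address.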