Hi @xyzulu ! Thank you so much for posting your question here and for the continued discussion. Was your issue resolved? If so, would you be able to mark this as solved? If not, please let us know. 

@pcothenet , let us know if you're still having issues after the additional troubleshooting advice from yesterday.

Hi @cryptochrome , @GuibsonPrieto and @ajojose33333344 , thank you so deeply for your help troubleshooting with @xyzulu and @pcothenet ! We truly appreciate your time, effort and expertise!

Hi @xyzulu ! I have a response from an internal Google expert (see below). Let me know if you have any questions from there! 

Yes, you can configure the user's primary email address to be on ANY registered (primary or secondary) domain within the workspace tenant. That will have implications around authentication, as the user will then need to sign in as user@secondary.com.

As to the DMARC question in the post, I wanted to clarify how DMARC alignment works. It's correct that SPF alignment won't work here, because the mail from/return path address doesn't match the sender's from address. That's okay, because the DKIM signature does match the sender's from address, so we have DMARC alignment covered through DKIM. This is normal and acceptable within the standard (one or the other must align). Here's more information on how alignment works: https://www.rfc-editor.org/rfc/rfc7489#section-3.1.

It's possible that there are other misconfigurations causing confusion or DMARC failures here, but without actual domain names and non-redacted headers, we don't have enough information to assist. Google support should be able to help with a deeper dive.

@KarisaE I am sorry but that is not a resolution, you provide the right informations, but if the spf alignement fails with the secondary domain and even the dmarc pass and relaxed policy, when you apply the "quarantine/reject" action, you will sent your emails in spam or blackhole. 

I am in the same situation where our company has changed the company name and need to change the main domain. so I need to contact Google Support for a solution ?

thanks for new advices on this.

@cryptochrome indeed, I understand.

but by design, it implies other things. Our company has changed its name. The primary domain is @123.com and we use secondary domain @456.com , right, you can send emails and be dmarc compliant, not full compliant but at least with dkim.  

now when you sent invite from  your agenda/calendar, it always sent from your main domain. I am not able to find a way to change that owner. So, it could be a great option to change the main domain here or rename it, or any other methods.

or maybe I miss something, let me know, 

@icrew thanks, but I am not able to do this, an error message appears and as we are Google workspace reseller, it ain't work.

@cryptochrome @KarisaE I think I found the way to change things to make DMARC full compliant. it's weird, I already take that look before, maybe, some updates were made. 

1. (maybe not required) Change your principal administrator to have the domain name you want under that page: https://admin.google.com/ac/accountsettings?hl=fr_CA  
2. Go under each users and update the domain name, not as alias, but as main email. 
3. Sent an email and check the header: the from and return-path will be with the same domain name and the SPF will be aligned. 

From: redacted <redacted@123.com>
Date: Wed, 17 May 2023 11:23:31 -0400
Message-ID: <CAL5predactedZX85Dw@mail.gmail.com>
Subject: test 11h22
To: redacted@outlook.com
Content-Type: multipart/alternative; boundary="0000000000005dd0b505fbe5462d"
X-IncomingHeaderCount: 13
Return-Path: redacted@123.com

And I can confirm, now the DMARC is full compliant. 

thanks to all, 

So glad to hear the issue was resolved @jsstamour !!!

this is caused by using STRICT mode for your SPF. If you change it to relaxed, then you will no fail authentication, as long as DKIM is properly setup.
I have tested and confirmed this, as I had the same issue. I have written an article explaining it here.

https://domainadmintools.com/dmarc-strict-vs-relaxed-alignment-how-to-fix-spf-alignment-failed/

Hello everyone, We have the same problem mentioned in the messages. We have domain1 (primary) and domain2 (alias). Every time we send an email from domain2, the return-path is domain1. We have DKIM configured and activated on the Google Workspace side. The same goes for the DNS settings. We have SPF records for both domains set to relaxed mode. And yet, we are still facing this problem. It's hard for us to believe that they said here that it's resolved by simply "activating" authentication on the Google Workspace side. I repeat, both domains have their records activated and working properly, both in DNS and in Workspace. Every email we send shows up as FAIL, except for the first two, which always pass. This means that our clients receive the emails in the SPAM folder. We have conducted numerous tests by sending emails to external providers, and a large majority of them end up in the SPAM folder. We have contacted Google support, and their configuration guides for SPF/DKIM/DMARC are very nice and pleasant, but they don't solve anything. Any other ideas?

@jsstamour wrote:

 

• (maybe not required) Change your principal administrator to have the domain name you want under that page: https://admin.google.com/ac/accountsettings?hl=fr_CA  
• Go under each users and update the domain name, not as alias, but as main email. 
• Sent an email and check the header: the from and return-path will be with the same domain name and the SPF will be aligned. 

 

---

@JosePerez  those are my steps I did to align the "returnpath" and "from" for a specific domain (even with multiples domains). it works for me and get my dmarc full compliant. 

@michaelkatzman your issue seems at another level, check your dmarc report to get more details. 

Thank you for the responses.
We hope to resolve this somehow.
The solution we found is to separate the domains so that each one has its own return-path,
but that implies more expenses in the area and for now, we cannot afford another expense in Google Workspace.

We have also tried adding functions like include or redirect to the SPF record, but it still fails.

Thank you very much again to everyone.

Sorry, Monday first thing, I'm going to give it a try.
I have to share the information with my colleagues.

Very informative thread - thank you! I've been following all of these instructions to get my alias domain in good shape. However, I can't get the DKIM header to display my alias domain properly (as mentioned previously, this is needed for alias DMARC authentication, since SPF alignment won't work).

Here's my situation: I set up DKIM for my alias domain, making sure to follow all of the instructions for generating the key in Google Workspace. I added the key to my DNS records (GoDaddy), and made sure workspace is authenticating DKIM (the status says: "Authenticating email with DKIM."). However, any receiving email header continues to print something like "d=***-com.20221208.gappssmtp.com," when it should be displaying the domain (i.e. ***.com).

I've tried so many things to make this work, including:

• Experimenting various selectors, including "google" and "mail"
• Trying both 2048 vs. 1024 bits (and also making sure my DNS record isn't being truncated)
• Ensuring that SPF, DKIM, and DMARC are all working for my primary domain (they are)
• Waiting 48 hours on most of these iterations (though I know in practice it shouldn't take this long)

One last thing: I had previously set up Wix nameservers in GoDaddy for my primary domain, and Google MX records are set up in Wix. I'm not sure why this would make a difference... as I said previously, primary domain (spf/dkim/dmarc) is working fine, and my alias domain has it's own DNS setup. This could be the culprit, but I'd rather rule out any other problem before modifying the primary domain nameservers.

Any ideas of what could be going wrong? @cryptochrome ? Would greatly appreciate any advice!