Alternative email address DKIM and incorrect Return-Path

Gmail is sending email from alternative email addresses (secondary domain) with the Return-Path set to the primary email address. Even though DKIM (and SPF) is set up for the secondary domain, DMARC is failing due to the Return-Path being different.

I have raised this with Google support staff on two occasions now, and no one seems to fully understand why this is such a big issue or how to get it in front of the right people.

Here is a redacted example header:


ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@secondarydomain.com header.s=ggl header.b=kWE8YvVK;
       spf=pass (google.com: domain of user@primarydomain.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=user@primarydomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=secondarydomain.com
Return-Path: <user@primarydomain.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id o20-20020a67dfsdfdfsdfdsfdsfdfdsffd982760vsp.47.2023.01.09.13.39.36
        for <testaccount@gmail.com>
        (Google Transport Security);
        [timestamp]
Received-SPF: pass (google.com: domain of user@primarydomain.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@secondarydomain header.s=ggl header.b=kWE8YvVK;
       spf=pass (google.com: domain of user@primarydomain.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=user@primarydomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=secondarydomain.com


So, I thought I was smart to come up with a workaround and route emails from this alternative email address to an external SMTP server, but this isn't possible as the Google Workspace "hosts" section doesn't have provision for authentication. On top of this, there is no way to force using a third-party SMTP server in Gmail "send mail as" if the domain is already added as a secondary (or alias) domain in Workspace.

I'm frustrated and looking for either a fix from Google or a working workaround.

Here is one DMARC analyser tool's explanation:

google.com is authorized to send on behalf of secondarydomain.com, however it looks like SPF is still failing DMARC's alignment test. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. If the Return-Path doesn't match your From address, those messages will fail DMARC's SPF alignment test. Check with this source because you may need to set up a custom Return-Path.



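The alignment logic the analyser tool describes, worked through in code. This is an added example, not code from the thread or from Google; it re-implements only the DMARC alignment step (RFC 7489) over a header block constructed from the redacted headers above, with a From: line supplied here since the post elides it. It also covers the relaxed vs strict alignment modes and the p=none behaviour that later replies argue about. Assumptions are marked in comments: the organizational domain is approximated as the last two labels (a real verifier uses the Public Suffix List), and the second, DKIM-unaligned header block is constructed to show the failure case, not captured from Gmail.

```python
"""DMARC alignment evaluation over a captured Authentication-Results header.

Added example (not from the thread).  Implements the RFC 7489 rule:
DMARC passes if (SPF pass AND SPF domain aligned with From) OR
(DKIM pass AND DKIM d= domain aligned with From).  Alignment is
"relaxed" (same organizational domain) or "strict" (exact match).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the redacted header in the post; From: line is assumed.
SAMPLE_HEADERS = """\
Return-Path: <user@primarydomain.com>
Authentication-Results: mx.google.com;
       dkim=pass header.i=@secondarydomain.com header.s=ggl header.b=kWE8YvVK;
       spf=pass (google.com: domain of user@primarydomain.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=user@primarydomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=secondarydomain.com
From: Some User <user@secondarydomain.com>
"""

# Constructed failure case (assumption, not observed): DKIM signed with the
# primary domain's key instead of the secondary's, so neither identifier aligns.
UNALIGNED_DKIM_HEADERS = SAMPLE_HEADERS.replace(
    "header.i=@secondarydomain.com", "header.i=@primarydomain.com")


def unfold(raw: str) -> list[str]:
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines: list[str] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_headers(raw: str) -> dict[str, list[str]]:
    headers: dict[str, list[str]] = {}
    for line in unfold(raw):
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def org_domain(domain: str) -> str:
    # Assumption: two-label approximation of the organizational domain.
    # A production verifier must use the Public Suffix List (e.g. co.uk).
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate: str, rfc5322_from: str, mode: str) -> bool:
    """mode 's' = strict (exact), 'r' = relaxed (organizational domain)."""
    if mode == "s":
        return candidate.lower() == rfc5322_from.lower()
    return org_domain(candidate) == org_domain(rfc5322_from)


def address_domain(value: str) -> Optional[str]:
    m = re.search(r"@([\w.-]+)", value)
    return m.group(1).lower() if m else None


def parse_auth_results(value: str) -> dict[str, tuple[str, Optional[str]]]:
    """Map method -> (result, identifier domain) from one Authentication-Results value."""
    results: dict[str, tuple[str, Optional[str]]] = {}
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        clause = clause.strip()
        m = re.match(r"(dkim|spf|dmarc)=(\w+)", clause, re.I)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        if method == "dkim":
            d = re.search(r"header\.(?:d=|i=@)([\w.-]+)", clause)
        elif method == "spf":
            d = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", clause)
        else:
            d = re.search(r"header\.from=([\w.-]+)", clause)
        results[method] = (result, d.group(1).lower() if d else None)
    return results


@dataclass
class DmarcResult:
    from_domain: str
    spf_result: Optional[str]
    spf_domain: Optional[str]
    spf_aligned: bool
    dkim_result: Optional[str]
    dkim_domain: Optional[str]
    dkim_aligned: bool
    dmarc_pass: bool


def evaluate_dmarc(raw: str, aspf: str = "r", adkim: str = "r") -> DmarcResult:
    headers = parse_headers(raw)
    rfc5322_from = address_domain(headers["from"][0]) or ""
    auth: dict[str, tuple[str, Optional[str]]] = {}
    for value in headers.get("authentication-results", []):
        auth.update(parse_auth_results(value))
    spf_result, spf_domain = auth.get("spf", (None, None))
    if spf_domain is None and "return-path" in headers:   # Return-Path == MAIL FROM
        spf_domain = address_domain(headers["return-path"][0])
    dkim_result, dkim_domain = auth.get("dkim", (None, None))
    spf_aligned = spf_domain is not None and aligned(spf_domain, rfc5322_from, aspf)
    dkim_aligned = dkim_domain is not None and aligned(dkim_domain, rfc5322_from, adkim)
    dmarc_pass = (spf_result == "pass" and spf_aligned) or (dkim_result == "pass" and dkim_aligned)
    return DmarcResult(rfc5322_from, spf_result, spf_domain, spf_aligned,
                       dkim_result, dkim_domain, dkim_aligned, dmarc_pass)


def disposition(policy: str, result: DmarcResult) -> str:
    """Receiver action requested by the domain's p= tag.  p=none asks for
    nothing, so a message that fails DMARC is still delivered."""
    if result.dmarc_pass:
        return "deliver"
    return {"none": "deliver (report only)", "quarantine": "quarantine",
            "reject": "reject"}[policy.lower()]


if __name__ == "__main__":
    for label, raw in (("post's header", SAMPLE_HEADERS), ("DKIM unaligned", UNALIGNED_DKIM_HEADERS)):
        r = evaluate_dmarc(raw)
        print(f"{label}: SPF aligned={r.spf_aligned} DKIM aligned={r.dkim_aligned} "
              f"DMARC pass={r.dmarc_pass}; with p=reject -> {disposition('reject', r)}")
```

On the post's header the SPF identifier (primarydomain.com, from Return-Path) fails alignment under both relaxed and strict modes because it is a different organizational domain, while the DKIM d= (secondarydomain.com) aligns exactly, which is why Gmail itself reports dmarc=pass. Remove the aligned DKIM signature and the message fails DMARC outright; with p=none that failure changes nothing about delivery.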

Setting your DMARC policy to none basically disables it and says "allow any spoofed email from my domain that fails authentication to be delivered to the recipient".

This is a big problem as Gmail doesn't allow a different From domain as the Reply-To domain to pass DMARC.

While the issue in this discussion is not a problem for me, and the solution I have given before works fine, the incompetent Google Workspace support have driven me insane now.
They also accidentally suspended my domain, which caused a huge number of domino issues, as everything connected to my Google account stopped working. All third-party apps were no longer connected, all authentication broke, and emails started bouncing, which caused my email address to get blocked on all systems which sent out notifications and alerts.
All my Google Business Profiles got suspended.
This affected not only me but every client whose website, GBP or any service I manage.

It took me weeks to find and fix all the issues this caused.
Google didn't care and have refused to pay me any compensation for their mistake.

So I have now started using FastMail instead, and am now offering this to my clients instead. 



After receiving some nasty comments from a troll, I thought it would be pertinent to post this link again to an article I wrote on this topic. Please note that you cannot change the Return-Path and you don't need to.

https://domainadmintools.com/dmarc-strict-vs-relaxed-alignment-how-to-fix-spf-alignment-failed/

Overall, it's a fact that when using a secondary domain, the Return-Path is not set correctly, and that is what this thread is about. It doesn't sound like there is any fix to that issue. You can work around it, such as via DKIM alignment, which I believe is what you are saying, but people aren't asking for a workaround. They are asking for Google to set a Return-Path based on the secondary domain/alias used in the From. -KAM


Yes, this.

And also the fact that messages sent from domains with relaxed rules get rated worse by spam filters.

If your car leaks oil, filling it with thicker oil so it doesn't leak too fast is not a solution.

@Goury clearly you have not driven some of the hoopties I have in my life... -KAM

Do you have any evidence of this, as I have not seen this? Using relaxed rules is the recommended setting unless you run your own mail servers and have full control over everything. Otherwise people tend to have issues with email sent through third-party MTAs, websites etc.

So in conclusion, the answer is: the Return-Path will always be the primary domain. Which sucks, unfortunately.

The sadder thing is that there are those on here who hijack threads like this, not to answer the question but to advertise their business.

No amount of arguing on here is going to change that, and Google do not read this; they have known about this issue for years.

If you want to change the functionality, you will need to complain to Google. Perhaps start a petition.
