SPF records for workspace or domain email

kolb
New Member

How to hide the 'mailed by' address for SPF from the secondary domain, which shows the primary domain name.
I am an admin of a workspace. I have added a secondary domain and then set up an email alias for the secondary domain. Then in the Gmail settings under account -> send mail as -> I have added the email alias of the secondary domain. Now when I send mail from that secondary domain email address, it displays the following to the recipient:

Mailed by: primary domain name
Signed by: secondary domain name

I want to either show (when mailed from a secondary domain email address) :

Mailed by: secondary domain name or hide it (and only show signed by: secondary domain name)


Hey Kolb,

'Signed by' indicates that the email is authenticated. When you add the secondary domain to your Workspace instance, make sure that you add SPF & DKIM records to that domain too.

When you add the alias to the account interface, you have an option to check 'Treat as an alias'. In this HC article you can compare how it will affect sent messages.

Best,
Marcin

I added SPF and DKIM records to the secondary domain. Still, it includes the primary domain in the Mailed by:

Mailed by: primary domain name
Signed by: secondary domain name

Is the user's primary email address on the primary domain, or secondary domain?

Yes, Primary email address, attempting to send as an Alias configured for the Secondary domain.

Main Account: brendon@r______n.com 
Send as Alias: brendon@c_____o.co 

SPF, DKIM and DMARC configured (and verified) on both r_____n.com (primary) and c_____o.co (secondary).

@kolb as of my understanding:

It's an expected scenario when you are using another domain email address to send emails through.

You will have to create a separate Google Workspace account for your secondary domain email address if you don't want users to see this.

@brendonmccarthy, it's not technically possible.

The reference to the primary domain will always be in the Mailed by, if the alias is in a secondary domain.

With both addresses in the secondary domain both values will say secondary domain.

@kim_nilsson I think "technically" it is possible, but it would require Google to make the technical changes necessary to support mailed-from on secondary domains?

Both "addresses" on the secondary domain would be two separate accounts, both requiring a license, whereas an alias does not use a license. Two accounts would not keep all email in the same inbox without forwarding enabled. For these (and other) reasons, it's not efficient to create two accounts, thus why the Alias functionality exists.

Not at all.

I never answer questions like this without testing them first.

I added an alias to an account in a secondary domain, added it as SendAs and sent an email. Both values report from By secondary domain.

So, in my scenario, the user's primary address is in the secondary domain.

I never said it would solve your specific problem, only explaining and expanding on my explanation.

@kim_nilsson I understand your scenario and appreciate your input.

In my case, I want to create 1 primary domain account with 1 secondary domain alias, and because I have selected the secondary domain (as the alias), I want the mailed-by to be the secondary domain when I configure "Send as" on the primary domain account.

To clarify, my comment was that technically it would be possible for Google Workspace to support using the secondary domain on mailed-from on a primary account w/ secondary alias - if it wanted to - as in there is no technical reason why it cannot, it simply has elected not to support.

 

I signed up with domainA.com and have domainB.com, domainC and to Z, as secondary domains but the SPF is not from the selective domain, the mail is sent from and always remains the primary domainA.com.

Mailbox shouldn't restrict this. I assume this is how the Google SMTP server works to not allow secondary domains for SPF.

Using a different domain for SPF mailed-by: domainname will itself put the emails in spam and give a blocklist.

This is such a critical thing. There is no point in having multiple domains if you can't use them properly.

Outlook Business and Fastmail are doing it better and allow secondary domains for SPF.

Hey @aryan8475

If you have multiple secondary domains, you have to add the SPF record, and DKIMs to all of them. Then either you update the primary user address in the admin console, or you add the alias and instruct the end user how to add this address to the mailbox (using 'send as' option). In both of these ways authentication will work correctly. 

Authentication is via DKIM, alias/secondary domains, which is correct, but the SPF value (mailed-by) remains the primary domain, which is wrong. Google Workspace is so advanced but can't offer the basic feature. "Send as" alias checked or unchecked, both get the SPF header domainA.com and not the secondary domain the mail is sent from.

This also applies when you have secondary domains as a separate user and you add them in the primary inbox; the SMTP server for the mailbox remains the same login, so it gets SPF from the primary domain.

 

Oh, really? That definitely sounds wrong.

When actually sending through SMTP as another/secondary user, the SPF and DKIM should be for the other separate user, without any connection to the primary.

This is my experience as well and I also agree Google Workspace should use the secondary domains. I also have DKIM and SPF setup on primary and secondary. Only primary is used by Google Workspace.

That's not how DNS works... whichever domain you're sending from must have its SPF, DKIM and DMARC separately configured. 

@christiannewman well SPF acts on the envelope from NOT the header from.  And DKIM can be signed (and multi-signed) with non-aligned domains.  DMARC just says what to do in those cases.  I'd recommend if you have primary and secondary domains, send an email with each to raptorloopback@raptoremailsecurity.com.  That should give some technical feedback on what that system sees for SPF/DKIM/DMARC.

-KAM
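The distinction drawn in the reply above (SPF evaluates the envelope from, DKIM signs with its own `d=` domain, and DMARC compares both against the header From), as an added example that is not part of the original thread. The sample message is constructed to mirror the primary/secondary setup described here, with placeholder domains example.com and secondexample.com and a made-up selector; the two-label organizational-domain rule is a simplification, and the SPF and DKIM checks themselves are assumed to have passed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): primary domain example.com,
# "send as" alias on secondary domain secondexample.com, as in the thread.
SAMPLE = """\
Return-Path: <admin@example.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secondexample.com;
 s=selector1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Hello <hello@secondexample.com>
To: someone@recipient.test
Subject: alias test

body
"""

def domain_of(address):
    """Domain part of an address header value, lower-cased."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def org_domain(domain):
    """Simplification: last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(domain.rstrip(".").split(".")[-2:])

def dkim_domains(msg):
    """Collect the d= tag of every DKIM-Signature header (mail can be multi-signed)."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = dict(t.split("=", 1) for t in re.sub(r"\s+", "", value).split(";") if "=" in t)
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def alignment_report(raw):
    """Relaxed DMARC identifier alignment, assuming the SPF and DKIM checks passed."""
    msg = message_from_string(raw)
    header_from = domain_of(msg["From"])
    mailed_by = domain_of(msg["Return-Path"])  # envelope from: what SPF evaluates
    signed_by = dkim_domains(msg)              # DKIM d= domains
    spf_aligned = org_domain(mailed_by) == org_domain(header_from)
    dkim_aligned = any(org_domain(d) == org_domain(header_from) for d in signed_by)
    return {"header_from": header_from, "mailed_by": mailed_by, "signed_by": signed_by,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_aligned": spf_aligned or dkim_aligned}

if __name__ == "__main__":
    for key, value in alignment_report(SAMPLE).items():
        print(f"{key}: {value}")
```

For the constructed message, SPF is not aligned with the header From but DKIM is, and DMARC alignment needs only one of the two.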

Correct for SPF but you still need a DNS record added to the domain in the envelope from.

Those are already configured properly with SPF; v=spf1 include:_spf.google.com ~all is given for both domains. The issue is it is not respecting the secondary domain SPF and uses the primary domain as SPF.

I am getting back to point out this issue again. This is such a bug and not a normal thing to accept.

I have a workspace account with email admin@example .com where the primary domain is example.com.

I also have a secondary domain name secondexample .com, both added in a single workspace account.

Now if I add alternative emails for the secondary domain hello@secondexample .com on the admin console user profile and then add this email as sendAs in Gmail, I can use it to send and reply to emails. All good.

The problem is when I am sending or replying to any email from any@secondexample .com domain, the SPF shows the primary domain, mailed-by: example.com, while it is sending from secondexample .com

SPF and DKIM are properly set for both domains. It is strange that the secondary domain is taking its own DKIM value but using the primary domain as SPF, which is wrong.

Outlook Business uses the same SPF domain the mail is sent from. Same goes for iCloud+, Fastmail. They all use the SPF of the domain the mail is being sent from and not related to the primary domain.

If someone is getting email from secondary-domain and the signed-by shows primary-domain, it itself feels suspicious and most of the time is marked as spam.

It is like mail is sent by personA but signed by personB. This needs to be fixed. It is a critical issue while the workspace support skips this as normal behavior. It is not.

100%

Literally created this domain to avoid sending some emails from the main domain.
