How can I modify the return-path in a Google Workspace account that has the capability to send as another Workspace account?

I haven't been able to find an answer to this, so forgive me if it's been asked somewhere before.

I'm working with a non-profit that has a Google Workspace for Nonprofits account. I'm working on getting our SPF/DKIM/DMARC records set up, and they work perfectly except for one situation.

We have two different domains, whedoncon.com, and thehellmouth.org. Some of our users have an email on both domains (i.e. [email protected] and [email protected] are going to the same person). I can send emails individually from each domain, and they pass SPF, DKIM, and DMARC fine. The problem comes in when I set up the domains to be able to send from each other.

I've added the capability for [email protected] to be able to send mail as [email protected]. The issue seems to be when I log in as [email protected], and send a message as [email protected]. Looking at the email headers, it seems that because I logged in as [email protected], it sets the return-path to the whedoncon.com address regardless of what account I select to send out the email.

The problem with this is that it causes DMARC to fail whenever I send an email out as [email protected], even though SPF and DKIM both pass. It seems to be because the return-path is showing as [email protected], but the DKIM is looking at hellmouth.org.

So, TL;DR, Google seems to always default to the signed-in account for the return-path, and not the secondary account that it's actually sending from. Is there a way I can change the return-path so it matches the account the email is coming from, and not the account that I'm signed in as?

Quechua answered 16/4, 2021 at 6:44 Comment(0)

Google Workspace has a primary domain and users are assigned a primary address under that domain. When you have a domain alias, users are assigned an alias address under that alias domain.

The envelope sender address (also known as the return-path address) and the From: address for a message can be different or the same.

If users send email from their alias address, the return-path address will be their primary address, while the From: address will be their alias address.

To pass DMARC, a message must pass at least one of these checks:

  • SPF authentication and SPF alignment
  • DKIM authentication and DKIM alignment

SPF typically uses the message envelope sender address for authentication. DKIM uses the message From: address for authentication.

When the domain alias is set up correctly, both the SPF and DKIM authentication will pass. However, only DKIM alignment will pass; SPF alignment will not pass. But that is okay because DMARC does not require SPF alignment to pass as long as DKIM authentication and DKIM alignment pass.

Gerena answered 11/6, 2021 at 19:34 Comment(2)
This is good info but I don't see how it addresses the issue. There are many support threads on this, e.g. this one. I have an aliased domain and, despite having an aliased user and the second domain fully set up with its own SPF and (separate) DKIM records, the headers of sent mail will still show Return path [email protected] when I send as [email protected]. Google isn't choosing the right records to authenticate the send. - Manteau
I have this issue and it's now very pressing with the Yahoo! change. The SPF fails (for the reasons above), but the DKIM fails as well because the domain used is ********.######.gappssmtp.com where ********* is my domain (and ##### is assigned by Google). - Baecher
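
The DMARC rule from the answer (pass if SPF or DKIM both authenticates and aligns with the From: domain) can be checked against a received message's headers. The following is an added example, not code from any poster on this page. The header text, the `user@` local part, the `mx.receiver.example` host and the `placeholder` label in the gappssmtp.com name are constructed, and the two-label organizational-domain rule is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_eval(raw, strict=False):
    """Return which mechanisms both passed and aligned with the From: domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    ar = msg["Authentication-Results"] or ""
    # SPF authenticates the envelope sender (Return-Path) domain.
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=(\S+)", ar)
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(
        spf.group(2).strip(";").rpartition("@")[2], from_domain, strict)
    # A message may carry several DKIM signatures; one aligned pass suffices.
    dkims = re.findall(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", ar)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, strict)
                  for res, d in dkims)
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}

def sample(dkim_d, mailfrom):
    # Constructed headers: From: is the alias domain, envelope is the primary.
    return ("Authentication-Results: mx.receiver.example;\n"
            f" dkim=pass header.d={dkim_d};\n"
            f" spf=pass smtp.mailfrom={mailfrom}\n"
            "From: User <user@thehellmouth.org>\n"
            "\n"
            "body\n")

if __name__ == "__main__":
    # Signed with the alias domain's own key: DKIM aligns, DMARC passes.
    print(dmarc_eval(sample("thehellmouth.org", "user@whedoncon.com")))
    # Signed only with a gappssmtp.com default key: nothing aligns.
    print(dmarc_eval(sample("thehellmouth-org.placeholder.gappssmtp.com",
                            "user@whedoncon.com")))
```

When the second case appears in real headers, the `header.d=` value shows that the alias domain's own DKIM key was not used for signing, which is the condition to verify in the Workspace DKIM settings for that domain.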
