Alternative email address DKIM and incorrect Return-Path

Gmail is sending email from alternative email addresses (secondary domain) with the Return-Path set to the primary email address. Even though DKIM (and SPF) is set up for the secondary domain, DMARC is failing due to the Return-Path being different.

I have raised this with Google support staff on 2 occasions now.. no one seems to fully understand why this is such a big issue or how to get it in front of the right people. 

Here is a redacted example header:


ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@secondarydomain.com header.s=ggl header.b=kWE8YvVK;
       spf=pass (google.com: domain of user@primarydomain.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=user@primarydomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=secondarydomain.com
Return-Path: <user@primarydomain.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id o20-20020a67dfsdfdfsdfdsfdsfdfdsffd982760vsp.47.2023.01.09.13.39.36
        for <testaccount@gmail.com>
        (Google Transport Security);
        [timestamp]
Received-SPF: pass (google.com: domain of user@primarydomain.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@secondarydomain header.s=ggl header.b=kWE8YvVK;
       spf=pass (google.com: domain of user@primarydomain.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=user@primarydomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=secondarydomain.com


So, I thought I was smart to come up with a workaround and route emails from this alternative email address to an external SMTP server.. but this isn't possible as the Google Workspace "hosts" section doesn't have provision for authentication. On top of this, there is no way to force using a 3rd-party SMTP server in Gmail "send mail as" if the domain is already added as a secondary (or alias) domain in Workspace.

I'm frustrated and looking for either a fix from Google or a working workaround.

Here is one DMARC analyser tool's explanation:

google.com is authorized to send on behalf of secondarydomain.com, however it looks like SPF is still failing DMARC’s alignment test. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. If the Return-Path path doesn’t match your From address, those messages will fail DMARC’s SPF alignment test. Check with this source because you may need to set up a custom Return-Path.




I don't know if it helps, but try using the SMTP relay option in Google Workspace.

Also, can I get the full scenario here? Is it like you have a primary domain mail address and an alias from the secondary domain added under this, and when you send an email using the alias ID those are getting delivered to spam due to SPF/DKIM failure?


@ajojose33333344 wrote:

I don't know if it helps, but try using the SMTP relay option in Google Workspace.


Unfortunately that is a problem as Google Workspace SMTP relay doesn't have an option to specify authentication with the SMTP relay.


@ajojose33333344 wrote:

Also, can I get the full scenario here? Is it like you have a primary domain mail address and an alias from the secondary domain added under this, and when you send an email using the alias ID those are getting delivered to spam due to SPF/DKIM failure?


The simplest explanation is that the return path is set to user@primarydomain.com instead of user@secondarydomain.com. This is an alternative email address that was added, and then I'm using the "send mail as" option in Gmail. The messages are DKIM signed with secondarydomain.com.

Also, it would be interesting to see your DMARC policy. It may be too strict. And another question would be if you have DKIM enabled for both domains. 

Yes, I have DKIM enabled for both domains.
At this time my DMARC policy is just set to report.. no enforcing is happening (yet).

Do you want to share both of the domains in question? 
I can investigate the types of records you have and provide you more insights. Also, do you have any other third-party email handling service, like Mailchimp, or another relay in the middle, or a spam filtering tool?

Thanks for the offer.. 
I do know stuff about stuff.. both domains have SPF and DKIM set up. I do use 3rd-party mailers (and DKIM records and bounce handling are configured correctly).

The issues here are:

  1. Why is Gmail setting the return path for emails I send from user@secondarydomain.com to user@primarydomain.com?
  2. How can a Google Workspace user send mail from an alternative email address ("send mail as") via a 3rd-party SMTP server using authentication, i.e. a login and password?

Thanks for all your replies and efforts to help.

Unfortunately, you can't manipulate the return-path header in Gmail. I am not sure why Google sets the return path to your original mail. This support article seems to suggest this only happens with automated emails (autoresponders created from filters, vacation responders etc.). 

Either way, typically, if SPF and return-path don't align, DMARC will fail. However: if the DKIM signature is correct, DMARC should pass. At least that's how it is with our HubSpot and Mailchimp setups (both of which use their own return-path that can't be changed). 

That's how I understood it.. but I've been monitoring DMARC for this domain, and despite having the correct DKIM signature (see my original post) DMARC is failing. 
Here is the relevant part of the report:


Screenshot 2023-01-20 at 9.14.36 am.png

I've spoken to multiple people at Google who acknowledge the issue, but have no idea how to escalate it to someone who can do something about it.

What type of application are you using to handle these emails?

Do you mean the collating of the DMARC reports? If so, I have received them raw as well as "process" them via the tool Postmarkapp.com provides for DMARC reports.

I am sending ALL these emails out via Gmail in the browser, no app involved. Using an app, i.e. Thunderbird/Mac Mail etc., would be no issue, as I can send out via a 3rd-party SMTP server just fine then.

You said that you are sending emails over a third-party SMTP server.

Which type of SMTP server is it and what function does it provide? If you are sending emails over Gmail, why are you not able to send email over the Gmail SMTP server?

Please see my original post. I can send emails via Gmail (Workspace) just fine.. but they are failing DMARC (due to the mismatched return path I think).

Again, this is all resolvable if there was a way to send out email just for this one email address via a 3rd-party SMTP server (that uses authentication). I can't believe it's not possible.. using any other @gmail.com account it's not an issue at all, but using a Google Workspace account where the domain is added as an alias or secondary domain it is not possible.

I think we need more info to dig deeper here. Your SPF and DMARC records for both domains would be helpful. Judging from your screenshot of the DMARC report, where the first line says 0% of all emails were SPF aligned, that sounds very odd. Are you exclusively sending emails from the alias address?

The other thing that strikes me as odd: We use alias addresses all the time and we have no DMARC alignment issues at all. 


SPF (TXT) for both domains: 
v=spf1 include:_spf.google.com ~all

DMARC (for both domains): 
v=DMARC1; p=none; pct=100; rua=mailto:redacted@dmarc.postmarkapp.com; sp=none; aspf=r;

Thanks.. but keep in mind while I have mentioned Postmark, the issue here is only when emails are sent via the Gmail interface (for the secondary domain).

Emails sent via Postmark are just fine (yet I can't send them via Postmark from Gmail (or Workspace), which is what I really wanted to do to work around this issue).


@cryptochrome wrote:

The other thing that strikes me as odd: We use alias addresses all the time and we have no DMARC alignment issues at all. 


I want that too 😛
No idea why I am having issues.


Are you 100% sure DMARC is actually failing? Have you tried a different tool than just Postmark (I recommend EasyDMARC)? I am asking because in your initial post, the headers you posted actually say that DMARC passed. 

In relaxed DMARC (which is the default and what you are using), some portions of SPF+DKIM can be unaligned (which some DMARC tools already report as failed or "red") but DMARC overall still passes. 

For example, if SPF and Return-Path don't match, but the DKIM signature matches with the from header, then you are unaligned but DMARC still passes. 

Check with something like MXToolBox or EasyDMARC, just to be sure. 


Good suggestion.. I'm going to try that.

Check this one: there is an option called "Allow per-user outbound gateways" in Google Workspace; enabling it might help:

https://support.google.com/a/answer/176054?hl=en

First of all, you shouldn't be facing this issue as per the scenario you have explained. Let me know if it helps.

Sadly, this doesn't come up as an option if using a "send mail as" email address that is an alias or secondary domain (despite being able to use outbound alternative gateways for non-aliased or non-secondary domains).

@xyzulu did you ever find a solution?

I've been trying to enforce DMARC, but it blocks email "sent as" using our secondary domain, because the From domain (secondary domain) isn't aligned with the DKIM and SPF domains (primary domain), which I believe is the exact same problem you're having. 

I'm also not able to set SMTP options, as the secondary domain is set as an alias of the primary domain.

I'm curious if you ever found a solution.

You need to set up DKIM and SPF for both domains separately. When done correctly, DMARC will align even for secondary domains. 

Are you sure that's correct? SPF and DKIM pass for both domains, but DMARC fails (even in relaxed mode).

If I inspect the email being sent, it still contains information related to the primary domain (the SPF and DKIM being checked are from primary domain). And it's this mismatch that gets flagged (results below from https://redsift.com/tools/investigate)


Screenshot 2023-03-29 at 2.24.52 PM.png


Yes, absolutely positive. I use secondary domains every day. SPF does not align, but DKIM does, and so DMARC checks out, when set with a relaxed policy. 

I don't know how RedSift works and how to interpret their results, but if it is telling you that DMARC failed, then something is wrong in your SPF/DKIM setup or DMARC policy somewhere. 

Here is what it looks like for me (I am using Dmarcian):

Screenshot 2023-03-29 at 23.48.29@2x.jpg

Note I have redacted the domain names. In the From: domain, it would show my alias domain, but in the SPF section, the from: would be my primary domain. This is why SPF does not align. However, since the correct DKIM signature is passed along, DMARC still authenticates the email. 

This is how DMARC is designed. It is accounting for forwarded emails, which typically break SPF. If your DMARC policy isn't set to strict (which it never should be), then DMARC will pass, as long as the from domain (your secondary) and the DKIM signature match.

Looking at your screenshot again, I think you're fine. Your DMARC authentication PASSED. Only alignment failed. This aligns with what I explained above. You should not have any delivery issues, unless your DMARC policy is set to strict. 
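To make the relaxed-alignment rule described in this reply and in the earlier one about DMARC passing when only DKIM aligns concrete, here is an added Python example (not code from the thread or from Google): it pulls the DKIM, SPF and From identifiers out of an Authentication-Results header laid out like the one in the original post and applies the RFC 7489 alignment test. The .example domains and IP are constructed, and the organizational-domain rule is simplified to the last two labels (no Public Suffix List).

```python
"""Evaluate DMARC identifier alignment (RFC 7489 section 3.1) from Authentication-Results fields."""
import re

def org_domain(domain: str) -> str:
    # Assumption: no Public Suffix List; the last two labels stand in for the organizational domain.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) an organizational-domain match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

# Regexes for the three identifiers DMARC evaluates; group 1 is the result,
# group 2 the domain (the From identifier has no result, only a domain).
PATTERNS = {
    "dkim": r"dkim=(\w+).*?header\.i=@([\w.-]+)",
    "spf": r"spf=(\w+).*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)",
    "from": r"header\.(from)=([\w.-]+)",
}

def parse_auth_results(header: str) -> dict:
    """Return {'dkim': (result, domain), 'spf': (result, domain), 'from': ('from', domain)}."""
    flat = " ".join(header.split())  # unfold the header continuation lines
    found = {k: re.search(p, flat) for k, p in PATTERNS.items()}
    return {k: m.groups() for k, m in found.items() if m}

def dmarc_result(auth: dict, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes when at least one passing identifier aligns with the From domain."""
    from_domain = auth["from"][1]
    dkim_ok = ("dkim" in auth and auth["dkim"][0] == "pass"
               and aligned(auth["dkim"][1], from_domain, adkim))
    spf_ok = ("spf" in auth and auth["spf"][0] == "pass"
              and aligned(auth["spf"][1], from_domain, aspf))
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": "pass" if (dkim_ok or spf_ok) else "fail"}

# Constructed sample mirroring the original post: From on the secondary domain, Return-Path
# on the primary domain (SPF passes but is unaligned), DKIM signed by the secondary domain.
SAMPLE_ALIAS_OK = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@secondarydomain.example header.s=ggl header.b=kWE8YvVK;
       spf=pass (google.com: domain of user@primarydomain.example designates 203.0.113.41 as permitted sender) smtp.mailfrom=user@primarydomain.example;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=secondarydomain.example"""

# Constructed sample of the later poster's case: the message is signed with the primary
# domain's DKIM key instead, so neither identifier aligns and DMARC fails even when relaxed.
SAMPLE_ALIAS_BAD = SAMPLE_ALIAS_OK.replace("header.i=@secondarydomain.example",
                                           "header.i=@primarydomain.example")
```

Running `dmarc_result(parse_auth_results(SAMPLE_ALIAS_OK))` gives `spf_aligned` False but `dmarc` "pass", which is the behaviour this reply describes; the primary-signed sample fails.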

Unfortunately no, I tried enforcing DMARC and it immediately blocked all users that had Google Workspace set to use "secondary email" as their default sending email.

Looking at the headers manually, I do get a DMARC Fail for the email sent with the "secondary domain" as an alias.

(I have aspf=r; adkim=r, so the policy should be relaxed)

Screenshot 2023-03-29 at 3.01.55 PM.png

Based on your and @xyzulu's answers, I might need to take a look at the DKIM for the secondary domain again.

In Google Workspace itself, do the settings make any difference? E.g. "Treat as an alias" and "Specify a different reply-to address"?

I enforce DMARC on my secondary domain and have no issues.

Hey... yea, it looks like something might be off with DKIM on your secondary domain. It needs to have its own DKIM setup (own key), it can't use the DKIM of the primary domain. The same applies to SPF. 

Also, try to simplify your DMARC policy as much as possible. "Relaxed" is the default for everything, so no need to specify it. Also, set the policy to "p=none" for the time being. This will prevent emails from getting blocked, but still allows you to monitor DMARC results. 

As for the difference between "Treat as alias" and "different reply-to address": You want to set this to "Treat as alias". The other option will send from: your primary domain and just add a "reply-to:" header pointing to whatever you specify. Treat as alias is what you need. 


Thank you! 

I think I figured out the issue. While my DKIM record for the secondary domain was set up on the DNS records, it wasn't fully enabled on the Google Workspace side.

This seems to work now:

Screenshot 2023-03-30 at 3.34.32 PM.png

 Thanks a lot for your help!

I am glad to hear you were able to fix it! 🙂

Could you please share what settings you changed in Google Workspace that changed the DMARC check to change from FAIL to PASS? I'm troubleshooting this exact issue with Addon domains in Workspace. 😂

You need to configure (and enable) DKIM in Google Workspace for the addon domain to have it pass the DKIM test.

Thanks, I'm well aware of that and have followed all the steps mentioned in the setup guides from Google. I was specifically asking @pcothenet what they did to correct the issue re SPF and DKIM passing but DMARC still showing as FAIL in messages received in external Gmail accounts previously; that per their last post are now showing PASS.

As they said: "it wasn't fully enabled on the Google Workspace side."

Thanks, I'll let them reply if they can specify what exactly was "not enabled" that they changed and is now working for them. I'm experiencing the same issue they had previously, where DKIM and SPF pass but DMARC shows FAIL. I've followed the guides and, as far as I can tell, everything in Workspace is enabled for it; but mail sent to an external Gmail account shows SPF and DKIM pass and DMARC fail, as in @pcothenet's screenshots. Not seeking general help, just to know what worked for him specifically please.

Hi @michaelkatzman ,

In my case, I was missing Step 3 of this guide: https://support.google.com/a/answer/180504?hl=en. We had gotten the keys, added them to DNS, but never clicked on that "Start authentication" button in Google Workspace, for our alias domain. As soon as we did, the DKIM started passing for that second domain.

@pcothenet thanks for that detail. I wish that was my case, but the "Start Authentication" button was clicked previously, and it shows "Authenticating email with DKIM". Was hoping I was having the same issue you did, as I have the exact same issue you did previously, where SPF and DKIM pass but DMARC in Gmail shows as fail... except your last screenshot shows a DMARC: PASS in Gmail, which is my goal. Thanks for the replies everyone, even though it's been a while since the original issue was resolved. I'll keep picking at it and see if I can figure it out.

michaelkatzman_0-1682460123786.png
