> On Dec 5, 2016, at 4:36 PM, Dave Warren via dmarc-discuss > <[email protected]> wrote: > > On Mon, Dec 5, 2016, at 16:20, Steve Atkins via dmarc-discuss wrote: >> >>> On Dec 5, 2016, at 1:32 PM, Denis Salicetti via dmarc-discuss >>> <[email protected]> wrote: >>> >>> Hi Guys, >>> I am having a strange behaviour with Google Calendar. >>> >>> Since I decided to set p=reject to my domain (galeati.it), every time I >>> share a calendar with another user, Google notification (attached) gets >>> rebounded immediately. I think this should not happen because my SPF record >>> include: _spf.google.com ~all >>> >>> Any suggestions? >> >> Mail from within Google to other places within Google may not cross the >> external, non-ten-dot internet at all - and so cannot comply with your >> SPF requirement. From your forwarded error that looks like it may be >> what's happening. >> >> Should that cause a DMARC failure? Probably, yes. This may not be a good >> domain to publish a DMARC p=reject message for. >> >> The only people who can fix it (other than you by removing your DMARC >> records) are probably Google support, given they're your vendor for both >> the sender and the recipient. > > Oh shoot, I missed the TXT file. Okay, looking at the headers: > > From: [email protected] > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; > d=galeati.it; s=google; > > That looks like message did get DKIM signed and is aligned to the From > header, so shouldn't that be enough to pass DMARC in this case, even if > SPF fails?
Should be, assuming it's a valid signature (and there's no reason to think it isn't). *But* in this case, the lack of Authentication-Results header makes me suspect DKIM may be checked at an external MX that this internal-only message didn't go through, leading to an authentication failure that parallels the SPF one. > > I agree that this should be fixed within Google, but if I were Google, I > might also include all of my internal IPs in my internal representation > of "_spf.google.com". Also something only Google could address, of > course :) Yup. Cheers, Steve _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
