Hi Guys, all your suggestions led me to identify a possible cause. I tried to verify if all the DNS records of my domain (SPF, DKIM and DMARC) were good and I found out that the 2048-bit DKIM key was no longer valid. This is strange because it was good so far, so I decided to contact my DNS provider.
It seems something is wrong with their system because all of the sudden it breaks the 2048-bit DKIM key. This doesn't occur with the 1024-bit DKIM key. I'll let you know when it fixed. Thank you very much. *Denis Salicetti* <http://linkedin.salicetti.it/> Avviso di riservatezza <http://goo.gl/zS2xL> | Inviami messaggi protetti <http://goo.gl/LbhIoi> 2016-12-06 8:14 GMT+01:00 Dave Warren via dmarc-discuss < dmarc-discuss@dmarc.org>: > On Mon, Dec 5, 2016, at 16:57, Steve Atkins via dmarc-discuss wrote: > > > > > On Dec 5, 2016, at 4:36 PM, Dave Warren via dmarc-discuss < > dmarc-discuss@dmarc.org> wrote: > > > > > > On Mon, Dec 5, 2016, at 16:20, Steve Atkins via dmarc-discuss wrote: > > >> > > >> Mail from within Google to other places within Google may not cross > the > > >> external, non-ten-dot internet at all - and so cannot comply with your > > >> SPF requirement. From your forwarded error that looks like it may be > > >> what's happening. > > >> > > >> Should that cause a DMARC failure? Probably, yes. This may not be a > good > > >> domain to publish a DMARC p=reject message for. > > >> > > >> The only people who can fix it (other than you by removing your DMARC > > >> records) are probably Google support, given they're your vendor for > both > > >> the sender and the recipient. > > > > > > Oh shoot, I missed the TXT file. Okay, looking at the headers: > > > > > > From: denis.salice...@galeati.it > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; > > > d=galeati.it; s=google; > > > > > > That looks like message did get DKIM signed and is aligned to the From > > > header, so shouldn't that be enough to pass DMARC in this case, even if > > > SPF fails? > > > > Should be, assuming it's a valid signature (and there's no reason to > > think it isn't). > > > > *But* in this case, the lack of Authentication-Results header makes me > suspect > > DKIM may be checked at an external MX that this internal-only message > didn't > > go through, leading to an authentication failure that parallels the SPF > > one. > > I had the same thought, but, the attached bounce wouldn't necessarily > have an Authentication-Results header yet if the message is rejected by > the server that should be responsible for adding said header. > > Either way, it's all on Google, hopefully their customer support will be > competent. > > _______________________________________________ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) >
_______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)