If you are a Google Workspace user and use Google Calendar, you may have noticed some DMARC fails on your DMARC reports.

Here’s a sample record extracted by DMARCPal Record Explorer showing the issue:

Record with failed DMARC check

The problem is caused by Google sending those emails from domains that don’t align with the “From” address (blurred in the screenshot). It usually happens with Google Workspace users who reply to calendar invitations. Without alignment, you don’t get a pass from DMARC.

Let’s analyze this record a little more to understand what’s going on.

Breaking down Google Calendar invite DMARC record

SPF

As we can see, the SPF domain used by Google is calendar-server.bounces.google.com. SPF checks indeed pass for those emails.

However, this domain is different from the one present in the “From” header. This will fail DMARC alignment.

DKIM

Google adds two DKIM signatures to the email: one from its own google.com domain, another from XXXXX.20210112.gappssmtp.com (where XXXXX is your Google Workspace domain).

Here both DKIM signatures validate, hence DKIM is a pass for the messages. However, the domains checked aren’t the same as the one in the “From” line. This also will fail DMARC alignment.

DMARC

For DMARC to pass, domain alignment has to happen.

In other words, the domains authenticated by SPF and DKIM must be the same (for strict alignment), or be a sub-domain (relaxed alignment) of the domain in the “From” header.

Under certain conditions, Google Calendar invitation replies pass both SPF and DKIM domain checks. However, neither domain is in alignment with the “From” line.

That’s why DMARC fails.
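The alignment logic described above, as an added example that is not part of the original post: it parses an Authentication-Results value and reports which passing checks actually align with the “From” domain. The header values are constructed, example.com stands in for the Workspace domain, and the two-label organizational-domain shortcut is an assumption (real evaluators use the Public Suffix List).

```python
import re

# Constructed Authentication-Results values; example.com stands in for the
# Workspace domain and mx.example.net for the receiving server.
BEFORE = ("mx.example.net; dkim=pass header.d=google.com; "
          "dkim=pass header.d=example-com.20210112.gappssmtp.com; "
          "spf=pass smtp.mailfrom=reply@calendar-server.bounces.google.com")
# Same message once a signature for the Workspace domain itself is present.
AFTER = BEFORE + "; dkim=pass header.d=example.com"

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # use the Public Suffix List (this shortcut is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def parse_auth_results(header):
    """Return (method, result, domain) for each spf/dkim entry."""
    found = []
    for part in header.split(";")[1:]:          # skip the authserv-id
        method = re.match(r"\s*(spf|dkim)=(\w+)", part)
        dom = re.search(r"(?:header\.d=|smtp\.mailfrom=(?:[^\s@]*@)?)([\w.-]+)", part)
        if method and dom:
            found.append((method.group(1), method.group(2), dom.group(1)))
    return found

def dmarc_eval(header, from_domain, strict=False):
    """DMARC passes when at least one check both passes and aligns."""
    rows = [(m, r, d, r == "pass" and aligned(d, from_domain, strict))
            for m, r, d in parse_auth_results(header)]
    return ("pass" if any(row[3] for row in rows) else "fail"), rows

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        verdict, rows = dmarc_eval(hdr, "example.com")
        print(label, "->", verdict)
        for method, result, domain, ok in rows:
            print(f"  {method}={result} {domain} aligned={ok}")
```

Run against the headers of a real calendar reply, the per-check rows show at a glance whether any passing signature carries your own domain.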

How to solve this?

You need to do two things:

  • Add Google’s DKIM record to your DNS, and
  • Turn on DKIM authentication on Google Workspace

Step 1 — add Google’s DKIM record to your DNS

  1. Log in to your Google Workspace admin console at https://admin.google.com

  2. Navigate to Google Workspace > Settings for Gmail > Authenticate email

  3. Copy the DKIM record Google will use to sign your emails

    Google Workspace - Start Authentication

  4. Log in to your DNS hosting, and add the DKIM record copied above as a TXT record at google._domainkey.

Step 2 — turn on DKIM authentication

  1. Log in to your Google Workspace admin console at https://admin.google.com

  2. Navigate to Google Workspace > Settings for Gmail > Authenticate email

  3. Click “Start Authentication”

    Google Workspace - Start Authentication

This last step matters because it is apparently what enables Google apps to generate DKIM signatures using your domain.

Wrapping up DMARC check failing on Google Calendar

Just adding the DKIM record to your DNS is not enough to enable DKIM signatures using your domain, at least for Google Calendar.

We have seen Google Workspace users just doing that: they set up the DKIM record, they see DMARC checks passing for Gmail, and then they assume everything is okay.

What they don’t realize is that DMARC is passing only because Gmail uses the domain in the Return-Path, which makes SPF pass and align. When they don’t start authentication, DKIM indeed validates, but this happens using Google domains’ signatures, which don’t align with your domain. This makes DMARC fail.

See Your Google Workspace DKIM setup may be broken (and you may not know it) for more details about this issue.

For more details about setting up DKIM with Google Workspace, see the Turn on DKIM for your domain page.
