Google DMARC reports for Google servers?
Each day I get a DMARC report from Google. They include records for our own outgoing emails, various 3rd party partners we've authorized to send on our behalf, and various spammers trying to spoof our domain. But here's something strange: they also include some of Google's own servers:
<record>
  <row>
    <source_ip>209.85.215.197</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>fail</dkim>
      <spf>fail</spf>
      <reason>
        <type>local_policy</type>
        <comment>arc=pass</comment>
      </reason>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>mydomain.com</header_from>
  </identifiers>
  <auth_results>
    <spf>
      <domain>mydomain.com</domain>
      <result>softfail</result>
    </spf>
  </auth_results>
</record>
whois shows that 209.85.215.197 is part of Google:
NetRange: 209.85.128.0 - 209.85.255.255
CIDR: 209.85.128.0/17
NetName: GOOGLE
NetHandle: NET-209-85-128-0-1
Parent: NET209 (NET-209-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Google LLC (GOGL)
RegDate: 2006-01-13
Updated: 2012-02-24
Ref: https://rdap.arin.net/registry/ip/209.85.128.0
I'm trying to figure out what's going on here, and there are only a few things I can think of:
- Some of Google's customers are spammers, sending email to Gmail addresses, while trying to use our domain
- Google not whitelisting their own servers
- Me being dumb and not understanding something about DMARC
I get at least 10 of these a day from random IPs in that netblock, always accompanied by a record for our own IP address showing emails going through. This leads me to believe it's #2: valid emails flowing around in Google's infrastructure, producing DMARC feedback when they shouldn't be.
If it is #2, does anyone know who to contact to make it stop? It's annoying to have to whitelist or ignore their netblock.
- Yes, some of Google's customers are spammers.
- Also yes, Google is well aware of this and does not blindly trust mail relayed by their own systems.
- There is nothing unusual about these IPs appearing in your DMARC reports. You asked to receive reports on how your domain's mail was handled, so of course Google also reports how your domain's mail was handled when relayed by that particular server.
- This is information you receive on top of what is potentially already reported by the first receiver (yes, in DMARC even mail that will be forwarded may be reported by the first recipient). This extra information does not reduce the information about the origin of potential spam you may or may not also receive.
However, what I believe is the more interesting hint these reports give you: check your DKIM setup.
I have similar Google IPs in my reports, and every single message that is reported as going through there is also reported as carrying at least one aligned and validating signature.
Google accepted that mail based on the ARC signature - based on the authentication results recorded by the relaying server. If you were signing adequate headers with an aligned key, your message could be forwarded with DKIM signature intact. Google would report a DKIM signature pass to you, instead of resorting to a decision based on the information added by the forwarding server.
For almost all mail servers, your DKIM setup should allow people using Google as their mail provider to forward your mail to another inbox of theirs, without having to break the signature.
About your comment on possibly revealing - to the sender - which systems are used to relay mail from a public, internet-accessible mail server: this is known and deemed acceptable by anyone wanting to send mail on the internet. Server operators are expected to consider the implications of forwarding mail before allowing their users to do so.
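As an added illustration of the triage the answer describes (not code from either poster), the script below parses aggregate-report records and separates mail the receiver accepted only because of an ARC override from mail that carried an aligned DKIM or SPF pass. The first record is the one from the question; the second, with the documentation address 203.0.113.10, is constructed, and the verdict labels are my own naming.

```python
"""Triage records in a DMARC aggregate report (the RFC 7489 XML format)."""
import xml.etree.ElementTree as ET

# Constructed sample: one record copied from the question (ARC override, no
# aligned DKIM) and one hypothetical record from the domain's own server.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>209.85.215.197</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
<reason><type>local_policy</type><comment>arc=pass</comment></reason>
</policy_evaluated></row>
<identifiers><header_from>mydomain.com</header_from></identifiers>
<auth_results><spf><domain>mydomain.com</domain><result>softfail</result></spf></auth_results>
</record>
<record><row><source_ip>203.0.113.10</source_ip><count>42</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
</policy_evaluated></row>
<identifiers><header_from>mydomain.com</header_from></identifiers>
<auth_results><dkim><domain>mydomain.com</domain><result>pass</result></dkim>
<spf><domain>mydomain.com</domain><result>pass</result></spf></auth_results>
</record>
</feedback>"""


def text(node, path, default=""):
    """Text of the first child matching path, or default when absent."""
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def triage(report_xml):
    """Return one dict per <record> with a verdict a postmaster can act on."""
    out = []
    for rec in ET.fromstring(report_xml).iter("record"):
        # policy_evaluated/dkim and /spf are the *aligned* results DMARC used
        dkim = text(rec, "row/policy_evaluated/dkim")
        spf = text(rec, "row/policy_evaluated/spf")
        override = text(rec, "row/policy_evaluated/reason/type")
        comment = text(rec, "row/policy_evaluated/reason/comment")
        if dkim == "pass" or spf == "pass":
            verdict = "authenticated"
        elif override == "local_policy" and "arc=pass" in comment:
            # Receiver trusted the forwarder's ARC chain; no aligned signature
            # of yours survived the hop, which is the "check DKIM" hint above.
            verdict = "forwarded_arc_override_check_dkim"
        elif override:
            verdict = "override_" + override
        else:
            verdict = "unauthenticated"
        out.append({"source_ip": text(rec, "row/source_ip"),
                    "count": int(text(rec, "row/count", "0")),
                    "dkim": dkim, "spf": spf, "verdict": verdict})
    return out
```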