Designating A DKIM Signer Other Than The "From" Domain

dkim dmarc

A few months ago, I implemented SPF/DKIM/DMARC for my three-person company. After a trial period, I switched our DMARC to "p=reject", so that emails are rejected if they fail SPF/DKIM. Generally, it works: our emails go through, and based on data from DMARC reports, spammers' emails trying to forge coming from our domain are getting rejected. The server is Ubuntu/Postfix.

The one thing that doesn't work is that, for calendars, we have been using Google calendars with Google accounts with our work emails (with our company domain; not gmail addresses). When one of us creates a Google calendar invite (either on the Google website, or via Thunderbird/Lightning with Provider for Google Calendar) with an attendee-recipient with an email address hosted by Google Apps, Google rejects our invite email. The bounceback message, from Google on behalf of the Google-Apps-hosted domain, says that the rejection is based on my domain's DMARC policy:

Google tried to deliver your message, but it was rejected by the server for the recipient domain [Google Apps Hosted Domain Removed] by aspmx.l.google.com. The error that the other server returned was: Unauthenticated email from [My Company's Domain Removed] is not accepted due to domain's DMARC policy. Please contact administrator of [My Company's Domain Removed] domain if this was a legitimate mail.

Right below that is a (presumably) valid DKIM signature for google.com. So in other words, Google rejected its own DKIM-signed email as spam because that's not what my DMARC policy says. But I can't figure out how to make my DMARC policy say otherwise. For SPF, I can designate Google as a valid sender. But I cannot find any way to do that for DKIM: something I can put in my DKIM record that says "If it's got a valid Google DKIM signature, that's not spam." Does such a thing exist? A way to authorize another DKIM signer other than the "From" domain?


Please note that you can have multiple DKIM selectors published in DNS. The one you are already using for on-premises server and another for mail originated from Google Apps (for example, ubuntu._domainkey.yourdomain.com and google._domainkey.yourdomain.com). Enable DKIM signing in Google Apps settings and Calendar invites will be signed by both google.com and yourdomain.com signatures (the latter will correspond to google._domainkey.yourdomain.com selector). This should resolve the issue with DMARC if you have Google IP space already added into your SPF definition. Hope this helps.

Related

Windows 2008 R2 & Infiniband SRP
I messed up my /etc/hosts and /etc/resolv.conf files, now my network doesn't work. How can I reset it?
I have no account in ubuntu
How can I solve this error related to gnome-terminal & software updater?
How can I do recursive unzip from terminal? [duplicate]
I cannot open system settings in ubuntu 17.10
Flash Player works on Firefox, but not on Chromium? [duplicate]
Unstable WiFi connection on Ubuntu 16.04
replace default Dutch Thunderbird by en-US version
Trying to Set up VirtualBox with Live Persistent USB made using Mkusb
Is it possible to block NotifyOSD for one application?
Does an Intel Core i3-3217U @ 1.80GHz (quad core, I think) qualify as "2 GHz dual core processor or better"