Designating A DKIM Signer Other Than The "From" Domain

A few months ago, I implemented SPF/DKIM/DMARC for my three-person company. After a trial period, I switched our DMARC to "p=reject", so that emails are rejected if they fail SPF/DKIM. Generally, it works: our emails go through, and based on data from DMARC reports, spammers' emails trying to forge coming from our domain are getting rejected. The server is Ubuntu/Postfix.

The one thing that doesn't work is that, for calendars, we have been using Google calendars with Google accounts with our work emails (with our company domain; not gmail addresses). When one of us creates a Google calendar invite (either on the Google website, or via Thunderbird/Lightning with Provider for Google Calendar) with an attendee-recipient with an email address hosted by Google Apps, Google rejects our invite email. The bounceback message, from Google on behalf of the Google-Apps-hosted domain, says that the rejection is based on my domain's DMARC policy:

Google tried to deliver your message, but it was rejected by the server for the recipient domain [Google Apps Hosted Domain Removed] by aspmx.l.google.com. The error that the other server returned was: Unauthenticated email from [My Company's Domain Removed] is not accepted due to domain's DMARC policy. Please contact administrator of [My Company's Domain Removed] domain if this was a legitimate mail.

Right below that is a (presumably) valid DKIM signature for google.com. So in other words, Google rejected its own DKIM-signed email as spam because that's not what my DMARC policy says. But I can't figure out how to make my DMARC policy say otherwise. For SPF, I can designate Google as a valid sender. But I cannot find any way to do that for DKIM: something I can put in my DKIM record that says "If it's got a valid Google DKIM signature, that's not spam." Does such a thing exist? A way to authorize another DKIM signer other than the "From" domain?


Please note that you can have multiple DKIM selectors published in DNS: the one you are already using for your on-premises server and another for mail originating from Google Apps (for example, ubuntu._domainkey.yourdomain.com and google._domainkey.yourdomain.com). Enable DKIM signing in the Google Apps settings, and Calendar invites will be signed with both google.com and yourdomain.com signatures (the latter will correspond to the google._domainkey.yourdomain.com selector). This should resolve the issue with DMARC if you have already added Google's IP space to your SPF definition. Hope this helps.
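
The alignment rule behind this answer, as an added example that is not part of the original posts: DMARC counts a DKIM result only when the signature's d= domain aligns with the "From" domain, so a google.com signature alone fails while a second signature published under google._domainkey.yourdomain.com passes. The sketch checks alignment only and assumes each signature already verified cryptographically. Assumptions: the messages are constructed, example.com stands in for yourdomain.com, selector1 is a made-up selector, and the organizational domain is approximated by the last two labels rather than the Public Suffix List.

```python
import email
from email.utils import parseaddr

def org_domain(domain):
    # Simplification (assumption): last two labels; real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_tags(value):
    # Split a DKIM-Signature value ("tag=value; tag=value") into a dict.
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def aligned_signatures(raw_message, strict=False):
    """Return (d= domain, DNS name of the public key, aligned?) per signature."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(value)
        d = tags.get("d", "").lower()
        if strict:   # adkim=s: d= must equal the From domain exactly
            ok = d == from_domain
        else:        # adkim=r (default): same organizational domain
            ok = org_domain(d) == org_domain(from_domain)
        results.append((d, f"{tags.get('s', '')}._domainkey.{d}", bool(d) and ok))
    return results

def dmarc_dkim_aligned(raw_message, strict=False):
    # Assumes every signature already verified cryptographically.
    return any(ok for _, _, ok in aligned_signatures(raw_message, strict))

# Constructed sample headers; selector1 and the bh=/b= values are placeholders.
GOOGLE_SIG = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
              " d=google.com; s=selector1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n")
OWN_SIG = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
           " d=example.com; s=google; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n")
REST = "From: Alice <alice@example.com>\nTo: bob@example.net\nSubject: Invitation\n\nbody\n"
BEFORE = GOOGLE_SIG + REST           # only Google's own signature: not aligned
AFTER = OWN_SIG + GOOGLE_SIG + REST  # second signature with d= the From domain

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, aligned_signatures(raw), "DMARC DKIM aligned:", dmarc_dkim_aligned(raw))
```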