Google Workspace for the Foundation does not check DMARC
Closed, ResolvedPublic

Description

Mail received in Gmail on the Foundation Google Workspace account does not have DMARC data in the "Authentication-results" header. Anecdotally, on my personal Google Workspace account, DMARC validation is working correctly and is populated in the "Authentication-results" header.

Event Timeline

jhathaway added a subscriber: bcampbell.

@bcampbell do you have any idea why this might be? Not a critical issue, but it is nice to be able to check how a single message is validated by Google.

@jhathaway Thanks for flagging this. I do not know the answer off the top of my head, but will try to figure out why this week. Should Gmail show DMARC auth results if we're not actually enforcing a DMARC policy on the mail server side?

I believe so; for instance, here is what I get from a mail from services.discover.com on my personal account:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@discover.com header.s=yaklsnl3a5hp4lden5zn5j3tsmbcb7wf header.b="l1PtVNb/";
       dkim=pass header.i=@amazonses.com header.s=224i4yxa5dv7c2xz3womw6peuasteono header.b=JQ26eNvy;
       spf=pass (google.com: domain of 0100018d55b46e89-7a7cda58-d90b-4857-b0ee-7214eb92ea51-000000@services.discover.com designates 54.240.41.201 as permitted sender) smtp.mailfrom=0100018d55b46e89-7a7cda58-d90b-4857-b0ee-7214eb92ea51-000000@services.discover.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=services.discover.com

and this is their DMARC record:

v=DMARC1; p=none; fo=1; rua=mailto:morse-dmarc@discover.com,mailto:dmarc_agg@vali.email; ruf=mailto:morse-dmarc@discover.com;

Does it matter that the mx*.wikimedia.org servers do not currently add an Authentication-Results header?

Does it matter that the mx*.wikimedia.org servers do not currently add an Authentication-Results header?

I don't think so, but I do think you hit upon the issue, namely that the first inbound host is mx{1001,2001}.wikimedia.org and per their docs for an "Inbound gateway":

Gmail doesn't do SPF or DMARC checks on incoming messages from the IP addresses you specify in the setting.

However, Gmail does seem to be doing SPF checks:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@protonmail.com header.s=protonmail3 header.b=JZZSnEyL;
       spf=pass (google.com: domain of akathelollipopman@protonmail.com designates 185.70.40.137 as permitted sender)

I wonder how accurate that header is. I just sent myself an email that got this:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@taavi.wtf header.s=mail header.b=EHgTwQaV;
       spf=pass (google.com: domain of taavi@taavi.wtf designates 159.65.117.75 as permitted sender) smtp.mailfrom=taavi@taavi.wtf

However, in the "original message" Gmail section I see also this:

image.png (398×855 px, 37 KB)

where the SPF IP is mx2001.wikimedia.org and not my mail server.

Possibly because "Gmail doesn't do SPF or DMARC checks on incoming messages from the IP addresses you specify in the setting."? support.google.com

I don't know your Google settings, but it's pretty easy to guess that mx{1|2}001.wikimedia.org would be set as an inbound email gateway, so... (And I no longer have an @wikimedia.org to send test email to...)

jhathaway triaged this task as Medium priority.

I'm not exactly sure what changed, which is not fabulous, but in my latest test email, from my test protonmail account, authentication headers were present, so resolving:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@protonmail.com header.s=protonmail3 header.b=r8M4F66C;
       spf=pass (google.com: domain of akathelollipopman@protonmail.com designates 109.224.244.31 as permitted sender) smtp.mailfrom=akathelollipopman@protonmail.com
Received: from mail-24431.protonmail.ch (mail-24431.protonmail.ch [109.224.244.31]) by mx-in2001.wikimedia.org (Postfix) with ESMTPS id 9BC88E0470 for
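
One way to run the check discussed in this thread across stored messages, as an added example (not code from this task or from Wikimedia's or Google's tooling): it parses an Authentication-Results value and reports which of spf, dkim and dmarc have no entry. The sample headers are constructed, modelled on the ones quoted above, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the headers quoted in this thread (header value only).
WITH_DMARC = """mx.google.com;
       dkim=pass header.i=@example.org header.s=sel1 header.b="l1Pt;Nb/";
       spf=pass (google.com: domain of b@example.org designates 192.0.2.10 as permitted sender) smtp.mailfrom=b@example.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.org"""
WITHOUT_DMARC = """mx.google.com;
       dkim=pass header.i=@example.org header.s=sel1 header.b=EHgTwQaV;
       spf=pass (google.com: domain of a@example.org designates 192.0.2.10 as permitted sender) smtp.mailfrom=a@example.org"""

def split_resinfo(value):
    """Split on ';' that is outside both "quoted strings" and (comments)."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"' and depth == 0:
            quoted = not quoted
        elif ch == "(" and not quoted:
            depth += 1
        elif ch == ")" and not quoted and depth:
            depth -= 1
        if ch == ";" and depth == 0 and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_auth_results(value):
    """Return (authserv_id, results); each result has method, result, comment, props."""
    parts = split_resinfo(value)
    if not parts:
        return "", []
    results = []
    for entry in parts[1:]:
        m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", entry, re.I)
        if not m:  # e.g. the bare "none" a verifier emits when it ran no checks
            continue
        comment = re.search(r"\(([^)]*)\)", entry)
        bare = re.sub(r"\([^)]*\)", " ", entry[m.end():])  # drop comments before reading props
        props = {k.lower(): v.strip('"') for k, v in
                 re.findall(r'([a-z]+\.[a-z0-9-]+)=("[^"]*"|\S+)', bare, re.I)}
        results.append({"method": m.group(1).lower(), "result": m.group(2).lower(),
                        "comment": comment.group(1) if comment else None, "props": props})
    return parts[0], results

def missing_methods(value, expected=("spf", "dkim", "dmarc")):
    """List the expected authentication methods with no entry in the header."""
    seen = {r["method"] for r in parse_auth_results(value)[1]}
    return [name for name in expected if name not in seen]
```

Pass the header value without the `Authentication-Results:` field name; a non-empty result from `missing_methods` on mail that arrived through a configured inbound gateway matches the behaviour described in the thread.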