Google and Alignment Update


Earlier this month, I published a post about some changes with how Google is displaying information related to authentication in their “View Original” page. There’s one condition I apparently didn’t report and it brought up a question earlier today.

If a message has alignment between DKIM and the 5322.from address but there is no DMARC record for that domain published in DNS, Google gives a warning that the domain doesn’t align.

A screenshot from "Show Original" at Google that says:

SPF: Pass with IP 2a00:1098:88:f6:0:0:0:1

DKIM: 'Pass' with domain blighty.com

Alignment: The From header Laura Atkins <laura@blighty.com> does not match the DKIM domain blighty.com. Be careful with this message as the sender may be spoofing the From header identity.

Clearly the domains do match and the message is aligned. However, there is no DMARC record published for blighty.com.

My speculation is that the alignment message is generated from the Authentication-Results header. When you pull up “show original”, Google grovels through the “Authentication-Results” header to populate all of the special fields. If there is a DMARC=pass stamped in that header field, Google reports “Pass”. If there’s not a DMARC=pass in the header field, Google looks for the DKIM d= value and the From header and puts those tokens into the Alignment message.

What appears to be happening here is that Google only reports alignment in the Authentication-Results header if there is a DMARC record published in DNS. If there is no record, they don’t report DMARC=Pass and therefore the default Alignment message shows up with the domain names.

We can look at the raw headers and see all of this happening in the messages – ones with the incorrect Alignment message don’t have a DMARC=pass stamped in the headers.
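The check described above, as an added example (not code from this post or from Google): it reads a message's Authentication-Results and From headers and reports DKIM alignment independently of whether a dmarc=pass was stamped. The sample headers are constructed, the selector and the function names are assumptions, and the subdomain comparison is a simplification of relaxed alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def related(a, b):
    # Simplification: equal, or one is a subdomain of the other. Real relaxed
    # alignment compares organizational domains via the Public Suffix List.
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_alignment(raw_headers):
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dmarc, dkim_domains = None, []
    for header in msg.get_all("Authentication-Results", []):
        flat = " ".join(str(header).split())        # unfold continuation lines
        flat = re.sub(r"\([^()]*\)", " ", flat)     # drop (non-nested) comments
        for clause in flat.split(";")[1:]:          # [0] is the authserv-id
            m = re.match(r"\s*([\w-]+)=(\w+)", clause)
            if not m:
                continue
            method, result = m.group(1).lower(), m.group(2).lower()
            if method == "dmarc":
                dmarc = result
            elif method == "dkim" and result == "pass":
                prop = re.search(r"\bheader\.[di]=(\S+)", clause)
                if prop:
                    dkim_domains.append(prop.group(1).rpartition("@")[2].lower())
    aligned = any(related(d, from_domain) for d in dkim_domains)
    return {"from_domain": from_domain, "dmarc": dmarc, "dkim_aligned": aligned,
            "aligned_without_dmarc": aligned and dmarc != "pass"}

# Constructed sample headers (not copied from a real message); the domain and IP
# are the ones in the screenshot text, the selector "sel1" is made up.
NO_DMARC_RECORD = "\n".join([
    "Authentication-Results: mx.google.com;",
    "       dkim=pass header.i=@blighty.com header.s=sel1 header.b=AbCdEfGh;",
    "       spf=pass (google.com: domain of laura@blighty.com designates"
    " 2a00:1098:88:f6::1 as permitted sender) smtp.mailfrom=laura@blighty.com",
    "From: Laura Atkins <laura@blighty.com>", "", ""])
WITH_DMARC_RECORD = "\n".join([
    "Authentication-Results: mx.example.net;",
    "       dkim=pass header.i=@example.com header.s=sel1 header.b=AbCdEfGh;",
    "       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com",
    "From: Sender <sender@example.com>", "", ""])

if __name__ == "__main__":
    for name, raw in (("no DMARC record", NO_DMARC_RECORD), ("DMARC record", WITH_DMARC_RECORD)):
        print(name, check_alignment(raw))
```

A message where `aligned_without_dmarc` is true is the case in the screenshot: DKIM passes and matches the From domain, but no dmarc=pass appears in the header.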

I kinda want to talk about how Google isn’t using SPF here but every time I start that paragraph my science brain kicks in and goes “but you need to test that first”. Right now we can say that our tests show that an SPF pass with DKIM unaligned (but passing) is enough to get “Alignment=Pass” if you have a DMARC record but not if you don’t. I can’t help wondering if you get a DMARC=pass with DKIM but not SPF if you still get a warning. I don’t easily have a way to send mail that fails SPF but passes DKIM so I can’t do the tests I want, nor am I sure, if I could, that it would give us more insight into Google’s inner workings.

I can say I’m extremely pleased that our brand new mailserver in IPv6 space is successfully sending mail to Google and reaching the inbox even after just a few messages. It’s nice to know small mailservers can still work for small senders without a penalty from the big mailbox providers.


By laura
