DMARC fails for forwarded emails; end up in spam

[jamescridland]

When receiving an email from example.com (sent via Google Workplace), which is forwarded through forwardemail, they are ending up in spam in my Gmail.

Gmail tells me:

• SPF: | PASS with IP 138.197.213.185 Learn more
• DKIM: 'PASS' with domain example-com.20210112.gappssmtp.com
• DMARC: 'FAIL' Learn more

The full headers are here. In the example below, the email comes in from eve@example.com (I've done a search/replace) but everything else is there.

example.com is a client; and I'm in charge of their DNS - so we've some opportunity to try something if we need to.

Delivered-To: (mygmail)
Received: by 2002:a59:afa8:0:b0:29e:61ae:1e25 with SMTP id h8csp1209700vqa;
        Fri, 20 May 2022 11:33:25 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwzsEUMPylvWfVxTu/IygdSv4ca/opAXEFOnVXlUPEC4RkX/F4UBBxI+I/7BOw+S9RMEEMt
X-Received: by 2002:a17:903:1252:b0:154:ca85:59a0 with SMTP id u18-20020a170903125200b00154ca8559a0mr11130361plh.169.1653071605264;
        Fri, 20 May 2022 11:33:25 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1653071605; cv=pass;
        d=google.com; s=arc-20160816;
        b=jzr9V0C7i5PGrThrwYRow99apu9mYDSLf/mpgmXcdIZD/vOAbj5w0Zp8U7OFZtZaGY
         ECWfI1eczehdBISJJfM1sd2sVlp1tL9VQDbLBQlz7D9ffL2pUZKkq3Du+vOUM+opq6h5
         15ntEkB7YkG4OsOgVpwOAhelTguSF3ygag4GorVmOs2RyLMjKGdQ+a8peUWCy/dVeGs4
         LoiRSthWLd93zqL+lVMbV4ESQ/+7vuOfk2qURVlfsWq+sYbKNF4sd3vBhkIZ6oU3lzUL
         qEocwjcwFEDdBCV6jD+YMWn/7FMqcnmaI5PbSsoxQZBOfpVBzdWBpRJEx3JY4UMcyDdz
         FsIA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=cc:to:subject:message-id:date:from:mime-version:dkim-signature;
        bh=c3qyEErR7uloDh14wrwNKwuc+XRlGNAv2O2M0Bq0dRg=;
        b=Mhvo17/4RRcVl9ukSDBmKwaK0kxzGSD0gSyElT05CDvxXpxAUfU6VaT5pD7C6tk9O0
         d9S7Rb5H62cdQjAQ8T6hYX7JOuuLLigWI/gfybXHxRZnVG41P9Hc+DY9btHGjVlnCM47
         YP05ujkUfrEShlxP1D+EaZBHAMojf7S41sRAYzHi0R4awgEPfs9wNPBw63QBuPCb4vw5
         2QPW4dkOOPklYFUisimXM9fN/g4R2mMw+GjIjjO/DIuH2Z4bnlYNOGhqFD54yIghZzns
         jvSnG5upHt4cZS/A/HdSndhBjM8TByzHphDbr9DQAMa0oOpkaXWXBqAJBiPycX8wqy5k
         XX/w==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@example-com.20210112.gappssmtp.com header.s=20210112 header.b=V1uCvjkm;
       arc=pass (i=1 spf=pass spfdomain=example.com dkim=pass dkdomain=example-com.20210112.gappssmtp.com dmarc=pass fromdomain=example.com);
       spf=pass (google.com: domain of srs0=6fc1=v5=example.com=eve@forwardemail.net designates 138.197.213.185 as permitted sender) smtp.mailfrom="SRS0=6fc1=V5=example.com=eve@forwardemail.net";
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=example.com
Return-Path: <SRS0=6fc1=V5=example.com=eve@forwardemail.net>
Received: from mx1.forwardemail.net (mx1.forwardemail.net. [138.197.213.185])
        by mx.google.com with ESMTPS id x17-20020a1709027c1100b00161a5dc2ea8si163125pll.612.2022.05.20.11.33.24
        for <(mygmail)>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 20 May 2022 11:33:25 -0700 (PDT)
Received-SPF: pass (google.com: domain of srs0=6fc1=v5=example.com=eve@forwardemail.net designates 138.197.213.185 as permitted sender) client-ip=138.197.213.185;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example-com.20210112.gappssmtp.com header.s=20210112 header.b=V1uCvjkm;
       arc=pass (i=1 spf=pass spfdomain=example.com dkim=pass dkdomain=example-com.20210112.gappssmtp.com dmarc=pass fromdomain=example.com);
       spf=pass (google.com: domain of srs0=6fc1=v5=example.com=eve@forwardemail.net designates 138.197.213.185 as permitted sender) smtp.mailfrom="SRS0=6fc1=V5=example.com=eve@forwardemail.net";
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=example.com
ARC-Seal: i=1; a=rsa-sha256; t=1653071604; cv=none; d=forwardemail.net; s=default; b=nt+rAhzetDfRutoATvmssciQqtSWNTfYDLWRMagI/Kuo9vObh6XHuIXDSpP1qKwTDRnkWIwLt 8XOqdI8yNrPzwTTeJNVdSSQRNcmRPNtDDYDenlMWu6bzeaTifK6+5LU9WgwaoDibY3ondeTpJuB c51LVNC7pB8cN+dFPDOucwU=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=forwardemail.net; h=Content-Type: Cc: To: Subject: Message-ID: Date: From: MIME-Version; q=dns/txt; s=default; t=1653071604; bh=c3qyEErR7uloDh14wrwNKwuc+XRlGNAv2O2M0Bq0dRg=; b=pMh0qbj70zreirk+olV/zQzOJmwxF6plhsaEn2nbF4NqXin0GljdPpoPr/VQCoeVmK+ofn+Uw 7Gt16iYKnajFAYvriD7tCv0ko81xrT77fxrs59lDV5BjCXm3O5PniMJoY8vwwstrk1rd3GgM6sJ sjGVixZGrIbVw8THU4Ro6lc=
ARC-Authentication-Results: i=1; mx1.forwardemail.net; dkim=pass header.i=@example-com.20210112.gappssmtp.com header.s=20210112 header.a=rsa-sha256 header.b=V1uCvjkm; spf=pass (mx1.forwardemail.net: domain of eve@example.com designates 209.85.208.49 as permitted sender) smtp.mailfrom=eve@example.com smtp.helo=mail-ed1-f49.google.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE arc=none) header.from=example.com header.d=example.com; bimi=pass header.selector=default header.d=example.com
Received-SPF: pass (mx1.forwardemail.net: domain of eve@example.com designates 209.85.208.49 as permitted sender) client-ip=209.85.208.49;
Authentication-Results: mx1.forwardemail.net; dkim=pass header.i=@example-com.20210112.gappssmtp.com header.s=20210112 header.a=rsa-sha256 header.b=V1uCvjkm; spf=pass (mx1.forwardemail.net: domain of eve@example.com designates 209.85.208.49 as permitted sender) smtp.mailfrom=eve@example.com smtp.helo=mail-ed1-f49.google.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE arc=none) header.from=example.com header.d=example.com; bimi=pass header.selector=default header.d=example.com
X-ForwardEmail-Sender: rfc822; eve@example.com
X-ForwardEmail-Session-ID: 3rivgenh7xgy2khf
X-ForwardEmail-Version: 8.3.0
Received: by mail-ed1-f49.google.com with SMTP id s3so11803367edr.9
        for <james@podnews.net>; Fri, 20 May 2022 11:33:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=example-com.20210112.gappssmtp.com; s=20210112;
        h=mime-version:from:date:message-id:subject:to:cc;
        bh=c3qyEErR7uloDh14wrwNKwuc+XRlGNAv2O2M0Bq0dRg=;
        b=V1uCvjkmUTH/2Pv37MebkFzEnwhj44ztA3PAnHAJMoIrFhtptRTO3VV7c2LEMIH/WY
         k2PmmP2b7o/SezXZ6i2T8p0Nvpe/DPsR/j73kp7NptXHskQzjhckU/noPNWG+B6Db0F4
         EX890OiDxHyJ1QgP2ypL3YQskjlWifRCn+jCg0GS0fgXcbNyFlf21L50u96NWlvcNE8O
         tG70JHQtOPOszzoo8HF9JrLINSl3uHf+ZcxhSmXQhWcKDYX96C49laS5GdqV94fwa9kA
         ovEdCa8ePct03hXVt5LkwbIuG2m65CvRorRzQ1SoHxHwiF4oceyn9yvDdCLmU349/iPY
         TAwg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc;
        bh=c3qyEErR7uloDh14wrwNKwuc+XRlGNAv2O2M0Bq0dRg=;
        b=eF+hqhXbBavuEB6MKoS0N2iRpWo2vCjBYx09DDH4NE5qOYQBIP4wZl7OqI9tIrT/qf
         VbwsjwJtLT/EjzoXWMuojIuBzLMw1NLoIcpf+YoG/cWU7x7/bzaEbBAFRBTJYe+HJcQl
         ko5Fecq6r6uA8BFmpc3Obn1eO27YGOP1MDOvUB9jrDoub8rk1+znLwOQA+7Gp3VB90BU
         np0PTvHzghxpVLUAn0P76GhNqoIWsxVaFefCc2PTOlXIo6MiadNMW20P2+GIiN7TsaUY
         xQTlW9dnvk1mnNDR7PMmOhZe2AihwzB1WepA2QS5U/L59r8DBi0F05i8JQIkBID8Us3d
         98dw==
X-Gm-Message-State: AOAM532A5KFTT/nfoK4AG//hlO5MMY7iBxpCjlARXYk0G3vCjk3ji0VF izkF+Bzt3Y6/jDMopTAhurjuCAgClm7Y3Nos9g1jRwi+u8w=
X-Received: by 2002:a05:6000:1563:b0:20e:7206:ed0c with SMTP id 3-20020a056000156300b0020e7206ed0cmr6450694wrz.192.1653071590389; Fri, 20 May 2022 11:33:10 -0700 (PDT)
MIME-Version: 1.0
From: Eve <eve@example.com>
Date: Fri, 20 May 2022 11:32:59 -0700
Message-ID: <CAMe-7TR1MptjE=Zv8mkNpk=32Qjx=WGUTw5r8E2ySC1q2GQ2zQ@mail.gmail.com>
Subject: SP article for 22-05-24
To: "James Cridland · Podnews" <james@podnews.net>
Content-Type: multipart/alternative; boundary="000000000000ef17b405df75b856"

[titanism]

This is because you need to configure a DKIM signature for your Google Business domain of "example.com".

[jamescridland]

...if it helps anyone else...

GSuite (or Google Workspace) has a button marked "START AUTHENTICATION", and not very obviously, you need to hit that, irrespective of whether you've added the TXT entry. That was the issue.

[marxo]

@titanism I have a similar problem, although my domain is not registered with any service, and I use Cloudflare for DNS. Is there a way to generate a DKIM key?