Cannot send Action tests to self despite valid SPF authentication - email

It seems Google Apps customers cannot test (self-to-self) Actions through Apps Script as outlined in this example: https://developers.google.com/gmail/markup/apps-script-tutorial#creating_the_project despite having a valid SPF.
According to https://developers.google.com/gmail/markup/registering-with-google you can send them self to self, and it should work without pre-registering, provided the email goes through SPF or DKIM authentication.
We have not set up DKIM, but we do have a valid SPF for our domain. The first part of our SPF record is:
v=spf1 include:_spf.google.com
When I follow the tutorial linked above and I receive the email, the header shows:
Received: from mail-it0-x245.google.com (mail-it0-x245.google.com. [2607:f8b0:4001:c0b::245])
by mx.google.com with ESMTPS id i196si1416642itc.102.2016.06.25.10.03.10
for <my email address>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Sat, 25 Jun 2016 10:03:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of 3trluvwgicd0sahffhmrzjqe.bnlsahffhmrzjqe.bnl#maestro.bounces.google.com designates 2607:f8b0:4001:c0b::245 as permitted sender) client-ip=2607:f8b0:4001:c0b::245;
Authentication-Results: mx.google.com;
dkim=pass header.i=#akrf-com.20150623.gappssmtp.com;
spf=pass (google.com: domain of 3trluvwgicd0sahffhmrzjqe.bnlsahffhmrzjqe.bnl#maestro.bounces.google.com designates 2607:f8b0:4001:c0b::245 as permitted sender) smtp.mailfrom=3TrluVwgICD0sahffhmrZjqe.bnlsahffhmrZjqe.bnl#maestro.bounces.google.com
Received: by mail-it0-x245.google.com with SMTP id 13so102904690itl.0
for <my email address>; Sat, 25 Jun 2016 10:03:10 -0700 (PDT)
According to the answer on this post (Actions Tutorial does not work despite SPF validation):
"The SPF domain must match the email sender domain.
If you are sending emails from myaccount#mydomain.com, the SPF domain must be mydomain.com.
Your headers show <host>#maestro.bounces.google.com
as the domain, update your domain configuration to sign emails properly and
you should be all set."
We have no control over how Apps Script generates email headers, so it seems Apps Script emails will always show #maestro.bounces.google.com.
Which finally brings me to my question: How can we test Actions via Apps Script if we cannot control the header? Apps Script triggered emails will always go through maestro.bounces.google.com, not [our domain].
Ultimately our goal is to use Actions entirely within our domain, and most likely through Apps Script each time. It would be great if Google Apps customers could allow Actions to pass (locked down for emails sent within the domain) through GA Control Panel, versus having to follow the very necessary restrictions imposed for domain-to-domain.
If there is another way for me to test this or something I've overlooked, please advise. Thanks!

Please try testing your schemas to see if your markup is working correctly end-to-end using the Email Markup Tester tool.
Once the markup is tested end-to-end with this technique and you are ready to launch your integration to production, check Registering with Google for the next steps.
Please note that you can only ignore the registration requirements for emails where the sender and the recipient are the same account. Otherwise, you have to check Registering with Google.

Action tests that are not pre-registered are only testable self-to-self if you send them from personal (gmail.com) accounts. In order to make them work from a Google Apps for Work account, you currently need to register as if you were sending to someone else.
I've asked Google to open up this functionality so folks using work accounts can follow the tutorials, but if you are just learning this area, for now it is best to use a personal Gmail account.
Thanks Franco - your comment was the right answer but I could not see a way to mark it as such.
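The alignment rule quoted in the question (the SPF-authenticated domain has to match the From domain) can be checked against a message's own headers; the following is an added example, not code from the thread or from Google, and it does not reproduce Gmail's actual decision logic. The two messages are constructed (example.com and the bounce local part are placeholders, written with a real @), and the relaxed-alignment test is an approximation that does not consult the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the Apps Script headers in the question.
APPS_SCRIPT_MAIL = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example-com.20150623.gappssmtp.com;
       spf=pass (google.com: domain of abc123@maestro.bounces.google.com
       designates 2001:db8::245 as permitted sender)
       smtp.mailfrom=abc123@maestro.bounces.google.com
From: Me <me@example.com>
To: me@example.com
Subject: Action test

body
"""
# Constructed message whose envelope sender and DKIM signer use the From domain.
ALIGNED_MAIL = APPS_SCRIPT_MAIL.replace(
    "abc123@maestro.bounces.google.com", "bounce@example.com"
).replace("@example-com.20150623.gappssmtp.com", "@example.com")

# Which Authentication-Results property names the authenticated identity.
IDENTITY = {"spf": ("smtp.mailfrom",), "dkim": ("header.d", "header.i")}

def aligned(auth_domain, from_domain):
    # Approximation of relaxed alignment: same domain or parent/child of it.
    # A real check compares organizational domains via the Public Suffix List.
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))

def check_alignment(raw):
    """Return [(method, result, authenticated_domain, aligned_with_From)]."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    rows = []
    for header in msg.get_all("Authentication-Results", []):
        # Unfold the header, then drop parenthesised comments.
        value = re.sub(r"\([^)]*\)", "", " ".join(header.split()))
        for clause in value.split(";")[1:]:   # first item is the authserv-id
            m = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
            if not m or m.group(1) not in IDENTITY:
                continue
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            ident = next((props[k] for k in IDENTITY[m.group(1)] if k in props), "")
            domain = ident.rpartition("@")[2].lower()
            rows.append((m.group(1), m.group(2), domain, aligned(domain, from_domain)))
    return rows

def has_aligned_pass(raw):
    return any(res == "pass" and ok for _, res, _, ok in check_alignment(raw))
```

For the Apps Script style message both SPF and DKIM report pass, yet neither authenticated domain is the From domain, which is the mismatch the quoted answer points at.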

Related

Unable to send Emails to university email addresses

I use dnsimple to host my DNS and have valid SPF, DKIM, and DMARC records to validate my emails sent from Zoho. However, whenever I send emails to a #ucdavis.edu account, I get an Undelivered Mail response:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error.
lsmiyashita#ucdavis.edu, ERROR_CODE :550, ERROR_CODE :5.7.1 <admin#study.space>... Access denied
Received:from mail.zoho.com by mx.zohomail.com
with SMTP id 1478675695600485.6815385213283; Tue, 8 Nov 2016 23:14:55 -0800 (PST)
Message-ID:<15847f087ed.112901d8e106580.9166398699723335101#study.space>
Date:Tue, 08 Nov 2016 23:14:55 -0800
From:Jacob Bevilacqua <admin#study.space>
User-Agent:Zoho Mail
To:"lsmiyashita" <lsmiyashita#ucdavis.edu>
Subject:Here's a little test for you.
Content-Type:multipart/alternative;
boundary="----=_Part_335760_1020694757.1478675695597"
I have tried several different hosts (GSuite, MailGun, & Zoho) and I get the same issue. I checked and I am not blacklisted on any sites. I ran a test at mail-tester.com and got a 10/10. Why won't my messages deliver?
I verified that the email address you are sending to is valid: Verified Email Address
So like #Synchro says, they just don't like you. It's always a challenge to figure out the exact reason, but contacting their admins is the right way to go. I have a feeling it's because of the .space domain ending, they probably haven't updated the list of domain endings they accept.
Anyway, if you wanted to do additional mail testing, use this Mail Tester.
You are under the unfortunate illusion that it's your fault. A 5.7.1 error means that they just don't like you, and they don't have to give a reason. Welcome to the world of deliverability, or lack thereof. Well-behaved mailers are often punished for no particular reason. If it's just this domain, your best bet might be to contact their admins.

Why is gmail marking my email as spam?

I have a VPS (Droplet) at DigitalOcean.
I am sending mail from a website, but I have configured PHP to use my SMTP server instead of just the usual PHP Mail().
I have DKIM, DMARC, SPF configured correctly.
Here are some of the relevant headers in my message:
Received-SPF: pass (google.com: domain of stockapi#lfto.me designates 104.236.231.177 as permitted sender) client-ip=104.236.231.177;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of stockapi#lfto.me designates 104.236.231.177 as permitted sender) smtp.mailfrom=stockapi#lfto.me;
dkim=pass header.i=#lfto.me;
dkim=pass header.i=#lfto.me;
dmarc=pass (p=QUARANTINE dis=NONE) header.from=lfto.me
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lfto.me; s=mail;
t=1452989846; bh=czrEg02FSPEvWjTq3enrcAZrxmaNPmFuwA/aUIJ/fNY=;
h=From:To:Date:Subject:From;
b=hQ/09WMZxJO692Lg7g/1TmOLbwWp2rMoHhl/P5Eb6auvhIjDG6tEYxgksg5qYBYEq
4NmPO9yddeW/JqLHCL4GWFafYGXorfA6oR/uqwwI0Jt6aflEJunFEVxxon8jvxiVp5
BsuxdU0vu7GPDH289L3Lf3/oG1nKrn22L2PcKreo=
According to these, it seems my message is passing all checks, but still is getting into the "spam" folder. What could be the problem?
Chiefly, to avoid a spam engine classifying your messages as spam you should:
Make sure they aren't spam (i.e. ensure that only users who have really opted in get mailed - make sure you keep an opt-in audit log)
Make sure they don't look too much like spam - $$$ MAKE MONEY FAST is not a good subject line
Ensure that the sender address is not spoofed and does not appear to be spoofed. Use a domain that you are authorised to send from (add valid SPF records if you like)
Not do anything that looks malware-ish (e.g. HTML emails containing scripts, forms, flash etc)
But by and large the main one is:
Do not send them from an IP address which is known for sending spam.
The last point means that YOU CANNOT USE SHARED HOSTING. Almost all shared hosting providers allow the sending of mails which don't conform to any of the above. Shared hosting providers' relays are almost always on lots of blacklists.
It only takes one vulnerable web app on your shared hosting for it to turn into a spam gateway - something which you can't afford.
It seems like most of the email from unlisted (the list is held by Google) IP addresses will go to the junk folder in Gmail, even if the sent emails are valid according to SMTP.

Gmail Grid View - Sender Image Troubleshooting (DKIM)

I'm attempting to help a client get their Google+ profile logo to display as the sender image in Gmail's grid view. I've gone over Google's documentation and I'm obviously missing something… The promotional image does come through so the schema code should be good.
I have verified the following…
The Google+ Page shows as verified
The sending domain is a delegated subdomain of the verified domain
More than 1,000 emails a week are sent from this domain
Which just leaves the DKIM portion and it's here that I know nothing about what I should be checking. I know I can go into the source of a gmail email and see the following
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of xxxxxxxx.xxxxx#xxxxxx.xxxxx.com designates ###.#.###.### as permitted sender) smtp.mail=xxxxxxxx.xxxxx#xxxxxx.xxxxx.com;
dkim=pass header.i=#x.xxxxxxxx.com;
dmarc=pass (p=NONE dis=NONE) header.from=x.xxxxxxxx.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=xxxxxxxx; d=x.xxxxxxxx.com;
The problem here is I don't really know how to verify that this is correctly set up against the sending domain/company domain or really whatever else I should be checking.
Can someone please guide me through what I should be looking for here?
Just to be sure, do you know for certain that the page is verified? I thought ours was verified because it showed a little icon next to our web address, but it needs to be the little shield icon next to your logo image on the Google+ page.
As far as the email signing goes, it can either be DKIM or SPF, and it looks like both headers are found. They even use a DMARC header, good stuff! :)

Google Email Group not receiving specific email

We are currently using a webapp that generates outbound emails, but are experiencing a few issues.
When the system sends an email directly to a Gmail user (eg. john.smith#domain.com) it is received fine. If the email is sent to a Google apps group (eg. finance#domain.com) it is never received by any of the group members.
The "finance#domain.com" propagates to approximately 6 users. I have reviewed the Spam folder for a few of them and the email still isn't there either.
If the Google engine does indeed classify the inbound email as spam for a Google group, what does it do with it?
Here's a snippet of the header showing that SPF passes:
Received-SPF: pass (google.com: domain of XXXX designates XXX.XXX.XXX.XXX as permitted sender) client-ip=XXXXX;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of XXXX designates XXX.XXX.XXX.XXX as permitted sender) smtp.mail=XXXXXXX
This could be an issue of the mail being marked as spam by the Group, not the users. Essentially, when you leave spam on for a group, it'll get checked there and also at the user level. More information about this can be found here.
If that doesn't seem to be the root cause, I would check at the Email log search within the Admin console to see what's going on with a bit more detail.
Hope this helps!

How can the Return-Path header be different than the actual email bounce recipient?

I recently moved my transactional email sending to Mailgun.
It works well so far; however, I am wondering about the Return-Path header.
Consider this email (I removed irrelevant header and replaced email/domain for privacy purposes)
Delivered-To: RECIEVER#gmail.com
Received: by 10.76.154.104 with SMTP id vn8csp478308oab;
Wed, 4 Sep 2013 05:04:44 -0700 (PDT)
X-Received: by 10.50.22.105 with SMTP id c9mr1537992igf.36.1378296283817;
Wed, 04 Sep 2013 05:04:43 -0700 (PDT)
Return-Path: <bounce+a801a1.c2b37-RECIEVER=gmail.com#my-website.com>
Received: from so254-63.mailgun.net (so254-63.mailgun.net. [198.61.254.63])
by mx.google.com with ESMTP id k5si1620852igx.55.1969.12.31.16.00.00;
Wed, 04 Sep 2013 05:04:43 -0700 (PDT)
Received-SPF: ...stripped...
Authentication-Results: ...stripped...
DKIM-Signature: ...stripped...
DomainKey-Signature: ...stripped...
Received: by luna.mailgun.net with HTTP; Wed, 04 Sep 2013 12:04:42 +0000
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Subject: ...stripped...
From: my-website <support#my-website.com>
To: RECIEVER#gmail.com
Message-Id: <20130904120442.1488.88532#my-website.com>
X-Mailgun-Sid: WyI5YmI1OSIsICJqb2Vob3BmK2VlZ2VpN2lkMm9pbW9vYm9vZmFpQGdtYWlsLmNvbSIsICJjMmIzNyJd
Date: Wed, 04 Sep 2013 12:04:43 +0000
Sender: support#my-website.com
Content-Transfer-Encoding: base64
...email body...
This is the Raw email displayed from an actual mail in a gmail inbox.
As you can see the Return-Path header contains an email address that ends in #my-website.com
But I have only set up dns records for outgoing email (spf, domainkey, etc).
Not for incoming email. Meaning, my MX records still point to mailservers somewhere else (In my case google apps).
How is it possible then that the bounce email arrives at mailgun servers?
I would have expected to see an email address ending in #some-mailgun-server.com in the Return-Path header!
I have been using Amazon SES before, and there they had Return-Path header ending in amazonses.com
I asked the mailgun support and got this response:
Nick: your setup is correct, Mailgun will still automatically handle
the bounces even though your mx records are pointing elsewhere
They just assured me that everything was fine but gave me no explanation (which is okay since their job is not to teach me things I don't know but to deliver reliable email service...)
So I hope somebody can explain this to me.
I hope the point is clear, if not please ask and I will try to clarify my question.
EDIT:
One theory of mine is that the bounce email is indeed sent to Google mail servers, where it is discarded, but that this is redundant since the error response is also sent to the sending mailserver during the process (when it opens its TCP connection to the target mail server).
To test this theory and since the Return-Path email is in the form of bounce+SOMETHING#my-website.com, and google delivers all email, regardless of what comes after the + character, to the user in front of it, I went ahead and created the account bounce#my-domain.com on google apps.
I also tried to send an email to bounce+a801a1.c2b37-RECIEVER=gmail.com#my-website.com.
It made it through to my inbox.
Now I expected to receive bounce traffic in my inbox. So I sent an email to a nonexistent hotmail address. I did not receive email on my google apps inbox, and mailgun successfully tracked the bounce.
So... It appears that it does indeed work. I just don't understand why.
One more theory I have is that the mailserver to which the bounce email is delivered is never resolved using its MX records. Rather always the delivering server, in this case luna.mailgun.net is chosen.
The domain ending in the Return-Path address is just the name of the mailbox on the server, but the domain has nothing to do with the server where the mail is actually delivered.
Then it would also make sense to make it like this since it might improve deliverability if the domains of From and Return-Path address match.
However this is only a theory. And it would also mean that a mailbox which is able to receive bounces, must be on the same server that is used for sending.
In other words it would be impossible to have a mailbox to receive bounce email addresses that is hosted somewhere else than the actual server sending the mail. But this sounds strange to me as well...
I hope somebody can enlighten me.
Turns out that there are different kinds of bounces.
When bounces occur they are generally returned to the server that is sending the email, and do not follow the MX records.
That's why they are sent to the mailgun servers and also arrive there.
However there are also so called "Delayed Bounces" that are sent to the server declared as mailserver using MX records in the domain.
Those delayed bounces are generally difficult to handle and there are opinions out there that they violate RFC.
Those bounces are however very, very rare. That's why mailgun does not handle them. The reason they use the client's domain in the return-path address is so that they can assign it to the right account. They just encode it that way...
In fact, as I was setting up my mailbox for bounces on my google apps mail, I received one such delayed bounce.
It was this email that made proper debugging possible, which led to the understanding of this issue.
So to sum up:
Yes, the address is incorrect. That is no problem for most bounces since the server does not use MX records to send them, but sends them directly to the server that has initiated the connection.
However, in the case of delayed bounces, which also sometimes happen, the bounce will indeed go to the server behind the MX records of the domain specified in the return-path address.
Those emails are not properly recognised as bounces at mailgun servers.