DMARC Management - Incorrect Reporting?

Spent quite a bit of time troubleshooting DMARC, SPF, DKIM, etc. to ensure my records are all correct, flattened, etc. I’m now seeing what looks to be false positives being reported:

Based on the number of messages, it looks like these are emails that are being sent to a Google Group (Distribution List/Mailing List) that are then being forwarded to the individual members on the list. All of the members are internal and have the same domain name ([email protected]) as the Mailing List ([email protected]).

DMARC passed successfully on the original message but is failing when forwarded. Authenticated Received Chain (ARC) was developed as an extension of DMARC to handle these types of situations. It preserves email information in a way that helps these messages pass authentication checks.

Read more here: https://powerdmarc.com/what-is-arc/

Looking at the email headers of some of the emails, I see the following (sanitized):

ARC-Authentication-Results: i=3; mx.google.com;
       dkim=pass [email protected] header.s=20221208 header.b=BzMl3dUi;
       arc=pass (i=2 spf=pass spfdomain=sendingdomain.net dkim=pass dkdomain=sendingdomain.net dmarc=pass fromdomain=sendingdomain.net);
       spf=pass (google.com: domain of [email protected] designates 209.85.220.69 as permitted sender) smtp.mailfrom=dmarc+bncBCTKV6WLTQPBB6MYQWRQMGQEG7TJRPQ@receivingdomain.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE arc=pass) header.from=sendingdomain.net

I updated my RUA so that I might get the XML from Google tomorrow, but I suspect the Cloudflare DMARC Reporting parser is seeing the dmarc=fail in the header and reporting on it even though DMARC passed correctly when the message was received.

I’ve also signed up for another DMARC reporting service to see if I get the same reported Failures as I’m getting with Cloudflare to compare but I think my initial hunch is correct…

Anyone have additional insight?

I think I figured out the problem with regards to Google Group / Distribution Lists and am posting here in case someone else finds this.

Steps to Reproduce:

  1. Using www.learndmarc.com/, I took the email address and added it as a member of my Google Group.
  2. Sent an email from my internal user ([email protected]) to the Group ([email protected])
  3. Reviewed the results

I couldn’t figure out why Google was rewriting the domain and adding a “-” instead of “.”.

After quite a bit of searching I ran across this gem:
“Google only rewrites the “From” header when the DMARC policy of the original sender is set to “reject” or “quarantine”. If you have a “none” policy, then from Google’s perspective, failing DMARC with a “none” policy doesn’t actually prevent delivery, so they don’t go through the trouble to re-write the From.”

TL;DR
If your DMARC/DKIM is failing with Google Group / Distribution Lists, make sure your policy “p=” is set to either “reject” or “quarantine”, or else Gmail won’t rewrite the headers properly, causing DKIM/DMARC to fail.

I need to wait a few days to see if this actually solves my issue in the Cloudflare DMARC Management reporting…

4 Likes
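Added example, not part of the original thread and not Cloudflare's or Google's parser: a small Python reader for the `ARC-Authentication-Results` header quoted above. It shows how the final hop can record `dmarc=fail` while the ARC comment still carries the upstream `dmarc=pass`. The addresses at receivingdomain.com (standing in for the redacted ones) and the simplified alignment check are assumptions.

```python
import re

# Constructed sample modeled on the header quoted in the post. The redacted
# addresses are replaced with assumed values at receivingdomain.com.
SAMPLE = (
    "ARC-Authentication-Results: i=3; mx.google.com;\n"
    " dkim=pass header.i=@receivingdomain.com header.s=20221208;\n"
    " arc=pass (i=2 spf=pass spfdomain=sendingdomain.net dkim=pass"
    " dkdomain=sendingdomain.net dmarc=pass fromdomain=sendingdomain.net);\n"
    " spf=pass (google.com: domain of bounce@receivingdomain.com designates"
    " 209.85.220.69 as permitted sender) smtp.mailfrom=bounce@receivingdomain.com;\n"
    " dmarc=fail (p=NONE sp=NONE dis=NONE arc=pass) header.from=sendingdomain.net"
)

def parse_results(header):
    """Map each method (dkim/spf/dmarc/arc) to its result, comment and properties.
    Keeps one entry per method, which is enough for this header."""
    out = {}
    for clause in header.split(":", 1)[1].split(";"):
        m = re.match(r"\s*(dkim|spf|dmarc|arc)=(\w+)", clause)
        if not m:
            continue  # skips the instance number (i=3) and the authserv-id
        comment = re.search(r"\((.*?)\)", clause, re.S)
        entry = dict(re.findall(r"([\w.]+)=(\S+)", re.sub(r"\(.*?\)", "", clause, flags=re.S)))
        entry["result"] = m.group(2)
        entry["comment"] = comment.group(1) if comment else ""
        out[m.group(1)] = entry
    return out

def domain_of(value):
    return value.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned(a, b):
    # Simplification: same domain or parent/child. Real relaxed alignment
    # compares organizational domains using the Public Suffix List.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def explain(header):
    r = parse_results(header)
    from_dom = domain_of(r["dmarc"]["header.from"])
    upstream = dict(re.findall(r"(\w+)=(\S+)", r["arc"]["comment"]))
    return {
        "dmarc": r["dmarc"]["result"],
        "spf_aligned": aligned(domain_of(r["spf"]["smtp.mailfrom"]), from_dom),
        "dkim_aligned": aligned(domain_of(r["dkim"]["header.i"]), from_dom),
        "arc_chain_pass": "arc=pass" in r["dmarc"]["comment"],
        "upstream_dmarc": upstream.get("dmarc"),
    }
```

With the assumed values, SPF and DKIM both pass but neither identity aligns with `header.from`, which is the combination that yields `dmarc=fail` at the last hop.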