Why is google.com trying to send emails from my domain?

Question

I pulled up a DMARC Analyzer report showing emails received on behalf of my domain:

In addition to my normal authorized (SPF+DKIM aligned) personal emails from the protonmail.ch domain, there are unauthorized emails coming from the google.com domain. I don't use any Google email services with this domain, and never have. My domain's DMARC policy is correctly rejecting these unauthorized emails.

I know the emails are truly originating from Google and not just random internet noise, because the emails are signed cryptographically by google.com.

(Rein has pointed out that they are actually signed by my domain, just forwarded by Google.)

Here is a snippet from a DMARC aggregate report (from Google) that shows two emails coming from one of Google's IPs:

<record>
    <row>
      <source_ip>(IP address owned by Google LLC)</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>maxlaumeister.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>maxlaumeister.com</domain>
        <result>pass</result>
        <selector>protonmail</selector>
      </dkim>
      <spf>
        <domain>maxlaumeister.com</domain>
        <result>fail</result>
      </spf>
    </auth_results>
</record>

My SPF/DKIM/DMARC records are:

maxlaumeister.com: TXT "v=spf1 include:_spf.protonmail.ch mx -all"
protonmail._domainkey.maxlaumeister.com: TXT "v=DKIM1; k=rsa; p=(long key)"
_dmarc.maxlaumeister.com: TXT "v=DMARC1; p=reject; rua=mailto:(redacted)@rep.dmarcanalyzer.com,mailto:(redacted)@maxlaumeister.com; ruf=mailto:(redacted)@for.dmarcanalyzer.com,mailto:(redacted)@maxlaumeister.com; fo=1;

My question is: Why is google.com trying to send emails on behalf of my domain in the first place? And could this cause any deliverability problems for my legitimate emails?

Answer 1

Short Answer: You're seeing internally routed emails in your DMARC reports, for recipient domains hosted on Google GSuite.

From the screenshot you share, it seems like these emails sent from Google servers are actually allowed through, based on DKIM signing for your domain (100% DMARC compliance), while failing SPF alignment with your domain. Not visible from your screenshot, but I suspect Google has rewritten the return-path for the email to its own domain. You should be able to find that information in the actual XML files of the Aggregate reports.

Basically, these are forwarded emails. If you send emails to a Distribution List that is hosted in Google's GSuite (Groups for Business), those emails actually get forwarded to the final recipients, usually mailboxes in the same organization as the Distribution List. On an Office 365 Distribution List this type of routing would not appear in your DMARC reports, however, Google is very noisy about this and includes these forwards in their Aggregate Reports that are sent to the domain owner of the sending domain.

Answer 2

Did you accept or reject a Google calendar invite? The creator of the event will get an email from Google using your email address as 'from' address.

Might be the case for other services offered by Google.