The Amazon SES "email feedback forwarding" notifications (I usually call them "bounce notifications") sent to Google Groups email get rejected every time. These same notifications make it through to normal Gmail and Google Workspace email accounts; they only get rejected by Google when they are sent to a group.
Just to give some background, I have ensured that my Amazon SES settings are all set up correctly for "email feedback forwarding" to work, and my Google Group is set up correctly to receive external email as well (see other post on the topic). And today I spoke with a Google Support Engineer and he also double-checked that my Google Groups is configured properly as well.
Indeed Amazon SES' bounce notifications are being sent to my Google Group, and they are received by Google, but then rejected/bounced. I can see the emails in Google's "Email Log Search" tool, and I can see these messages have a final disposition of "bounced." See screenshot below, which shows an example from Email Search Log of one of these bounce messages.
The Google Support Engineer spoke with their developer team about the problem, and the developer team said that the problem is that the Amazon SES bounce emails are missing an important header which designates the "Sender." Above you see the "Sender" field is empty - and Google said this would be fine for emails destined for a normal google account, but this is not okay when the destination is a Google Group email. The support engineer explained that Google Group emails have some additional checks and security requirements since it acts like a distribution list.
So what exactly does "Sender" mean? The screenshot above's "Sender" field might be referring to the "Sender" header as pointed out in RFC 5322, but from the emails I have analyzed in the Email Log Search tool, the "Sender" field gets populated from the "Reply-Path" header, or maybe from the "smtp.mailfrom" field (which might be the same thing?). One thing Google Support made clear is that the "From" header is not used to evaluate who the "Sender" is. Since the bounce email only specifies the "From" this is a problem - see "More details" section below for more on this.
Potential resolution:
So to summarize what I think needs to be done to resolve: Amazon SES's bounce/complaint notification emails should start including a "Return-Path" header so that companies like mine can use Google Groups as the "email feedback forwarding" option.
Is there any way an Amazon SES engineer could get forwarded this post and reply?
More details:
As I alluded to above, a normal Google email account does get these bounce/complaint emails, so I thought that sharing the email headers from one of these could be helpful. Please note that the "Reply-Path" header is not specified (it is set to <>), and this is what I am advocating gets changed/added.
Delivered-To: shaun@herobullion.com
Received: by 2002:a05:7000:502f:b0:4e4:3beb:d8a6 with SMTP id e15csp3013801mab;
Mon, 26 Jun 2023 09:02:01 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ72sQPYMPAAha51wBFas2S6vr+EJk44J1SQeJsGTrewg1PidSZd1wtIgYgtg4/3pYB+CDrW
X-Received: by 2002:a05:6a00:1a0e:b0:656:8e21:bd37 with SMTP id g14-20020a056a001a0e00b006568e21bd37mr21714506pfv.21.1687795320616;
Mon, 26 Jun 2023 09:02:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1687795320; cv=none;
d=google.com; s=arc-20160816;
b=VoJn57mSdQi5kp6Q+EuGk53jOyjsfXg6yODQ+7rtmCVijPQH6WvxeSXGqwBWZ+21t4
aF/1I56O6XX421WCj20czDnDZOtqxkpo9hKTiJs0PP4lxkqKKvCI3+dxcgiTLXbVNt8r
nV6rhDOBKQGtkxItYDO29KYhKK1uhNP+Oozc86DLnF8Nif9TwewIgNFiowgmMq+35rXG
FC7D8SXW6mhoAGb9E/D4eJMueJFgFVCvaAW3atO+u2HUWSAuxR+/Di6/kaj3pLZWdC2E
jd6ss2Y6iZ5ceEydoGxqiuox/3y0QA7u5RX4xIyneTCd0OTRBlPpDvHvTFU6H9J2CDRQ
MfLA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=feedback-id:mime-version:subject:message-id:to:from:date
:dkim-signature;
bh=jQR6OgixIZFTLPThRnbr9bLlDJapxQsIpSRod0MrLPk=;
fh=8hgDFfeKFd+6T+sDHgH/Lx9BYrkGWSt+gZ3k0Zh5G+Q=;
b=OCUQYaWFGYQDB3On3I0heWYzmHs8vba7K1deUIxIg43jNWEPVErDmMPF104usCZVnZ
ivQ5GF31f96cViIZHJjtCRD4KIteXuHDObV86sj8FYkgOUPL0REQob8vYOSp4mNG+OMK
iSZDOQ3SnA4u4OXABXLiTrlYq0OFkpHdvu5k2Y2pUTpImoyg1p3tIuGqPVwew2yUHSV6
5rl++8zA2MI/NjeMh/iDH124BUVSQzCzi9eVSwHkoPn/2pmdPAXf4fYwD7hn0YYrFV05
X1J2idbBuahFUsqKQiMsX60JJaJMEx3Kod+zuYXwnOK+xiHP+37fWnseGclrWRpZKMkh
6c9w==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=CiwUZ6wA;
spf=pass (google.com: domain of postmaster@a27-160.smtp-out.us-west-2.amazonses.com designates 54.240.27.160 as permitted sender) smtp.helo=a27-160.smtp-out.us-west-2.amazonses.com;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazonses.com
Return-Path: <>
Received: from a27-160.smtp-out.us-west-2.amazonses.com (a27-160.smtp-out.us-west-2.amazonses.com. [54.240.27.160])
by mx.google.com with ESMTPS id t18-20020a056a00139200b00678ee482bc7si1759565pfg.251.2023.06.26.09.02.00
for <shaun@herobullion.com>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Mon, 26 Jun 2023 09:02:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of postmaster@a27-160.smtp-out.us-west-2.amazonses.com designates 54.240.27.160 as permitted sender) client-ip=54.240.27.160;
Authentication-Results: mx.google.com;
dkim=pass header.i=@amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=CiwUZ6wA;
spf=pass (google.com: domain of postmaster@a27-160.smtp-out.us-west-2.amazonses.com designates 54.240.27.160 as permitted sender) smtp.helo=a27-160.smtp-out.us-west-2.amazonses.com;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazonses.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=hsbnp7p3ensaochzwyq5wwmceodymuwv; d=amazonses.com; t=1687795319; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:Feedback-ID; bh=VVJoFNPxGcVvodyF9zwlcI5bsH6Z6VFDhSgl7ISSKjk=; b=CiwUZ6wAfKBNDIwF/pfHJau4Zrgqlyi5t3VarnOanqMprEbQ6LBEHs9/lAco7Sef 6nqsTkbfFoM8ma/S05RII+lFn42dBBkBEk+TUMygiufu4kEaIB+AUwHAARKNeZi1PsZ QFn74sahlvc/pItJXZ0iY8vZHaUjOgzNL/uNN6Tc=
Date: Mon, 26 Jun 2023 16:01:59 +0000
From: MAILER-DAEMON@us-west-2.amazonses.com
To: shaun@herobullion.com
Message-ID: <01010188f870c251-1a07f4c2-a2e6-4b1f-8970-4bf286307ad9-000000@us-west-2.amazonses.com>
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; boundary="----=_Part_689375_2017634776.1687795319396"; report-type=delivery-status
Feedback-ID: 1.us-west-2.QHuyeCQrGtIIMGKQfVdUhP9hCQR2LglVOrRamBc+Prk=:AmazonSES
X-SES-Outgoing: 2023.06.26-54.240.27.160
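An added example (not part of the original post, and not Amazon's or Google's code) that separates the envelope sender from the header identities in a message like the one above, so an empty `Return-Path` on a delivery status notification can be spotted before pointing a feedback address at a group. The sample messages are constructed; the first is abbreviated from the headers in the post with a placeholder recipient, and `describe_sender` is a hypothetical helper name.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed samples. The first is abbreviated from the headers in the post
# (recipient replaced by a placeholder); the second is an invented ordinary message.
SES_DSN = """\
Return-Path: <>
Authentication-Results: mx.google.com;
 spf=pass smtp.helo=a27-160.smtp-out.us-west-2.amazonses.com;
 dmarc=pass header.from=amazonses.com
From: MAILER-DAEMON@us-west-2.amazonses.com
To: group@example.org
Content-Type: multipart/report; boundary="b1"; report-type=delivery-status

"""
ORDINARY = """\
Return-Path: <bounces@mail.example.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounces@mail.example.com
From: Alice <alice@example.com>
To: group@example.org
Content-Type: text/plain

"""

def describe_sender(raw):
    """Separate the envelope sender from the header identities of one message."""
    msg = Parser(policy=policy.default).parsestr(raw, headersonly=True)
    # Return-Path is written by the final MTA from the SMTP MAIL FROM value.
    envelope = str(msg.get("Return-Path", "")).strip().strip("<>")
    # With an empty MAIL FROM, SPF is evaluated against the HELO name (RFC 7208).
    m = re.search(r"\bsmtp\.(mailfrom|helo)=([^\s;]+)",
                  str(msg.get("Authentication-Results", "")))
    return {
        "envelope_sender": envelope,
        # RFC 5321 requires the null reverse-path "<>" on notification messages.
        "null_reverse_path": "Return-Path" in msg and envelope == "",
        "is_dsn": (msg.get_content_type() == "multipart/report"
                   and msg.get_param("report-type") == "delivery-status"),
        "spf_identity": (m.group(1), m.group(2)) if m else None,
        "header_from": parseaddr(str(msg.get("From", "")))[1],
        "sender_header": msg.get("Sender"),
    }

if __name__ == "__main__":
    for name, raw in (("SES DSN", SES_DSN), ("ordinary", ORDINARY)):
        print(name, describe_sender(raw))
```

For the DSN sample the only populated sender identity is the `From` header, which matches the empty "Sender" field described in the post.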
Yep, the original email my system sends includes the "Return-Path" header correctly. When I set the "Return-Path" to a normal Gmail address it works flawlessly, no problems, I get a bounce message from Amazon SES. The only odd thing about that bounce message is that it doesn't include a "Return-Path" - but Gmail is fine with that. The problem is that Google Groups addresses have a requirement that to deliver the message it must have a "Return-Path" specified, so since these Amazon SES-generated bounce messages don't have it, they get dropped.
Thanks for your effort, but I don't think that the suggestion to debug mail headers via lambda is helpful in my situation, although maybe I don't fully understand. My issue is that the initial instructions say to set up MX records for my domain that point to Amazon SES servers... the thing is that this domain already has MX records pointing to Google's servers because we utilize Google Workspace for our business email. I feel like that suggestion might be for a slightly different use case, but would welcome any clarifications you have.