Problem with Amazon SES bounce notification emails - they can't be received by Google Group email addresses


The Amazon SES "email feedback forwarding" notifications (I usually call them "bounce notifications") sent to Google Groups email addresses get rejected every time. These same notifications make it through to normal Gmail and Google Workspace email accounts; they only get rejected by Google when they are sent to a group.

Just to give some background, I have ensured that my Amazon SES settings are all set up correctly for "email feedback forwarding" to work, and my Google Group is set up correctly to receive external email as well (see other post on the topic). And today I spoke with a Google Support Engineer and he also double-checked that my Google Groups is configured properly as well.

Indeed Amazon SES' bounce notifications are being sent to my Google Group, and they are received by Google, but then rejected/bounced. I can see the emails in Google's "Email Log Search" tool, and I can see these messages have a final disposition of "bounced." See screenshot below, which shows an example from Email Search Log of one of these bounce messages.

[Screenshot: Google Email Log Search Shows Email Bounced]

The Google Support Engineer spoke with their developer team about the problem, and the developer team said that the problem is that the Amazon SES bounce emails are missing an important header which designates the "Sender." Above you see the "Sender" field is empty - and Google said this would be fine for emails destined for a normal google account, but this is not okay when the destination is a Google Group email. The support engineer explained that Google Group emails have some additional checks and security requirements since it acts like a distribution list.

So what exactly does "Sender" mean? The screenshot above's "Sender" field might be referring to the "Sender" header as pointed out in RFC 5322, but from the emails I have analyzed in the Email Log Search tool, the "Sender" field gets populated from the "Reply-Path" header, or maybe from the "smtp.mailfrom" field (which might be the same thing?). One thing Google Support made clear is that the "From" header is not used to evaluate who the "Sender" is. Since the bounce email only specifies the "From" this is a problem - see "More details" section below for more on this.

Potential resolution:

So to summarize what I think needs to be done to resolve: Amazon SES's bounce/complaint notification emails should start including a "Return-Path" header so that companies like mine can use Google Groups as the "email feedback forwarding" options.

Is there any way an Amazon SES engineer could get forwarded this post and reply?

More details:

As I alluded to above, a normal Google email account does get these bounce/complaint emails, so I thought that sharing the email headers from one of these could be helpful. Please note that the "Reply-Path" header is not specified (it is set to <>), and this is what I am advocating gets changed/added.

Delivered-To: shaun@herobullion.com
Received: by 2002:a05:7000:502f:b0:4e4:3beb:d8a6 with SMTP id e15csp3013801mab;
        Mon, 26 Jun 2023 09:02:01 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ72sQPYMPAAha51wBFas2S6vr+EJk44J1SQeJsGTrewg1PidSZd1wtIgYgtg4/3pYB+CDrW
X-Received: by 2002:a05:6a00:1a0e:b0:656:8e21:bd37 with SMTP id g14-20020a056a001a0e00b006568e21bd37mr21714506pfv.21.1687795320616;
        Mon, 26 Jun 2023 09:02:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1687795320; cv=none;
        d=google.com; s=arc-20160816;
        b=VoJn57mSdQi5kp6Q+EuGk53jOyjsfXg6yODQ+7rtmCVijPQH6WvxeSXGqwBWZ+21t4
         aF/1I56O6XX421WCj20czDnDZOtqxkpo9hKTiJs0PP4lxkqKKvCI3+dxcgiTLXbVNt8r
         nV6rhDOBKQGtkxItYDO29KYhKK1uhNP+Oozc86DLnF8Nif9TwewIgNFiowgmMq+35rXG
         FC7D8SXW6mhoAGb9E/D4eJMueJFgFVCvaAW3atO+u2HUWSAuxR+/Di6/kaj3pLZWdC2E
         jd6ss2Y6iZ5ceEydoGxqiuox/3y0QA7u5RX4xIyneTCd0OTRBlPpDvHvTFU6H9J2CDRQ
         MfLA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=feedback-id:mime-version:subject:message-id:to:from:date
         :dkim-signature;
        bh=jQR6OgixIZFTLPThRnbr9bLlDJapxQsIpSRod0MrLPk=;
        fh=8hgDFfeKFd+6T+sDHgH/Lx9BYrkGWSt+gZ3k0Zh5G+Q=;
        b=OCUQYaWFGYQDB3On3I0heWYzmHs8vba7K1deUIxIg43jNWEPVErDmMPF104usCZVnZ
         ivQ5GF31f96cViIZHJjtCRD4KIteXuHDObV86sj8FYkgOUPL0REQob8vYOSp4mNG+OMK
         iSZDOQ3SnA4u4OXABXLiTrlYq0OFkpHdvu5k2Y2pUTpImoyg1p3tIuGqPVwew2yUHSV6
         5rl++8zA2MI/NjeMh/iDH124BUVSQzCzi9eVSwHkoPn/2pmdPAXf4fYwD7hn0YYrFV05
         X1J2idbBuahFUsqKQiMsX60JJaJMEx3Kod+zuYXwnOK+xiHP+37fWnseGclrWRpZKMkh
         6c9w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=CiwUZ6wA;
       spf=pass (google.com: domain of postmaster@a27-160.smtp-out.us-west-2.amazonses.com designates 54.240.27.160 as permitted sender) smtp.helo=a27-160.smtp-out.us-west-2.amazonses.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazonses.com
Return-Path: <>
Received: from a27-160.smtp-out.us-west-2.amazonses.com (a27-160.smtp-out.us-west-2.amazonses.com. [54.240.27.160])
        by mx.google.com with ESMTPS id t18-20020a056a00139200b00678ee482bc7si1759565pfg.251.2023.06.26.09.02.00
        for <shaun@herobullion.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 26 Jun 2023 09:02:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of postmaster@a27-160.smtp-out.us-west-2.amazonses.com designates 54.240.27.160 as permitted sender) client-ip=54.240.27.160;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=CiwUZ6wA;
       spf=pass (google.com: domain of postmaster@a27-160.smtp-out.us-west-2.amazonses.com designates 54.240.27.160 as permitted sender) smtp.helo=a27-160.smtp-out.us-west-2.amazonses.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazonses.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=hsbnp7p3ensaochzwyq5wwmceodymuwv; d=amazonses.com; t=1687795319; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:Feedback-ID; bh=VVJoFNPxGcVvodyF9zwlcI5bsH6Z6VFDhSgl7ISSKjk=; b=CiwUZ6wAfKBNDIwF/pfHJau4Zrgqlyi5t3VarnOanqMprEbQ6LBEHs9/lAco7Sef 6nqsTkbfFoM8ma/S05RII+lFn42dBBkBEk+TUMygiufu4kEaIB+AUwHAARKNeZi1PsZ QFn74sahlvc/pItJXZ0iY8vZHaUjOgzNL/uNN6Tc=
Date: Mon, 26 Jun 2023 16:01:59 +0000
From: MAILER-DAEMON@us-west-2.amazonses.com
To: shaun@herobullion.com
Message-ID: <01010188f870c251-1a07f4c2-a2e6-4b1f-8970-4bf286307ad9-000000@us-west-2.amazonses.com>
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; boundary="----=_Part_689375_2017634776.1687795319396"; report-type=delivery-status
Feedback-ID: 1.us-west-2.QHuyeCQrGtIIMGKQfVdUhP9hCQR2LglVOrRamBc+Prk=:AmazonSES
X-SES-Outgoing: 2023.06.26-54.240.27.160
Shaun
asked 10 months ago, 556 views
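
The identities discussed in the question (envelope sender recorded in Return-Path, the From header, the Sender header, and the identity SPF was evaluated against) can be pulled apart from a received message's headers. This is an added example, not part of the original post and not AWS or Google code; the sample messages and all example.* names are constructed. A delivery status notification is sent with a null reverse-path per RFC 5321, which is why Return-Path reads `<>` and SPF is evaluated against smtp.helo instead of smtp.mailfrom.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (example.* domains, documentation IP), trimmed to the relevant headers.
DSN = """\
Return-Path: <>
Authentication-Results: mx.example.net;
       spf=pass (domain of postmaster@out1.mta.example.com designates 192.0.2.10 as permitted sender) smtp.helo=out1.mta.example.com;
       dmarc=pass header.from=mta.example.com
From: MAILER-DAEMON@mta.example.com
To: bounces@example.org
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; boundary="b1"; report-type=delivery-status

"""

NORMAL = """\
Return-Path: <bounce-123@mail.example.com>
Authentication-Results: mx.example.net;
       spf=pass smtp.mailfrom=bounce-123@mail.example.com
From: Shop <orders@example.com>
Sender: mailer@mail.example.com
Subject: Your order

hello
"""

def sender_identities(raw):
    """Separate the envelope sender, From, Sender and the SPF-checked identity."""
    msg = message_from_string(raw)
    return_path = msg.get("Return-Path")
    # "<>" is the null reverse-path; None means the header is absent altogether.
    envelope = None if return_path is None else return_path.strip().strip("<>")
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"smtp\.(mailfrom|helo)=([^\s;]+)", auth)
    return {
        "envelope_from": envelope,
        "null_reverse_path": envelope == "",
        "header_from": parseaddr(msg.get("From", ""))[1],
        "header_sender": parseaddr(msg.get("Sender", ""))[1] or None,
        "spf_checked": spf.groups() if spf else None,
        "is_dsn": msg.get_content_type() == "multipart/report"
                  and msg.get_param("report-type") == "delivery-status",
    }

if __name__ == "__main__":
    for name, raw in (("DSN", DSN), ("normal", NORMAL)):
        print(name, sender_identities(raw))
```
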
1 Answer

Generally, bounce emails are sent to "Return-Path". From the header information you have shared, this attribute is empty. If SES is being used as your email sender, could you validate and confirm you are using the email feedback forwarding configuration as explained in the documentation?

Enabling Email Feedback Forwarding https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity-using-notifications-email.html#monitor-sending-activity-using-notifications-email-enabling

Email Feedback Forwarding Destination https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity-using-notifications-email.html#monitor-sending-activity-using-notifications-email-destination

For debugging your mail headers, you can intercept these bounce notifications via Lambda and re-send notifications to confirm where this attribute is becoming empty.

Blog https://aws.amazon.com/blogs/messaging-and-targeting/forward-incoming-email-to-an-external-destination/

AWS
answered 10 months ago
  • Yep, the original email my system sends includes the "Return-Path" header correctly. When I set the "Return-Path" to a normal Gmail address it works flawlessly, no problems, I get a bounce message from Amazon SES. The only odd thing about that bounce message is that it doesn't include a "Return-Path" - but Gmail is fine with that. The problem is that Google Groups addresses have a requirement that to deliver the message it must have a "Return-Path" specified, so since these Amazon SES-generated bounce messages don't have it, they get dropped.

  • Thanks for your effort, but I don't think that the suggestion to debug mail headers via Lambda is helpful in my situation, although maybe I don't fully understand. My issue is that the initial instructions say to set up MX records for my domain that point to Amazon SES servers... the thing is that this domain already has MX records pointing to Google's servers because we utilize Google Workspace for our business email. I feel like that suggestion might be for a slightly different use case, but would welcome any clarifications you have.
