Email Security Blog

Why are my Google Calendar Invites Blocked by DMARC?

Todd Weltz June 30, 2017 DMARC, Resources
Fallback Featured Image

Are you sending Google Calendar invites and not getting replies, or maybe your invitees tell you they tried to reply and it was blocked? Or maybe you are trying reply to Google Calendar invites and being blocked saying the mail is not accepted due to your domain’s DMARC policy?

This is an issue I have been seeing, so I did some digging and I have figured out what is going on. Before I get to the cause, let’s look at a little background on Google Calendar invites.

When a Google Calendar invite arrives, you will usually see options within the message space to send your reply – Yes, Maybe or No. You may also see response buttons that are “out-of-band” – which is a fancy way of saying outside the area that contains the actual mail content. This is added by the mail client you are using to view the message.

For example, this is an invitation from a Google Calendar in a yahoo.com mailbox. There’s a green box around the reply options that are added out-of-band by Yahoo outside the message and a red box around the reply options that Google added when the invite was sent.

While you might expect that these would generally function the same way, there is a very important difference that has an effect on domains that are protected by a DMARC reject policy.

If I use the out-of-band response buttons, then Yahoo! generates and sends a response to Google to accept/reject the calendar invite. If I use the Google response options in the body of the invitation, it is Google that generates and sends a response to Google – and this is where we have a problem.

When Google generates the response, it is sent via email, from a Google server. The header From address used is the email address of the person accepting the invite. So in this case, we have a yahoo.com email coming from a Google server and as a result, Google refuses the message in accordance with the Yahoo! DMARC reject policy.

The invite recipient can work around the issue by using the out-of-band response buttons, although they may not know this. And in other cases a recipient may not even have out-of-band options. For example, recipients on aol.com appear to only have the Google response options. I’m using yahoo.com and aol.com as examples because they both have DMARC records using reject policies and this issue will only affect replies for invites sent to domains with DMARC reject policies.

This issue will affect Google Calendar invites for recipients on domains with DMARC reject policies, such as AOL and Yahoo!. However, Microsoft’s webmail domains (outlook.com, hotmail.com, live.com etc.) are unaffected as they have not yet been moved to DMARC reject policies. Likewise, Apple’s domains (me.com, mac.com and cloud.com) are also unaffected.

For invites sent to recipients on corporate domains, dmarc.org has a list of some well-known organizations and the status of their DMARC policies at https://dmarc.org/who-is-using-dmarc/. You can also use our DMARC lookup tool to see if a recipient domain is using a reject policy at this time: https://www.agari.com/project/dmarc.

This issue will only be resolved if Google redesigns the responses generated by these buttons to use a Google domain in the Header From address or if these messages are sent in a way that would not be subject to a DMARC check.

Until then, if you’re having issues replying to Google Calendar invites, I recommend using the out-of-band response options if your mail client includes them. If your mail client doesn’t provide out-of-band response options and your invite responses using the Google buttons are failing, I would suggest replying to the sender as an email. If you’re sending Google Calendar invites, there’s not much you can do, but now you’ll at least be aware that recipients may have issues responding.

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

June 13, 2019 Fareed Bukhari

DMARC Adoption Worldwide Slows with Australia's ASX 100 Remaining Most Vulnerable

DMARC adoption rose a tepid 1% in the first quarter of the year, with the…

Agari Blog Image

May 23, 2019 Suela Vahdat

DMARC Remains Elusive with 86% of gov.uk Domains Open to Impersonation

More than three-quarters of UK government organisations haven't yet adopted Domain-based Message Authentication and Reporting…

Agari Blog Image

May 21, 2019 Armen Najarian

Why DMARC Could Make or Break Your B2B Email Marketing Programs

In B2B email marketing, nothing says amateur hour like a landing page with the words…

Agari Blog Image

April 17, 2019 Fareed Bukhari

The Time is Now: Underscoring the Importance of DMARC for State and Local Governments

Scammers know that impersonating a trusted government agency is an extremely effective way to trick…

Agari Blog Image

February 26, 2019 Armen Najarian

Retail Trails Other Sectors in Adopting DMARC for Phishing Prevention

Recent research by the Agari Cyber Intelligence Division finds that the retail industry is dead…

mobile image