by gupi 3738 days ago
There are already mechanisms to prevent the spoofing of legit email addresses. See details below:

DKIM - https://support.google.com/a/answer/174124?hl=en

SPF - https://support.google.com/a/answer/33786?hl=en

DMARC - https://support.google.com/a/answer/2466580?hl=en

However, implementing them needs support from your email/hosting provider.

5 comments

I used to work on Spam, Abuse and Deliverability for Google Apps and am one of the original authors of those help center articles (although they have been changed a bunch since).

Can you share the full message headers of one of these bounces you are receiving? Feel free to redact your email address. https://support.google.com/mail/answer/22454?hl=en

Edit: I left Google in 2013

I switched my domain away from Google Apps to Fastmail because Google was hard bouncing emails that I sent to other Google Apps domains. I had both SPF and DKIM set up correctly. I could send emails to gmail.com addresses just fine, and to Google Apps addresses that weren't aliases (which Google implements via groups as I recall). But anything that went to a Google Apps destination address that was a group alias would bounce. I was on the grandfathered free tier so I couldn't really complain, but it was the final straw that drove me to Fastmail. Now I can email those same addresses which used to bounce just fine.

Google Apps does have email aliases (they are really just pointers to regular Google Apps Gmail accounts).

Google Groups uses a different subsystem internally, and if you don't have SPF configured (or configured it wrong) it definitely rejects messages aggressively or queues them for moderation.

Virtually every problem where legitimate mail to any of your Google Apps email addresses (or groups) bounced could be addressed by adding DKIM and SPF. Some folks have strange dual delivery setups, or perhaps use an outbound gateway server (for compliance filtering, journaling etc) - in those cases you definitely need to adjust the SPF records accordingly.

I never tried Fastmail before, maybe I'll check it out :)

I'm fairly certain I had DKIM and SPF set up correctly. It was literally only when emailing another Google Apps+Google Group address that bounced. It looked like this:

    Delivery to the following recipient failed permanently:

    hi@smashrun.com

    Technical details of permanent failure:

    Message rejected by Google Groups. Please visit http://mail.google.com/support/bin/answer.py?hl=en&answer=188131 to review our Bulk Email Senders Guidelines.

Full headers:

    X-Received: by 10.55.15.30 with SMTP id z30mr25314313qkg.47.1440345211659;
           Sun, 23 Aug 2015 08:53:31 -0700 (PDT)
    Return-Path: <js2@example.org>
    Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com. [2607:f8b0:400d:c09::232])
           by mx.google.com with ESMTPS id 136si23593726qhc.102.2015.08.23.08.53.31
           for <hi@smashrun.com>
           (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
           Sun, 23 Aug 2015 08:53:31 -0700 (PDT)
    Received-SPF: pass (google.com: domain of js2@example.org designates 2607:f8b0:400d:c09::232 as permitted sender) client-ip=2607:f8b0:400d:c09::232;
    Authentication-Results: mx.google.com;
          spf=pass (google.com: domain of js2@example.org designates 2607:f8b0:400d:c09::232 as permitted sender) smtp.mailfrom=js2@example.org;
          dkim=pass header.i=@example.org
    Received: by qkda128 with SMTP id a128so5917057qkd.3
           for <hi@smashrun.com>; Sun, 23 Aug 2015 08:53:31 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
           d=example.org; s=google;
           h=from:content-type:content-transfer-encoding:mime-version:subject
            :message-id:date:to;
           bh=D6Jgw+8F97OpSz0ORbLuvcih9KdhWrTFusiNkbOms2w=;
           b=0X7YTsfGYQ31fR8zT8Vc4+7iYOtUmQT/kNx7SKdNyx9GxPPHo9kTqFxWhBHEKUbLiU
            zd0iFHh12IVn993lvSIkBLIBHnTaQSxgt7vpxCKhSGlvuJ1jbocHtCmYvF+FNwyiZAgE
            SNiTXBBmxCc7Z4g9GW0PGDz0hNbRp+PBJfabY=
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
           d=1e100.net; s=20130820;
           h=x-gm-message-state:from:content-type:content-transfer-encoding
            :mime-version:subject:message-id:date:to;
           bh=D6Jgw+8F97OpSz0ORbLuvcih9KdhWrTFusiNkbOms2w=;
           b=DfuecqdbbnVwcjQsa8Aon9ukQYC43RYb5V3uWnb3ayZzZagDyT7aVg8StcSjh9HsFZ
            +OPKwfULiQc9u3twxq5h/Q7urZQIlY/FVyBAXQbikK+c8rzfb9nB+2cSBZHPYrlgU0hd
            ZO/n0x7x6OsCOWePFVcO2sc9EEO6+YsoeapsnzAaWKgYxF2T8v34UPimKPKBtphJ7N3a
            W7anf2KbbGcsXSQiz+EfWgeNwhLMKSk5V8g0aXrCSMDXcPf20NW6NnKbcYms/rOIQRSM
            +J44wGA+rau6Wv+/0GA+XkGUOYpISMC2ATrEOO9/6XmmQSGmo3vb4oUSg9UmUCNGSVzY
            wKWg==
    X-Gm-Message-State: ALoCoQkfkZy/EZ2g8DXjWbFZEEaJou2F+r9Vhn5u4/H4A+bq9ZT/2IYeptS95RrShLFAzNDp9Bwd
    X-Received: by 10.55.21.140 with SMTP id 12mr3454160qkv.31.1440345211394;
           Sun, 23 Aug 2015 08:53:31 -0700 (PDT)
    Return-Path: <js2@example.org>
    Received: from [192.168.1.131] (cpe-XXX-XX-XXX-XXX.nc.res.rr.com. [XXX.XX.XXX.XXX])
           by smtp.gmail.com with ESMTPSA id x201sm9160834qkx.28.2015.08.23.08.53.30
           for <hi@smashrun.com>
           (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
           Sun, 23 Aug 2015 08:53:30 -0700 (PDT)
    From: js2 <js2@example.org>

This would fail 100% of the time when mailing any other Google Apps+Google Groups address, no matter the message content. I had failures from three separate Google Apps hosted domains over the course of a year. Once I moved my domain from Google Apps to Fastmail, this stopped happening.

Yes, I pay Fastmail and I wasn't paying for Google Apps. But I also get responsive support from Fastmail, IMAP push to iOS devices, more flexibility in delivery rules, etc.

Google Groups has a feature to automatically reject messages it considers to be Spam. That feature has always been quite terrible. The Google Groups Backend hasn't changed in a very long time.

https://support.google.com/groups/answer/2627595?hl=en

I personally always disable it for public groups and then rely on Spam filtering of the recipient inbox.

By the way - the bounce message you are seeing is what is sent when the Spam Classification Server determined your message to be Spam. The main reasons for that are things like sending from a bad IP, having certain keywords that are strongly correlated with Spam, or having domains in your message that are associated with Spam (based on other messages having been marked as Spam containing those domains).

Re: Spam Classification Server. The problem went away when I moved my domain away from Google Apps. Literally, the exact same test message that I could not send when I had my domain on Google Apps, I could send once my domain was on Fastmail. Nothing changed except that my message was now routing via Fastmail's SMTP servers vs the Google Apps SMTP servers. Same message content, same client IP, same MUA, same destination (I had a friend with a Google Apps domain set up a test group for me to send to on his domain).

I actually had the same problem and was dealing with it this weekend.

@dang helpfully pointed out an email to him had ended in the spam box, and a bit of investigation later revealed that some Vietnamese and Indian spammers had been sending email as me, to the tune of a few thousand emails per day.

I already had SPF in place, but I've since added DKIM and a strict reject policy via DMARC.

Additionally I added https://dmarcian-eu.com/ (or https://dmarcian.com/ if you're outside the EU), and this allows the DMARC reports to be sent directly there where they can be analysed and reported on.

My buro9.com records now look like:

  ;; TXT Records
  buro9.com.	300	IN	TXT	"v=spf1 include:_spf.google.com include:spf.mailjet.com -all"
  _dmarc.buro9.com.	300	IN	TXT	"v=DMARC1\; p=reject\; sp=reject\; adkim=s\; aspf=s\; rua=mailto:z3qirov9@ag.dmarcian-eu.com\; ruf=mailto:z3qirov9@fr.dmarcian-eu.com\; rf=afrf\; pct=100\; ri=86400"
  mailjet._domainkey.buro9.com.	300	IN	TXT	"k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzruNqjSTPtVVkkxRUG8H0EXToKtfuccUJNx8ElnhtgtWu30P3YIAd1nwFSfQEzwLn8BycK/S9I0/F+9p5fLpE6maxZxLadVq8cnWYROIWrjZnEJ549xQjX5/TB0uOiKYTVy8q17ZMEoJbpihm/vIKzqibl2cCPTHEDk12AV9kCwIDAQAB"
  buro9._domainkey.buro9.com.	300	IN	TXT	"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0I0/RqPxshGephScWuBUE56L6ro4bS8FWuW3BWx93jLCpaOzY0iTAWGz58nvCSuG081ePqtnATyqcQdKxOaAYIyFyGm5fr6W4FVMAWyOP3OQ889vLFmpIPEaI/GpvBezwUdBvlxd+2xrKckXwUqhFRrG6bP4NyGDZxoSQF55DiQIDAQAB"

Note I've gone strict on SPF (against Google's recommendation), my DMARC is sending aggregate reports and forensics to Dmarcian, and I have DKIM keys for both Google (I'm on Google Apps) as well as Mailjet (I have a mailing list of 37k people and that needs to work too).

So far this appears to be having the desired effect, and I don't yet know of any deliverability issues from my email. Looks like this combination works well.

On domains I send no email from, i.e. buro9.co.uk:

  ;; TXT Records
  buro9.co.uk.	300	IN	TXT	"v=spf1 -all"
  _dmarc.buro9.co.uk.	300	IN	TXT	"v=DMARC1\; p=reject\; rua=mailto:z3qirov9@ag.dmarcian-eu.com\;"

An SPF that signals everything fails, and a reporting endpoint to find out if people are still trying to send spam as me.
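
The strict-alignment check that a record like the one above (`adkim=s`, `aspf=s`, `p=reject`) asks receivers to apply, as an added Python example that is not part of any comment in this thread. The record and the two `Authentication-Results` headers are constructed samples on `example.org`; the function names are hypothetical, `pct` and `sp` are ignored, and the header is assumed to have been added by your own receiving MTA.

```python
import re
from email.utils import parseaddr

def parse_tags(txt):
    # "tag=value; tag=value" TXT data; also accepts the zone-file form with "\;"
    tags = {}
    for part in txt.replace("\\;", ";").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def auth_results(header):
    # -> [(method, result, {property: value})], with (...) comments dropped
    found = []
    for clause in re.sub(r"\([^)]*\)", "", header).split(";")[1:]:
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", clause[m.end():]))
            found.append((m.group(1).lower(), m.group(2).lower(), props))
    return found

def dmarc_verdict(record, from_header, ar_header):
    policy = parse_tags(record)
    if policy.get("v") != "DMARC1" or "p" not in policy:
        raise ValueError("not a usable DMARC record")
    if policy.get("adkim", "r") != "s" or policy.get("aspf", "r") != "s":
        raise NotImplementedError("relaxed alignment needs a Public Suffix List")
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    aligned = []
    for method, result, props in auth_results(ar_header):
        if result != "pass":
            continue
        if method == "dkim":
            domain = props.get("header.d", "")
        elif method == "spf":
            domain = props.get("smtp.mailfrom", "").rpartition("@")[2]
        else:
            continue
        if domain.lower() == from_domain:   # strict mode: exact match only
            aligned.append(method)
    return ("pass" if aligned else policy["p"], aligned)

# Constructed samples: example.org stands in for the protected domain.
RECORD = r"v=DMARC1\; p=reject\; sp=reject\; adkim=s\; aspf=s\; pct=100"
LEGIT = "mx.example.net; spf=pass (permitted sender) smtp.mailfrom=js2@example.org; dkim=pass header.d=example.org"
SPOOF = "mx.example.net; spf=pass smtp.mailfrom=bounce@bulk.example.net; dkim=pass header.d=bulk.example.net"

if __name__ == "__main__":
    for name, ar in (("legit", LEGIT), ("spoof", SPOOF)):
        print(name, dmarc_verdict(RECORD, "js2 <js2@example.org>", ar))
```

The `SPOOF` sample passes both SPF and DKIM, but for a different domain than the one in `From:`, so neither result aligns and the published `p=reject` applies.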

That's funny, because gmail doesn't verify DKIM headers. At least not when I spoof gmail addresses! Maybe because my originating mailserver is whitelisted?

That's odd, GMail is how I check to make sure I have DKIM set up correctly. Just send an email to my gmail account and check the message for "Authentication-Results: mx.google.com; dkim=pass" in the headers.

I'm also getting DMARC reports back from them for all my domains.

Good point, I should have said that the headers correctly fail DKIM auth, but the gmail/inbox interface doesn't flag it as spam or do anything to tell you the email is spoofed! I can demonstrate if you want (email in my user profile).

SPF would be a good start; most mail transport systems will check it. DKIM and then DMARC get a little deeper down the rabbit hole, but both are still very worth it.

woa , GMTA dood.