[verst]

Google Apps does have email aliases (they are really just pointers to regular Google Apps Gmail accounts).

Google Groups uses a different sub system internally, and if you don't have SPF configured (or configured it wrong) it definitely rejects messages aggressively or queues them for moderation.

Virtually every problem where legitimate mail to any of your Google Apps email addresses (or groups) bounced could be addressed by adding DKIM and SPF. Some folks have strange dual delivery set ups, or perhaps use an outbound gateway server (for compliance filtering, journaling etc) - in those cases you definitely need to adjust the SPF records accordingly.

I never tried Fastmail before, maybe I'll check it out :)

[js2]

I'm fairly certain I had DKIM and SPF set up correctly. It was literally only when emailing another Google Apps+Google Group address that bounced. It looked like this:

    Delivery to the following recipient failed permanently:

    hi@smashrun.com

    Technical details of permanent failure:

    Message rejected by Google Groups. Please visit http://mail.google.com/support/bin/answer.py?hl=en&answer=188131 to review our Bulk Email Senders Guidelines.

Full headers:

    X-Received: by 10.55.15.30 with SMTP id z30mr25314313qkg.47.1440345211659;
           Sun, 23 Aug 2015 08:53:31 -0700 (PDT)
    Return-Path: <js2@example.org>
    Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com. [2607:f8b0:400d:c09::232])
           by mx.google.com with ESMTPS id 136si23593726qhc.102.2015.08.23.08.53.31
           for <hi@smashrun.com>
           (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
           Sun, 23 Aug 2015 08:53:31 -0700 (PDT)
    Received-SPF: pass (google.com: domain of js2@example.org designates 2607:f8b0:400d:c09::232 as permitted sender) client-ip=2607:f8b0:400d:c09::232;
    Authentication-Results: mx.google.com;
          spf=pass (google.com: domain of js2@example.org designates 2607:f8b0:400d:c09::232 as permitted sender) smtp.mailfrom=js2@example.org;
          dkim=pass header.i=@example.org
    Received: by qkda128 with SMTP id a128so5917057qkd.3
           for <hi@smashrun.com>; Sun, 23 Aug 2015 08:53:31 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
           d=example.org; s=google;
           h=from:content-type:content-transfer-encoding:mime-version:subject
            :message-id:date:to;
           bh=D6Jgw+8F97OpSz0ORbLuvcih9KdhWrTFusiNkbOms2w=;
           b=0X7YTsfGYQ31fR8zT8Vc4+7iYOtUmQT/kNx7SKdNyx9GxPPHo9kTqFxWhBHEKUbLiU
            zd0iFHh12IVn993lvSIkBLIBHnTaQSxgt7vpxCKhSGlvuJ1jbocHtCmYvF+FNwyiZAgE
            SNiTXBBmxCc7Z4g9GW0PGDz0hNbRp+PBJfabY=
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
           d=1e100.net; s=20130820;
           h=x-gm-message-state:from:content-type:content-transfer-encoding
            :mime-version:subject:message-id:date:to;
           bh=D6Jgw+8F97OpSz0ORbLuvcih9KdhWrTFusiNkbOms2w=;
           b=DfuecqdbbnVwcjQsa8Aon9ukQYC43RYb5V3uWnb3ayZzZagDyT7aVg8StcSjh9HsFZ
            +OPKwfULiQc9u3twxq5h/Q7urZQIlY/FVyBAXQbikK+c8rzfb9nB+2cSBZHPYrlgU0hd
            ZO/n0x7x6OsCOWePFVcO2sc9EEO6+YsoeapsnzAaWKgYxF2T8v34UPimKPKBtphJ7N3a
            W7anf2KbbGcsXSQiz+EfWgeNwhLMKSk5V8g0aXrCSMDXcPf20NW6NnKbcYms/rOIQRSM
            +J44wGA+rau6Wv+/0GA+XkGUOYpISMC2ATrEOO9/6XmmQSGmo3vb4oUSg9UmUCNGSVzY
            wKWg==
    X-Gm-Message-State: ALoCoQkfkZy/EZ2g8DXjWbFZEEaJou2F+r9Vhn5u4/H4A+bq9ZT/2IYeptS95RrShLFAzNDp9Bwd
    X-Received: by 10.55.21.140 with SMTP id 12mr3454160qkv.31.1440345211394;
           Sun, 23 Aug 2015 08:53:31 -0700 (PDT)
    Return-Path: <js2@example.org>
    Received: from [192.168.1.131] (cpe-XXX-XX-XXX-XXX.nc.res.rr.com. [XXX.XX.XXX.XXX])
           by smtp.gmail.com with ESMTPSA id x201sm9160834qkx.28.2015.08.23.08.53.30
           for <hi@smashrun.com>
           (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
           Sun, 23 Aug 2015 08:53:30 -0700 (PDT)
    From: js2 <js2@example.org>

This would fail 100% of the time when mailing any other Google Apps+Google Groups address, no matter the message content. I had failures from three separate Google Apps hosted domains over the course of a year. Once I moved my domain from Google Apps to Fastmail, this stopped happening.

Yes, I pay Fastmail and I wasn't paying for Google Apps. But I also get responsive support from Fastmail, IMAP push to iOS devices, more flexibility in delivery rules, etc.

[verst]

Google Groups has a feature to automatically reject messages it considers to be Spam. That feature has always been quite terrible. The Google Groups Backend hasn't changed in a very long time.

https://support.google.com/groups/answer/2627595?hl=en

I personally always disable it for public groups and then rely on Spam filtering of the recipient inbox.

By the way - the bounce message you are seeing is what is sent when the Spam Classification Server determined your message to be Spam. The main reasons for that are things like sending from a bad IP, having certain keywords that are strongly correlated with Spam, or having domains in your message that are associated with Spam (based on other messages having been marked as Spam containing those domains).

[js2]

Re: Spam Classification Server. The problem went away when I moved my domain away from Google Apps. Literally, the exact same test message that I could not send when I had my domain on Google Apps, I could send once my domain was on Fastmail. Nothing changed, but that my message was now routing via Fastmail's SMTP servers vs the Google Apps SMTP servers. Same message content, same client IP, same MUA, same destination (I had a friend with a Google Apps domain setup a test group for me to send to on his domain).

[verst]

So you are saying:

Google Apps SMTP -> Google Apps Group (different domain) == FAIL

Fastmail SMTP -> Google Apps Group (different domain) == SUCCESS?

It's been a long time since I looked at this. We did have great internal tools to look up the classification of individual messages, including the top 10 deciding reasons for a given message classification. With a paid Google Apps domain a support rep investigating your ticket would eventually look at this tool to figure out what's going on.

[js2]

Yup, that's what was happening. Re: a paid account, I decided Fastmail was a better fit for my needs. Besides that, the problem was on the receiving end. So I somewhat disagree that I should have had to pay Google for someone to look into that.

[js2]

Yup, that's what was happening. Agree about a paid account, but I decided Fastmail was a better fit for my needs.