Score:2

Gmail blocks mails in case they are forwarded

ba flag

My website sends mails to users. This has been working wonderfully for years. But for a year or so, Gmail has been blocking mails in the following scenario: A user has the email [email protected]. That email is automatically forwarded to a Gmail address, so there is probably not a mailbox installed but just an automatic forwarding.

In that scenario, Gmail will block the email with the error:

   host gmail-smtp-in.l.google.com [xx.xx.xx.xx]
   SMTP error from remote mail server after end of data:
   550-5.7.26 This message does not pass authentication checks (SPF and DKIM both
   550-5.7.26 do not pass). SPF check for [xyz.com] does not pass with
   550-5.7.26 ip: [xx.xx.xx.xx].To best protect our users from spam, the message
   550-5.7.26 has been blocked

If the same mail is sent to the gmail address directly, everything works as expected.

I have set up an SPF record like this:

   v=spf1 mx ip4:ip.of.web.site ~all

rDNS is set up correctly.

EDIT: Reading about this issue further, one user suggested adding include:_spf.google.com to make the SPF record look like this:

   v=spf1 mx ip4:ip.of.web.site include:_spf.google.com ~all

Although I cannot see why this would help in my case, the number of failed checks seems to have dropped significantly. Of course, I do not think this qualifies as a proper solution, more as a hack at the most.

I will still try to set up DKIM, though.

jp flag
Sign your messages with DKIM. It survives forwarding.
Score:3
fr flag

Forwarded messages will always fail SPF checks, because Gmail does not see them as coming from your server – it sees them as being sent from the forwarder server, which is of course not in your domain's SPF allowed list. (You cannot realistically list all possible forwarders in your SPF record, nor would that make any sense.)

(Your server's rDNS setup is irrelevant at this point, because it is not your server that is talking to Gmail.)

To avoid this problem you need to set up DKIM signing for your messages and add a DMARC policy DNS record for your domain. According to DMARC rules, either SPF or DKIM checks must pass – Gmail will accept your messages forwarded by other servers as long as their original DKIM signature (made by your server) remains intact.

See also:

Armin Hierstetter
ba flag
Thanks! I am working on setting up DKIM but struggle with it. Although it seems to be installed correctly by the provider on the mail server (and there is the DNS TXT record, too) it does not work properly … oh well …
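
The rule from the answer above (DMARC passes when SPF or DKIM passes for a domain aligned with the From: domain), applied to the `Authentication-Results` header a receiver records, for direct and forwarded delivery. This is an added example, not code from the thread; the function names, the sample headers and `forwarder.example` are constructed, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
import re

def org_domain(domain):
    # Assumption: last two labels stand in for the organizational domain.
    # Real DMARC implementations use the Public Suffix List here.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Collect (verdict, domain) pairs for SPF and DKIM from the header."""
    results = {"spf": [], "dkim": []}
    for clause in header.split(";")[1:]:          # [0] is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, verdict = m.groups()
        # SPF authenticates the envelope sender, DKIM the signing domain.
        prop = r"smtp\.mailfrom=(\S+)" if method == "spf" else r"header\.[di]=(\S+)"
        d = re.search(prop, clause)
        domain = d.group(1).split("@")[-1] if d else ""
        results[method].append((verdict, domain))
    return results

def dmarc_verdict(from_domain, header):
    """Pass if any SPF/DKIM result is 'pass' AND aligned (relaxed) with From:."""
    want = org_domain(from_domain)
    parsed = parse_auth_results(header)
    aligned = [method for method in ("spf", "dkim")
               for verdict, dom in parsed[method]
               if verdict == "pass" and org_domain(dom) == want]
    return ("pass", aligned) if aligned else ("fail", [])

# Constructed sample headers for mail with From: ...@xyz.com
DIRECT = "mx.google.com; spf=pass smtp.mailfrom=bounce@xyz.com; dkim=none"
# Forwarder keeps the envelope sender: its IP is not in xyz.com's SPF record.
FORWARDED_NO_DKIM = "mx.google.com; spf=softfail smtp.mailfrom=bounce@xyz.com; dkim=none"
# Forwarder rewrites the envelope sender: SPF passes, but for the wrong domain.
FORWARDED_REWRITTEN = "mx.google.com; spf=pass smtp.mailfrom=fwd@forwarder.example; dkim=none"
# Original DKIM signature is intact, so the forwarding hop no longer matters.
FORWARDED_DKIM = ("mx.google.com; spf=softfail smtp.mailfrom=bounce@xyz.com; "
                  "dkim=pass header.d=xyz.com header.s=mail")

if __name__ == "__main__":
    for name in ("DIRECT", "FORWARDED_NO_DKIM", "FORWARDED_REWRITTEN", "FORWARDED_DKIM"):
        print(f"{name:20} {dmarc_verdict('xyz.com', globals()[name])}")
```

To check real mail, use "Show original" in Gmail on a delivered message and compare the domains in its `Authentication-Results` line with the From: domain.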