
G Suite - Group mail Forwarding rejected by Sophos Central.

Hi,

I have Google Suite and am scanning incoming and outgoing emails. Mail flow is working fine in both directions, but when an outside user sends mail to a Google Group ID, the mail is delivered to the Google platform and Google puts it in the forwarding pipe, and at the same time it fails/bounces with the error below on Google G Suite:

Bounced
Google tried to deliver your message, but it was rejected by the server for the recipient domain relay-us-east-2.prod.hydra.sophos.com [18.221.253.246]. The error that the other server returned was: 550 5.7.1 Command rejected
 

What is happening in the background:

An outside user sends a mail to the Group ID abcgroup@mydomain.com -----> mail is received and scanned on Sophos Central -----> mail is delivered to the group -----> mail is forwarded from the group abcgroup@mydomain.com to individual recipients of this group, such as it@mydomain.com (at this point the mail gets bounced)

 

We noticed this error message in Sophos Central:

Sender local part <abcgroup+bncbc5o5shs74mbbwgb6trqkgqealgwhzy@mydomain.com> could not be validated for domain <mydomain.com>  (as Mail sender).

After a long search on the internet, I found:

1) Google changed this behavior some time ago to fight the DMARC “P=Reject” policy from various domains/email providers.

2) Sophos is following RFC 5322 for incoming and outgoing emails, but here it looks like Google is violating this RFC (I have not gone through the complete RFC).

 

Reference URLs:

https://serverfault.com/questions/779730/why-dont-my-domains-messages-to-a-google-group-get-their-headers-rewritten-so

http://onlinegroups.net/blog/2014/05/01/dmarc-taking-responsibility-sending-group-email/

https://support.google.com/mail/answer/1311182?hl=en

https://www.spamresource.com/2014/04/google-groups-rewriting-from-addresses.html

https://tools.ietf.org/html/rfc5322#appendix-A.1.3

https://webapps.stackexchange.com/questions/62737/why-does-google-change-my-from-header-to-have-via-me-in-it

https://dmarc.org/wiki/FAQ#s_3

 

Here, Google is saying that this is normal behavior for Google Groups and that it will rewrite the mail header with a random ID such as <abcgroup+bncbc5o5shs74mbbwgb6trqkgqealgwhzy@mydomain.com>, and that this issue belongs to Sophos Central.

 

Looking for expert guidance to resolve the issue.



Edited tags
[edited by: Raphael Alganes at 5:23 AM (GMT -7) on 8 Jun 2023]
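
The rejection described in the post, as an added example that is not part of the original post and is not Sophos or Google code: a sender check that looks up the literal local part rejects the rewritten group address, while one that strips the `+tag` subaddress first resolves it to the group. The directory contents, domain list and function names are assumptions for illustration; how Sophos Central validates senders is not documented on this page.

```python
# Constructed directory: addresses that really exist in the local domain.
KNOWN_ADDRESSES = {"abcgroup@mydomain.com", "it@mydomain.com"}
LOCAL_DOMAINS = {"mydomain.com"}


def split_subaddress(address, separator="+"):
    """Split local+tag@domain into (base_address, tag); tag is None if absent."""
    addr = address.strip().strip("<>")
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    base, sep, tag = local.partition(separator)
    if not base:
        raise ValueError(f"empty local part before subaddress: {address!r}")
    return f"{base}@{domain}".lower(), (tag if sep else None)


def check_envelope_sender(address, strip_subaddress):
    """Hypothetical gateway check: a sender claiming a local domain must exist.

    strip_subaddress=False models a lookup on the literal local part;
    strip_subaddress=True models a lookup on the base mailbox.
    """
    addr = address.strip().strip("<>")
    if not addr:
        return "null-sender"      # MAIL FROM:<> used by bounces, nothing to look up
    base, _tag = split_subaddress(addr)
    if base.rpartition("@")[2] not in LOCAL_DOMAINS:
        return "external"         # senders from other domains are not in this directory
    candidate = base if strip_subaddress else addr.lower()
    return "accept" if candidate in KNOWN_ADDRESSES else "reject"


if __name__ == "__main__":
    # Sender address quoted in the post's Sophos Central error message.
    sender = "<abcgroup+bncbc5o5shs74mbbwgb6trqkgqealgwhzy@mydomain.com>"
    print(split_subaddress(sender))
    print("literal lookup:", check_envelope_sender(sender, strip_subaddress=False))
    print("base lookup:   ", check_envelope_sender(sender, strip_subaddress=True))
```
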