Messages are being rejected by GMail with DMARC failures. Most of the messages are from well known senders such as Google, Microsoft, and the USDA. The senders' DKIM is in order and we have correct DMARC, SPF and DKIM settings with respect to our DNS. Gateways are in place per the documentation. GMail extra spam checks are turned off. Here's a rejection of the Sophos Central welcome email:
During step 2 of step #9 of configuring the GMail Gateway IPs, it says:
9. Turn on:
The second step (Reject all mail not from gateway IPs) causes Sophos Email to stop delivering messages and emails enter the Queuing... state. I have had to leave that setting off for any emails to get through.
Headers show all PASS for everything.
Continued troubleshooting indicates that Smart Banners are breaking DKIM - the alteration of the message body causes a mismatch which Google decides must be spam. Creating a group with Smart Banners disabled and Quarantine for Impersonation Protection, then adding my Google Workspace users to the new group, seems to fix the issue.
Overnight logs indicate that this isn't the problem in its entirety - DKIM is still indicated as broken in some messages at the GMail user, and a bit of testing indicates that it's due to URL rewrites altering the body of the message. Incidentally, reading headers of successful messages I found that turning off URL rewrites and refraining from adding headers guarantees the integrity of the message.
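The following is an added example, not code from the post, from Sophos or from Google, showing mechanically why the two updates above point at body modification. A DKIM signature carries a body hash (bh=) computed over the canonicalized body per RFC 6376; relaxed canonicalization tolerates whitespace changes in transit, but any content change, such as a banner inserted at the top or a link replaced by a rewrite URL, produces a different hash and the verifier at Gmail reports DKIM as failed. The message bodies, the banner wording, the rewrite domain and the DKIM-Signature header below are all constructed placeholders (the banner text and url-protect.example.net are not the real Sophos banner or URL format):

```python
"""DKIM body-hash (bh=) demonstration: why a banner insertion or URL rewrite
by an inbound gateway invalidates the originator's signature (RFC 6376).

Added example, not Sophos or Google code. All message content is constructed;
the banner text and rewrite domain are hypothetical placeholders.
"""
from __future__ import annotations

import base64
import hashlib
import re

_WSP_RUN = re.compile(rb"[ \t]+")


def _split_lines(body: bytes) -> list[bytes]:
    # Accept CRLF or bare LF on input; canonical output always uses CRLF.
    return body.replace(b"\r\n", b"\n").split(b"\n")


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop empty lines at the end; body ends with one CRLF."""
    lines = _split_lines(body)
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: strip trailing WSP, collapse WSP runs to one SP,
    drop empty lines at the end; a non-empty body ends with one CRLF."""
    lines = [_WSP_RUN.sub(b" ", ln).rstrip(b" ") for ln in _split_lines(body)]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


_HASHES = {"rsa-sha256": "sha256", "rsa-sha1": "sha1", "ed25519-sha256": "sha256"}


def body_hash(body: bytes, canon: str = "relaxed", algorithm: str = "rsa-sha256") -> str:
    """Return the base64 bh= value for a body under the given canonicalization."""
    canonical = (canonicalize_body_relaxed if canon == "relaxed"
                 else canonicalize_body_simple)(body)
    return base64.b64encode(hashlib.new(_HASHES[algorithm], canonical).digest()).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict[str, str]:
    """Parse the tag=value list of a DKIM-Signature header; folding whitespace
    inside values (common in b= and bh=) is removed, padding '=' is kept."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(dkim_signature: str, body: bytes) -> bool:
    """Recompute bh= from the body as received and compare with the signed value.
    This is the check that fails when a gateway alters the body after the
    originator signed it. Only the body hash is checked here, not the header
    signature (b=), and the optional l= length limit is not honoured."""
    tags = parse_dkim_tags(dkim_signature)
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_canon, tags.get("a", "rsa-sha256")) == tags["bh"]


# Constructed sample body, as the originator (e.g. a welcome email) signed it.
ORIGINAL_BODY = (
    b"Hello,\r\n\r\n"
    b"Welcome aboard. Get started here:\r\n"
    b"https://example.com/get-started\r\n\r\n"
    b"Regards,\r\nThe Team\r\n"
)
# Transport mangling (WSP runs, trailing blank lines) that relaxed mode absorbs.
WHITESPACE_MANGLED_BODY = ORIGINAL_BODY.replace(b"Get started", b"Get  \t started") + b"\r\n\r\n"
# Constructed stand-in for a gateway inserting a banner (hypothetical wording).
BANNERED_BODY = b"[EXTERNAL] This message came from outside your organisation.\r\n\r\n" + ORIGINAL_BODY
# Constructed stand-in for time-of-click URL rewriting (hypothetical domain).
REWRITTEN_BODY = ORIGINAL_BODY.replace(
    b"https://example.com/get-started",
    b"https://url-protect.example.net/v1?u=https%3A%2F%2Fexample.com%2Fget-started",
)
# Constructed DKIM-Signature as the originator would emit it; b= is a placeholder
# because only the body hash is exercised in this example.
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + ";\r\n"
    " b=PLACEHOLDER"
)


def main() -> None:
    for label, body in [("original", ORIGINAL_BODY),
                        ("whitespace mangled", WHITESPACE_MANGLED_BODY),
                        ("banner inserted", BANNERED_BODY),
                        ("URL rewritten", REWRITTEN_BODY)]:
        print(f"{label:20s} bh matches: {verify_body_hash(SIGNATURE_HEADER, body)}")


if __name__ == "__main__":
    main()
```

Run it and the first two bodies verify while the bannered and rewritten ones do not, which is the pattern the thread describes: a receiver that validates DKIM after the gateway has modified the body will always see a bh= mismatch, regardless of how correct the sender's DNS records are. Any fix therefore has to come from either not modifying the body before the DKIM check, or from the receiver skipping authentication for mail relayed by the configured gateway.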
This is a confirmed issue and Sophos has reached out to Google for a resolution. See https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/EmailSecurity/SophosGateway/ExternalServices/ConfigureGoogle/index.htm
If you have turned on Time of Click URL Protection or Smart banners in your email policies, you may see DMARC failures reported for inbound messages.
This is because Google doesn't consistently process emails from IP addresses in its Gateway IPs list.
Google's documentation says: "Gmail doesn't do SPF authentication for messages sent from IP addresses in the Gateway IPs list. The inbound gateway should do DMARC checks. DMARC authentication is bypassed for incoming messages from listed hosts." See Set up an inbound mail gateway.
Our tests show that this doesn't always happen, and Google marks some emails as DMARC failures when it shouldn't be doing DMARC checks. We have raised this with Google.
So what are our options? Who is responsible? Google or Sophos? Who could manage a patch to solve this on their side?