Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 8 replies
  • Answers 2 answers
  • Subscribers 19 subscribers
  • Views 7185 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Google Workspace Rejecting Sophos Setup Messages (and other important messages

Justin Hoeft

Messages are being rejected by GMail with DMARC failures. Most of the messages are from well known senders such as Google, Microsoft, and the USDA. The senders' DKIM is in order and we have correct DMARC, SPF and DKIM settings with respect to our DNS. Gateways are in place per the documentation. GMail extra spam checks are turned off. Here's a rejection of the Sophos Central welcome email:

Received from an SMTP server with IP address: 50.112.39.248 (TLS enabled)
550-5.7.26 Unauthenticated email from <a href="">http://microsoftonline.com" target="_blank">microsoftonline.com</a> is not accepted due to 550-5.7.26 domain&#39;s DMARC policy. Please contact the administrator of 550-5.7.26 <a href="">http://microsoftonline.com" target="_blank">microsoftonline.com</a> domain if this was a legitimate mail. Please 550-5.7.26 visit 550-5.7.26 <a href="">support.google.com/.../2451690" target="_blank">support.google.com/.../a> to learn about the 550 5.7.26 DMARC initiative.
Mar 24, 2022, 4:32:23 PM
Rejected
Has anyone else encountered this?
Google suppport said that it's an SPF issue, but I've triple-checked my settings and they're correct.


Edited tags
[edited by: Raphael Alganes at 6:02 AM (GMT -7) on 7 Jun 2023]
Parents
  • 0

    Initial Troubleshooting:

    1. Reset all Gmail settings to default
    2. Start over using the latest Sophos install references linked from Sophos Central

    During step 2 of step #9 of configuring the GMail Gateway IPs it says:

    9. Turn on:

    • Automatically detect external IP (recommended).
    • Reject all mail not from gateway IPs.
    • Require TLS connections from the email gateways listed above.

    The second step (Reject all mail not from gateway IPs) causes Sophos EMail to stop delivering messages and emails enter the Queuing... state. I have had to leave that setting off for any emails to get through.

    Additional Troubleshooting:

    1. Corrected DKIM to match Sophos-recommended setting
    2. Double-checked SPF records for the fifth time

    Headers show all PASS for everything

  • 0 in reply to Justin Hoeft

    Continued troubleshooting indicates that Smart Banners are breaking DKIM - the alteration of the message body causes a mismatch which Google decides must be spam. Creating a group with Smart Banners disabled and Quarantine for Impersonation Protection then adding my Google Workspace users to the new group seems to fix the issue.

Reply
  • 0 in reply to Justin Hoeft

    Continued troubleshooting indicates that Smart Banners are breaking DKIM - the alteration of the message body causes a mismatch which Google decides must be spam. Creating a group with Smart Banners disabled and Quarantine for Impersonation Protection then adding my Google Workspace users to the new group seems to fix the issue.

Children
  • 0 in reply to Justin Hoeft

    Overnight logs indicate that this isn't the problem in it's entirety - DKIM is still indicated as broken in some messages at the GMail user, and a bit of testing indicates that it's due to URL rewrites altering the body of the message. Incidentally, reading headers of successful messages I found that turning off URL rewrites and refraining from adding headers guarantees the integrity of the message.

Unfiltered HTML