Google Workspace Rejecting Sophos Setup Messages (and other important messages

Messages are being rejected by GMail with DMARC failures. Most of the messages are from well known senders such as Google, Microsoft, and the USDA. The senders' DKIM is in order and we have correct DMARC, SPF and DKIM settings with respect to our DNS. Gateways are in place per the documentation. GMail extra spam checks are turned off. Here's a rejection of the Sophos Central welcome email:

Received from an SMTP server with IP address: 50.112.39.248 (TLS enabled)

550-5.7.26 Unauthenticated email from <a href="">http://microsoftonline.com" target="_blank">microsoftonline.com</a> is not accepted due to 550-5.7.26 domain's DMARC policy. Please contact the administrator of 550-5.7.26 <a href="">http://microsoftonline.com" target="_blank">microsoftonline.com</a> domain if this was a legitimate mail. Please 550-5.7.26 visit 550-5.7.26 <a href="">support.google.com/.../2451690" target="_blank">support.google.com/.../a> to learn about the 550 5.7.26 DMARC initiative.

Mar 24, 2022, 4:32:23 PM

Rejected

Has anyone else encountered this?

Google suppport said that it's an SPF issue, but I've triple-checked my settings and they're correct.

corrected from Whitelist to Gateways
[edited by: Justin Hoeft at 1:49 AM (GMT -7) on 26 Mar 2022]

Top Replies

Draco 1 month ago +1

Confirm you have configured the gateways correctly

https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/EmailSecurity/SophosGateway/ExternalServices/ConfigureGSuite/index.html#add-your…

Parents

0 Draco 1 month ago

Confirm you have configured the gateways correctly

https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/EmailSecurity/SophosGateway/ExternalServices/ConfigureGSuite/index.html#add-your-domain-and-verify-ownership

According to gmail article https://support.google.com/a/answer/60730?hl=en

"Set up the inbound gateway setting to identify the gateway’s IP address or range of addresses. Gmail doesn't do SPF authentication for messages sent from IP addresses in the Gateway IPs list. The inbound gateway should do DMARC checks. DMARC authentication is bypassed for incoming messages from listed hosts."

So confirm that the correct IP's are on the list and that the email comes from that IP

If these are correct then the question becomes why is gmail checking this?
Cancel
Vote Up +1 Vote Down

Reply

Verify Answer

Cancel
0 Justin Hoeft 22 days ago in reply to Draco

I have double and triple-checked this and the only solution is to add each sender with a DKIM of "-all" who is rejected to the Gateways list. Google's support seems to not be able to see an issue with this, describing the behavior as normal. My solution, for now, is to disable Smart Banners for this tenant and rely on changing the Subject line.
Cancel
Vote Up 0 Vote Down

Reply

Verify Answer

Cancel
0 Draco 21 days ago in reply to Justin Hoeft

Please ask google support to check your Gateway IP list in google workspace The email that fails DMARC does if come from one of those IP's? If so according to their documentation referenced above they should not be doing DMARC. I cannot see how this can be normal behavior if their document says it should not be doing this. It say inbound gateway should do DMARC checks, which is Sophos Central Email.
Cancel
Vote Up 0 Vote Down

Reply

Verify Answer

Cancel

Reply

0 Draco 21 days ago in reply to Justin Hoeft

Please ask google support to check your Gateway IP list in google workspace The email that fails DMARC does if come from one of those IP's? If so according to their documentation referenced above they should not be doing DMARC. I cannot see how this can be normal behavior if their document says it should not be doing this. It say inbound gateway should do DMARC checks, which is Sophos Central Email.
Cancel
Vote Up 0 Vote Down

Reply

Verify Answer

Cancel

Children

No Data