Google Workspace Rejecting Sophos Setup Messages (and other important messages

Messages are being rejected by GMail with DMARC failures. Most of the messages are from well known senders such as Google, Microsoft, and the USDA. The senders' DKIM is in order and we have correct DMARC, SPF and DKIM settings with respect to our DNS. Gateways are in place per the documentation. GMail extra spam checks are turned off. Here's a rejection of the Sophos Central welcome email:

Received from an SMTP server with IP address: 50.112.39.248 (TLS enabled)
550-5.7.26 Unauthenticated email from <a href="">http://microsoftonline.com" target="_blank">microsoftonline.com</a> is not accepted due to 550-5.7.26 domain&#39;s DMARC policy. Please contact the administrator of 550-5.7.26 <a href="">http://microsoftonline.com" target="_blank">microsoftonline.com</a> domain if this was a legitimate mail. Please 550-5.7.26 visit 550-5.7.26 <a href="">support.google.com/.../2451690" target="_blank">support.google.com/.../a> to learn about the 550 5.7.26 DMARC initiative.
Mar 24, 2022, 4:32:23 PM
Rejected
Has anyone else encountered this?
Google suppport said that it's an SPF issue, but I've triple-checked my settings and they're correct.


corrected from Whitelist to Gateways
[edited by: Justin Hoeft at 1:49 AM (GMT -7) on 26 Mar 2022]
Parents
  • Initial Troubleshooting:

    1. Reset all Gmail settings to default
    2. Start over using the latest Sophos install references linked from Sophos Central

    During step 2 of step #9 of configuring the GMail Gateway IPs it says:

    9. Turn on:

    • Automatically detect external IP (recommended).
    • Reject all mail not from gateway IPs.
    • Require TLS connections from the email gateways listed above.

    The second step (Reject all mail not from gateway IPs) causes Sophos EMail to stop delivering messages and emails enter the Queuing... state. I have had to leave that setting off for any emails to get through.

    Additional Troubleshooting:

    1. Corrected DKIM to match Sophos-recommended setting
    2. Double-checked SPF records for the fifth time

    Headers show all PASS for everything

  • This is a confirmed issue and Sophos has reached out to Google for a resolution. See https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/EmailSecurity/SophosGateway/ExternalServices/ConfigureGoogle/index.htm 

    DMARC failures from Google email servers

    If you have turned on Time of Click URL Protection or Smart banners in your email policies, you may see DMARC failures reported for inbound messages.

    This is because Google doesn't consistently process emails from IP addresses in its Gateway IPs list.

    Google's documentation says: "Gmail doesn't do SPF authentication for messages sent from IP addresses in the Gateway IPs list. The inbound gateway should do DMARC checks. DMARC authentication is bypassed for incoming messages from listed hosts." See Set up an inbound mail gateway.

    Our tests show that this doesn't always happen, and Google marks some emails as DMARC failures when it shouldn't be doing DMARC checks. We have raised this with Google.

Reply Children