Link to home
Start Free TrialLog in
Avatar of Kostas Harvatis
Kostas HarvatisFlag for Greece

asked on

SMTP 550 errors even though SPF/DKIM/DMARC is set up (vol.2)

I am facing again a problem I had dew months back, which troubled me a lot.

www.experts-exchange.com/dashboard/#/questions/29247193


It is about emails from our customer support (ticketing) system, not being delivered in Gmail accounts (mainly; but some times other systems too). They return with SMTP 550 error (5.7.1 or 5.7.26). For example:


Action: failed
Status: 5.7.26
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.26 This mail is unauthenticated, which poses a
    security risk to the 550-5.7.26 sender and Gmail users, and has been
    blocked. The sender must 550-5.7.26 authenticate with at least one of SPF
    or DKIM. For this message, 550-5.7.26 DKIM checks did not pass and SPF
    check for [goldstar.gr] did not 550-5.7.26 pass with ip: [193.92.3.89]. The
    sender should visit 550-5.7.26
    https://support.google.com/mail/answer/81126#authentication for 550 5.7.26
    instructions on setting up authentication.

Open in new window


Back when I first had the problem, it stopped without me being 100% sure of what exactly in my SPF records made it right (my DNS host is Cloudflare btw), because I had tried so many things. However, some final recipe made it right. This includes -ip4 and -include options for all IPs and server names I could think of. Meaning that our SMTP provider has a general server name to put in our settings, but their mail server farm puts a range of different IPs in the outgoing messages.


So a couple of days ago I got complaints from a single company, that our emails we not reaching them and their antivirus(!) was indicating that we had SPF errors(!)


SPF=PERM-ERROR: (envelope from: someuser@mydomain.com) the SPF record for mydomain.com is invalid  


Weird, but I tried to do something about it, and removed one -include option from my SPF (indicated by the error message above).


Then hell broke loose again, and started having the same Gmail delivery problems. I put the option back in, and I'm already waiting for 2 days with no signs of improvement.


So my question is ...why Gmail is so sensitive, and is there something really solid I can do then my email communications is disrupted?



ASKER CERTIFIED SOLUTION
Avatar of Kimputer
Kimputer

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Hi!

As @Kimputer has mentioned, SPF is an email validation system that helps prevent email spoofing. It verifies that the sending server is authorized to send emails on behalf of your domain. You need to make sure your SPF record is correctly set up and includes all the necessary information. Otherwise, it will just give FAIL result.
Just to clarify

Your record includes "mailgate.forthnet.gr" which does not have a SPF policy which is creating a null record value in your SPF policy which is causing the SPF validation failures

There are only 2 fixes

1) Remove "mailgate.forthnet.gr" from your domains SPF record
2) If it is in your control, Add a SPF record to "mailgate.forthnet.gr"
Avatar of Kostas Harvatis

ASKER

Thank you all for your feedback.


I will reluctantly remove it and see what happens. Let me say again that for several months now everything was running smoothly with this SPF entry. Problems started as soon as I removed it. Any explanation on this?


(And of course will wait for a couple of days to see if there's any improvement)


One example I encountered was "mailgate.forthnet.gr" was an authorized email server on the domain. Subsequently removing it from the SPF record resulted in legitimate email from other domain emails being treated as unauthorized or unauthenticated by recipient servers.