Unable to send emails to Gmail from my domain
-
I recently started having trouble sending emails to Gmail from our domain.
Error:
"mx.google.com gave this error:
Our system has detected that this message is likely unsolicited mail. To reduce the amount of spam sent to Gmail, this message has been blocked. "
The only thing that changed was that I made an SPF record on GoDaddy for our On-Prem Exchange server. I've used Mxtoolbox to troubleshoot.
*I'm still waiting for Budget approval/acquisition for the DMARC stuff.
Mxtoolbox SPF Lookup:
spf:mail.contoso.com - Green on everything
mx:mail.contoso.com - No DMARC Record Found
mx:mail.contoso.com - DNS Record not found
mx:mail.contoso.com - DMARC Quarantine/Reject policy not enabled
It appears to me, as someone with no prior experience configuring an SPF record, that the issue might be the GoDaddy MX record. I'll disclose both in hopes that someone might be able to point out where I went wrong.
GoDaddy TXT Record:
v=spf1 a:mail.contoso.com ip4: 104.200.130.82 -all
GoDaddy A Record:
mail.contoso.com > 104.200.130.82
GoDaddy MX Record:
@ > mail.contoso.com (should this be mail > mail.contoso.com)?
On-Prem Exchange Server: EXCH01 with IP of 172.16.10.100
On-Prem A Records:
EXCH01 > 172.16.10.100
mail > 172.16.10.100
On-Prem Reverse Lookup Zone PTR Record:
172.16.10.100 > EXCH01.contoso.com
172.16.10.100 > mail.contoso.com
-
Run this. What does it show? Post the results here or you can PM me if you want.
-
DMARC is free. It's just a matter of filling out the details. I did DMARC setup for a customer just this week.
-
@scottalanmiller said in Unable to send emails to Gmail from my domain:
DMARC is free. It's just a matter of filling out the details. I did DMARC setup for a customer just this week.
They were using GoDaddy too! Which no one should be. That should be Cloudflare or some other enterprise DNS host, never GoDaddy. GD DNS is just for testing use when you purchase a domain, it should be moved off before you start using it.
-
@Mr-Jones said in Unable to send emails to Gmail from my domain:
*I'm still waiting for Budget approval/acquisition for the DMARC stuff.
There is nothing you need to buy to implement it.
You should implement SPF, DKIM and DMARC.
The only thing you might want to buy is a service that will watch your DMARC reports and generate notifications if there is a problem.
I think this is very good and good value as well:
https://www.uriports.com/pricing
Use their awesome free service to test your email setup and learn more about DMARC.
https://www.learndmarc.com/
-
@Mr-Jones said in Unable to send emails to Gmail from my domain:
GoDaddy TXT Record:
v=spf1 a:mail.contoso.com ip4: 104.200.130.82 -all
This is invalid. There should be no space between ip4: and the IP address.
Also it's common to do ~all instead of -all when starting out. ~ will cause a soft fail on SPF failure while - will cause a hard fail.
-
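The two points in the post above (the stray space after ip4: and ~all versus -all), as an added example that is not part of the original thread: a small offline SPF syntax check plus a left-to-right evaluation of a sending IP. The HOSTS mapping stands in for DNS and is an assumption based on the A record quoted in the thread; lint a record before evaluating it.

```python
import ipaddress

# Records modelled on the one quoted in the thread; FIXED removes the stray space.
BROKEN = "v=spf1 a:mail.contoso.com ip4: 104.200.130.82 -all"
FIXED = "v=spf1 a:mail.contoso.com ip4:104.200.130.82 ~all"
# Static stand-in for DNS (assumption: the A record shown in the thread).
HOSTS = {"mail.contoso.com": ["104.200.130.82"]}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
KNOWN = {"all", "a", "mx", "ip4", "ip6", "include", "exists", "ptr"}

def parse(term):
    """Split one SPF term into (qualifier, mechanism name, argument)."""
    qual = term[0] if term[0] in RESULTS else "+"
    body = term[1:] if term[0] in RESULTS else term
    name, _, arg = body.partition(":")
    return qual, name.lower(), arg

def lint_spf(record):
    """Return a list of syntax problems; an empty list means the record parses."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems = []
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= are not checked here
            continue
        _, name, arg = parse(term)
        if name.partition("/")[0] not in KNOWN:
            problems.append(f"unknown term {term!r}")
        elif name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"{term!r} has no valid address (stray space?)")
    return problems

def check_sender(record, sender_ip, hosts=HOSTS):
    """Evaluate ip4/ip6/a/all left to right; the first match decides the result."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual, name, arg = parse(term)
        if name == "all":
            return RESULTS[qual]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return RESULTS[qual]
        if name == "a" and sender_ip in hosts.get(arg, []):
            return RESULTS[qual]
    return "neutral"
```

Calling check_sender(FIXED, "203.0.113.7"), where 203.0.113.7 is a constructed address standing in for mail leaving from an unexpected outbound IP, returns softfail; the same record ending in -all returns fail.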
@Pete-S said in Unable to send emails to Gmail from my domain:
@Mr-Jones said in Unable to send emails to Gmail from my domain:
*I'm still waiting for Budget approval/acquisition for the DMARC stuff.
There is nothing you need to buy to implement it.
You should implement SPF, DKIM and DMARC.
The only thing you might want to buy is a service that will watch your DMARC reports and generate notifications if there is a problem.
I think this is very good and good value as well:
https://www.uriports.com/pricing
Use their awesome free service to test your email setup and learn more about DMARC.
https://www.learndmarc.com/
Exactly, it's just part of the configuration of setting up email. It's a setting.
-
@Pete-S said in Unable to send emails to Gmail from my domain:
@Mr-Jones said in Unable to send emails to Gmail from my domain:
GoDaddy TXT Record:
v=spf1 a:mail.contoso.com ip4: 104.200.130.82 -all
This is invalid. There should be no space between ip4: and the IP address.
Also it's common to do ~all instead of -all when starting out. ~ will cause a soft fail on SPF failure while - will cause a hard fail.
We did that this week, too! This thread is like "yesterday's project" line for line, basically.
-
@Mr-Jones said in Unable to send emails to Gmail from my domain:
Error:
"mx.google.com gave this error:
Our system has detected that this message is likely unsolicited mail. To reduce the amount of spam sent to Gmail, this message has been blocked. "
This doesn't say anything about SPF, DKIM or DMARC failure, but the fact that you don't have them is a sign that your message is spam.
Also the fact that you are sending from your own IP is also a sign that it is spam. Mail servers build up IP reputation on servers that send them emails. This is different from the blacklists.
If you haven't checked your IP against blacklists you must do so as well.
-
@Pete-S said in Unable to send emails to Gmail from my domain:
Also the fact that you are sending from your own IP is also a sign that it is spam. Mail servers build up IP reputation on servers that send them emails. This is different from the blacklists.
If you haven't checked your IP against blacklists you must do so as well.
That implies that you are running your own email server which isn't exactly forbidden, but it's a "no no". If you are running your own email server, it's expected that you will proxy through a big sender with clean IPs that have been cleared already.
For all intents and purposes, the modern email frameworks are built around limiting email sending from big senders (Amazon, MS, Google, Zoho) only and all others are suspect and/or blocked outright. Even people running their own email servers typically (without knowing) block or restrict receiving emails from anyone but the giant carriers.
-
@scottalanmiller said in Unable to send emails to Gmail from my domain:
@Pete-S said in Unable to send emails to Gmail from my domain:
@Mr-Jones said in Unable to send emails to Gmail from my domain:
GoDaddy TXT Record:
v=spf1 a:mail.contoso.com ip4: 104.200.130.82 -all
This is invalid. There should be no space between ip4: and the IP address.
Also it's common to do ~all instead of -all when starting out. ~ will cause a soft fail on SPF failure while - will cause a hard fail.
We did that this week, too! This thread is like "yesterday's project" line for line, basically.
Yeah, I've done it a couple of times as well, but not this week.
The only thing I don't have a clue about is how you set up DKIM on on-prem Exchange so all messages are signed.
-
@scottalanmiller said in Unable to send emails to Gmail from my domain:
@Pete-S said in Unable to send emails to Gmail from my domain:
Also the fact that you are sending from your own IP is also a sign that it is spam. Mail servers build up IP reputation on servers that send them emails. This is different from the blacklists.
If you haven't checked your IP against blacklists you must do so as well.
That implies that you are running your own email server which isn't exactly forbidden, but it's a "no no". If you are running your own email server, it's expected that you will proxy through a big sender with clean IPs that have been cleared already.
For all intents and purposes, the modern email frameworks are built around limiting email sending from big senders (Amazon, MS, Google, Zoho) only and all others are suspect and/or blocked outright. Even people running their own email servers typically (without knowing) block or restrict receiving emails from anyone but the giant carriers.
Yeah, I agree. But since we are looking at SPF records with IPs then that is what the OP is doing (sending emails from their own IPs).
But it's better to use an email service to send stuff out and have them worry about IP reputation, blacklist etc.
-
@Pete-S
Good catch. There wasn't actually a space there, I just goofed.
I'll try ~all.
-
@Pete-S
Very first thing I did.
I found one of the issues to be that our Network Firewall was configured with the wrong IP address for outbound traffic of that Exchange Server, so it was picking up the next available (our VPN IP) and using that to pass traffic. The SPF didn't match because of this.
Currently I can send now, but it always goes straight to Spam folder. Likely because we don't have DMARC set up yet.
-
@Mr-Jones said in Unable to send emails to Gmail from my domain:
Currently I can send now, but it always goes straight to Spam folder. Likely because we don't have DMARC set up yet.
Yes, you need all of it to increase your odds. And look at routing your exchange emails through another SMTP gateway as mentioned above.
-
@scottalanmiller said in Unable to send emails to Gmail from my domain:
@Pete-S said in Unable to send emails to Gmail from my domain:
@Mr-Jones said in Unable to send emails to Gmail from my domain:
*I'm still waiting for Budget approval/acquisition for the DMARC stuff.
There is nothing you need to buy to implement it.
You should implement SPF, DKIM and DMARC.
The only thing you might want to buy is a service that will watch your DMARC reports and generate notifications if there is a problem.
I think this is very good and good value as well:
https://www.uriports.com/pricing
Use their awesome free service to test your email setup and learn more about DMARC.
https://www.learndmarc.com/
Exactly, it's just part of the configuration of setting up email. It's a setting.
Expand on this, please. It's my understanding there is no out-of-the-box support for DMARC or DKIM for On-Prem Exchange Servers.
-
@scottalanmiller said in Unable to send emails to Gmail from my domain:
@Pete-S said in Unable to send emails to Gmail from my domain:
Also the fact that you are sending from your own IP is also a sign that it is spam. Mail servers build up IP reputation on servers that send them emails. This is different from the blacklists.
If you haven't checked your IP against blacklists you must do so as well.
That implies that you are running your own email server which isn't exactly forbidden, but it's a "no no". If you are running your own email server, it's expected that you will proxy through a big sender with clean IPs that have been cleared already.
For all intents and purposes, the modern email frameworks are built around limiting email sending from big senders (Amazon, MS, Google, Zoho) only and all others are suspect and/or blocked outright. Even people running their own email servers typically (without knowing) block or restrict receiving emails from anyone but the giant carriers.
Seems like a good time to try convincing the boss we should move our emails to O365. I know he'll say no, but this is ammo for sure.
-
@Pete-S said in Unable to send emails to Gmail from my domain:
@Mr-Jones said in Unable to send emails to Gmail from my domain:
*I'm still waiting for Budget approval/acquisition for the DMARC stuff.
There is nothing you need to buy to implement it.
You should implement SPF, DKIM and DMARC.
The only thing you might want to buy is a service that will watch your DMARC reports and generate notifications if there is a problem.
I think this is very good and good value as well:
https://www.uriports.com/pricing
Use their awesome free service to test your email setup and learn more about DMARC.
https://www.learndmarc.com/
Really cool links there! Thank you!
-
@Mr-Jones said in Unable to send emails to Gmail from my domain:
@scottalanmiller said in Unable to send emails to Gmail from my domain:
@Pete-S said in Unable to send emails to Gmail from my domain:
Also the fact that you are sending from your own IP is also a sign that it is spam. Mail servers build up IP reputation on servers that send them emails. This is different from the blacklists.
If you haven't checked your IP against blacklists you must do so as well.
That implies that you are running your own email server which isn't exactly forbidden, but it's a "no no". If you are running your own email server, it's expected that you will proxy through a big sender with clean IPs that have been cleared already.
For all intents and purposes, the modern email frameworks are built around limiting email sending from big senders (Amazon, MS, Google, Zoho) only and all others are suspect and/or blocked outright. Even people running their own email servers typically (without knowing) block or restrict receiving emails from anyone but the giant carriers.
Seems like a good time to try convincing the boss we should move our emails to O365. I know he'll say no, but this is ammo for sure.
Maybe, maybe not. DMARC updates are the same local or MS365 so not a big "time to switch" moment. But, maybe overall delivery will matter.