Gmail accounts have begun rejecting Emails without DMARC
The Problem
Gmail accounts have begun rejecting emails from hosts that do not have a DMARC authentication mechanism. This may be just the beginning, as other mail servers may follow suit. DMARC (Domain-based Message Authentication, Reporting & Conformance) shows that the mail server is allowed to send emails on behalf of the domain. It relies on two types of mechanisms, SPF and DKIM. On IONOS shared accounts only SPF is supported, which is sufficient.
In this post we will walk through how to fix this on the IONOS hosting site, but the general idea can be used at any hosting provider.
What does a rejected email look like?
Below is a sample email you can expect to receive from Google explaining why your email was rejected. In this case we don't have DMARC set up with an SPF or DKIM record on our domain.
FROM: Mail Delivery System mailer-daemon@perfora.net
BODY:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of
its recipients. This is a permanent error.
The following address failed:
example@gmail.com:
SMTP error from remote server for TEXT command, host: gmail-smtp-in.l.google.com (142.250.112.27) reason: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both
550-5.7.26 do not pass). SPF check for [wassam.com] does not pass with
550-5.7.26 ip: [74.208.4.194].To best protect our users from spam, the message
550-5.7.26 has been blocked. Please visit
550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more
550 5.7.26 information. m2-20020a056870194200b001726951d683si12281173oak.313 - gsmtp
How to fix it on IONOS
1. Log in and go to https://my.ionos.com/domains
2. Select the domain you are sending emails under
3. Select DNS
4. Select Add Record and choose IONOS SPF (TXT)
5. Select Save
This will use the default server.
6. For good measure, you can change this and add the other IONOS mail servers:
v=spf1 include:_spf.perfora.net include:_spf-us.ionos.com include:_spf.kundenserver.de ~all
If you are adding a custom mail server and not IONOS, replace the include: <mailer domain> value with the mail server you allow to send messages.
7. Now add a DMARC record by selecting TXT
8. Set the values as follows:
host: @
value: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-reports@yourdomain.com; fo=1:s;
Change the email address to the account that should receive the reports.
Here is some information on what these settings mean:
v= DMARC version
p= policy to use
rua= Where to send the DMARC aggregate reports
ruf= Where to send the DMARC failure reports
For more details on how DMARC works and other parameters available, visit the following site.
What does a DMARC Report Email Look Like?
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>17590210846965541147</report_id>
    <date_range>
      <begin>1679961600</begin>
      <end>1680047999</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>wassam.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>quarantine</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>74.208.4.197</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>wassam.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>wassam.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>74.208.4.196</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>wassam.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>wassam.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
What does the report tell us?
- Source IP is the IONOS mail server
- DKIM test fails
- SPF test passes
- Google even provides helpful information on how to address the issue
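The DKIM failure is not an issue. DMARC passes when either SPF or DKIM passes and aligns with the From domain, so the SPF pass is enough. With IONOS you can only install a DKIM private key on a server-hosted account. SPF is available on shared IONOS servers and is sufficient to prevent email blocking.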
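Reading these reports by hand gets tedious once several arrive per day. The following Python sketch is an added example, not part of the original walkthrough: it extracts each record's source IP, message count and evaluated SPF/DKIM results, and lists the senders that passed neither check. The function names are hypothetical, and the sample input is constructed: its first two records mirror the report above, while the third is invented to show a failing sender.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The first two records mirror the report on this page;
# the third (192.0.2.10, a documentation-range address) is invented to show
# a sender that fails both checks.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <record><row><source_ip>74.208.4.197</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>74.208.4.196</source_ip><count>2</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def summarize(report_xml):
    """Return one dict per <record>: ip, count, spf, dkim, disposition, dmarc_pass."""
    # Reports come from third parties by email; for real input parse with a
    # hardened parser such as defusedxml instead of the stdlib one used here.
    root = ET.fromstring(report_xml)
    rows = []
    for row in root.iterfind("./record/row"):
        spf = row.findtext("policy_evaluated/spf", default="missing")
        dkim = row.findtext("policy_evaluated/dkim", default="missing")
        rows.append({
            "ip": row.findtext("source_ip", default="unknown"),
            "count": int(row.findtext("count", default="0")),
            "spf": spf,
            "dkim": dkim,
            "disposition": row.findtext("policy_evaluated/disposition", default="missing"),
            # DMARC passes when either evaluated check passes.
            "dmarc_pass": "pass" in (spf, dkim),
        })
    return rows

def failing_sources(rows):
    """Message counts per source IP where neither SPF nor DKIM passed."""
    totals = {}
    for r in rows:
        if not r["dmarc_pass"]:
            totals[r["ip"]] = totals.get(r["ip"], 0) + r["count"]
    return totals

if __name__ == "__main__":
    print("investigate:", failing_sources(summarize(SAMPLE_REPORT)))
```

An IP that shows up in `failing_sources` is either a legitimate sender missing from your SPF record or someone else sending as your domain, so each one is worth checking.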
Conclusion
Although IONOS shared server accounts do not support DKIM, these instructions walk you through adding an SPF record. A similar solution can be used at other hosting providers outside of IONOS.