Email blocked due to DMARC Policy

Hi,
I have a client who is getting 550 5.7.26 on all a lot of his emails.
I have set up the SPF, DKIM and DMARC records, but have run out of knowledge.

The domain is blackbirdagency.co.uk
Thank you

Welcome to the Cloudflare Community.

That ESMTP response is not going to be enough to determine the issue.

  • Does that recipient send DMARC reports?
  • Have you reviewed the reason that DMARC failed?
  • Are you DKIM signing the messages?
  • Are the messages being sent from Google Workspace, Brevo, or somewhere else?

Unrelated to your question, you have an “a” mechanism in your SPF that resolves to Cloudflare proxy IPs. Those will never send emails on behalf of your domain. You can remove that “a” and reduce by one the number of DNS lookups required to evaluate your SPF.

2 Likes

Hi @epic.network ,
Thank you for the reply.

The emails are being sent from the Gmail web interface,

  • Does that recipient send DMARC reports? Yes
  • Have you reviewed the reason that DMARC failed? Yes - 550 5.7.26 Unauthenticated email from blackbrdagency.co.uk is not accepted due to the domains DMARC policy. Please contact the administrator if this was legitimate. I am the administrator.
  • Are you DKIM signing the messages? I believe so, as Gmail turns this on automatically.
  • Are the messages being sent from Google Workspace, Brevo, or somewhere else? From the Gmail web interface, so Google Workspace.

Was that error copy/pasted? Because there is a typo in the sender address that would explain the problem.

2 Likes

The NDR that you shared in response to the second bullet point is not the DMARC report data that I was asking about. You would need to find that in your DMARC reporting service, which appears to be Cloudflare. It will tell you why your message failed DMARC.

If you haven’t taken steps to publish your Google Workspace DKIM public keys, recipients will not be able to validate signatures. If the parts of the message used to create the signatures are altered after signing, validation will fail. It may be that your recipient doesn’t like your DMARC policy of none.

The best course of action is to work with the intended recipient to identify why their MTA doesn’t want your message. Unless you need to update a related DNS record, there won’t be anything to do with Cloudflare.

2 Likes

Thank you, I tried DMARC with Reject and got the same response.
I will check with the client's DKIM keys in Google Workspace.

1 Like

This is sending from the client's Google Workspace to my Google Workspace.

You may need to ask Google about it.

2 Likes

I have uploaded an image, but it needs approval

This is sending from Google Workspace to Google Workspace

Looking at both “client” and “his emails” here:

The blackbirdagency.co.uk domain name, …

  1. … Is it (also) your domain name?

  2. … Is it the domain name of a third party, that is trying to send email to you?

Your image seems to indicate #2 would be the answer?

One thing you must understand, is that DKIM signing alone isn’t necessarily the same as DKIM signing with alignment, to your own domain name, as DMARC requires.

Google Workspace does some default DKIM signing using a sub-domain under the “.gappssmtp.com” domain name, whereas Microsoft Office 365 does something similar under the “.onmicrosoft.com” domain name.

There can technically be a dozen different DKIM signatures on your email.

However, if the DKIM signing has been made on a different domain name than the one in the “From:” header, it will not be enough to satisfy a DMARC “reject” policy, as there is no alignment to the alleged sender domain that appears in the “From:” header.

→

An email address has been sent to you privately.

If you wish, you can try sending an email, from that blackbirdagency.co.uk domain name, in the same way as when it provides you the above error, and I’ll respond to this thread with what I see, at the first possible moment after having received it.

1 Like
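
The alignment point made in the post above, as an added example that is not part of the original thread: it reads the d= tag of each DKIM-Signature header and reports which signing domains align with the “From:” domain under DMARC's relaxed or strict mode, without verifying the signatures themselves. The sample message, the `constructed-tenant` signing domain, the selector and the three-entry stand-in for the Public Suffix List are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: three-entry stand-in for the Public Suffix List (use the full list in practice).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def dkim_domains(msg):
    """Collect the d= tag from every DKIM-Signature header on the message."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        parts = (part.partition("=") for part in value.split(";"))
        tags = {k.strip(): v.strip() for k, _, v in parts}
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def aligned_dkim_domains(raw_message, strict=False):
    """Return the signing domains that align with the From: header domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if strict:  # adkim=s: exact match required
        return [d for d in dkim_domains(msg) if d == from_domain]
    # adkim=r (default): organizational domains must match
    return [d for d in dkim_domains(msg) if org_domain(d) == org_domain(from_domain)]

# Constructed sample: From: uses the thread's domain, signature uses a provider default domain.
DEFAULT_SIGNED = """\
From: Sender <sender@blackbirdagency.co.uk>
To: rcpt@example.org
Subject: constructed sample
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=constructed-tenant.gappssmtp.com; s=sel1; h=from:to:subject;
 bh=AAAA; b=BBBB

body
"""
# Same message, but signed with a domain that matches the From: header.
CUSTOM_SIGNED = DEFAULT_SIGNED.replace("constructed-tenant.gappssmtp.com", "blackbirdagency.co.uk")

if __name__ == "__main__":
    for name, raw in (("default", DEFAULT_SIGNED), ("custom", CUSTOM_SIGNED)):
        print(name, "aligned d= domains:", aligned_dkim_domains(raw) or "none")
```

An empty result means no DKIM signature on the message can satisfy DMARC, so the message would then depend on SPF alignment to pass.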