2
Remote host said: 550 5.7.1 to Gmail account
Question asked by CCWH - February 21, 2015 at 12:36 PM
Answered
Hello all,
 
I have an interesting one here....
 
Sending an email to a domain that seems to use Gmail spam protection is being blocked on a 550 5.7.1
 
However, checking all RBL lists, making sure that SPF / DKIM all is aligned and everything looks OK.  I have confirmed all passes using UnlockTheInbox, 'http://dkimvalidator.com' and allaboutspam.com.
 
I sent a test plain text email to the recipient and that still bounced:
 
Could not deliver message to the following recipient(s):
 
Failed Recipient: support@wightbay.com
Reason: Remote host said: 550 5.7.1 [91.232.124.210      12] Our system has detected that this message is
5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,
5.7.1 this message has been blocked. Please visit
5.7.1 more information. f7si9048319wix.75 - gsmtp
 
IP Address stated is our main mail server outgoing IP.
 
Has anyone seen any changes as this was working fine!

5 Replies

Reply to Thread
1
Bruce Barnes Replied
February 21, 2015 at 3:29 PM
Click on the provided link and follow the instructions.
 
Google, along with many other large ISPs have severely tightened up their requirements for sending more than 100 messages per day and they do limit when they believe an ISP is not in compliance.
 
You should check out the FEEDBACK LOOPS requirements, listed at https://www.unlocktheinbox.com/resources/feedbackloops/.
 
You will need to setup DOMAINKEYS, DKIM, and DMARC to become eligible to create the feedback loops and each of the feedback loops, for each domain requiring them, must be setup for every domain you host.
 
These links will probably be helpful, too:
 
 
This information is also covered in my antispam settings document, which can be found at:
 

https://www.chicagonettech.com/docs/pdf/Antispam%20Settings%20-%20SmarterMail.pdf

 

Note that this document is pertinent to SmarterMail 13.X, and is not a final document, so some of the graphics may contain errors.  The document will be updated within the next few weeks to reflect minor issues.

 
 
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
CCWH Replied
February 22, 2015 at 4:23 AM
Thanks for the reply Bruce.
 
The only thing we can find is that the dmarc@ email addresses specified within the _dmarc record.
 
So, the Dmarc record for domain1.com is:
 
v=DMARC1; p=reject; sp=reject; rua=mailto:abuse@domain2.com; ruf=mailto:abuse@domain2.com; rf=afrf; pct=100; ri=86400
 
The result using UnlockTheInbox shows this:
 
 - Failed - The 'rua' tag value is not allowed to receive the report
  • RUA Test - failed, because domain.net is missing the DMARC tag in DNS to allow it to accept DMARC emails from subdomain.net this was added in draft 2 of DMARC to prevent spamming through rua and ruf fields. The DNSTXT Record that is needed would be under subdomain.net._reports._dmarc.domain.net and contain at least a V=DMARC1 value in order for this test to pass.
 
I don't understand the notes above.  Any clarification for this?  I don't really want to create a abuse@ mail forwarder for every clients domain and this that would be tiresome especially on top of having to create DomainKeys etc.
 
Any advice would be appreciated.
0
Bruce Barnes Replied
February 22, 2015 at 8:09 AM
You have to create DMARC DNS records.
 
Again, this is discussed in both my antispam document and at www.UnlocktheInbox.com under DMARC.
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
CCWH Replied
February 22, 2015 at 8:38 AM
Bruce,
 
We do have DMARC DNS records created.  We used both your helpful guide along with UnlockTheInbox.  However, the issue we have is not that we do not have DMARC records on the domains but that the DMARC records are failing as the email address stated within them are external domains to the DMARC specified domain.  domain1.com has correct syntax on the DMARC record however the email address is not email@domain1.com but is email@domain2.com.
 
We have looked and cannot find much information about using a different domain for the email address.
 
Using an external domain is mentioned in the following links but we cannot work out what we really need to do:
 
 
All state that an external domain email address can be used within a DMARC record...but doesn't seem to say how.
1
Joe Wolf Replied
February 22, 2015 at 3:16 PM
I think I see your problem.  Your DMARC record:
v=DMARC1; p=reject; sp=reject; rua=mailto:abuse@domain2.com; ruf=mailto:abuse@domain2.com; rf=afrf; pct=100; ri=86400
 
Both your "rua" and "ruf" email addresses fall outside the domain from which the message was sent.
 
To resolve this "domain2.com" must have an additional DNS TXT record:
*._report._dmarc.domain2.com   with the value of that record: "v=DMARC1"
 
Once you add that record to domain2.com your records will be valid.
 
-Joe
 
Thanks,
-Joe

Reply to Thread