Remote host said: 550 5.7.1 to Gmail account

Question asked by CCWH - 2/21/2015 at 12:36 PM

Answered

Hello all,

I have an interesting one here....

Sending an email to a domain that seems to use Gmail spam protection is being blocked on a 550 5.7.1

However, checking all RBL lists, making sure that SPF / DKIM all is aligned and everything looks OK. I have confirmed all passes using UnlockTheInbox, 'http://dkimvalidator.com' and allaboutspam.com.

I sent a test plain text email to the recipient and that still bounced:

Could not deliver message to the following recipient(s):

Failed Recipient: support@wightbay.com

Reason: Remote host said: 550 5.7.1 [91.232.124.210 12] Our system has detected that this message is

5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,

5.7.1 this message has been blocked. Please visit

5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for

5.7.1 more information. f7si9048319wix.75 - gsmtp

IP Address stated is our main mail server outgoing IP.

Has anyone seen any changes as this was working fine!

6 Replies

Reply to Thread

Bruce Barnes Replied

2/21/2015 at 3:29 PM

Click on the provided link and follow the instructions.

Google, along with many other large ISPs have severely tightened up their requirements for sending more than 100 messages per day and they do limit when they believe an ISP is not in compliance.

You should check out the FEEDBACK LOOPS requirements, listed at https://www.unlocktheinbox.com/resources/feedbackloops/.

You will need to setup DOMAINKEYS, DKIM, and DMARC to become eligible to create the feedback loops and each of the feedback loops, for each domain requiring them, must be setup for every domain you host.

These links will probably be helpful, too:

https://support.google.com/mail/answer/81126?hl=en

https://support.google.com/mail/answer/175365?hl=en

This information is also covered in my antispam settings document, which can be found at:

https://www.chicagonettech.com/docs/pdf/Antispam%20Settings%20-%20SmarterMail.pdf

Note that this document is pertinent to SmarterMail 13.X, and is not a final document, so some of the graphics may contain errors. The document will be updated within the next few weeks to reflect minor issues.

Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

CCWH Replied

2/22/2015 at 4:23 AM

Thanks for the reply Bruce.

The only thing we can find is that the dmarc@ email addresses specified within the _dmarc record.

So, the Dmarc record for domain1.com is:

v=DMARC1; p=reject; sp=reject; rua=mailto:abuse@domain2.com; ruf=mailto:abuse@domain2.com; rf=afrf; pct=100; ri=86400

The result using UnlockTheInbox shows this:

- Failed - The 'rua' tag value is not allowed to receive the report

RUA Test - failed, because domain.net is missing the DMARC tag in DNS to allow it to accept DMARC emails from subdomain.net this was added in draft 2 of DMARC to prevent spamming through rua and ruf fields. The DNSTXT Record that is needed would be under subdomain.net._reports._dmarc.domain.net and contain at least a V=DMARC1 value in order for this test to pass.

I don't understand the notes above. Any clarification for this? I don't really want to create a abuse@ mail forwarder for every clients domain and this that would be tiresome especially on top of having to create DomainKeys etc.

Any advice would be appreciated.

Bruce Barnes Replied

2/22/2015 at 8:09 AM

You have to create DMARC DNS records.

Again, this is discussed in both my antispam document and at www.UnlocktheInbox.com under DMARC.

CCWH Replied

2/22/2015 at 8:38 AM

Bruce,

We do have DMARC DNS records created. We used both your helpful guide along with UnlockTheInbox. However, the issue we have is not that we do not have DMARC records on the domains but that the DMARC records are failing as the email address stated within them are external domains to the DMARC specified domain. domain1.com has correct syntax on the DMARC record however the email address is not email@domain1.com but is email@domain2.com.

We have looked and cannot find much information about using a different domain for the email address.

Using an external domain is mentioned in the following links but we cannot work out what we really need to do:

http://tools.ietf.org/html/draft-kucherawy-dmarc-base-01#section-7.1

http://www.gettingemaildelivered.com/how-to-set-up-dmarc-email-authentication

https://dmarcian.com/dmarc-inspector/facebookmail.com

All state that an external domain email address can be used within a DMARC record...but doesn't seem to say how.

Joe Wolf Replied

2/22/2015 at 3:16 PM

Marked As Answer

I think I see your problem. Your DMARC record:

v=DMARC1; p=reject; sp=reject; rua=mailto:abuse@domain2.com; ruf=mailto:abuse@domain2.com; rf=afrf; pct=100; ri=86400

Both your "rua" and "ruf" email addresses fall outside the domain from which the message was sent.

To resolve this "domain2.com" must have an additional DNS TXT record:

*._report._dmarc.domain2.com with the value of that record: "v=DMARC1"

Once you add that record to domain2.com your records will be valid.

-Joe

Thanks, -Joe

CCWH Replied

2/25/2015 at 11:07 AM

Thanks Joe. I will give that a go and confirm. Much appreciated.

Back to Community Threads

Please leave this box unchecked

6 Replies

Reply to Thread

Tags

Related Knowledge Base Articles