cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11307
Views
5
Helpful
5
Replies

Problems sending to Gmail

Doug Maxfield
Level 1
Level 1

Good Afternoon,

We are currently using Cloud ESA.  We were made aware of an issue with users attempting to send emails to Gmail.com that are being queued by the following message:

 

(DCID 4525300) Message 5384539 to ***************@gmail.com delayed. Reason: 4.3.2 - Not accepting messages at this time ('421', ['4.7.0 This message does not have authentication information or fails to pass', '4.7.0 authentication checks. To best protect our users from spam, the', '4.7.0 message has been blocked. Please visit', '4.7.0  https://support.google.com/mail/answer/81126#authentication for more', '4.7.0 information. b23-v6si6305592pls.341 - gsmtp']) []

In reviewing our logs, we noticed that this issue has been happening since 6/8/18.  When it 1st started, we were seeing delays of about 3 - 4 hours.  Now, we are upward of almost 24 hrs.  We have opened a TAC on this issue but wanted to see if anyone else is experiencing this problem.

 

We are not running any SPF, DKIM or DMARC on the Cloud ESA.

 

Thanks in advance for any help/information.

 

Doug

1 Accepted Solution

Accepted Solutions

-Removing the dash

v=spf1 exists:%{i}.spf.hc1830.iphmx.com ~all

 

Yes, that would indeed be the correct record assuming all your external email is only being delivered through the CES devices. If you're also sending email using other sources (ie: O365 / SMTP application / ETC), you'll also need to include the information for those as well within the record.

 

This should provide Gmail with the ability to authenticate the CES ESA/s against your SPF record, which should hopefully clear up the soft bounces for you.

 

Thanks!

-Dennis M.

View solution in original post

5 Replies 5

dmccabej
Cisco Employee
Cisco Employee

Hello,

 

The URL provided in the soft bounce provides a pretty good description of the possible causes and solutions. More than likely, and the most common cause, you need to edit your public SPF record to include the CES IP's. Has that already been done?

 

Thanks!

-Dennis M.

Dennis,

We are not using SPF, DKIM or DMARC currently, but on our "radar".  Sounds like we may need to advance this a little quicker.

 

Since we are using Cloud ESA, we are thinking of adding the following SPF record:

v=spf1 -exists:%{i}.spf.hc1830.iphmx.com -all

 

Got the above from Cisco Cloud/Hybrid Email Security Overview, Published July 28, 2017, Revised January 25, 2018.

 

Will this work?

 

Thanks!!!

Doug

-Removing the dash

v=spf1 exists:%{i}.spf.hc1830.iphmx.com ~all

 

Yes, that would indeed be the correct record assuming all your external email is only being delivered through the CES devices. If you're also sending email using other sources (ie: O365 / SMTP application / ETC), you'll also need to include the information for those as well within the record.

 

This should provide Gmail with the ability to authenticate the CES ESA/s against your SPF record, which should hopefully clear up the soft bounces for you.

 

Thanks!

-Dennis M.

Thanks Dennis!!!!  

 

You might want to have someone revise the document that I quoted, if it is still valid.  It includes the dash.

 

Doug

You're very welcome! ...and I'll definitely take a look at that article, so thank you for bringing it up. :) 

 

Once you add in the SPF record you'll want to give it a few hours for the DNS propagation, but if you run into any snags after the fact just let us know.

 

Thanks!

-Dennis M.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: