Problems sending to Gmail

Doug Maxfield
Level 1

Good Afternoon,

We are currently using Cloud ESA.  We were made aware of an issue with users attempting to send emails to Gmail.com that are being queued by the following message:

 

(DCID 4525300) Message 5384539 to ***************@gmail.com delayed. Reason: 4.3.2 - Not accepting messages at this time ('421', ['4.7.0 This message does not have authentication information or fails to pass', '4.7.0 authentication checks. To best protect our users from spam, the', '4.7.0 message has been blocked. Please visit', '4.7.0  https://support.google.com/mail/answer/81126#authentication for more', '4.7.0 information. b23-v6si6305592pls.341 - gsmtp']) []

In reviewing our logs, we noticed that this issue has been happening since 6/8/18.  When it 1st started, we were seeing delays of about 3 - 4 hours.  Now, we are upward of almost 24 hrs.  We have opened a TAC on this issue but wanted to see if anyone else is experiencing this problem.

 

We are not running any SPF, DKIM or DMARC on the Cloud ESA.

 

Thanks in advance for any help/information.

 

Doug


dmccabej
Cisco Employee

Hello,

 

The URL provided in the soft bounce provides a pretty good description of the possible causes and solutions. More than likely, and the most common cause, you need to edit your public SPF record to include the CES IPs. Has that already been done?

 

Thanks!

-Dennis M.

Dennis,

We are not using SPF, DKIM or DMARC currently, but on our "radar".  Sounds like we may need to advance this a little quicker.

 

Since we are using Cloud ESA, we are thinking of adding the following SPF record:

v=spf1 -exists:%{i}.spf.hc1830.iphmx.com -all

 

Got the above from Cisco Cloud/Hybrid Email Security Overview, Published July 28, 2017, Revised January 25, 2018.

 

Will this work?

 

Thanks!!!

Doug

-Removing the dash

v=spf1 exists:%{i}.spf.hc1830.iphmx.com ~all

 

Yes, that would indeed be the correct record assuming all your external email is only being delivered through the CES devices. If you're also sending email using other sources (i.e., O365 / SMTP application / etc.), you'll also need to include the information for those as well within the record.

 

This should provide Gmail with the ability to authenticate the CES ESA/s against your SPF record, which should hopefully clear up the soft bounces for you.

 

Thanks!

-Dennis M.
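
Added example (not part of the original thread and not Cisco's code): a minimal SPF evaluator covering only the `exists` and `all` mechanisms, run against the two records quoted above to show what the leading dash changes. DNS is replaced by a constructed set of names, and 192.0.2.10 / 198.51.100.7 are documentation addresses standing in for a CES outbound IP and an unrelated sender.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS: names that would return an A record.
# 192.0.2.10 plays the role of a CES outbound IP (assumption, documentation address).
FAKE_DNS_A = {"192.0.2.10.spf.hc1830.iphmx.com"}


def expand_macros(domain_spec, client_ip):
    """Expand only the %{i} macro: dotted quad for IPv4, dotted nibbles for IPv6."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        i_value = str(ip)
    else:
        i_value = ".".join(ip.exploded.replace(":", ""))
    return domain_spec.replace("%{i}", i_value)


def check_spf(record, client_ip, dns_a=FAKE_DNS_A):
    """Return the SPF result for client_ip; the first matching term decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            matched = True
        elif name.lower() == "exists":
            matched = expand_macros(arg, client_ip).lower() in dns_a
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched


DASHED = "v=spf1 -exists:%{i}.spf.hc1830.iphmx.com -all"
FIXED = "v=spf1 exists:%{i}.spf.hc1830.iphmx.com ~all"

if __name__ == "__main__":
    for label, rec in (("dashed", DASHED), ("fixed", FIXED)):
        for ip in ("192.0.2.10", "198.51.100.7"):
            print(label, ip, check_spf(rec, ip))
```

With the dashed record both addresses evaluate to fail, because a match on `-exists` is itself a fail and everything else hits `-all`; with the dash removed the listed address passes and the other one softfails.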

Thanks Dennis!!!!  

 

You might want to have someone revise the document that I quoted, if it is still valid.  It includes the dash.

 

Doug

You're very welcome! ...and I'll definitely take a look at that article, so thank you for bringing it up. :) 

 

Once you add in the SPF record you'll want to give it a few hours for the DNS propagation, but if you run into any snags after the fact just let us know.

 

Thanks!

-Dennis M.