When using DuoCircle Email Gateway Server or MX Backup in front of Google G Suite, you may encounter failed deliveries to your destination server with a 550 5.7.1 NDR code and a message similar to this:
Unauthenticated email from domain.com is not accepted due to domain's DMARC policy. Please contact the administrator of domain.com domain if this was a legitimate mail. Please visit https://support.google.com/mail/answer/2451690 to learn about the DMARC initiative. f67-v6si16760856plb.460 - gsmtp
This happens when the sending domain has a DMARC record that specifies the "reject" policy (p=reject) for unaligned mail. Google's DMARC enforcement only considers the IP address connecting directly to it for delivery (us), and since we're not listed in the SPF record of the sending domain, Google will reject the mail.
The solution is to configure G Suite to treat us as an inbound gateway, which signals to G Suite that our IPs are a trusted relay and relaxes its DMARC enforcement for mail arriving from them. Since we enforce DMARC on the mail we receive, this poses no additional risk of unauthenticated mail reaching your users. Google's instructions on how to configure us as an Inbound Gateway can be found here:
https://support.google.com/a/answer/60730?hl=en
- NOTE: this feature requires that your domain be subscribed to G Suite Basic or higher, so it is not available to customers using the legacy free edition of Google Apps.
- Skip the first step, "Set up MX records and configure gateway server". If your domain is not already configured to relay mail to us please follow the instructions provided in your client area to do so.
- Under the Gateway IPs section enter our IP addresses: https://support.duocircle.com/support/solutions/articles/5000524218-ip-addresses-for-firewalls
Once completed, future emails with a strict DMARC policy should get properly delivered to your users.
Text Log example of this type of failure:
Delivering message to [alt3.aspmx.l.google.com]:25
Connecting to [74.125.23.26]:25
Connection is now using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128 bits)
SMTP error: 550 (5.7.1 Unauthenticated email from twilio.com is not accepted due to domain's
SMTP error: 550 (5.7.1 DMARC policy. Please contact the administrator of domain.com domain
SMTP error: 550 (5.7.1 if this was a legitimate mail. Please visit
SMTP error: 550 (5.7.1 https://support.google.com/mail/answer/2451690 to learn about the
SMTP error: 550 (5.7.1 DMARC initiative. s2-v6si1703771plr.393 - gsmtp
Delivery failed to <user@domain2.com> (retry 0, in 00:00:04.673): SMTP error: 550 5.7.1 Unauthenticated email from domain.com is not accepted due to domain's DMARC policy. Please contact the administrator of domain.com domain if this was a legitimate mail. Please visit https://support.google.com/mail/answer/2451690 to learn about the DMARC initiative. s2-v6si1703771plr.393 - gsmtp
SMTP error is permanent: no more tries
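To see which sending domains are affected, the delivery log can be scanned for this rejection. The script below is an added example, not DuoCircle's own tooling; it assumes each log entry sits on its own line in the format of the sample above, and the log it runs on is constructed with placeholder `.example` names.

```python
import re
from collections import Counter

# Final per-recipient summary line, in the format of the log sample above (assumed).
FAILED = re.compile(
    r"Delivery failed to <(?P<rcpt>[^>]+)> \(retry (?P<retry>\d+)[^)]*\): "
    r"SMTP error: (?P<code>\d{3}) (?P<enh>\d\.\d+\.\d+) (?P<text>.*)"
)
# Google's wording for a DMARC rejection; captures the domain that failed.
DMARC = re.compile(
    r"Unauthenticated email from (?P<domain>\S+) is not accepted "
    r"due to domain's DMARC policy"
)

def find_dmarc_rejections(log_text):
    """Return one dict per delivery rejected by Google for DMARC (550 5.7.1)."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m or (m["code"], m["enh"]) != ("550", "5.7.1"):
            continue  # continuation lines and other failure codes are skipped
        d = DMARC.search(m["text"])
        # "gsmtp" marks a Google MX; other receivers word this differently.
        if d and m["text"].rstrip().endswith("gsmtp"):
            hits.append({"recipient": m["rcpt"],
                         "sender_domain": d["domain"].lower(),
                         "retry": int(m["retry"])})
    return hits

def affected_senders(log_text):
    """Count rejections per sending domain, most affected first."""
    return Counter(h["sender_domain"] for h in find_dmarc_rejections(log_text)).most_common()

# Constructed sample log (example.* names are placeholders, not real traffic).
SAMPLE_LOG = """\
Delivering message to [alt3.aspmx.l.google.com]:25
SMTP error: 550 (5.7.1 Unauthenticated email from sender.example is not accepted due to domain's
SMTP error: 550 (5.7.1 DMARC policy. Please contact the administrator of sender.example domain
Delivery failed to <user@rcpt.example> (retry 0, in 00:00:04.673): SMTP error: 550 5.7.1 Unauthenticated email from sender.example is not accepted due to domain's DMARC policy. Please contact the administrator of sender.example domain if this was a legitimate mail. abc123.1 - gsmtp
SMTP error is permanent: no more tries
Delivery failed to <other@rcpt.example> (retry 0, in 00:00:01.200): SMTP error: 550 5.1.1 The email account that you tried to reach does not exist. abc124.2 - gsmtp
Delivery failed to <third@rcpt.example> (retry 1, in 00:00:02.000): SMTP error: 550 5.7.1 Unauthenticated email from Bank.example is not accepted due to domain's DMARC policy. abc125.3 - gsmtp
"""

if __name__ == "__main__":
    for domain, count in affected_senders(SAMPLE_LOG):
        print(f"{domain}: {count} rejected")
```

Running the same scan on logs written after the Inbound Gateway change is a quick way to confirm the rejections have stopped.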