The integration of Phishing Protection into Google Workspace requires the configuration of Google Workspace to allow third party filtering. If this step is not completed you will receive a DMARC error.
Unauthenticated email from domain.com is not accepted due to domain's DMARC policy. Please contact the administrator of domain.com domain if this was a legitimate mail. Please visit https://support.google.com/mail/answer/2451690 to learn about the DMARC initiative. f67-v6si16760856plb.460 - gsmtp
This happens when the sending domain has a DMARC record which specifies the "reject" policy (p=reject) for unaligned mail. Google's DMARC enforcement only considers the IP address connecting directly to it for delivery (us) and since we're not listed in the SPF record of the sending domain Google will reject the mail.
The solution is to configure your google account to allow us to be an inbound gateway, which signals to Google that our IPs are a trusted relay and relaxes their DMARC enforcement. Since we enforce DMARC on the mail we receive this poses no additional risk of unauthenticated mail reaching your users. Google's instructions on how to configure us as an Inbound Gateway can be found here:
https://support.google.com/a/answer/60730?hl=en
- NOTE: this feature requires your domain be subscribed to Google Workspace Basic or higher and so is not available to customers using the legacy free edition of Google Apps.
- Skip the first step, "Set up MX records and configure gateway server". If your domain is not already configured to relay mail to us please follow the instructions provided in your client area to do so.
- Under the Gateway IPs section enter our IP addresses: https://support.duocircle.com/support/solutions/articles/5000524218-ip-addresses-for-firewalls
Once completed, future emails with a strict DMARC policy should get properly delivered to your users.
This is an example in our real time Log is an example of this type of failure:
Delivering message to [alt3.aspmx.l.google.com]:25 Connecting to [74.125.23.26]:25 Connection is now using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128 bits) SMTP error: 550 (5.7.1 Unauthenticated email from twilio.com is not accepted due to domain's SMTP error: 550 (5.7.1 DMARC policy. Please contact the administrator of domain.com domain SMTP error: 550 (5.7.1 if this was a legitimate mail. Please visit SMTP error: 550 (5.7.1 https://support.google.com/mail/answer/2451690 to learn about the SMTP error: 550 (5.7.1 DMARC initiative. s2-v6si1703771plr.393 - gsmtp Delivery failed to <user@domain2.com> (retry 0, in 00:00:04.673): SMTP error: 550 5.7.1 Unauthenticated email from domain.com is not accepted due to domain's DMARC policy. Please contact the administrator of domain.com domain if this was a legitimate mail. Please visit https://support.google.com/mail/answer/2451690 to learn about the DMARC initiative. s2-v6si1703771plr.393 - gsmtp SMTP error is permanent: no more tries