Connect Application - Troubleshooting Google Workspace Email

This article describes how to fix an issue where Google Workspace hard bounces certain messages that have been processed by Mimecast.

The Issue

If you find that incoming messages from reputable providers are hard bounced by Google Workspace after being processed by the inbound Mimecast filters, the following error message is displayed in Mimecast:

5.7.1 Unauthenticated email from stripe.com is not accepted due to domain’s DMARC policy. Please contact the administrator of stripe.com domain if this was a legitimate mail. Please visit https://support.google.com/mail/answer/2451690 to learn about the DMARC initiative. a3si5756714wrp.253 – gsmtp

This error is caused by Mimecast “exploding” the message to enable its contents to be inspected. Once inspected, it is repacked for onward delivery to Google Workspace. If the sender has DKIM signed the message, the exploding, inspection, and repacking break the DKIM signature.

Take the following example of the email headers from a message with an outlook.com address:

dkim=neutral (body hash did not verify) header.i=@outlook.com header.s=selector1 header.b=DEOq8NQm
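
Why a repacked body produces "body hash did not verify", as an added example that is not part of the original article or Mimecast's own code: it computes the DKIM bh= value using the RFC 6376 body canonicalization rules and compares bodies before and after a change. The sample bodies are constructed, the quoted-printable re-wrap is an assumed stand-in for what repacking alters, and sha256 with no l= tag is assumed.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 section 3.4 ('simple' or 'relaxed')."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("mode must be 'simple' or 'relaxed'")
    body = re.sub(rb"\r?\n", CRLF, body)  # treat bare LF as CRLF
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(CRLF)]
        body = CRLF.join(lines)
    while body.endswith(CRLF):  # both modes ignore empty lines at the end
        body = body[: -len(CRLF)]
    if body:
        return body + CRLF
    return CRLF if mode == "simple" else b""  # empty-body special cases


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Value a signer using sha256 places in the bh= tag for this body."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_verifies(bh_tag: str, delivered: bytes, mode: str = "relaxed") -> bool:
    """True if the delivered body still matches the signer's bh= value."""
    return body_hash(delivered, mode) == bh_tag


# Constructed sample bodies, not taken from a real message.
SIGNED = b"Your receipt is attached.\r\nTotal: 10.00 USD\r\n"
# Whitespace-only differences, which relaxed canonicalization tolerates.
WHITESPACE_ONLY = b"Your receipt is attached.  \r\nTotal:  10.00 USD\r\n\r\n\r\n"
# Assumed repacking change: same text re-wrapped with a quoted-printable soft break.
REPACKED = b"Your receipt is attached.\r\nTotal: 10.00 =\r\nUSD\r\n"

if __name__ == "__main__":
    bh = body_hash(SIGNED)  # what the sender's bh= tag would carry
    for name, delivered in (("unchanged", SIGNED),
                            ("whitespace only", WHITESPACE_ONLY),
                            ("repacked", REPACKED)):
        ok = body_hash_verifies(bh, delivered)
        print(f"{name:16} body hash {'verifies' if ok else 'did not verify'}")
```
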

When a message is handed to Google Workspace with a failing DKIM signature/body hash, Google Workspace looks at the DMARC settings for the sender's domain and takes one of the following actions:

| DMARC Setting | Action |
|---|---|
| None | The message is let through. |
| Quarantine | The message is rejected unless the quarantine functionality has been configured. |
| Reject | The message is hard-bounced, and Google Workspace generates the 5.7.1 error (see above). |

The Fix

The solution is to configure Google Workspace to disregard the broken DKIM signature on mail arriving from Mimecast, so that it does not look up the DMARC policy of the sender. To do this:

  1. Log on to the Google Admin Console.
  2. Navigate to Apps | Google Workspace | Gmail | Spam, phishing, and malware.
  3. Locate the Inbound Gateway section.
  4. Add the Mimecast IP ranges for your region. See the Data Centers & URLs page for further details.

Google Workspace does not sanitize the IP ranges entered in the Inbound Gateway settings, so check each entry for leading and trailing spaces.
