AppRiver in front of G Suite (DMARC)

ERROR MESSAGE:

5.7.1 Unauthenticated email from exdomain.com is not accepted due to domain’s
DMARC policy. Please contact the administrator of exdomain.com domain
if this was a legitimate mail. Please visit
https://support.google.com/mail/answer/2451690 to learn about the
DMARC initiative. a3si5756714wrp.253 – gsmtp


WHAT IS HAPPENING?

Email arrives at AppRiver. It is “exploded”, inspected and then repacked for onward delivery to G Suite/Gmail. If the sender has DKIM-signed the email, then this “explode, inspect and repack” process may break the DKIM signature (hash).

When an email is then handed to G Suite, this broken DKIM hash can cause an issue for mail being delivered to G Suite. G Suite, when faced with a failing DKIM signature, looks up the DMARC settings for the sender domain and takes action according to the set DMARC policy.

  • If there is no DMARC – No action is taken.
  • If the DMARC is set to “none” – No action is taken.
  • If the DMARC is set to “quarantine” – G Suite puts 5% of the messages that fail the check in the recipients' spam folders.
  • If the DMARC is set to “reject” – G Suite rejects the email and generates the 5.7.1 error.

HOW TO FIX IN THE G SUITE ADMIN PANEL:

1. Sign in to your Google Admin Console using your administrator account (it does not end in @gmail.com).

2. From the Admin console Home page navigate to:
Apps -> G Suite -> Gmail -> Advanced settings
Tip: To see Advanced settings, scroll to the bottom of the Gmail page. 

3. On the left, select your top-level organization (typically your primary domain). 

4. Scroll to the Inbound gateway setting in the Spam section. Hover over the setting and click Configure to create a new setting or click Edit to edit an existing one. 

5. Enter a description. 

6. Under Gateway IPs, click Add and enter the IP address or range of addresses listed below.
If your messages pass through multiple gateways before reaching Gmail, you should include all of the gateway IP addresses in the Gateway IPs list.  Some reports have stated this is under Inbound Gateway (Locally Applied).

We need to add the AppRiver Network ranges.

Network Range                          Subnet Mask
92.52.89.64/26                         255.255.255.192
5.152.184.128/25 or 5.152.184.128      255.255.255.128
5.152.185.128/26 or 5.152.185.128      255.255.255.192
8.19.118.0/24 or 8.19.118.0            255.255.255.0
8.31.233.0/24 or 8.31.233.0            255.255.255.0
74.205.4.0/24 or 74.205.4.0            255.255.255.0
207.97.230.0/24 or 207.97.230.0        255.255.255.0
207.97.242.0/24 or 207.97.242.0        255.255.255.0
69.20.58.224/28 or 69.20.58.224        255.255.255.240
69.20.68.128/29 or 69.20.68.128        255.255.255.248
199.187.164.0/24                       255.255.255.0
199.187.165.0/24                       255.255.255.0
199.187.166.0/24                       255.255.255.0
199.187.167.0/24                       255.255.255.0
69.25.26.128/26                        255.255.255.192

 
Require Inbound Gateway IP: No  
Require Secure (TLS) Connections: No
Disable Gmail Spam Filtering: No

Once set up and applied, this will (as confirmed by G Suite support) stop G Suite panicking about the broken DKIM. This setup essentially exempts emails that arrive via AppRiver from the DKIM checks (and presumably SPF as well). The AppRiver filter will perform SPF, DKIM and DMARC checks instead of G Suite.
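
An added example (not part of the original article, and not AppRiver or Google tooling): a Python check that the hop which handed a message to Google falls inside the gateway ranges listed above, useful when a message is still rejected with 5.7.1 after the setting is applied. The Received header lines and hostnames are constructed samples, and matching on `by mx.google.com` is an assumption about the header format.

```python
import ipaddress
import re

# Gateway ranges copied from the table on this page (CIDR form).
# ip_network() is strict by default, so a misaligned range raises ValueError.
GATEWAY_RANGES = [ipaddress.ip_network(c) for c in """
92.52.89.64/26 5.152.184.128/25 5.152.185.128/26 8.19.118.0/24
8.31.233.0/24 74.205.4.0/24 207.97.230.0/24 207.97.242.0/24
69.20.58.224/28 69.20.68.128/29 199.187.164.0/24 199.187.165.0/24
199.187.166.0/24 199.187.167.0/24 69.25.26.128/26
""".split()]

# Bracketed peer address in a Received header line, e.g. "[8.19.118.10]".
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def covering_range(ip):
    """Return the listed gateway network that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in GATEWAY_RANGES if addr in net), None)

def handoff_ip(received_headers):
    """Peer IP of the topmost Received header written by mx.google.com
    (assumed format), i.e. the host that delivered to G Suite."""
    for line in received_headers:
        match = PEER_IP.search(line)
        if match and " by mx.google.com" in line:
            return match.group(1)
    return None

def gateway_covered(received_headers):
    """True when the host that handed the message to Google is listed."""
    ip = handoff_ip(received_headers)
    return ip is not None and covering_range(ip) is not None

# Constructed samples: placeholder hostnames, newest header first.
VIA_FILTER = [
    "Received: from filter.example.net (filter.example.net. [8.19.118.10]) by mx.google.com with ESMTPS",
    "Received: from mail.exdomain.com (mail.exdomain.com [198.51.100.7]) by filter.example.net with ESMTP",
]
DIRECT = [
    "Received: from mail.exdomain.com (mail.exdomain.com [198.51.100.7]) by mx.google.com with ESMTPS",
]

if __name__ == "__main__":
    for name, headers in (("via filter", VIA_FILTER), ("direct", DIRECT)):
        ip = handoff_ip(headers)
        print(f"{name}: handoff {ip} -> listed range {covering_range(ip)}")
```
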

RESULT:

Senders with strict “reject” DMARC policies can now successfully deliver inbound to G Suite.
