locked
Exchange 2016 CU5 - Cannot Send emails to gmail.com error 421-4.7.0 This message does not have authentication information or fails to pass RRS feed

All replies

  • Is your certificate using SHA1?

    I have a lab at home with EX2016 and CU5, sending to multiple gmail accounts works fine.

    Even use internal generated certificate from my Root CA.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Wednesday, May 31, 2017 8:24 AM
  • It is a Sha256
    • Edited by SysadminEU Wednesday, May 31, 2017 8:58 AM
    Wednesday, May 31, 2017 8:57 AM
  • According to google : https://support.google.com/a/answer/3726730?hl=en

    Your error points to these options:

    Can you confirm your external IP is not blacklisted? https://mxtoolbox.com/blacklists.aspx

    Best is to check both domain AND IP.

    Sometime it bypass domain, but fails on ip check


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Wednesday, May 31, 2017 10:56 AM
  • Yes, there is no blacklist on any IP or DNS name we are sending to gmail, and I discovered today that it looks like a throttle system because 20 min or 1 hour later, the email got through to google.
    Thursday, June 1, 2017 7:19 AM
  • Hi SysadminEU,

    For this issue, I recommend you create a Sender Policy Framework (SPF) record for your domain, it will help Gmail.com determine whether a message purporting to be from your domain comes from an authorized mail server.

    Best Regards,


    Niko Cheng
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Niko.Cheng Thursday, June 1, 2017 7:51 AM
    • Proposed as answer by Niko.Cheng Tuesday, June 6, 2017 2:14 AM
    Thursday, June 1, 2017 7:50 AM
  • Hi SysadminEU,

    I'm just writing to check how's everything going? If you have any questions or needed further help on this issue, please feel free to post back. If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well.

    Thanks for your understanding.

    Best Regards


    Niko Cheng
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 13, 2017 2:02 AM
  • Has anyone had this issue and resolved it without creating an SPF record?
    I am preparing to migrate more than five thousand mailboxes to Exchange Online, and the one mailbox I have migrated has this issue. Obviously I need a solution before I can migrate the rest since the on-prem users do not have this issue. Our MX records have not changed, and we are using centralized mail transport in the hybrid configuration, so the messages are being delivered outbound from the same place - through our spam filter vendor.
    Is this a "feature" of Exchange Online?

    Wednesday, November 8, 2017 3:36 PM
  • Hi,

    can you confirm that this is your current mailflow:

    Inbound:

    Internet - spam filter - Exchange on-premise - Exchange Online

    Outbound:

    Exchange online - spam filter - internet

    if it is correct, then you only need to add your spam provider to your SPF record. If you use internal relay and sends email out directly from your on-premise, you need to add external ip of your exchange server to spf as well.

    In your case, when exchange online use sends email it goes in junk. This means the message is not going through your spam provider.

    Please check header of that message and analyze it using : https://testconnectivity.microsoft.com/

    Then you will see the correct route of your message. If difficult understanding. please provide the result here so we can help.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Wednesday, November 8, 2017 9:16 PM
  • Well, you have it almost correct. Inbound is Internet - Spam filter - On-prem - EXO
    Outbound also goes through on-Prem so path is EXO - On-Prem - Spam filter - Internet
    (I have confirmed this through the header analysis, which is where I saw the long delay between my spam filter and Google.)

    Unfortunately we do not have a SPF record so I cannot just add the spam filter info to it. I do have what I need to add to a record from them, but we are still in a process of finding all the third party marketing firms that have been hired (globally) over the years and now send out mail with a from address with our domain, so if I just implement SPF now, all of those messages from those marketing firms will get blocked until they are also on my SPF. (And before you ask, all that I have found so far are only opt-in firms, so they do not send unsolicited commercial email.)

    So my question remains - is there a way to resolve this without implementing SPF, DMARC, or DKIM?

    Thanks!

    Wednesday, November 8, 2017 9:40 PM
  • Hello,

    Google is more aggressive on spam.You must do the following things in order to accept incoming mails ( by google)

    1)PTR = Reverse DNS ( should match your public IP to Host name ! Preferably Exchange Server FQDN)

    2)SPF Record - Mandatory 

    3)DKIM - Strongly Advise 

    3)DMRAC = Strongly Advise.

    5) IP Warmup  -Do not Bombard Google with test emails - Have systematically send mails Example hourly 20 , then keep increasing like 40 , 80 , 200 etc . No rate card here :)

    Regards,

    Medha Hosting,

    Server Hosting and Management Company

    Wednesday, November 8, 2017 10:00 PM