Outbound Emails Rejected Due to DMARC Failure – Symantec Email Security.Cloud
search cancel

Outbound Emails Rejected Due to DMARC Failure – Symantec Email Security.Cloud

book

Article ID: 404584

calendar_today

Updated On:

Products

Email Security.cloud

Issue/Introduction

Recipient mail servers are rejecting a few outbound emails sent by a customer with the following error:

 

Diagnostic information for administrators:

Generating server: xx-xxxxx.example.com

[email protected]

server-xx.tower-xxx.messagelabs.com
Remote Server returned '553-DMARC domain authentication fail. Refer to the 553-Troubleshooting page at https://knowledge.broadcom.com/e 553-xternal/article?legacyId=TECH246726 for more 553 information. (#5.7.1)'

 

Your message couldn't be delivered and there was no valid enhanced status code being issued by the remote mail system to determine the exact cause, status: '553-DMARC domain authentication fail. Refer to the 553-Troubleshooting page at https://knowledge.broadcom.com/e 553-xternal/article?legacyId=TECH246726 for more 553 information. (#5.7.1)'.

The following organization rejected your message: server-xx.tower-xxx.messagelabs.com.

 

The cause is a failed SPF and DMARC alignment check for the sender domain. As the DMARC policy is set to reject, the recipient server rejects the message.

Environment

Symantec Email Security.Cloud

Cause

Scenarios to consider:

1. Sender is non-Symantec Email Security.Cloud customer, but the recipient is Symantec Email Security.Cloud customer.

2. Sender is Symantec Email Security.Cloud customer and also the recipient is Symantec Email Security.Cloud customer.

 

  • Sender IP not listed in SPF:
    The sender's IP address is not included in the SPF record for the domain, resulting in SPF failure.

  • DMARC Policy Set to Reject:
    The domain's DMARC policy enforces strict alignment (adkim=s; aspf=s) with a policy of p=reject, causing recipient servers to reject non-aligned emails.

Resolution

Option 1: Update SPF Record
Add the sender IP address to the domain's SPF record to allow email delivery from this IP.

Example SPF update:

v=spf1 ip4:<Sender_IP_Address> include:your_current_includes -all

Use an SPF lookup tool to verify the update after DNS propagation.

 

Option 2: Modify DMARC Policy (if appropriate)
Consider relaxing the DMARC policy to quarantine instead of reject to prevent outright rejection while maintaining visibility of authentication issues.

Example DMARC policy change:

v=DMARC1; p=quarantine; sp=quarantine; adkim=s; aspf=s;

Changes to SPF or DMARC should be made by the domain administrator after evaluating organisational security requirements.

Additional Information

Powered by Wolken Software