Gmail Delivery Issues

Gmail rejects or filters Hosted Email messages when authentication checks do not pass. Most of these failures trace back to a misconfigured SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) record on the sending domain. This article shows the typical Gmail reject message, the SPF and DKIM values to publish for the Hosted Email platform, and where to verify them.

Why Gmail rejects Hosted Email messages

Gmail enforces strict authentication requirements on inbound mail. When a message arrives without a passing SPF result and a passing DKIM signature aligned with the From-header domain, Gmail returns a permanent failure (5.7.26) at the end of the DATA command rather than delivering the message — even to spam. Because the rejection is generated by Gmail, OpenSRS cannot retry or override it; the fix is to correct the sending domain's DNS so the next message authenticates.

Typical Gmail rejection message

When Gmail blocks a Hosted Email message for failing authentication, the bounce includes a 550-5.7.26 error similar to the following:

550-5.7.26 This message does not pass authentication checks.
550-5.7.26 To best protect our users from spam, the message has been blocked.
550-5.7.26 Please visit
550-5.7.26  https://support.google.com/mail/answer/81126#authentication
550 5.7.26 for more information.

The link in the error points to Gmail's sender guidelines, which document the SPF and DKIM requirements Google enforces.

SPF configuration for Hosted Email domains

SPF defines which mail servers are authorized to send mail for a domain, allowing receivers to detect forgery and prevent spam. For Gmail to accept Hosted Email messages, the sending domain's SPF record must list _spf.hostedemail.com.

Publish a TXT record at the root of the sending domain:

v=spf1 include:_spf.hostedemail.com ~all

DKIM configuration for Hosted Email domains

DKIM associates a domain name with an email message via a cryptographic signature, allowing the sending domain to claim responsibility for the message. For each Hosted Email domain, enable DKIM in the Mail Administration Console (MAC).

1. In the MAC, navigate to the domain.
2. Open the domain's Settings tab.
3. In the DKIM section, generate or enable the DKIM record for the domain.
4. Publish the resulting DKIM record at the indicated selector in the domain's DNS.

For reseller technical contact domains that send automated notifications, the procedure for adding OpenSRS-managed DKIM CNAMEs is documented in How to Configure DKIM for Automated Outbound Emails.

Verify the message authenticates

• Use the dmarcian DKIM Inspector to confirm the DKIM public key resolves at the expected selector.
• Send a test message to a Gmail address and open Show original: SPF, DKIM, and DMARC should all report PASS.
• If the test still fails with 5.7.26, compare the From-header domain against the SPF Return-Path and DKIM d= values — DMARC requires alignment between them.

Next steps

• Publish DMARC alongside SPF and DKIM — see Gmail, Microsoft, and Yahoo DMARC Requirements on the Hosted Email Platform.
• Check sender reputation — persistent rejections after authentication is fixed often indicate an IP reputation problem. See Hosted Email IP Reputation.
• Review Gmail's published requirements — Google's Email sender guidelines document every check Gmail performs on inbound mail.
• Open a support case — if SPF and DKIM are correct and Gmail continues to reject mail, contact OpenSRS Support with the full bounce text and an example Message-ID.

Questions? Contact OpenSRS Support.