Salesforce Error "550-5.7.26 Unauthenticated email from" and Email Deliverability

550-5.7.26 Unauthenticated email from [DOMAIN] is not accepted due to the domain's DMARC policy

The message is unambiguous: you have an issue with the DMARC policy.

You can find the message in the email log, in the lines with a "P" in the Mail Event column.

But ... can we trust the error message? Well ... let's see.

DMARC/DKIM/SPF & NSLOOKUP

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing ... DMARC extends two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify how to check the From: field presented to end users; how the receiver should deal with failures – and provides a reporting mechanism for actions performed under those policies. (Wikipedia).

And Salesforce recommends these mechanisms to ensure you don't have issues with emails sent from your org (check here and here).

Once we have problems sending emails, we can ask the IT department whether DMARC exists for the reported domain, but we can also validate it ourselves with the nslookup command. It is very easy!

Check DMARC

  1. Open a command prompt (CMD).
  2. c:\> nslookup
  3. > set type=txt
  4. > _dmarc.mydomain.com (replace mydomain.com with your domain name)
               _dmarc.mydomain.com = "v=DMARC1; .......... "

If the output contains v=DMARC1, your domain has a DMARC record published.

Check DKIM

This check is probably more difficult, and here you will need the help of the IT department, because you need to know the name of the SELECTOR. By default it is selector1, so let's try that first! 😏

  1. Open a command prompt (CMD).
  2. c:\> nslookup
  3. > set type=cname
  4. > selector1._domainkey.mydomain.com (replace mydomain.com with your domain name)
               Non-authoritative answer:  selector1._domainkey.mydomain.com canonical name = ...

If the output contains a message like the one shown above, your domain has a DKIM record published for that selector.

Check SPF

  1. Open a command prompt (CMD).
  2. c:\> nslookup
  3. > set type=txt
  4. > mydomain.com (replace mydomain.com with your domain name)
               Non-authoritative answer:  "v=spf1 mx include: ..."

If the output contains v=spf1 mx, check that the Salesforce SPF include (include:_spf.salesforce.com) is part of it.
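As an added example (not part of the original post and not Salesforce's own tooling), the following script applies the three checks above to answers copied from nslookup: it parses the DMARC and SPF TXT strings, checks whether the Salesforce include is present, and treats a DKIM CNAME answer as a published record. The sample records and the .example CNAME target are constructed.

```python
# Added example for this post (not Salesforce code): evaluate the three nslookup
# answers described above. Records are passed in as the strings nslookup prints.
SALESFORCE_INCLUDE = "_spf.salesforce.com"  # the include the post says SPF must carry

def _clean(record):
    """nslookup prints TXT data in quotes; strip them and surrounding space."""
    return (record or "").strip().strip('"').strip()

def check_dmarc(txt):
    """Is the _dmarc TXT answer a DMARC1 record, and which p= policy does it set?"""
    tags = {}
    for part in _clean(txt).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    present = tags.get("v", "").upper() == "DMARC1"
    return {"present": present, "policy": tags.get("p", "").lower() if present else None}

def check_spf(txt):
    """Is the apex TXT answer SPF, and which include: domains does it carry?"""
    terms = _clean(txt).split()
    present = bool(terms) and terms[0].lower() == "v=spf1"
    includes = [t.split(":", 1)[1].lower() for t in terms if t.lower().startswith("include:")]
    return {"present": present, "includes": includes,
            "salesforce_included": SALESFORCE_INCLUDE in includes}

def check_dkim(cname):
    """A CNAME answer for <selector>._domainkey.<domain> means DKIM is published."""
    return {"present": bool(_clean(cname))}

def findings(dmarc_txt, spf_txt, dkim_cname):
    """Turn the three answers into the conclusions the post draws from them."""
    dmarc, spf, dkim = check_dmarc(dmarc_txt), check_spf(spf_txt), check_dkim(dkim_cname)
    out = []
    if not dmarc["present"]:
        out.append("no DMARC record published for this domain")
    if not spf["present"]:
        out.append("no SPF record published for this domain")
    elif not spf["salesforce_included"]:
        out.append(f"SPF lacks include:{SALESFORCE_INCLUDE}; confirm the include with IT")
    if not dkim["present"]:
        out.append("no DKIM CNAME for this selector; ask IT for the selector name")
    return out

if __name__ == "__main__":  # constructed sample: SPF include mistyped, as in the post
    print(findings('"v=DMARC1; p=quarantine; rua=mailto:dmarc@mydomain.com"',
                   '"v=spf1 mx include:spf.salesforce.com ~all"', "mydomain-com.dkim.example."))
```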

What happens if everything looks OK and I still have the problem?

I asked myself the same!!! 😅

And then I went back to the Salesforce configuration and settings. In the Guidelines for Configuring Deliverability Settings for Emails Sent from Salesforce we can find:

  • To comply with your recipients’ email security frameworks like SPF:
    • Check Enable compliance with standard email security mechanisms. This setting modifies the envelope From address of emails sent from Salesforce. The header From address remains set to the sender's email address. Usually security frameworks only check the envelope address.
    • If you have recipients using the sender ID email authentication protocol, which isn’t widely used, check Enable Sender ID compliance. This setting modifies the Sender field in the envelope of emails sent from Salesforce to automatically include no-reply@Salesforce. All replies from the recipients are still delivered to the sender's email address. The recipients’ email client (not Salesforce) may append the phrase “Sent on behalf of” to the From field of emails sent from Salesforce.

In my org, those settings were checked. I unchecked them (together with one called Enforce email privacy settings) and voilà, the problem was solved.

Wrap-up

Even though the error message was unambiguous about DMARC, the problem was solved by unchecking some SPF-related settings in Email Deliverability.

Does this mean that the settings are wrong? NO. Remember that DMARC relies on DKIM and SPF, so you should double-check with the IT department that the SPF record for Salesforce is well defined, and fully test that you can deliver emails with the SPF settings checked. It is difficult and time-consuming, but it is a way to ensure that any email sent from your org complies with the security standards.

I did it! The Salesforce SPF include for the domain was different from _spf.salesforce.com (I misread it the first time); we changed it, checked the SPF settings in Email Deliverability, and everything worked again.
