Forum Discussion
DMARC rejection after Exchange upgrade
Hello,
This is not a Gmail issue. It is a forwarding and authentication alignment problem introduced by the Exchange upgrade.
What changed is most likely this:
Fasthosts are no longer forwarding mail transparently. Exchange is now re submitting or relaying messages in a way that breaks SPF and DKIM alignment. When the original sender domain has DMARC set to p reject, Gmail enforces DMARC strictly and rejects the message.
Why it fails technically:
- SPF fails after forwarding because Fasthosts servers are not authorised in the original sender’s SPF record.
- DKIM may be broken if headers or body are modified during forwarding.
- DMARC requires either SPF or DKIM to pass with alignment. If both fail, Gmail returns 550 5.7.26.
The error confirms this. Gmail is rejecting due to DMARC policy enforcement for the original sender domain.
What Fasthosts must implement:
They need to enable Sender Rewriting Scheme SRS on their forwarding platform. SRS rewrites the envelope sender during forwarding so SPF validation remains valid after relay.
Without SRS, any forwarded message from a domain with strict DMARC will fail SPF and therefore DMARC.
This is a well known forwarding requirement in modern DMARC enforcement models.
Alternative mitigations:
- Disable catch all forwarding and retrieve mail directly via POP or IMAP from Gmail.
- Replace forwarding with mailbox level SMTP submission using authenticated relay.
- Migrate the domain fully to Google or Microsoft 365 and eliminate intermediate forwarding.
- Relax DMARC on the sending domains, which you do not control in most cases, so not realistic.
Clear conclusion:
This is almost certainly missing SRS implementation on Fasthosts Exchange based forwarding. Ask them explicitly:
- Is SRS enabled on forwarding connectors?
- Is DKIM preserved during transport?
- Is the forwarding implemented as SMTP redirect or re submission?
If they cannot support SRS, forwarding from strict DMARC domains will continue to fail.