Why does Gmail reject a message saying “This message does not have authentication information”?

Sometimes, when you send email to a Gmail address (or forward mail there), Gmail will reject it with a message similar to this:

This message does not pass authentication checks (SPF and DKIM both do not pass). To best protect our users from spam, the message has been blocked. Please visit https://support.google.com/mail/answer/81126#authentication for more information.

Or this:

The MAIL FROM domain [example@aol.com] has an SPF record with a hard fail policy (-all) but it fails to pass SPF checks with the ip. To best protect our users from spam and phishing, the message has been blocked.

If this happens to you, it means Gmail thinks the message might be spam for some reason, and they won’t accept it unless the original sending server uses what’s called a DKIM signature to send it. (DKIM signatures make messages less likely to be wrongly treated as spam.)

Our servers always add DKIM signatures for messages you send, so you probably won’t experience this when you send messages to Gmail from your address with us. But it can still happen if you forward messages from other addresses to Gmail.

Why does this happen when forwarding messages to Gmail?

As an example, let’s say you set up address@example.com to forward incoming mail to example@gmail.com.

You’ll see this problem if:

  1. example@aol.com sends a message to address@example.com;
  2. The message from example@aol.com does not have a DKIM signature;
  3. Our system accepts the message from example@aol.com to address@example.com anyway, because our filters don’t think it’s spam;
  4. Our system sends a second forwarded copy to example@gmail.com;
  5. Gmail rejects the forwarded message because they think it might be spam and it doesn’t have a DKIM signature; and
  6. Our system returns the forwarded message back to example@aol.com because it can’t be delivered to Gmail.

If this happens, it’s important to keep in mind that the problem is not with the address@example.com address. If you’ve added a mailbox for address@example.com on our servers, you’ll find the message was properly delivered there (you can use Webmail to check that if you’re not already reading it another way).

Instead, the problem is a combination of issues at the original sending end and the Gmail end. The mail server at the original sending end isn’t adding the DKIM signature that Gmail wants, and Gmail is rejecting the forwarded copy because without that signature, they think the forwarded copy is coming from an unusual server and therefore might be spam.

How can I fix this?

You probably can’t control whether Gmail treats the forwarded message as suspicious or not, so there are two other possible ways to fix this:

  • Encourage the sender to start using DKIM signatures with their mail. This will help them send mail more reliably to everyone, not just to you. The sender should contact their email administrator to ask about this.
  • Deliver messages to a mailbox on our servers and read them there, rather than directly forwarding them to Gmail. If you do this, there won’t be a problem because Gmail doesn’t have a chance to reject anything. (If you still want the email to be shown in your Gmail mailbox, setting up the Gmail Fetcher without forwarding is another alternative.)

Why am I only hearing about this problem now?

Gmail started rejecting some messages for this reason in late 2023, with the number of messages they actually reject slowly increasing in 2024 (and they’re saying they’ll eventually reject all messages like this).

They used to allow these messages to go through and put them in the Gmail “spam” folder, where the sender didn’t know there was a problem. Although it’s annoying that the sender gets a “bounce” and you can’t simply look in your spam folder for it, their new behavior gives everyone a chance to notice and fix it so the messages aren’t treated as spam at all.

Technical: How does SPF enter into this, and how can senders solve it?

If you’re a mail administrator familiar with SPF, DKIM and DMARC, what’s happening is that:

  • Gmail can’t check DKIM because you aren’t using it, so they only check SPF; and
  • Your SPF policy can’t successfully “pass” at Gmail because the message is being forwarded.

On the modern Internet, it doesn’t really make sense to use an SPF policy without adding DKIM signatures. It sends a signal suggesting that other servers reject your mail unless they can authenticate it... but the missing DKIM signature means that other servers will never be able to authenticate any forwarded messages. Large ISPs, especially Gmail, really want to see DKIM signatures these days.

In short: adding DKIM signatures to your email will fix all of this.

Copyright © 2000-2024 Tiger Technologies LLC