Why does Gmail reject a message saying “This message does not have authentication information”?

Sometimes, when you send email to a Gmail address (or forward mail there), Gmail will reject it with a message similar to this

This message does not pass authentication checks (SPF and DKIM both do not pass). To best protect our users from spam, the message has been blocked. Please visit https://support.google.com/mail/answer/81126#authentication for more information.

If this happens to you, it means Gmail thinks the message might be spam for some reason, and they won’t accept it unless the original sending server uses what’s called a DKIM signature to send it. (DKIM signatures make messages less likely to be wrongly treated as spam.)

Our servers always add DKIM signatures for messages you send, so you probably won’t experience this when you send messages to Gmail from your address with us. But it can still happen if you forward messages from other addresses to Gmail.

Why does this happen when forwarding messages to Gmail?

As an example, let’s say you set up address@example.com to forward incoming mail to example@gmail.com.

You’ll see this problem if:

  1. example@aol.com sends a message to address@example.com;
  2. The message from example@aol.com does not have a DKIM signature;
  3. Our system accepts the message from example@aol.com to address@example.com anyway, because our filters don’t think it’s spam;
  4. Our system sends a second forwarded copy to example@gmail.com;
  5. Gmail rejects the forwarded message because they think it might be spam and it doesn’t have a DKIM signature; and
  6. Our system returns the forwarded message back to example@aol.com because it can’t be delivered to Gmail.

If this happens to you, it’s important to keep in mind that the problem is not with your address@example.com address. If you’ve added a mailbox for address@example.com on our servers, you’ll find the message was properly delivered there (you can use Webmail to check that if you’re not already reading it another way).

Instead, the problem is a combination of issues at the original sending end and the Gmail end. The mail server at the original sending end isn’t adding the DKIM signature that Gmail wants, and Gmail is rejecting the second copy because without that signature, they think it might be spam.

How can I fix this?

You probably can’t control whether Gmail treats the forwarded message as suspicious or not, so there are two other possible ways to fix this:

  • Encourage the sender to start using DKIM signatures with their mail, especially if they use what’s called an SPF -all policy that makes Gmail less likely to trust forwarded mail. (This will help them send mail more reliably to everyone, not just to you.) The sender should contact their email administrator to ask about this.
  • Deliver messages to a mailbox on our servers, rather than directly forwarding it to Gmail. If you do this, there won’t be a problem because Gmail doesn’t have a chance to reject anything. (If you still want the email to be shown in your Gmail mailbox, setting up the Gmail Fetcher without forwarding is another alternative, but this can sometimes cause delays before the message appears at Gmail.)

Technical: How does SPF enter into this, and how can senders solve it?

If you’re a mail administrator familiar with SPF, DKIM and DMARC, we should mention that we most commonly hear about this problem with forwarded mail if you’re using an SPF -all policy without using DKIM signatures or DMARC. That combination is almost guaranteed to make Gmail (and many other receiving servers) suspicious of your mail if it gets forwarded:

  • Gmail can’t check DKIM because you aren’t using it, so they only check SPF;
  • Your SPF policy can’t successfully “pass” at Gmail because the message is being forwarded;
  • Your SPF -all policy asks receiving servers to reject messages if they don’t pass; and
  • There’s no DMARC policy to override the SPF policy.

On the modern Internet, it doesn’t really make sense to use an SPF -all policy without adding at least DKIM signatures, and preferably a DMARC policy, too. You’re asking other servers to reject your mail unless they can authenticate it, but the missing DKIM signature means that other servers will never be able to authenticate any forwarded messages.

To prevent these rejections, you should either switch your SPF policy to something like a neutral ?all, or add DKIM signatures and DMARC.