The integration of Phishing Protection into Google G-Suite requires the configuration of G Suite to allow third party filtering. If this step is not completed you will receive a DMARC error. 


Unauthenticated email from domain.com is not accepted due to
domain's DMARC policy. Please contact the administrator of
domain.com domain if this was a legitimate mail. Please visit
https://support.google.com/mail/answer/2451690 to learn about the
DMARC initiative. f67-v6si16760856plb.460 - gsmtp


This happens when the sending domain has a DMARC record which specifies the "reject" policy (p=reject) for unaligned mail.  Google's DMARC enforcement only considers the IP address connecting directly to it for delivery (us) and since we're not listed in the SPF record of the sending domain Google will reject the mail. 


The solution is to configure G Suite to allow us to be an inbound gateway, which signals to G-Suite that our IPs are a trusted relay and relaxes their DMARC enforcement.  Since we enforce DMARC on the mail we receive this poses no additional risk of unauthenticated mail reaching your users.  Google's instructions on how to configure us as an Inbound Gateway can be found here:


https://support.google.com/a/answer/60730?hl=en

  • NOTE: this feature requires your domain be subscribed to G-Suite Basic or higher and so is not available to customers using the legacy free edition of Google Apps.
  • Skip the first step, "Set up MX records and configure gateway server".  If your domain is not already configured to relay mail to us please follow the instructions provided in your client area to do so.
     
  • Under the Gateway IPs section enter our IP addresses: https://support.duocircle.com/support/solutions/articles/5000524218-ip-addresses-for-firewalls


Once completed, future emails with a strict DMARC policy should get properly delivered to your users. 


This is an example in our real time Log is an example  of this type of failure:


Delivering message to [alt3.aspmx.l.google.com]:25
Connecting to [74.125.23.26]:25
Connection is now using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128 bits)
SMTP error: 550 (5.7.1 Unauthenticated email from twilio.com is not accepted due to domain's
SMTP error: 550 (5.7.1 DMARC policy. Please contact the administrator of domain.com domain
SMTP error: 550 (5.7.1 if this was a legitimate mail. Please visit
SMTP error: 550 (5.7.1  https://support.google.com/mail/answer/2451690 to learn about the
SMTP error: 550 (5.7.1 DMARC initiative. s2-v6si1703771plr.393 - gsmtp
Delivery failed to <user@domain2.com> (retry 0, in 00:00:04.673): SMTP error: 550 5.7.1 Unauthenticated email from domain.com is not accepted due to domain's DMARC policy. Please contact the administrator of domain.com domain if this was a legitimate mail. Please visit  https://support.google.com/mail/answer/2451690 to learn about the DMARC initiative. s2-v6si1703771plr.393 - gsmtp
SMTP error is permanent: no more tries