G Suite Vacation Responder Email Is Being Blocked!
The Problem
Email from the G Suite GMail vacation responder is being blocked. In my own inbox, I get an email from the Message Delivery System (mailer-daemon@googlemail.com), telling me "Message blocked... Your message to has been blocked. See technical details below for more information." In the details, it says "Message rejected", with a link to a support document.
Solution: The Short Answer
Enable DKIM email authentication. You'll need access to DNS for your doman and to G Suite Admin.
If your domain is not hosted by Google, you'll need to set up an SPF DNS record on your domain. Google doesn't tell you about this part in the "Authenticate Email" portion of their Admin Console -- but getting the SPF record wrong can result in a failure to authenticate emails, even though your DKIM record is correct. You can find details on proper SPF record configuration on this Google support page.
Once you're sure you have the correct SPF record... In the Google Admin Console, navigate to Apps > G Suite > Gmail > Authenticate email. Then follow the instructions to generate a DKIM DNS record, add it to your domain DNS, then start authenticating email.
If you get an error when you click the "Start Authentication" button, you might want to use this tool from Google to see if your SPF record has propagated through DNS. Enter your domain in the name field, then click TXT to see if your correct SPF record is visible to Google. (Don't expect your DKIM TXT record to show up -- it's not public.)
Background
I'm using G Suite for the first time, acting as super admin for a friend's small business. I set up G Suite yesterday afternoon, and today the business owner started setting up her new Gmail account. She enabled her vacation responder, and shortly thereafter started to see "Message Blocked" messages in her G Suite inbox.
After doing a little research, I discovered a couple of things:
- New domains are more aggressively blocked by spam filters
- Unauthenticated email is also more likely to be flagged as dangerous
In my case, it's not a new domain. What I've done is switch email over to G Suite, for a domain that has existed for years. So I decided to focus on issue number 2. Regardless of whether it solves the problem, it's a good practice. It took me only a few minutes to complete setup, since Google automatically takes care of the details of authentication on their side.
Since this solution relies on DNS, and DNS records for your domain are cached all over the Internet, it can take days to take effect.
Unfortunately, by the time my friend disabled her vacation responder, Google had blocked her account. After that, every message she sent out had a (misleading) error message: "You have reached a limit for sending mail. Your message was not sent." When I viewed her user details in the G Suite Admin Console, I found that she was blocked from sending email for 24 HOURS!!! G Suite support staff were unable to remove this block, even after helping me get my SPF record corrected -- which is extremely disappointing to me.