When Gmail rejects your email with error 550-5.7.1 mentioning DMARC policy, it's because your domain has either:
- An explicit DMARC record
- An implied DMARC policy (Gmail's default handling for domains without DMARC)
Your current setup has two critical gaps:
1. Missing DKIM signature (you confirmed you're not using DKIM)
2. SPF alignment failure (your Return-Path doesn't match From header domain)
Your current SPF record:
v=spf1 +a +mx ?include:bluehost.com -all
While syntactically correct, it has alignment issues because:
- The Return-Path domain (example.com) doesn't match the sending infrastructure (bluehost.com)
- The neutral qualifier (?include:) is too permissive for modern standards
Since 2024, major providers like Gmail enforce stricter DMARC policies. Even without a published DMARC record:
Gmail applies default policies:
- p=none for domains without DMARC (monitoring mode)
- p=quarantine for some newly registered domains
- p=reject for domains with suspicious patterns
To fix this immediately while you implement proper authentication:
# Temporary fix: Update SPF to be more strict
v=spf1 include:bluehost.com -all
# Add this TXT record for temporary DMARC relief
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@example.com"
Implement full email authentication with DKIM:
# Step 1: Generate DKIM keys (using OpenSSL)
openssl genrsa -out dkim_private.key 2048
openssl rsa -in dkim_private.key -pubout -out dkim_public.key
# Step 2: Configure your MTA (Exim example)
dkim_selector = "selector1"
dkim_domain = example.com
dkim_private_key = ${if exists{/etc/exim4/dkim_private.key}{/etc/exim4/dkim_private.key}}
# Step 3: Publish DKIM DNS record
selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
# Step 4: Update DMARC policy
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com; fo=1"
Use these commands to verify your setup:
# Check SPF record
dig +short txt example.com
# Check DKIM record
dig +short txt selector1._domainkey.example.com
# Check DMARC record
dig +short txt _dmarc.example.com
# Test email authentication
sendmail -f sabrina@example.com tanjaschulte@gmail.com <<EOF
This is a test message.
EOF
- Key rotation: Remember to update DNS when rotating DKIM keys
- Alignment: Ensure Return-Path domain matches From header domain
- Propagation: DNS changes may take up to 48 hours to propagate
When Gmail rejects your email with error 550-5.7.1 Unauthenticated email from example.com is not accepted due to domain's DMARC policy, it means your messages fail authentication checks. Even though you have SPF configured (v=spf1 +a +mx ?include:bluehost.com -all), modern email providers increasingly require both SPF and DKIM authentication.
Your current setup shows:
Received: from [99.127.228.246] (port=61813 helo=[192.168.1.66])
by server.example.com with esmtpsa (TLSv1:AES128-SHA:128)
(Exim 4.80.1)
(envelope-from <sabrina@example.com>)
While SPF verifies the sending IP, DKIM cryptographically signs your message content. Many receivers now enforce DMARC policies that require both authentication methods.
Here's how to generate DKIM keys for your Exim mail server:
# Generate DKIM keys
openssl genrsa -out dkim_private.key 2048
openssl rsa -in dkim_private.key -pubout -out dkim_public.key
# Configure Exim (add to exim.conf)
dkim_private_key = ${if exists{/etc/exim4/dkim_private.key}{/etc/exim4/dkim_private.key}}
dkim_selector = dkim1
dkim_domain = example.com
Create this TXT record in your domain's DNS:
dkim1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
Use the public key from your dkim_public.key file (remove line breaks).
After setup, verify with these tools:
# Command line test
dig TXT dkim1._domainkey.example.com
# Online validators:
# - dkimvalidator.com
# - mxtoolbox.com/dkim.aspx
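The dkim_public.key conversion and the dig check above, as an added shell example that is not part of the original page: dkim_txt_record builds the TXT record from the PEM file, splitting it into 255-byte strings as a 2048-bit key requires, and dkim_record_matches compares `dig +short txt` output with the local key. The function names and the filler key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Print the base64 body of a PEM public key as one line.
pem_body() {
    # Drop the BEGIN/END armor lines, then remove all whitespace.
    grep -v -- '-----' "$1" | tr -d ' \t\r\n'
}

# Usage: dkim_txt_record <pem-file> <selector> <domain>
dkim_txt_record() {
    key=$(pem_body "$1")
    [ -n "$key" ] || { echo "no key data in $1" >&2; return 1; }
    # One TXT character-string holds at most 255 bytes (RFC 1035). A 2048-bit
    # key is longer, so emit several quoted strings; resolvers concatenate them.
    chunks=$(printf '%s\n' "v=DKIM1; k=rsa; p=$key" | fold -w 255 |
        sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s._domainkey.%s. IN TXT ( %s)\n' "$2" "$3" "$chunks"
}

# Usage: dkim_record_matches <pem-file> "<output of dig +short txt ...>"
# Succeeds only if the published p= tag equals the local public key.
dkim_record_matches() {
    local_key=$(pem_body "$1")
    # dig quotes each character-string; strip quotes and whitespace to rejoin
    # them, then put each tag on its own line and pick out p=.
    published=$({ printf '%s' "$2" | tr -d '" \t\r\n' | tr ';' '\n'; echo; } |
        sed -n 's/^p=//p')
    [ -n "$local_key" ] && [ "$local_key" = "$published" ]
}

# Constructed demo input: 392 base64 characters of filler, the length of a
# 2048-bit RSA public key. It is not a real key.
demo_pem=$(mktemp)
{
    echo '-----BEGIN PUBLIC KEY-----'
    awk 'BEGIN { for (i = 0; i < 98; i++) printf "QUJD"; print "" }' | fold -w 64
    echo '-----END PUBLIC KEY-----'
} > "$demo_pem"

dkim_txt_record "$demo_pem" selector1 example.com
# A stale record (for example after key rotation) is reported as a mismatch.
dkim_record_matches "$demo_pem" '"v=DKIM1; k=rsa; p=QUJDstale"' ||
    echo "published DKIM key differs from local key" >&2
```

Run dkim_record_matches again after every key rotation, passing it the live `dig +short txt` output for the selector.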
Add a DMARC record to monitor authentication:
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@example.com"
Start with p=none for monitoring, then tighten to p=quarantine or p=reject once authentication is reliable.
If authentication still fails:
- Check for DNS propagation delays (wait 24-48 hours)
- Verify Exim is actually signing outgoing messages (check logs)
- Ensure your mail client isn't modifying headers after signing