Problem Description:
When using Keyboard Maestro to automate sending emails from a Google Workspace custom-domain-Gmail address or alias through Apple Mail, an authentication error occurs, despite the same process working when done manually.
Specific Error:
The mail delivery subsystem (mailer daemon) returns an error:
"550 5.7.26 Your email has been blocked because the sender is unauthenticated. Gmail requires all senders to authenticate with either SPF or DKIM. Authentication results: DKIM = did not pass SPF [[companyXYZ.tld] with ip: [[snip]] = did not pass For instructions on setting up authentication, go to Email sender guidelines - Google Workspace Admin Help[snip] - gsmtp"
Process Comparison:
Keyboard Maestro Automated Process:
Initiate an email compose window in Apple Mail
Autofills recipient, CC, subject, and body
I click send
Email appears to send successfully
Almost immediately receive a delivery status notification with the authentication error
Manual Process:
Manually open Apple Mail and create a new email
(Run KBM email macro to instantiate compose window to copy from)
Copy all details (to, cc, subject, body) from the Keyboard Maestro-initiated email; confirm "from:" is the same
Send the email
Email sends successfully without any error
Key Observations:
Both emails (automated and manual) appear to send successfully at first.
Only the Keyboard Maestro-initiated email receives the error notification.
The error suggests a lack of proper SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) authentication.
Further Testing:
I simplified the macro like I should've done before posting. I changed the sender in the KBM macro to not use an alias. It used employee@companyXYZ.tld to email recipient@gmail.com. I received the same response 550 5.7.26. A repeat of this test led to the same outcome. Based on these failures, the alias aspect of this issue appears to not be the sole driver.
I also tested from a regular Gmail address to another Gmail address - no Google Workspace involved there - and the messages made it through, although they went to spam (but likely due to "test!" content of the email). After this, just to make sure nothing had changed:
I modified the macro to again send from employee@companyXYZ.tld and the failure response returned.
I sent an email manually via Apple Mail from employee@companyXYZ.tld and it succeeded.
So!
I didn't find anything online to help here - do any of you fabulous people have any suggestions? Maybe I'm missing something simple! Thank you folks.
PS: I blame Apple have their feedback form at the ready just in case
"From" is not the same as "Sender", and I suspect that that is where the problem lies.
Manually send yourself an email from Apple Mail, then do the automated version. Look at the "source" of the received manual mail and that of the rejected mail (should be that "noname" attachment) and compare the headers.
Under Mail / Accounts, which type of account is your default? An iCloud account? A Microsoft Exchange account? A Google account?
Under Mail>Settings>Composing, I tried setting my accounts to various defaults, including a personal Gmail, a Google Workspace Gmail, and iCloud. When I use default in the macro, the email sends without a problem.
So I can set the composing default to a Google Workspace Gmail address, and it will send.
But if I set the KBM macro to send from that same Google Workspace Gmail address by specifically selecting it, I will receive the authentication failure.
Sidebar: thank you for this question alone because it means I have a workable workaround. (I can set my default to my Google Workspace Gmail address and just be careful not to accidentally use it for personal purposes, like report phishing or something.)
Which version of macOS do you have?
I am on macOS Sonoma 14.7 on a 2020 M1 MacBook Pro.
Which version of KM do you have?
Latest & greatest KBM v11.0.3.
Are you using a custom email domain in System Preferences under System Preferences / your account?
No. In System Settings>Apple ID, I use a personal Gmail address.
Under System Settings>Apple ID>iCloud>iCloud+>Custom Email Domain, nothing is set up.
Are you using a VPN?
No. Although I have AdGuard for Safari loading on startup, always running.
Are you logged into an AppleID (I'm not asking for the name of your ID, just if you are logged in.)
Yes, I am logged in to an Apple ID.
Are you using Apple Private Relay?
Yes, I am using iCloud Private Relay. I tried disabling Private Relay under System Settings>Apple ID>iCloud>iCloud+ Private Relay. It only mentions affecting Safari, but in any case, there was no change.
I have "Protect Mail Activity" enabled in Mail>Settings>Privacy. I'll disable that once I double-check whether it is going to suddenly load a bunch of remote content. Or perhaps I can pause syncing for a bit.
Manual Email:
Includes DKIM-Signature & X-Google-DKIM-Signature headers.
KBM Email Set To Non-Default:
Includes X-Google-DKIM-Signature but is missing the first DKIM sig.
I've attempted to partially redact the headers from both messages here:
KBM Message Headers
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1728573166; x=1729177966;
h=to:date:message-id:subject:mime-version:from:x-gm-message-state
:from:to:cc:subject:date:message-id:reply-to;
bh={snip}=;
b={snip}
X-Gm-Message-State: {snip}
X-Google-Smtp-Source: {snip}
X-Received: by {snip} with SMTP id {snip}
Thu, 10 Oct 2024 08:12:45 -0700 (PDT)
Return-Path: <employee@companyXYZ.tld>
Received: from smtpclient.apple ({snip, ISP hostname?}. [{snip IP}])
by smtp.gmail.com with ESMTPSA id {snip}
for <recipient@gmail.com>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Thu, 10 Oct 2024 08:12:44 -0700 (PDT)
From: companyXYZ.tld <employee@companyXYZ.tld>
Content-Type: multipart/alternative;
boundary="Apple-Mail={snip}"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \({snip}))
Subject: MessageTestViaKBM
Message-Id: <{snip alphanumeric}@companyXYZ.tld>
Date: Thu, 10 Oct 2024 08:12:44 -0700
To: "First Last (NicknameIThink)" <recipient@gmail.com>
X-Mailer: Apple Mail ({snip})
--Apple-Mail={snip}
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
charset=us-ascii
> Only a test.
--Apple-Mail={snip}
Content-Transfer-Encoding: 7bit
Content-Type: text/html;
charset=us-ascii
<html><head><meta http-equiv="content-type" content="text/html; charset=us-ascii"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div class="Apple-Mail-URLShareUserContentTopClass"><br></div><div class="Apple-Mail-URLShareWrapperClass" style="position: relative !important;"><blockquote type="cite" style="border-left-style: none; color: inherit; padding: inherit; margin: inherit;">
Only a test.
</blockquote></div></body></html>
--Apple-Mail={snip}--
Manual Message Headers
Delivered-To: recipient@gmail.com
Received: by {snip} with SMTP id {snip};
Thu, 10 Oct 2024 08:12:07 -0700 (PDT)
X-Received: by {snip} with SMTP id {snip};
Thu, 10 Oct 2024 08:12:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1728573127; cv=none;
d=google.com; s=arc-20160816;
b={snip}
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=to:date:message-id:subject:mime-version:content-transfer-encoding
:from:dkim-signature;
bh={snip}==;
dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@companyXYZ-tld.20230601.gappssmtp.com header.s=20230601 header.b={snip};
spf=neutral (google.com: 209.85.220.41 is neither permitted nor denied by best guess record for domain of employee@companyXYZ.tld) smtp.mailfrom=employee@companyXYZ.tld;
dara=pass header.i=@gmail.com
Return-Path: <employee@companyXYZ.tld>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
by mx.google.com with SMTPS id {snip}
for <recipient@gmail.com>
(Google Transport Security);
Thu, 10 Oct 2024 08:12:07 -0700 (PDT)
Received-SPF: neutral (google.com: 209.85.220.41 is neither permitted nor denied by best guess record for domain of employee@companyXYZ.tld) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
dkim=pass header.i=@companyXYZ-tld.20230601.gappssmtp.com header.s=20230601 header.b={snip};
spf=neutral (google.com: 209.85.220.41 is neither permitted nor denied by best guess record for domain of employee@companyXYZ.tld) smtp.mailfrom=employee@companyXYZ.tld;
dara=pass header.i=@gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=companyXYZ-tld.20230601.gappssmtp.com; s=20230601; t=1728573126; x=1729177926; dara=google.com;
h=to:date:message-id:subject:mime-version:content-transfer-encoding
:from:from:to:cc:subject:date:message-id:reply-to;
bh={snip}==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1728573126; x=1729177926;
h=to:date:message-id:subject:mime-version:content-transfer-encoding
:from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh={snip}==
X-Gm-Message-State: {snip}=
X-Google-Smtp-Source: {snip}+{snip}+{snip}==
X-Received: by {snip} with SMTP id {snip};
Thu, 10 Oct 2024 08:12:06 -0700 (PDT)
Return-Path: <employee@companyXYZ.tld>
Received: from smtpclient.apple ({snip, ISP hostname?}. [{snip}])
by smtp.gmail.com with ESMTPSA id {snip}
for <recipient@gmail.com>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Thu, 10 Oct 2024 08:12:06 -0700 (PDT)
From: Employee_First_Name Employee_Last_Name <employee@companyXYZ.tld>
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.{snip}\))
Subject: MessageTestSentViaAppleMailManual
Message-Id: <{snip}@companyXYZ.tld>
Date: Thu, 10 Oct 2024 08:12:05 -0700
To: "First Last (NicknameIThink)" <recipient@gmail.com>
X-Mailer: Apple Mail (2.3776.{snip})
Only a test!
Another test: superfluously specifying the default:
Set Mail>Settings>Composing default to GWorkspace Gmail (employee@companyXYZ.tld).
Set KBM, needlessly, to send from the same (instead of setting KBM to send from the default).
Email not DKIM signed.
But:
Immediately after, change the KBM macro to send from the default. Email IS DKIM signed.
Final test of the day: analyzing KBM (from default) vs. manual (from default) sends:
Using the Airy-inspired "leave-it-default" workaround allows for a comparison of an authenticated & delivered KBM-created Mail email vs. an auth'd/delivered manually-created Mail email:
DKIM signatures are very similar. Content Type and Encoding differ:
KBM email: multipart/alternative content type (e.g. plain + HTML versions of the message).
Manual email: text/plain content type.
Final two tests performed via AppMailDev dot com's DKIM Test.
I'm afraid I have no idea on this. I'm not very familiar with DKIM. SPF configures the set of IP addresses that a domain can send from in the DNS for the domain, so unless that includes your email server (whatever Mail is configured to send the email to), then it's probably not going to pass that.
Unfortunately -- but very sensibly -- that includes the useful stuff... Although that may not be there in the rejection notification anyway.
The specific 550 5.7.26 error is from an unauthenticated "sender" IP address -- see the first of the 550 5.7.26 rows here. The link to their Sender Guidelines should help.
If this all being done through a Google Workspace domain (or whatever it's called now) that might make testing more difficult if a Workspace mail account behaves differently to a personal, free, one -- but hopefully someone will be able to chip in.
Thank you folks.
have their feedback form at the ready just in case