Mail relay and SPF issue

ddelboccio
Contributor III

Hello all!  Our school district uses the Follett Destiny library manager product.

They host this system for us in their cloud, and have spun up an SMTP server for communications from the system to parents and students.

For SPF authentication, I have added their IP addresses to my TXT/SPF records (domain: district31.net), and every SPF checker tool I use appears to display them (ip4:50.223.178.203 ip4:50.223.178.208 ip4:50.223.178.201).

When messages are sent from the Follett system to my domain users (district31.net), the messages come right through.

When messages are sent to my personal Gmail account (imitating a parent, or outside address) they are actually bounced back to Follett's system with this message:

550-5.7.26 This mail has been blocked because the sender is unauthenticated.
550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.
550-5.7.26
550-5.7.26 Authentication results:
550-5.7.26 DKIM = did not pass
550-5.7.26 SPF [gmail.com] with ip: [50.223.178.203] = did not pass
550-5.7.26
550-5.7.26

Gmail requires SPF or DKIM.  I am unsure as to why it shows 50.223.178.203 as "did not pass SPF".

My only guess at this point is that I only made these changes in my TXT records about 12 hours ago, and maybe DNS has not fully populated around the world just yet?
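An added example, not part of the original post: a small diagnostic that reads the bounce above and compares the domain Gmail reports in its SPF line with the domain whose record was edited. It assumes the bracketed name in that line is the domain SPF was evaluated against; the function names are hypothetical and the full SPF record is constructed around the three ip4 entries quoted in the post.

```python
import ipaddress
import re

# Excerpt of the bounce quoted in the post, one SMTP reply line per row.
BOUNCE = """\
550-5.7.26 Authentication results:
550-5.7.26 DKIM = did not pass
550-5.7.26 SPF [gmail.com] with ip: [50.223.178.203] = did not pass
"""

# Constructed record: the ip4 mechanisms are the ones quoted in the post;
# the "v=spf1" prefix and "~all" suffix are assumed for illustration.
PUBLISHED = {
    "district31.net": "v=spf1 ip4:50.223.178.203 ip4:50.223.178.208 "
                      "ip4:50.223.178.201 ~all",
}
SPF_LINE = re.compile(r"SPF \[([^\]]+)\] with ip: ?\[([^\]]+)\] = (.+)")


def parse_spf_result(bounce):
    """Return (checked_domain, sending_ip, verdict) from a 5.7.26 bounce."""
    m = SPF_LINE.search(bounce)
    if m is None:
        return None
    return m.group(1).lower(), ipaddress.ip_address(m.group(2)), m.group(3).strip()


def ip_authorized(record, ip):
    """True if ip falls inside any ip4:/ip6: mechanism of the record."""
    for term in record.split()[1:]:
        name, _, value = term.lstrip("+").partition(":")
        if name in ("ip4", "ip6") and value and \
                ip in ipaddress.ip_network(value, strict=False):
            return True
    return False


def diagnose(bounce, edited_domain, published=PUBLISHED):
    """Explain an SPF failure relative to the domain whose record was edited."""
    parsed = parse_spf_result(bounce)
    if parsed is None:
        return "no-spf-line"
    checked, ip, _ = parsed
    listed = ip_authorized(published.get(edited_domain, "v=spf1"), ip)
    if checked != edited_domain.lower():
        return "domain-mismatch-ip-listed" if listed else "domain-mismatch"
    return "ip-listed" if listed else "ip-not-listed"
```

For the bounce in the post, `diagnose(BOUNCE, "district31.net")` returns `domain-mismatch-ip-listed`: the sending IP is in the district31.net record, but the SPF line names gmail.com.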


1 ACCEPTED SOLUTION

Workspace account, activate 2FA, and create an Application Password.

Then Follett must send through the proper Gmail SMTP and auth with login and pass.

--
https://wheretofind.me/@NoSubstitute


17 REPLIES

alexgrutza
Contributor III

12 hours seems long enough. Did Follett give you the IP addresses, or how did you obtain the addresses? Perhaps their SPF records/emails are coming from some other address. Long shot because you do receive emails from them to your district email, just not personal. 

--
CISSP | LinkedIn | @Phyxiis

Kim_Nilsson
Admin Moderator

The rules have changed for sending to consumer Gmail users. So this is expected.

https://support.google.com/a/answer/81126?hl=en

Specifically this paragraph.

https://support.google.com/a/answer/81126?hl=en&fl=1&#requirements-5k

This will probably affect Workspace users too sometime in the future, but for now it's only blocking emails to consumer Gmail users. All primary admins should have received several emails about this over the last couple of months.

--
https://wheretofind.me/@NoSubstitute

I did see this notification, but we are nowhere even CLOSE to sending 5000 messages per day.

Because it's Follett and it's using their IPs, they could be sending more than 5k emails per day. Unless those public IPs are dedicated to your district.

--
CISSP | LinkedIn | @Phyxiis

oh crap.............you make a very good point there!!!

Kim_Nilsson
Admin Moderator

SPF isn't enough. DKIM is necessary.

Talk to the email distributor to switch from simple SMTP to a proper mailing service, or even better stop allowing them to spoof your accounts.

Proper email mailing services have proper DKIM signing.

--
https://wheretofind.me/@NoSubstitute

Unfortunately some vendors do not support DKIM (or vice versa). According to dmarc.io Follett only supports SPF.

--
CISSP | LinkedIn | @Phyxiis

Correct, I was speaking to Follett support yesterday and they do not support DKIM.  

Funny, I do not remember why I switched to having Follett using their SMTP server for communications.

Are there any other Follett schools out there?

Should I just be creating a workspace account for this system to generate messages?

Workspace account, activate 2FA, and create an Application Password.

Then Follett must send through the proper Gmail SMTP and auth with login and pass.

--
https://wheretofind.me/@NoSubstitute

Where can I find the proper Gmail SMTP setting again?

Hey Kim, I can't seem to find how to create the "application password".......

Can you tell me where this is defined?  Thanks

Hiya, Dave.

It's only available when logged into the account after 2FA is enabled.

Link is here, deep into the 2FA settings page.

--
https://wheretofind.me/@NoSubstitute

Kim, help my thinking process here.  Now that I created a unique workspace account with 2FA and application password, I no longer need Follett's IP addresses in my domain's SPF/TXT records, correct?  

Exactly, as they will be sending directly through Google's SMTP.

--
https://wheretofind.me/@NoSubstitute

Gmail's documentation states SPF or DKIM for under 5000 daily messages.  

ddelboccio
Contributor III

Now I am starting to remember the headache this was a few years back trying to get Follett to use Gmail SMTP settings in ANY capacity.

Is there ANYONE out there who has Follett and has successfully set up their email communications using a Google Workspace account?

And is willing to share with me HOW you made it work?