Merula
Email deliverability · June 2026

Error 550 5.7.26 “This mail is unauthenticated” — why Gmail rejected your message and how to fix it

What this error means

Google rejected your message at delivery. The bounce typically reads:

550-5.7.26 This mail is unauthenticated, which poses a security
550-5.7.26 risk to the sender and Gmail users, and has been blocked.
550-5.7.26 The sender must authenticate with at least one of SPF or
550-5.7.26 DKIM.

Variants of 5.7.26 mention SPF specifically, DKIM specifically, or alignment. In every case the root cause is the same:Gmail could not cryptographically verify that the message legitimately comes from your domain, and since Google’s bulk-sender requirements took effect in February 2024, unauthenticated mail is increasingly rejected rather than spam-foldered.

Why you’re seeing it

How to fix it

  1. Check your domain for SPF, DKIM and DMARC validity and alignment — a free Merula account covers one domain and runs its first checks within minutes.
  2. Find the sender that failed. Check the bounced message’s original sending service. In Google Workspace, Gmail headers (Authentication-Results) show exactly which check failed.
  3. Authorise it properly: add the service to your SPF record and enable DKIM signing with your own domain in the service’s admin settings. Prefer DKIM — it survives forwarding and is the stronger long-term signal.
  4. Publish DMARC with a reporting address.Aggregate reports from Google arrive within 24–48 hours and show every source sending as your domain, with pass/fail per check — the fastest way to find senders you forgot.
  5. Fix the record, not just the symptom. If your SPF is at or near 10 lookups, consolidate now; the next tool you add will tip it into permerror.

EU context

Google’s requirements apply identically across all member states, and they align with what European security authorities already recommend: national CSIRTs across the EU — following CERT-EU’s DMARC guidance — advise deploying SPF, DKIM and DMARC, starting in monitoring mode and moving to enforcement. For businesses with NIS2-related obligations, or supplying companies that have them, demonstrable email authentication is shifting from best practice to contractual expectation.

Merula watches every authentication record on your domain and alerts you when something stops passing — before the rejections start. Merula is in development and launches after summer 2026.