Message from host google.com, sometimes, duplicate delivery with same Message-ID Exim

galileuNet

June 03, 2026 09:01

Hello!
About 48 hours ago, we detected some mails form google.com host sometimes arrive duplicated (sometimes triplicated).
We investigated the headers on we detected all messages have the same Message-ID and X-Received,
We checked this mails with exigrep, and these are the logs:

X-Received:
X-Received: by 2002:a05:600c:4043:b0:490:b2a6:8c2a with SMTP id 5b1f17b1804b1-490b5e748e3mr592495e9.5.1780425702178; Tue, 02 Jun 2026 11:41:42 -0700 (PDT)
X-Received: by 2002:a05:600c:4043:b0:490:b2a6:8c2a with SMTP id 5b1f17b1804b1-490b5e748e3mr592495e9.5.1780425702178; Tue, 02 Jun 2026 11:41:42 -0700 (PDT)
X-Received: by 2002:a05:600c:4043:b0:490:b2a6:8c2a with SMTP id 5b1f17b1804b1-490b5e748e3mr592495e9.5.1780425702178; Tue, 02 Jun 2026 11:41:42 -0700 (PDT)
--------------------------------------

2026-06-02 20:42:24 1wUU4F-0000000CC1s-1R1O H=mail-wm1-f48.google.com [209.85.128.48]:52709 Warning: "SpamAssassin as xxxx detected message as NOT spam (-1.7)"
2026-06-02 20:42:24 1wUU4F-0000000CC1s-1R1O H=mail-wm1-f48.google.com [209.85.128.48]:52709 Warning: Message has been scanned: no virus or other harmful content was found
2026-06-02 20:42:24 1wUU4F-0000000CC1s-1R1O <= xxxxx@gmail.com H=mail-wm1-f48.google.com [209.85.128.48]:52709 P=esmtps X=TLS1.3:TLS_AES_128_GCM_SHA256:128 S=20046 id=00317539-CB39-4879-B36B-A19A62855796@gmail.com T="Re: Subject" for info@xxxxx.com
2026-06-02 20:42:24 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1wUU4F-0000000CC1s-1R1O
2026-06-02 20:42:25 1wUU4F-0000000CC1s-1R1O => info <info@xxxxx.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <info@xxxxx.com> cDR8BxEkH2qIWCwA7bFxZg Saved"
2026-06-02 20:42:25 1wUU4F-0000000CC1s-1R1O Completed

2026-06-02 20:42:34 1wUU4Q-0000000CC28-0QSy H=mail-ej1-f50.google.com [209.85.218.50]:53563 Warning: "SpamAssassin as xxxx detected message as NOT spam (-1.7)"
2026-06-02 20:42:34 1wUU4Q-0000000CC28-0QSy H=mail-ej1-f50.google.com [209.85.218.50]:53563 Warning: Message has been scanned: no virus or other harmful content was found
2026-06-02 20:42:34 1wUU4Q-0000000CC28-0QSy <= xxxxx@gmail.com H=mail-ej1-f50.google.com [209.85.218.50]:53563 P=esmtps X=TLS1.3:TLS_AES_128_GCM_SHA256:128 S=20082 id=00317539-CB39-4879-B36B-A19A62855796@gmail.com T="Re: Subject" for info@xxxxx.com
2026-06-02 20:42:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1wUU4Q-0000000CC28-0QSy
2026-06-02 20:42:35 1wUU4Q-0000000CC28-0QSy => info <info@xxxxx.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <info@xxxxx.com> d/wgCBskH2qSWCwA7bFxZg Saved"
2026-06-02 20:42:35 1wUU4Q-0000000CC28-0QSy Completed

2026-06-02 20:43:05 1wUU4u-0000000CC2q-21ji H=mail-ej1-f45.google.com [209.85.218.45]:53503 Warning: "SpamAssassin as xxxxx detected message as NOT spam (-1.7)"
2026-06-02 20:43:05 1wUU4u-0000000CC2q-21ji H=mail-ej1-f45.google.com [209.85.218.45]:53503 Warning: Message has been scanned: no virus or other harmful content was found
2026-06-02 20:43:05 1wUU4u-0000000CC2q-21ji <= xxxxx@gmail.com H=mail-ej1-f45.google.com [209.85.218.45]:53503 P=esmtps X=TLS1.3:TLS_AES_128_GCM_SHA256:128 S=20083 id=00317539-CB39-4879-B36B-A19A62855796@gmail.com T="Re: Subject" for info@xxxxx.com
2026-06-02 20:43:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1wUU4u-0000000CC2q-21ji
2026-06-02 20:43:05 1wUU4u-0000000CC2q-21ji => info <info@xxxxx.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <info@xxxxx.com> gDtzIDkkH2rCWCwA7bFxZg Saved"
2026-06-02 20:43:05 1wUU4u-0000000CC2q-21ji Completed

As you can see all have same Message-ID: 00317539-CB39-4879-B36B-A19A62855796@gmail.com

The fist on is processed correctly and returms the code 250 2.0.0 in 1 second and it returns Completed. But Google resend two more messages from diferents hosts ¿??¿?¿

Can anyone help us?

Comments

26 comments

Pierre Grandmaison

June 03, 2026 15:16
We are noticing the same issue as well. Sometimes emails arrive 2 times, sometimes 3 times. All from Google.

I tried testing from google to non-cpanel server and the email was only delivered once.

I am seeing some of our hosting servers having exim upgraded/updated in the last 48 hours by the nightly cpanel updates.
0
Daniel Bazaes

June 03, 2026 15:31
same here... but once i "realease" the firewalls deny IP´s the problem fixed... at least for now... will try again on a few minutes.
0
SoporteNTX

June 03, 2026 15:35
Same here!

Daniel Bazaes Could you clarify what action you took in CSF? Did you unblock specific IPs (csf -dr), remove entries from csf.deny, or identify and whitelist any Google Workspace/Gmail IP ranges? thank you!
0
Daniel Bazaes

June 03, 2026 15:41
Just hit "Flush all blocks". Sorry, I didn't look into the details—I just went with my gut. xD
0
galileuNet

June 03, 2026 15:47
Hello Pierre!
Nice to know you have the same issue. (or not... )
As I see, is this a potential cPanel/WHM issue?
I try to find something about this in other forums and nothing appears.
One question: Your server is located in OVH infrastructure?

Thanks!
Marc
0
Daniel Bazaes

June 03, 2026 15:49
No, we're in a private datacenter in Santiago, Chile. In fact, it's a fairly new server running AlmaLinux 9, cPanel, CSF, and Acronis, and it currently hosts only a single domain.
0
interwave

June 03, 2026 15:53
We are in a German Datacenter and have the same problem, going to flush the Ip's and see if that solves
0
galileuNet

June 03, 2026 15:56

Edited
Hello Daniel & SoporteNTX

Can you clarify more about this? Is in cPHulk? No CSF is runing on my server now
Thanks!
Marc
0
SoporteNTX

June 03, 2026 15:55
Daniel Bazaes LOL thanks!! After flushing all blocks, has the issue stayed resolved because the problem is that sometimes, not always that the messages are duplicated; could you let us know later? or did it come back once LFD started blocking IPs again? Also, did you ever determine which specific IP was being blocked, or did you only hit the "Flush all blocks" THANK YOU
0
Daniel Bazaes

June 03, 2026 15:57
I flushed CSF (the firewall), and we don't have cPHulk enabled at the moment.

My current theory is that some response delay may be causing Gmail to think the message wasn't properly delivered, so it attempts to resend it. After flushing CSF, the delay seemed to disappear, but I can't confirm that's the root cause yet.

I'll keep monitoring the server and, once the number of blocked IPs exceeds 200 again, I'll run the same test to see whether the behavior is reproducible.
0
Pierre Grandmaison

June 03, 2026 15:59
I do not personally believe this to be a firewall issue. In the eximlog, I see google successfully delivering the emails and I don't see any google IPs blocked at our firewall level. Plus it wouldn't make sense for the email to deliver twice if it was a firewall issue anyway.
0
Daniel Bazaes

June 03, 2026 15:59
SoporteNTX actually i did get the 200 ip´s i flushed ask claude and none is google related... thats why i think is a timing problem.

https://claude.ai/share/16a542ce-c292-4ab7-8c16-86d4535bf8ea
0
interwave

June 03, 2026 16:04
I Asked claude about it, and it started to point the problem to Greylist, but none of the IP's got caught in greylist

It must be a google problem with timing yes, and also the cpanel mailing system does not have a duplicate messaging filter
0
Daniel Bazaes

June 03, 2026 16:04
I'm not saying it's a blocked IP issue. I think the problem may be a delayed response from the server.

I'm not sure what has changed with all the updates we've been receiving lately, but this is not the only server where I've seen this behavior. The fact that the duplicate emails arrive more than 10 seconds apart gives me the impression that Google is attempting to resend the message because it doesn't receive the SMTP 250 response quickly enough.

The CSF flush may have simply reduced the delay enough for the server to return the 250 response on time. That's only a theory at this point, but it would explain what we're seeing.

My two cents.
0
interwave

June 03, 2026 16:10

Edited
yes that makes sense, but my clients are saying that is happening since last week, is this a problem that will go away ?
0
BH

June 03, 2026 16:09
Same issue here. Duplicate email from gmail and others. Greylisting disabled. Started recently - assuming it's a recent update. Different IDs.
0
Serra

June 03, 2026 16:13
I'm having the same issue. Not greylisting, not using CPHulk, using Immunify360. I don't see any blocks that aren't captcha blocks.
0
RN-Ruben

June 03, 2026 16:18

Edited
What Daniel Bazaes mentions makes sense and reminded me about this option from cPanel itself:

This comes enabled by default. If Gmail reduced the time it waits for the connection to be established, it could be sending retries before the first connection finished.
3
Serra

June 03, 2026 16:23
RN-Ruben This seemed to fix it.
0
interwave

June 03, 2026 16:24
I have users reporting other domains, but they use the Google Servers, so it is a Google Problem

I am going to try that option
0
BH

June 03, 2026 16:25

Edited
It appears one of these has fixed the issue (for now):

Run; system update, update server software and upgrade to the latest version.

Clear cPHulk blocks.

Exim Configuration Manager > Rebuild RDNS Cache.

Disable: Exim Configuration Manager > Introduce a delay into the SMTP transaction for unknown hosts and messages detected as spam.

Restart.
1
galileuNet

June 03, 2026 17:13
Hello!
Based on our logs:

2026-06-02 20:42:24 1wUU4F-0000000CC1s-1R1O H=mail-wm1-f48.google.com [209.85.128.48]:52709 Warning: "SpamAssassin as xxxx detected message as NOT spam (-1.7)"
2026-06-02 20:42:24 1wUU4F-0000000CC1s-1R1O H=mail-wm1-f48.google.com [209.85.128.48]:52709 Warning: Message has been scanned: no virus or other harmful content was found
2026-06-02 20:42:24 1wUU4F-0000000CC1s-1R1O <= xxxxx@gmail.com H=mail-wm1-f48.google.com [209.85.128.48]:52709 P=esmtps X=TLS1.3:TLS_AES_128_GCM_SHA256:128 S=20046 id=00317539-CB39-4879-B36B-A19A62855796@gmail.com T="Re: Subject" for info@xxxxx.com
2026-06-02 20:42:24 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1wUU4F-0000000CC1s-1R1O
2026-06-02 20:42:25 1wUU4F-0000000CC1s-1R1O => info <info@xxxxx.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <info@xxxxx.com> cDR8BxEkH2qIWCwA7bFxZg Saved"
2026-06-02 20:42:25 1wUU4F-0000000CC1s-1R1O Completed

Or server process the first email in 1 second (included SpamAssassin) I think this is very correct time.
and returns a 250 and a Complete.
I think the problem is a synchronization time between our server and Google servers.
I think also is not a good practice for Google send another mail whit the same Message ID about 10 seconds after the first email and from anather Google server.
Maybe a problem in database sincronizity in Google servers?
Maybe a lost packages route in between servers DNS from our server to Google?

I hope cPanel explain us what happens:

Marc
0
galileuNet

June 03, 2026 17:19
RN-Ruben good contribution. I lets try!
0
cPRex Jurassic Moderator

June 03, 2026 21:32

Edited
Hey everyone! We're tracking this as part of case CPANEL-53742 where it seems the SMTP delay value of "Introduce a delay into the SMTP transaction for unknown hosts and messages detected as spam” being enabled causes this. I'll be sure to post an update if I hear anything on my end as we're not yet sure if this is a change from our side or Gmail.
2
interwave

June 03, 2026 20:05
Ok, for now the disable the option seems to have worked
0
Kent Brockman

June 03, 2026 20:41
Hey guys. And what about whitelisting Google IP's on Exim?
```
dig TXT _spf.google.com +short
```
Then add the IP addresses to: WHM » Service Configuration » Exim Configuration Manager » Basic Editor » Trusted SMTP IP addresses

And also under: WHM » Email » Greylisting
```
74.125.0.0/16
209.85.128.0/17
```
```
2001:4860:4864::/56
2404:6800:4864::/56
2607:f8b0:4864::/56
2800:3f0:4864::/56
2a00:1450:4864::/56
2c0f:fb50:4864::/56
```
It should work, right?
0

Please sign in to leave a comment.

Comments

Didn't find what you were looking for?