Exchange SMTP 5.5.0 "Not permitted to relay" - possible issues with MX record resolution

Posted on 2009-04-11
Medium Priority
Last Modified: 2013-11-30
We have a member of our staff who is attempting to send e-mail to a partner organization (domain barringtongroup.org) and is periodically receiving SMTP 5.5.0 bounce messages which indicate that our Exchange server is unable to relay.  After a great deal of waiting for the intermittent problem to happen again with SMTP logging enabled, it has and it comes to light that the failed relay attempts are connecting to the wrong SMTP server.

It goes like this:  the partner organization uses a web and email services company called Roar Solutions.  The actual mail servers for the domain barringtongroup.org are listed in their MX records to be:

mx1.emailsrvr.com and

which appear to be part of a mail service provided by Rackspace.  In every instance where we have successfully delivered mail to the barringtongroup.org domain, it's been to one of those hosts.  However, the recently logged failure showed an SMTP session (and subsequent relay rejection) with the host  This machine is tin.niatech.ca, which is the primary nameserver listed in the SOA for barringtongroup.org.

It also happens to be, in addition to a nameserver:

a) the web server for barringtongroup.org
b) an SMTP server

which gels with the relay rejection when we try to deliver to the barringtongroup.org domain.

Anyway, three nameservers are listed in the SOA record for barringtongroup.org:


However, tiger.roarsolutions.com is not listed in the NS records at the parent server, and while the MX records for barringtongroup.org are present on the tiger NS, there are no A records for the aforementioned mx1 and mx2 hosts.

Now, I know that when an MX record can't be resolved for a domain successfully, Exchange will fall back on the A record for the domain.  And, no surprise, the A record for barringtongroup.org is for

Therefore, my thinking goes like this:

Successful instances:

1) DNS resolves using tin.niatech.ca, graphite.niatech.ca, or another server with the appropriate MX and A records
2) SMTP connection is made to mx1 or mx2 and the mail goes through

Failed instances:

1) DNS resolves using tiger.roarsolutions.com, which has the MX records but no A records for the MX hosts.  This NS is authoritative, so MX lookup ultimately fails.
2) Exchange falls back to the A record for barringtongroup.org,
3) tells us to buzz off, given that we're trying to relay.

This is what I have put together from the evidence available to me and my (middling) knowledge of DNS.  What I'm really looking for is a confirmation or denial of my suspicions from someone more knowledgeable about DNS than me, as the technical staff at Roar Solutions have flatly asserted that the problem is on our end and I can't agree with that assessment.  I'm really looking to prove my case to them, more than anything else.

Anyone? :-)
Question by:siskinds
LVL 49

Accepted Solution

Akhater earned 2000 total points
ID: 24122487
well first let me tell you Bravo, i've rarely seen questions put up like this on ee so respects

I have followed your logic and it sounds good to me with one difference

I have used http://network-tools.com/nslook/Default.asp to do the test and it looks like only tin.niatech.ca shows the A records for mx1 and mx2 (http://network-tools.com/nslook/Default.asp?domain=barringtongroup.org&type=15&server=tin.niatech.ca&class=1&port=53&timeout=5000&advanced=true&go.x=0&go.y=0)

whereas graphite.niatech.ca (http://network-tools.com/nslook/Default.asp?domain=barringtongroup.org&type=15&server=graphite.niatech.ca&class=1&port=53&timeout=5000&advanced=true&go.x=12&go.y=9) and tiger.roarsolutions.com (http://network-tools.com/nslook/Default.asp?domain=barringtongroup.org&type=15&server=tiger.roarsolutions.com&class=1&port=53&timeout=5000&advanced=true&go.x=26&go.y=15) fail to do so

I have also noticed that the MX records are pointing to a completely other DNS domain emailsrvr.com. another search on mx1.emailsrvr.com on these same server also shows that tin.niatech.ca can resolve them but graphite.niatech.ca and  tiger.roarsolutions.com doesn't

Author Comment

ID: 24124103

Thanks very much.  You're right, graphite doesn't have the A records either.  Thank you for catching that; I thought it did but I've been looking at too many DNS records recently. ;-)

Here's a quick question to do with the resolution: when the A query is done on tiger or graphite, no direct result is obtained but the A records for the global TLD servers are returned in the ADDITIONAL section of the answer.  If we query one of them for mx1 or mx2, we get the parent nameservers for emailsrvr.com, and then querying one of those parents finally gives an A record for mx1 or 2.

Now, recursive queries are disabled on tin, graphite, and tiger.  Judging from what is happening, it seems that our Exchange server is not making iterative queries back "up" the chain to get the A records; I can understand this, as those queries would add up to a fair bit of latency under certain circumstances.  Am I correct then in guessing that Exchange's default behaviour is to not perform iterative queries and just fall back on the A record as I discussed in my original post?

Do resolvers ever go back "upstream" to parent nameservers based on the records returned in the ADDITIONAL section of a response?

Anyway, that question may be a bit too broad at the end. :-)  I'm just trying to put the final shells in the proverbial arsenal.  Thanks very much again for your help, Akhater, whenever I close this question you've earned your share of the points.

Featured Post

WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Organisation is organized in a pattern to flow the day to day business, every application and system is interdepended on each other and when very important “Exchange Server downtime” happened.
Let us take a look at the scenario, you have a database that is corrupt and you run the ESEUTIL command only to find you are unable to repair it. How do you now get the data back?
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Watch the video to know how one can repair corrupt Exchange OST file effortlessly and convert OST emails to MS Outlook PST file format by using Kernel for OST to PST converter tool. It can convert OST to MSG, MBOX, EML to access them. It can migrate…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question