Email delivery failures...Are we blacklisted?

We host our own email in MS Exchange in MSWindowsSBS 2003.  The email is processed locally in MSOutlook 2003.  Most of our email works successfully most of the time.  But there are some issues which I will describe:
Domain 1 - We were communicating with them successfully through about March 1, 2010.  For the last 3 weeks our emails to them (at least 3 individuals) have not reached them.  Can we assume that their domain has blacklisted us?  But now today at least one of these has gone through again.
Domain 2 - One of our personnel sends email to this recipient several times a day.  About 50% of them get through.  So obviously this is an intermittent situation.
Domain 3 - This had been working OK, but the last day or so a few emails were not delivered.  Today it seems they are going through OK again.

It seems that all emails FROM these domains is reaching us successfully.

I don't know even if these are all the same issue.  Of course the intermittency makes it harder to diagnose.  If we get blacklisted, I wouldn't have thought that the blacklist flag would just get lifted for no reason.  Blacklisting would be something done by a receiving domain, I think.  So that would be their issue.  But the fact that we have a similar issue by at least 3 receiving domains makes it look like it's something we on our end can fix.  It's rather difficult to get enough good data on a situation like this... it interrupts business and our clients have to get involved in IT testing.  

Anyway, is there something obvious and straight forward that I can do to troubleshoot this issue?
Josh ChristieAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

jshaw08Commented:
You should check if you are listed in a Blacklist. They do not typically get removed automatically, you have to request removal. It would be helpful if you could elaborate on what is happening when an email does not go through. Does it get bounced? What's the message?

This site will check your IP against several blacklists and is a good starting point:

http://www.mxtoolbox.com/ 
0
Josh ChristieAuthor Commented:
I checked mxtoolbox.com.  We have 4 MX records.  I get all OKs except that CSMA, NOMOREFUNN, and SPAMRBL show Timeout.

For some of the emails that get lost we get a non-delivery notice, BUT this notice comes about 2-3 weeks later.  It seems that for most of them, they just disappear... no message of any kind.  

Below is an example.  This error message was sent to me on 11/28/09 which was 17 days after I sent the message on 11/11.  A few days after I received this message, I was in touch with this recipient and we successfully exchanged some tests with no problem.
*********************
Your message did not reach some or all of the intended recipients.

      Subject:      training and upgrade
      Sent:      11/11/2009 10:07 AM

The following recipient(s) could not be reached:

      tcrider@staplausa.com on 11/28/2009 9:31 PM
            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <technicalservicesin.com #4.7.1 smtp;451 4.7.1 Please try again later>
0
jshaw08Commented:
Do you have reverse DNS entries for all of your mail servers?
0
ON-DEMAND: 10 Easy Ways to Lose a Password

Learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees in this on-demand webinar. We cover the importance of multi-factor authentication and how these solutions can better protect your business!

Josh ChristieAuthor Commented:
If I enter as the command........
ptr:64.18.7.14 (and similarly for each of the IP addresses of the other 3 MX records) it returns the correct Host name suffix for the corresponding MX record.  Is that what you mean?
0
Josh ChristieAuthor Commented:
What else can we try regarding this issue?
0
Josh ChristieAuthor Commented:
I have some new evidence about this issue.  This weekend I did our monthly updating of our system.  I use WSUS Version: 3.2.7600.226 to do the updating.  Well, on at least 3 work stations, in MS Outlook,  Several messages come in telling about messages that had been sent as much as 3 weeks ago that were not delivered, some saying "You did not have permission to send to this recipient."  This involved 2 or more domains which until now we did not even know we had an issue with.  Also we got at least one reply saying that several messages that had been sent within a few weeks ago and were not delivered, were now delivered.  

So was there a log jam which was opened up via the updating process?
0
Josh ChristieAuthor Commented:
As I mentioned above, we are hosting our own email in MSExchange.  Would the updating be part of the answer?  Or would just the simple matter of rebooting the server point to something?
0
Josh ChristieAuthor Commented:
Actually, the undeliverable messages are giving us quite a variety of reasons as follows:

Could not deliver the message in the time limit specified.

You do not have permission to send to this recipient.

And then there's this one..........

The e-mail system was unable to deliver the message, but did not report a specific reason.  
451 Greylisted, please try again in 900 seconds.  

On this greylisting, SearchExchange.com is suggesting that emails might get stacked up in Queue folder and that doing a daily stopping and starting of the SMTP service could be a work around for that.  Is this maybe what I'm dealing with?
0
Alan HardistyCo-OwnerCommented:
Please have a read of my article and check all is well with your configuration (some is covered above).  Also check the problem domain that you are sending to as they may have multiple MX records and I have seen problems where some of the MX records receiving mail are not configured properly and accept and delete or just reject messages, so this could explain your intermittent delivery problems:
http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Problems-sending-mail-to-one-or-more-external-domains.html 
0
Josh ChristieAuthor Commented:
The domain that we were having trouble with which caused me to dive into this issue... well, that domain did indeed have a problem of their own which evidently they have resolved and we are now communicating with them.  However, there are a number of other domains, probably 4 or 5 that I could name, to which emails have failed to arrive, so I think we have a problem also.  Our domain name is TechnicalServicesin.com.  Our MX records are hosted by the 1and1 company.  I checked each of our 4 MX records using MXToolbox.  I also checked the reverse DNS pointer using the ptr: command.  This domain shows no blacklisting, although there are a few on the blacklist list that returned a Timeout.  The Senderbase reputation is good.  We did not have an SPF record.  The record created by the OpenSPF wizard, I put into the DNS database on our MS Exchange server.  OR DOES THAT NEED TO BE IN THE DATABASE HOSTED BY 1AND1?  

We send email from/via the MS Exchange server in our office.  MX records are hosted by 1and1.  You say, "Check to make sure that the advertised IP Address in DNS for your primary MX record is the same IP address that you are sending mail from."  I'm thinking maybe that's our case.  Our MX records as hosted on 1and1 are 64.18.7.10,  64.18.7.11, 64.18.7.13, and 64.18.7.14.  

But now I'm confused.  Which IS our IP?  When I ask for "Your IP" in WhoIs.net, it gives me 67.76.18.102.  This is also the IP I get in MXTools for the domain ... mail.technicalservicesin.com.  And the command in MXTools ... a:technicalservicesin.com yields the IP ... 74.208.92.1.  I'm thinking I first need to determine for sure from which IP our emails are in fact originating and how they are being routed.  

Anyway, I'm attaching some exhibits that go along with this data.
DNS.JPG
0
Josh ChristieAuthor Commented:
I have some more files to go along with the above.

I'm bewildered where "s221375198.onlinehome.us" this comes from when I do a reverse DNS check on 74.208.92.1, which shows as the A: record for technicalservicesin.com.  I have no idea what that is!!
Network-Tools--DNS-IP-Email.pdf
Network-Tools--DNS-IP-EmailPTR.pdf
Network-Tools--DNS-IP-EmailPTRB.pdf
Network-Tools--DNS-IP-EmailPTRx4.pdf
The-SPF-Setup-Wizard.pdf
0
Alan HardistyCo-OwnerCommented:
If you visit www.whatismyip.com - you should determine your fixed IP Address.
Do you send mail out directly to the world or does it all get sent via Postini ?
0
Josh ChristieAuthor Commented:
Only our incoming mail passes through Postini as far as I can determine.

I just went into our account with 1and1.  Technicalservicesin.com shows as the the main public domain and Mail.technicalservicesin.com  shows as a subdomain.  That unknown s221375198.onlinehome.us shows as a subdomain as well, so that explains that.

Whatismyip gives the same IP as does whois.net........67.76.18.102.  Can I be sure that that is in fact the source IP of my email?

Does it look to you as though I have the A: and PTR: records configured correctly?

Did I create the SPF: record correctly?


0
Alan HardistyCo-OwnerCommented:
Send me an email and I will tell you if you are connecting using that IP.
alan @ it-eye.co.uk.
Alan
0
Alan HardistyCo-OwnerCommented:
Okay - the IP I received mail from is 67.76.18.102 - this has a generic rDNS record from your ISP - so you need to ask them to setup a proper rDNS Record such as mail.yourdomain.com - but mail.yourdomain.com needs to resolve back to IP 67.76.18.102 otherwise you will have problems.
And Yes - you are Blacklisted:
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a67.76.18.102
The listings suggest that you are on a Dynamic IP Address, so your ISP could have Statically allocated you a Dynamic IP Address - which is not good for you as the world sees you as being Dynamic.
0
Josh ChristieAuthor Commented:
OK, from the exhibit file I've attached, mail.technicalservicesin.com resolves to 67.76.18.102.  But PTR:67.76.18.102 points to oh-67-76-18-102.sta.embarqhsd.net.  I assume that this is the generic rDNS record you refer to, and that the "sta" shows the Static allocation.  In the blacklist for FIVETEN, I can see where it refers to the Dynamic IP or the generic rDNS.

So I believe what I need to take to the ISP is.........

"Please give us a Static rDNS which will cause 67.76.18.102 to resolve to mail.technicalservicesin.com instead of, as now, resolving to oh-67-76-18-102.sta.embarqhsd.net."

Do I understand it correctly?  Is this what I should take to the ISP?
677618102DNS.pdf
0
Alan HardistyCo-OwnerCommented:
Yes - ISP should setup your rDNS as mail.technicalservicesin.com - that will hopefully get you off the Dynamic blacklists, but I would also question if you are being allocated a fixed IP address out of a dynamic range as if you are, this will cause you problems.
0
Josh ChristieAuthor Commented:
So there exists a range of IPs available for allocation which are specified for dynamic use, whereas proper Static IPs come from a different range of addresses.  Is that right?  

Then let's say our ISP gives us a proper Static IP address.  Would that cause confusion for people with whom we have an email communication history?
0
Alan HardistyCo-OwnerCommented:
Generally speaking yes - there are two ranges - dynamic and static.  You should be alloctaed one from a Static IP range as this will be clean (or should be), but allocating a dynamic IP to you permanently is the same from the ISP side, but not as far as the world is concerned.
The SORBS-DUHL suggests you may be regularly allocated the same dynamic IP.
0
Josh ChristieAuthor Commented:
So if our ISP gives us a different IP, how will this affect people we've been communicating with?  After it's done, for example, if John Doe replies to me from an old email, will I get it?  Or if I reply to John from one of his old emails, will he get it?
0
Alan HardistyCo-OwnerCommented:
If you get a different IP - you need to change your MX record to point mail to the new IP - this will take between 24 and 48 hours for DNS to replicate around the world, during which time, you will get some delays on your mail, but after the replication has taken place, all will flow as normal.
If you also have an SPF record setup, you need to change that too.  SPF tells the world the IP addresses that you are allowed to send mail from, so if you change your IP, you need to change the SPF record to match your new IP address otherwise your mail will get rejected.
If you don't have an SPF record setup (in your domains DNS records), then you need not worry about this part.
0
Josh ChristieAuthor Commented:
OK, in MXTools I ran MX:mail.technicalservicesin.com and from the attached file you can see the result.  I can see that 1and1 also is hosting this.  That returns still a different IP address.  

Question 1:
Should the A: record and MX: record both resolve to the same IP?

Question 2:
I added an SPF record in our own local domain's DNS records.  Would it be best for me to just delete that after I get the rest cleaned up?
MXmailTS.pdf
0
steveoskhCommented:
hermhart, others can better help you with the DNS and exchange settings.  FWIW, let me throw out one more scenario to consider.
Are all your users working from the same office where the Exchange server is located?  Do they all send mail through the exchange server?
If some of your users are sending mail from home phones or on the road and not routing it through your mail server, that could explain some items.  

Certainly not the solution but could be a factor in some of your described situations.
0
Josh ChristieAuthor Commented:
All our outgoing email is processed by our single local MS Exchange server.
0
Josh ChristieAuthor Commented:
I'm getting some more information about this issue that I want to ask you about shortly.
0
Josh ChristieAuthor Commented:
OK.  I'm back with some more information.
First, based on alanhardisty's entry of 4/1 ID 29336859, and also this site a friend directed me to ...  http://www.simpledns.com/kb.aspx?kbid=1187 .... , I decided to try to get my ISP to setup an rDNS record for us.  Their tech support person told me that that is NOT a service they can provide.  They recommended I obtain the services of a Smart Host.  

Next I contacted tech support of 1and1 company who hosts our domain name on their name servers.  I thought, this is a company we are already working with and perhaps we already have, or could easily have a Smart Host relationship with them.  But they informed me that our current package with them is a Shared Host configuration where we share a server with other customers.  They said that in order for us to get an rDNS record setup, we would need a Dedicated Server package with which we would have full control of a server and of our settings and this would cost at least 20X of our current package.  

Next I found your thread ID 20861301 entitled "Smart Host Service Provider".  In there one of your experts at ID 10200256 recommends using a company like Message Labs as a Smart Host.  

So where would you recommend I go from here?
0
Josh ChristieAuthor Commented:
Our local computer consultant is recommending that we just give up hosting our own email in MS Exchange and let a third party provider like GoDaddy do it.  Is that a good idea?
0
Alan HardistyCo-OwnerCommented:
That depends on cost.  You have already paid for your own Exchange server, and will have to pay yet more to host externally.
Your ISP is the only entity that can setup Reverse DNS records.  If you have a fixed IP Address, then call your ISP back and talk to someone who understands your request, or escalate the call to a manager.
Are you on a fixed IP Address with your ISP?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Josh ChristieAuthor Commented:
Thanks for keeping with me
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
AntiSpam

From novice to tech pro — start learning today.