grhelm
asked on
Emails are not being received (You do not have permission to send to this recipient) or are going to "bulk" folders
We have had some problems with emails bouncing or not being received for some time now, but recently it has become more prevalent and is now becoming a real issue in trying to communicate with business associates. We are running an Windows2003 server with Exchange2000. Our DNS record (and SPF) are managed through GoDaddy. We use a local company for our internet connection and IP’s, and I believe they are a reseller of AT&T’s internet services.
Some of the errors we are receiving:
You do not have permission to send to this recipient. For assistance, contact your system administrator.
<smtp.domain.com #5.7.1 smtp;550 5.7.1 SPF unauthorized mail is prohibited.>
You do not have permission to send to this recipient. For assistance, contact your system administrator.
<smtp.domain.com #5.7.1 smtp;554 5.7.1 SPF Record Match Failed on xx.xx.xx.xxx>
Our SPF record is “v=spf1 a mx include:XXX.com -all” where XXX.com is the ISP that maintains our IP’s.
I also ran a test via EmailReach and got the following:
SpamAssassin Audit
-Spam Assassin "Bayes0"
This message has a low Bayesian spam probabililty
We do not recommend that you change the content of this message.
-Your header Helo is d-d-d-d
Helo is d-d-d-d
Remedy: Use normalized headers.
-Relay HELO'd using suspicious hostname
Relay HELO'd using suspicious hostname (IP addr 1)
Remedy: Use normalized headers.
-SPF: sender does not match SPF record (fail)
SPF: sender does not match SPF record (fail)
Remedy: Review your SPF record.
Failure Details
BAYES_00,FH_HELO_EQ_D_D_D_
GMail Audit
GMail has delivered your test message to a bulk folder.
Yahoo Mail Plus Audit
Yahoo Mail Plus has delivered your test message to a bulk folder.
-Yahoo Mail Plus Test Fail
Yahoo has a number of technologies that underlie its filters.
Yahoo tips: http://help.yahoo.com/l/us/yahoo/mail/original/abuse/index.html . We also recommend fixing your
message based on all other identified issues and retesting. If you are still having problems, try here:
http://help.yahoo.com/l/us/yahoo/mail/postmaster/index.html
Failure Details
Mail was caught in Yahoo Plus Bulk Folder
GMX Webmail Audit
GMX Webmail has delivered your mail to the spam folder.
-GMX Webmail spam filters have seven sophisticated anti-spam modules which work hand-in-hand to provide a nearly
leak-proof spam barrier. Some of these modules include Header Analyzer, Spam Server Blocker, GMX Anti-Spam List
and Global Anti-Spam List.
GMX spam filters identified your mail as spam.
Contact customer care at forum-service@gmx.com.
Failure Details
Mail was caught in GMX Spam Folder
How do I get this fixed so that emails can 1) be received by the servers that validate the SPF record and 2) don’t go to a “bulk” mail folder?
Some of the errors we are receiving:
You do not have permission to send to this recipient. For assistance, contact your system administrator.
<smtp.domain.com #5.7.1 smtp;550 5.7.1 SPF unauthorized mail is prohibited.>
You do not have permission to send to this recipient. For assistance, contact your system administrator.
<smtp.domain.com #5.7.1 smtp;554 5.7.1 SPF Record Match Failed on xx.xx.xx.xxx>
Our SPF record is “v=spf1 a mx include:XXX.com -all” where XXX.com is the ISP that maintains our IP’s.
I also ran a test via EmailReach and got the following:
SpamAssassin Audit
-Spam Assassin "Bayes0"
This message has a low Bayesian spam probabililty
We do not recommend that you change the content of this message.
-Your header Helo is d-d-d-d
Helo is d-d-d-d
Remedy: Use normalized headers.
-Relay HELO'd using suspicious hostname
Relay HELO'd using suspicious hostname (IP addr 1)
Remedy: Use normalized headers.
-SPF: sender does not match SPF record (fail)
SPF: sender does not match SPF record (fail)
Remedy: Review your SPF record.
Failure Details
BAYES_00,FH_HELO_EQ_D_D_D_
GMail Audit
GMail has delivered your test message to a bulk folder.
Yahoo Mail Plus Audit
Yahoo Mail Plus has delivered your test message to a bulk folder.
-Yahoo Mail Plus Test Fail
Yahoo has a number of technologies that underlie its filters.
Yahoo tips: http://help.yahoo.com/l/us/yahoo/mail/original/abuse/index.html . We also recommend fixing your
message based on all other identified issues and retesting. If you are still having problems, try here:
http://help.yahoo.com/l/us/yahoo/mail/postmaster/index.html
Failure Details
Mail was caught in Yahoo Plus Bulk Folder
GMX Webmail Audit
GMX Webmail has delivered your mail to the spam folder.
-GMX Webmail spam filters have seven sophisticated anti-spam modules which work hand-in-hand to provide a nearly
leak-proof spam barrier. Some of these modules include Header Analyzer, Spam Server Blocker, GMX Anti-Spam List
and Global Anti-Spam List.
GMX spam filters identified your mail as spam.
Contact customer care at forum-service@gmx.com.
Failure Details
Mail was caught in GMX Spam Folder
How do I get this fixed so that emails can 1) be received by the servers that validate the SPF record and 2) don’t go to a “bulk” mail folder?
ASKER
That helps, somewhat. (I have looked at both of those posts already.) We have an SPF record. How do I determine what's wrong with it and why it isn't working? (Or not working completely?) I used http://old.openspf.org/wizard.html to create this, but I must not have done something right. (Either that, or there is some other problem in the way the server is configured itself.)
Where are your exchange servers? your spf record should point to your actual mail server e.g. mail.domain.com it has nothing to do with who holds your IP's.
point in case:
Allstream our our ISP, GoDaddy is our domain registrar. in our spf record we have:
v=spf1 a mx ptr ip4:mail.domain.com ip4:mail2.domain.com -all
and then i have an spf record for each mail server as well:
mail.domain.com v=spf1 a -all
each of our mail servers have the same SPF record as above e.g. mail2.domain.com v=spf1 a -all
point in case:
Allstream our our ISP, GoDaddy is our domain registrar. in our spf record we have:
v=spf1 a mx ptr ip4:mail.domain.com ip4:mail2.domain.com -all
and then i have an spf record for each mail server as well:
mail.domain.com v=spf1 a -all
each of our mail servers have the same SPF record as above e.g. mail2.domain.com v=spf1 a -all
ASKER
The exchange server is here, in-house. Thing is, our in-house domain (via the DC) is "XXCorp.net" but our email is "XXTech.com" (The exchange server also hosts "XXCorp.net" but this is NOT the primary email domain everyone sends from. The exchange server can be pinged via smtp.XXTech.com and smtp.XXCorp.net)
Godaddy configurations are:
For XXTech.com
ARecord @ xx.xx.xx.56
ARecord smtp xx.xx.xx.57
CNAME www @
MX @ smtp.xxtech.com
TXT @ v=spf1 a mx include:ISP.com -all
For XXCorp.net
ARecord @ xx.xx.xx.30
ARecord smtp xx.xx.xx.57
MX @ smtp.xxcorp.net
Being that our SPF record (for XXTech.com) is "v=spf1 a mx include:XXTech.com -all", are you saying I should change this to "v=spf1 a mx ptr ip4:smtp.XXTech.com -all" (Should I include all the domains it sends from?) There is no SPF record for XXCorp.net at Godaddy as shown above.
What does the "ptr" parameter do?
There is an SPF record on our DC "v=spf1 mx -all"
Are you saying there should be an SPF record on the Exchange server also??
Godaddy configurations are:
For XXTech.com
ARecord @ xx.xx.xx.56
ARecord smtp xx.xx.xx.57
CNAME www @
MX @ smtp.xxtech.com
TXT @ v=spf1 a mx include:ISP.com -all
For XXCorp.net
ARecord @ xx.xx.xx.30
ARecord smtp xx.xx.xx.57
MX @ smtp.xxcorp.net
Being that our SPF record (for XXTech.com) is "v=spf1 a mx include:XXTech.com -all", are you saying I should change this to "v=spf1 a mx ptr ip4:smtp.XXTech.com -all" (Should I include all the domains it sends from?) There is no SPF record for XXCorp.net at Godaddy as shown above.
What does the "ptr" parameter do?
There is an SPF record on our DC "v=spf1 mx -all"
Are you saying there should be an SPF record on the Exchange server also??
The SPF records should all be at GoDaddy - assuming you are using the domain manager and then the Total DNS manager.
ok, the issue is mainly how your exchange server identifies itself to the world. i have 4 domains inside our organisation, however, the mail server is identified as nxmail01.domain.com therefore i have to have an spf record for that name.
when your mail server sends email - how does it identify itself? is the server name internally smtp.xxtech.com? probably not. :-)
According to http://www.kitterman.com/spf/validate.html?
the only spf record for xxtech.com is: v=spf1 -all which means NO email is sent from this domain!!!!!! - better check that
ultimately you will need to reference the ACTUAL mail server name e.g. smtp.xxcorp.net
No need to reference the ISP.com servers at all as they do not send email for your domain.
try this on the xxTech.com domain only
v=spf1 mx ptr ip4:smtp.xxcorp.net include:xxtech.com ~all
you will need to setup spf records for all the domains that you have email for this is my spf records for another domain we have domain2:
v=spf1 mx ptr ip4:x.x.x.50 ip4:x.x.x.51 ptr:domain.com include:domain.com -all
notice how everything points to the actual mail server domain(domain.com) the IP address are the actual IP address for mail1 and mail2
Conclusion:
You have a small percentage of your total spf records setup. make sure your main domain, xxcorp.net has all the spf records configured correctly. Then for each of the domains that you are email authoritive for(e.g. xxTech.com), set up a spf record referencing all xxcorp.net information and configure the mx record for these "extra" domains to point to smtp.xxcorp.net .
ok, the issue is mainly how your exchange server identifies itself to the world. i have 4 domains inside our organisation, however, the mail server is identified as nxmail01.domain.com therefore i have to have an spf record for that name.
when your mail server sends email - how does it identify itself? is the server name internally smtp.xxtech.com? probably not. :-)
According to http://www.kitterman.com/spf/validate.html?
the only spf record for xxtech.com is: v=spf1 -all which means NO email is sent from this domain!!!!!! - better check that
ultimately you will need to reference the ACTUAL mail server name e.g. smtp.xxcorp.net
No need to reference the ISP.com servers at all as they do not send email for your domain.
try this on the xxTech.com domain only
v=spf1 mx ptr ip4:smtp.xxcorp.net include:xxtech.com ~all
you will need to setup spf records for all the domains that you have email for this is my spf records for another domain we have domain2:
v=spf1 mx ptr ip4:x.x.x.50 ip4:x.x.x.51 ptr:domain.com include:domain.com -all
notice how everything points to the actual mail server domain(domain.com) the IP address are the actual IP address for mail1 and mail2
Conclusion:
You have a small percentage of your total spf records setup. make sure your main domain, xxcorp.net has all the spf records configured correctly. Then for each of the domains that you are email authoritive for(e.g. xxTech.com), set up a spf record referencing all xxcorp.net information and configure the mx record for these "extra" domains to point to smtp.xxcorp.net .
ASKER
Thanks cmorffew,
I did not want tto include our full domain names, so I used XX as a filler. When I go to
http://www.kitterman.com/spf/validate.html? and enter the full name, it comes back with the same spf as indicated above (v=spf1 a mx include:ISP.com -all).
Regarding your question about the server name, you are correct. Internally it is XXcorpemail04.XXcorp.net, but I did change the fully-qualified domain name of the server (in Exchange) to smtp.XXtech.com. So, should I change the FQDN back to XXcorpemail04.XXcorp.net and then reference this in the SPF entry?
I did not want tto include our full domain names, so I used XX as a filler. When I go to
http://www.kitterman.com/spf/validate.html? and enter the full name, it comes back with the same spf as indicated above (v=spf1 a mx include:ISP.com -all).
Regarding your question about the server name, you are correct. Internally it is XXcorpemail04.XXcorp.net, but I did change the fully-qualified domain name of the server (in Exchange) to smtp.XXtech.com. So, should I change the FQDN back to XXcorpemail04.XXcorp.net and then reference this in the SPF entry?
i dont think you need to change anything in the FQDN in exchange - my exchange server is set up as mail.domain.com and the server name is nxmail01.domain.com
However, i would change your spf record to reflect the actual name of the server sending the email.
i think this is what your spf record should look like for the xxcorp.net entry
v=spf1 a mx ptr ip4:XXcorpemail04.XXcorp.n
then for all other domains e.g. xxTech.com
v=spf1 a mx ptr ip4:xx.xx.xx.57 ptr:xxcorp.net include:xxcorp.net -all
This is assuming that the xx.xx.xx.57 points to your smtp server.
your dns entries will have to have an spf record for your cname entries as well that refer to your mail server. e.g. you probably have the smtp part of smtp.xxtech.com pointing to the xx.xx.xx.57 address therefore you will need an spf entry for smtp as v-spf1 a -all
However, i would change your spf record to reflect the actual name of the server sending the email.
i think this is what your spf record should look like for the xxcorp.net entry
v=spf1 a mx ptr ip4:XXcorpemail04.XXcorp.n
then for all other domains e.g. xxTech.com
v=spf1 a mx ptr ip4:xx.xx.xx.57 ptr:xxcorp.net include:xxcorp.net -all
This is assuming that the xx.xx.xx.57 points to your smtp server.
your dns entries will have to have an spf record for your cname entries as well that refer to your mail server. e.g. you probably have the smtp part of smtp.xxtech.com pointing to the xx.xx.xx.57 address therefore you will need an spf entry for smtp as v-spf1 a -all
ASKER
Thanks!!
I have setup the two spf records as indicated and if I go to mxtoolbox.com and run the spf test, everything looks like it passes (for the "-all", it says the prefix description "fail" but maybe that is what it is supposed to do?) -- Not really sure how to test it for the other errors we were getting other than start sending out emails and see if they still bounce.
I don't really understand what you are saying about the cname entries. I do have "ARecord smtp xx.xx.xx.57", but no cname for smtp. This is everything that is there:
ARecord @ xx.xx.xx.56
ARecord smtp xx.xx.xx.57
CNAME www @
CNAME imap imap.secureserver.net (Not sure why we have this one?)
CNAME ftp @
MX @ smtp.xxtech.com
I don't understand how to set an spf entry for smtp as v-spf1 a -all
I have setup the two spf records as indicated and if I go to mxtoolbox.com and run the spf test, everything looks like it passes (for the "-all", it says the prefix description "fail" but maybe that is what it is supposed to do?) -- Not really sure how to test it for the other errors we were getting other than start sending out emails and see if they still bounce.
I don't really understand what you are saying about the cname entries. I do have "ARecord smtp xx.xx.xx.57", but no cname for smtp. This is everything that is there:
ARecord @ xx.xx.xx.56
ARecord smtp xx.xx.xx.57
CNAME www @
CNAME imap imap.secureserver.net (Not sure why we have this one?)
CNAME ftp @
MX @ smtp.xxtech.com
I don't understand how to set an spf entry for smtp as v-spf1 a -all
ASKER
I just noticed something when I sent a test email to a yahoo account. The header looks like this:
From XXXX, XXXX Wed Apr 21 20:33:14 2010
X-Apparently-To: yyyytest@yahoo.com via 98.136.183.16; Wed, 21 Apr 2010 13:33:15 -0700
Return-Path: <xxxxxxxxxxx@xxtech.com>
X-YahooFilteredBulk: xx.xx.xx.90
X-YMailISG: m9ZJ2QYWLDtPpzeomQeuawVzwf
X-Originating-IP: [xx.xx.xx.90]
Authentication-Results: mta1043.mail.ac4.yahoo.com
Received: from 127.0.0.1 (EHLO smtp.xxtech.com) (xx.xx.xx.90)
by mta1043.mail.ac4.yahoo.com
Content-class: urn:content-classes:messag
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE:: Test Request
Date: Wed, 21 Apr 2010 13:33:14 -0700
Message-ID: <7FEB8639811AAE4B8FA7D7403
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Test Request
Thread-Index: Acrhk3cci9/yR3TVTCuPYQyPQN
From: "XXX, XXXX" <XXXXX@xxTech.com>
To: <yyyytest@yahoo.com>
Content-Length: 4573
The thing that is off is that the IP address that this references as coming from (Originating-IP & Received from) are all xx.xx.xx.90, which is our public NAT address. (I also noted that this address is flagged as YahooFilteredBulk.)
Could this be causing some of our problems??
From XXXX, XXXX Wed Apr 21 20:33:14 2010
X-Apparently-To: yyyytest@yahoo.com via 98.136.183.16; Wed, 21 Apr 2010 13:33:15 -0700
Return-Path: <xxxxxxxxxxx@xxtech.com>
X-YahooFilteredBulk: xx.xx.xx.90
X-YMailISG: m9ZJ2QYWLDtPpzeomQeuawVzwf
X-Originating-IP: [xx.xx.xx.90]
Authentication-Results: mta1043.mail.ac4.yahoo.com
Received: from 127.0.0.1 (EHLO smtp.xxtech.com) (xx.xx.xx.90)
by mta1043.mail.ac4.yahoo.com
Content-class: urn:content-classes:messag
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE:: Test Request
Date: Wed, 21 Apr 2010 13:33:14 -0700
Message-ID: <7FEB8639811AAE4B8FA7D7403
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Test Request
Thread-Index: Acrhk3cci9/yR3TVTCuPYQyPQN
From: "XXX, XXXX" <XXXXX@xxTech.com>
To: <yyyytest@yahoo.com>
Content-Length: 4573
The thing that is off is that the IP address that this references as coming from (Originating-IP & Received from) are all xx.xx.xx.90, which is our public NAT address. (I also noted that this address is flagged as YahooFilteredBulk.)
Could this be causing some of our problems??
Disbale that filter and check.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ugh, not really sure how to change the router, so I am going to have to try the second option.
This is what I have now setup via godaddy (excluded CNAME records):
For XXCorp.net
ARecord @ xx.xx.xx.30
ARecord smtp xx.xx.xx.57
MX @ smtp.xxcorp.net
TXT @ v=spf1 a mx ptr ip4:xxcorpemail04.xxcorp.n
TXT smtp v=spf1 a -all
For XXTech.com
ARecord @ xx.xx.xx.56
ARecord smtp xx.xx.xx.57
MX @ smtp.xxtech.com
TXT @ v=spf1 a mx ptr ip4:xx.xx.xx.57 ip4:xx.xx.xx.90 ptr:xxcorp.net include:xxcorp.net -all
TXT smtp v=spf1 a -all
MXtoolBox.com confirms all four of the SPF records.
So, now I guess I just need to confirm if it works by sending some test mails out...
This is what I have now setup via godaddy (excluded CNAME records):
For XXCorp.net
ARecord @ xx.xx.xx.30
ARecord smtp xx.xx.xx.57
MX @ smtp.xxcorp.net
TXT @ v=spf1 a mx ptr ip4:xxcorpemail04.xxcorp.n
TXT smtp v=spf1 a -all
For XXTech.com
ARecord @ xx.xx.xx.56
ARecord smtp xx.xx.xx.57
MX @ smtp.xxtech.com
TXT @ v=spf1 a mx ptr ip4:xx.xx.xx.57 ip4:xx.xx.xx.90 ptr:xxcorp.net include:xxcorp.net -all
TXT smtp v=spf1 a -all
MXtoolBox.com confirms all four of the SPF records.
So, now I guess I just need to confirm if it works by sending some test mails out...
that looks good - fingers crossed for you. :-)
Not too sure about your MX record for xxTECH.com - i have all my MX records for other domains pointing to the main domain e.g. for you the mx record for xxtech.com might need to be smtp.xxcorp.com
Not too sure about your MX record for xxTECH.com - i have all my MX records for other domains pointing to the main domain e.g. for you the mx record for xxtech.com might need to be smtp.xxcorp.com
ASKER
Everything, with the exception of Yahoo, seems to be working. So, I am going to close this question. I submitted a request to Yahoo to remove us from their "bulk sender" list and hopefully this will resolve the final issue. If not, I may need some additional help with the router...
Thanks!
Thanks!
Refer these:
https://www.experts-exchange.com/questions/24671396/Email-bounces-back-with-550-5-7-1-SPF-unauthorized-mail-is-prohibited.html
https://www.experts-exchange.com/questions/24658274/SPF-unauthorized-mail-is-prohibited-error-on-OUTGOING-messages.html
Hope this helps,
Shree