Emails are not being received (You do not have permission to send to this recipient) or are going to "bulk" folders

We have had some problems with emails bouncing or not being received for some time now, but recently it has become more prevalent and is now becoming a real issue in trying to communicate with business associates.  We are running a Windows2003 server with Exchange2000.  Our DNS record (and SPF) are managed through GoDaddy.  We use a local company for our internet connection and IP’s, and I believe they are a reseller of AT&T’s internet services.

Some of the errors we are receiving:

    You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <smtp.domain.com #5.7.1 smtp;550 5.7.1 SPF unauthorized mail is prohibited.>

    You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <smtp.domain.com #5.7.1 smtp;554 5.7.1 SPF Record Match Failed on xx.xx.xx.xxx>

Our SPF record is “v=spf1 a mx include:XXX.com -all”  where XXX.com is the ISP that maintains our IP’s.

I also ran a test via EmailReach and got the following:

SpamAssassin Audit
-Spam Assassin "Bayes0"
This message has a low Bayesian spam probabililty
We do not recommend that you change the content of this message.
-Your header Helo is d-d-d-d
Helo is d-d-d-d
Remedy: Use normalized headers.
-Relay HELO'd using suspicious hostname
Relay HELO'd using suspicious hostname (IP addr 1)
Remedy: Use normalized headers.
-SPF: sender does not match SPF record (fail)
SPF: sender does not match SPF record (fail)
Remedy: Review your SPF record.
Failure Details
BAYES_00,FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_IPADDR,SPF_FAIL

GMail Audit
GMail has delivered your test message to a bulk folder.

Yahoo Mail Plus Audit
Yahoo Mail Plus has delivered your test message to a bulk folder.
-Yahoo Mail Plus Test Fail
Yahoo has a number of technologies that underlie its filters.
Yahoo tips: http://help.yahoo.com/l/us/yahoo/mail/original/abuse/index.html . We also recommend fixing your
message based on all other identified issues and retesting. If you are still having problems, try here:
http://help.yahoo.com/l/us/yahoo/mail/postmaster/index.html
Failure Details
Mail was caught in Yahoo Plus Bulk Folder

GMX Webmail Audit
GMX Webmail has delivered your mail to the spam folder.
-GMX Webmail spam filters have seven sophisticated anti-spam modules which work hand-in-hand to provide a nearly
leak-proof spam barrier. Some of these modules include Header Analyzer, Spam Server Blocker, GMX Anti-Spam List
and Global Anti-Spam List.
GMX spam filters identified your mail as spam.
Contact customer care at forum-service@gmx.com.
Failure Details
Mail was caught in GMX Spam Folder

How do I get this fixed so that emails can 1) be received by the servers that validate the SPF record and 2) don’t go to a “bulk” mail folder?
grhelmAsked:

grhelmAuthor Commented:
That helps, somewhat. (I have looked at both of those posts already.)  We have an SPF record.  How do I determine what's wrong with it and why it isn't working? (Or not working completely?)  I used http://old.openspf.org/wizard.html to create this, but I must not have done something right.  (Either that, or there is some other problem in the way the server is configured itself.)
cmorffewCommented:
Where are your exchange servers?  your spf record should point to your actual mail server  e.g. mail.domain.com it has nothing to do with who holds your IP's.

point in case:
Allstream is our ISP, GoDaddy is our domain registrar.  in our spf record we have:

v=spf1 a mx ptr ip4:mail.domain.com ip4:mail2.domain.com -all

and then i have an spf record for each mail server as well:

mail.domain.com      v=spf1 a -all

each of our mail servers have the same SPF record as above e.g. mail2.domain.com    v=spf1 a -all

grhelmAuthor Commented:
The exchange server is here, in-house.  Thing is, our in-house domain (via the DC) is "XXCorp.net" but our email is "XXTech.com"  (The exchange server also hosts "XXCorp.net" but this is NOT the primary email domain everyone sends from.  The exchange server can be pinged via smtp.XXTech.com and smtp.XXCorp.net)  

Godaddy configurations are:

For XXTech.com
ARecord      @      xx.xx.xx.56
ARecord      smtp      xx.xx.xx.57
CNAME      www      @
MX      @      smtp.xxtech.com
TXT      @      v=spf1 a mx include:ISP.com -all

For XXCorp.net
ARecord      @      xx.xx.xx.30
ARecord      smtp      xx.xx.xx.57
MX      @      smtp.xxcorp.net


Being that our SPF record (for XXTech.com) is "v=spf1 a mx include:XXTech.com -all", are you saying I should change this to "v=spf1 a mx ptr ip4:smtp.XXTech.com -all"   (Should I include all the domains it sends from?)  There is no SPF record for XXCorp.net at Godaddy as shown above.

What does the "ptr" parameter do?  

There is an SPF record on our DC "v=spf1 mx -all"

Are you saying there should be an SPF record on the Exchange server also??

cmorffewCommented:
The SPF records should all be at GoDaddy - assuming you are using the domain manager and then the Total DNS manager.

ok, the issue is mainly how your exchange server identifies itself to the world.  i have 4 domains inside our organisation, however, the mail server is identified as nxmail01.domain.com therefore i have to have an spf record for that name.

when your mail server sends email - how does it identify itself?  is the server name internally smtp.xxtech.com?  probably not. :-)

According to http://www.kitterman.com/spf/validate.html?
the only spf record for xxtech.com is: v=spf1 -all   which means NO email is sent from  this domain!!!!!! - better check that

ultimately you will need to reference the ACTUAL mail server name  e.g. smtp.xxcorp.net

No need to reference the ISP.com servers at all as they do not send email for your domain.

try this on the xxTech.com domain only
v=spf1 mx ptr ip4:smtp.xxcorp.net include:xxtech.com ~all

you will need to setup spf records for all the domains that you have email for this is my spf records for another domain we have domain2:

v=spf1 mx ptr ip4:x.x.x.50 ip4:x.x.x.51 ptr:domain.com include:domain.com -all

notice how everything points to the actual mail server domain(domain.com)  the IP address are the actual IP address for mail1 and mail2


Conclusion:
You have a small percentage of your total spf records setup.  make sure your main domain, xxcorp.net has all the spf records configured correctly.  Then for each of the domains that you are email authoritative for(e.g. xxTech.com), set up a spf record referencing all xxcorp.net information and configure the mx record for these "extra" domains to point to smtp.xxcorp.net .
grhelmAuthor Commented:
Thanks cmorffew,

I did not want to include our full domain names, so I used XX as a filler.  When I go to
http://www.kitterman.com/spf/validate.html? and enter the full name, it comes back with the same spf as indicated above (v=spf1 a mx include:ISP.com -all).  

Regarding your question about the server name, you are correct.  Internally it is XXcorpemail04.XXcorp.net, but I did change the fully-qualified domain name of the server (in Exchange) to smtp.XXtech.com.  So, should I change the FQDN back to XXcorpemail04.XXcorp.net and then reference this in the SPF entry?
cmorffewCommented:
i don't think you need to change anything in the FQDN in exchange - my exchange server is set up as mail.domain.com and the server name is nxmail01.domain.com

However, i would change your spf record to reflect the actual name of the server sending the email.

i think this is what your spf record should look like for the xxcorp.net entry

v=spf1 a mx ptr ip4:XXcorpemail04.XXcorp.net ip4:smtp.xxCorp.net -all

then for all other domains e.g. xxTech.com

v=spf1 a mx ptr ip4:xx.xx.xx.57 ptr:xxcorp.net include:xxcorp.net -all

This is assuming that the xx.xx.xx.57 points to your smtp server.

your dns entries will have to have an spf record for your cname entries as well that refer to your mail server.  e.g. you probably have the smtp part of smtp.xxtech.com pointing to the xx.xx.xx.57 address therefore you will need an spf entry for smtp as v=spf1 a -all
grhelmAuthor Commented:
Thanks!!

I have setup the two spf records as indicated and if I go to mxtoolbox.com and run the spf test, everything looks like it passes (for the "-all", it says the prefix description "fail" but maybe that is what it is supposed to do?)  -- Not really sure how to test it for the other errors we were getting other than start sending out emails and see if they still bounce.

I don't really understand what you are saying about the cname entries. I do have "ARecord smtp xx.xx.xx.57", but no cname for smtp.  This is everything that is there:
ARecord @ xx.xx.xx.56
ARecord smtp xx.xx.xx.57
CNAME www @
CNAME imap imap.secureserver.net   (Not sure why we have this one?)
CNAME ftp @
MX @ smtp.xxtech.com

I don't understand how to set an spf entry for smtp as v=spf1 a -all
grhelmAuthor Commented:
I just noticed something when I sent a test email to a yahoo account.  The header looks like this:

From XXXX, XXXX Wed Apr 21 20:33:14 2010
X-Apparently-To: yyyytest@yahoo.com via 98.136.183.16; Wed, 21 Apr 2010 13:33:15 -0700
Return-Path: <xxxxxxxxxxx@xxtech.com>
X-YahooFilteredBulk: xx.xx.xx.90
X-YMailISG: m9ZJ2QYWLDtPpzeomQeuawVzwfD3yARcijg2JjLggF5wBw9BwsUVBCqqvrdR6ONBQEfBPQmbJXXwzODGXdu1VbIVsTlCEB5YY0sxe3JwK14ZHxVap6RxFrZb9r1KWyobG02uusEjry8H7xsKPuRPeB0_DZSmH9XgZIKlabHX0Qq432rpCaggQS.C7yv6Mw--
X-Originating-IP: [xx.xx.xx.90]
Authentication-Results: mta1043.mail.ac4.yahoo.com  from=xxTech.com; domainkeys=neutral (no sig);  from=xxTech.com; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO smtp.xxtech.com) (xx.xx.xx.90)
  by mta1043.mail.ac4.yahoo.com with SMTP; Wed, 21 Apr 2010 13:33:15 -0700
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="----_=_NextPart_001_01CAE191.DE239A76"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE:: Test Request
Date: Wed, 21 Apr 2010 13:33:14 -0700
Message-ID: <7FEB8639811AAE4B8FA7D7403231A840073B49F7@xxcorpemail04.xxCorp.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Test Request
Thread-Index: Acrhk3cci9/yR3TVTCuPYQyPQNlF2QAAZkWa
From: "XXX, XXXX" <XXXXX@xxTech.com>
To: <yyyytest@yahoo.com>
Content-Length: 4573

The thing that is off is that the IP address that this references as coming from (Originating-IP & Received from) are all xx.xx.xx.90, which is our public NAT address.  (I also noted that this address is flagged as YahooFilteredBulk.)

Could this be causing some of our problems??
Shreedhar EtteCommented:
Disable that filter and check.
cmorffewCommented:
it looks like you do not have your router configured to make sure all traffic from your mail server is going out on the xx.xx.xx.57 IP address and is defaulting to your main IP xx.xx.xx.90

You will need to setup your internal router to make all traffic from your mail server go out on xx.xx.xx.57 or you will have to change the address of your SMTP A records to point to the xx.xx.xx.90

In my earlier post i incorrectly referenced CNAME - i should have said your A records.  for each record that you have an A entry for that references your mail servers, you will need an spf record.

i.e.

In your TXT section in GoDaddy Total DNS Control you should have 2 entries for each domain

1. @                              v=spf1 a mx ptr ip4:XXcorpemail04.XXcorp.net ip4:smtp.xxCorp.net -all     - depending on which domain you are editing
2. SMTP.xxCorp.net       v=spf1 a -all

For other domains something like this:
e.g for domain2

1. @                                    v=spf1 mx ptr ip4:xx.xx.xx.50 ip4:xx.xx.xx.51 ptr:domain.com include:domain.com -all
2. mail.domain.com            v=spf1 a -all

For my domains i had the same issue as you regarding the IP addresses, so i added the other IP address, in my case xx.xx.xx.51 as another IP address authorised for sending email.


Sounds like you are nearly there.  :-)
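
An added example, not part of the thread or any poster's code: a minimal evaluator for the `ip4`, `a`, `mx` and `all` mechanisms, showing why mail leaving from the NAT address fails a `-all` record that only authorises the `smtp` A record, and how a receiver treats an `ip4:` term that carries a hostname. The zone, the `example.test` names, the 192.0.2.x addresses (standing in for the masked xx.xx.xx.57 and xx.xx.xx.90) and the function names are constructed assumptions; `include` and `ptr` are not modelled.

```python
import ipaddress

# Constructed zone: 192.0.2.57 stands in for the smtp A record (xx.xx.xx.57)
# and 192.0.2.90 for the NAT address the mail actually left from.
ZONE = {
    ("example.test", "A"): ["192.0.2.56"],
    ("example.test", "MX"): ["smtp.example.test"],
    ("smtp.example.test", "A"): ["192.0.2.57"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def hosts_match(names, ip):
    """True if any of `names` has an A record equal to the connecting IP."""
    return any(ip == ipaddress.ip_address(addr)
               for name in names for addr in ZONE.get((name, "A"), []))


def check_spf(record, ip, domain):
    """Evaluate ip4/a/mx/all for one connecting IP; first match wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not recognised as an SPF record at all
    ip = ipaddress.ip_address(ip)
    parsed = []
    for term in terms[1:]:  # the whole record is validated before evaluation
        qualifier = term[0] if term[0] in RESULTS else "+"
        body = term[1:] if term[0] in RESULTS else term
        mech, _, arg = body.partition(":")
        mech = mech.lower()
        if mech == "ip4":
            try:  # ip4 takes an address or CIDR block, never a hostname
                arg = ipaddress.IPv4Network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech not in ("a", "mx", "all"):
            raise NotImplementedError(mech)  # include, ptr, ... not modelled
        parsed.append((qualifier, mech, arg))
    for qualifier, mech, arg in parsed:
        if mech == "ip4":
            matched = ip in arg
        elif mech == "a":
            matched = hosts_match([arg or domain], ip)
        elif mech == "mx":
            matched = hosts_match(ZONE.get((arg or domain, "MX"), []), ip)
        else:
            matched = True  # "all" matches every sender
        if matched:
            return RESULTS[qualifier]
    return "neutral"
```

Calling `check_spf("v=spf1 a mx -all", "192.0.2.90", "example.test")` returns `fail`, which is the bounce condition in the question; adding `ip4:192.0.2.90` to the record turns the same call into `pass`.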

grhelmAuthor Commented:
Ugh, not really sure how to change the router, so I am going to have to try the second option.

This is what I have now setup via godaddy (excluded CNAME records):

For XXCorp.net
ARecord      @      xx.xx.xx.30
ARecord      smtp      xx.xx.xx.57
MX      @      smtp.xxcorp.net
TXT     @      v=spf1 a mx ptr ip4:xxcorpemail04.xxcorp.net ip4:smtp.xxcorp.net -all
TXT    smtp   v=spf1 a -all

For XXTech.com
ARecord      @      xx.xx.xx.56
ARecord      smtp      xx.xx.xx.57
MX      @      smtp.xxtech.com
TXT     @      v=spf1 a mx ptr ip4:xx.xx.xx.57 ip4:xx.xx.xx.90 ptr:xxcorp.net include:xxcorp.net -all
TXT    smtp   v=spf1 a -all

MXtoolBox.com confirms all four of the SPF records.

So, now I guess I just need to confirm if it works by sending some test mails out...
cmorffewCommented:
that looks good - fingers crossed for you. :-)

Not too sure about your MX record for xxTECH.com - i have all my MX records for other domains pointing to the main domain e.g. for you the mx record for xxtech.com might need to be smtp.xxcorp.com
grhelmAuthor Commented:
Everything, with the exception of Yahoo, seems to be working.  So, I am going to close this question.  I submitted a request to Yahoo to remove us from their "bulk sender" list and hopefully this will resolve the final issue.  If not, I may need some additional help with the router...

Thanks!