Emails are not being received (You do not have permission to send to this recipient) or are going to "bulk" folders

We have had some problems with emails bouncing or not being received for some time now, but recently it has become more prevalent and is now becoming a real issue in trying to communicate with business associates.  We are running a Windows 2003 server with Exchange 2000.  Our DNS record (and SPF) are managed through GoDaddy.  We use a local company for our internet connection and IPs, and I believe they are a reseller of AT&T’s internet services.

Some of the errors we are receiving:

You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            < #5.7.1 smtp;550 5.7.1 SPF unauthorized mail is prohibited.>

You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            < #5.7.1 smtp;554 5.7.1 SPF Record Match Failed on>

Our SPF record is “v=spf1 a mx -all”  where is the ISP that maintains our IP’s.

I also ran a test via EmailReach and got the following:

SpamAssassin Audit
-Spam Assassin "Bayes0"
This message has a low Bayesian spam probabililty
We do not recommend that you change the content of this message.
-Your header Helo is d-d-d-d
Helo is d-d-d-d
Remedy: Use normalized headers.
-Relay HELO'd using suspicious hostname
Relay HELO'd using suspicious hostname (IP addr 1)
Remedy: Use normalized headers.
-SPF: sender does not match SPF record (fail)
SPF: sender does not match SPF record (fail)
Remedy: Review your SPF record.
Failure Details

GMail Audit
GMail has delivered your test message to a bulk folder.

Yahoo Mail Plus Audit
Yahoo Mail Plus has delivered your test message to a bulk folder.
-Yahoo Mail Plus Test Fail
Yahoo has a number of technologies that underlie its filters.
Yahoo tips: . We also recommend fixing your
message based on all other identified issues and retesting. If you are still having problems, try here:
Failure Details
Mail was caught in Yahoo Plus Bulk Folder

GMX Webmail Audit
GMX Webmail has delivered your mail to the spam folder.
-GMX Webmail spam filters have seven sophisticated anti-spam modules which work hand-in-hand to provide a nearly
leak-proof spam barrier. Some of these modules include Header Analyzer, Spam Server Blocker, GMX Anti-Spam List
and Global Anti-Spam List.
GMX spam filters identified your mail as spam.
Contact customer care at
Failure Details
Mail was caught in GMX Spam Folder

How do I get this fixed so that emails can 1) be received by the servers that validate the SPF record and 2) don’t go to a “bulk” mail folder?

grhelm (Author) Commented:
That helps, somewhat. (I have looked at both of those posts already.)  We have an SPF record.  How do I determine what's wrong with it and why it isn't working? (Or not working completely?)  I used to create this, but I must not have done something right.  (Either that, or there is some other problem in the way the server is configured itself.)
Where are your exchange servers?  your spf record should point to your actual mail server  e.g. it has nothing to do with who holds your IP's.

case in point:
Allstream are our ISP, GoDaddy is our domain registrar.  in our spf record we have:

v=spf1 a mx ptr -all

and then i have an spf record for each mail server as well:      v=spf1 a -all

each of our mail servers have the same SPF record as above e.g.    v=spf1 a -all

grhelm (Author) Commented:
The exchange server is here, in-house.  Thing is, our in-house domain (via the DC) is "" but our email is ""  (The exchange server also hosts "" but this is NOT the primary email domain everyone sends from.  The exchange server can be pinged via and  

Godaddy configurations are:

ARecord      @      xx.xx.xx.56
ARecord      smtp      xx.xx.xx.57
CNAME      www      @
MX      @
TXT      @      v=spf1 a mx -all

ARecord      @      xx.xx.xx.30
ARecord      smtp      xx.xx.xx.57
MX      @

Being that our SPF record (for is "v=spf1 a mx -all", are you saying I should change this to "v=spf1 a mx ptr -all"   (Should I include all the domains it sends from?)  There is no SPF record for at Godaddy as shown above.

What does the "ptr" parameter do?  

There is an SPF record on our DC "v=spf1 mx -all"

Are you saying there should be an SPF record on the Exchange server also??

The SPF records should all be at GoDaddy - assuming you are using the domain manager and then the Total DNS manager.

ok, the issue is mainly how your exchange server identifies itself to the world.  i have 4 domains inside our organisation, however, the mail server is identified as therefore i have to have an spf record for that name.

when your mail server sends email - how does it identify itself?  is the server name internally  probably not. :-)

According to
the only spf record for is: v=spf1 -all   which means NO email is sent from  this domain!!!!!! - better check that

ultimately you will need to reference the ACTUAL mail server name  e.g.

No need to reference the servers at all as they do not send email for your domain.

try this on the domain only
v=spf1 mx ptr ~all

you will need to setup spf records for all the domains that you have email for this is my spf records for another domain we have domain2:

v=spf1 mx ptr ip4:x.x.x.50 ip4:x.x.x.51 -all

notice how everything points to the actual mail server domain(  the IP address are the actual IP address for mail1 and mail2

You have a small percentage of your total spf records setup.  make sure your main domain, has all the spf records configured correctly.  Then for each of the domains that you are email authoritative for(e.g., set up a spf record referencing all information and configure the mx record for these "extra" domains to point to .
grhelm (Author) Commented:
Thanks cmorffew,

I did not want to include our full domain names, so I used XX as a filler.  When I go to and enter the full name, it comes back with the same spf as indicated above (v=spf1 a mx -all).  

Regarding your question about the server name, you are correct.  Internally it is, but I did change the fully-qualified domain name of the server (in Exchange) to  So, should I change the FQDN back to and then reference this in the SPF entry?
i don't think you need to change anything in the FQDN in exchange - my exchange server is set up as and the server name is

However, i would change your spf record to reflect the actual name of the server sending the email.

i think this is what your spf record should look like for the entry

v=spf1 a mx ptr -all

then for all other domains e.g.

v=spf1 a mx ptr ip4:xx.xx.xx.57 -all

This is assuming that the xx.xx.xx.57 points to your smtp server.

your dns entries will have to have an spf record for your cname entries as well that refer to your mail server.  e.g. you probably have the smtp part of pointing to the xx.xx.xx.57 address therefore you will need an spf entry for smtp as v=spf1 a -all
grhelm (Author) Commented:

I have setup the two spf records as indicated and if I go to and run the spf test, everything looks like it passes (for the "-all", it says the prefix description "fail" but maybe that is what it is supposed to do?)  -- Not really sure how to test it for the other errors we were getting other than start sending out emails and see if they still bounce.

I don't really understand what you are saying about the cname entries. I do have "ARecord smtp xx.xx.xx.57", but no cname for smtp.  This is everything that is there:
ARecord @ xx.xx.xx.56
ARecord smtp xx.xx.xx.57
CNAME www @
CNAME imap   (Not sure why we have this one?)
CNAME ftp @
MX @

I don't understand how to set an spf entry for smtp as v=spf1 a -all
grhelm (Author) Commented:
I just noticed something when I sent a test email to a yahoo account.  The header looks like this:

From XXXX, XXXX Wed Apr 21 20:33:14 2010
X-Apparently-To: via; Wed, 21 Apr 2010 13:33:15 -0700
Return-Path: <>
X-YahooFilteredBulk: xx.xx.xx.90
X-YMailISG: m9ZJ2QYWLDtPpzeomQeuawVzwfD3yARcijg2JjLggF5wBw9BwsUVBCqqvrdR6ONBQEfBPQmbJXXwzODGXdu1VbIVsTlCEB5YY0sxe3JwK14ZHxVap6RxFrZb9r1KWyobG02uusEjry8H7xsKPuRPeB0_DZSmH9XgZIKlabHX0Qq432rpCaggQS.C7yv6Mw--
X-Originating-IP: [xx.xx.xx.90]
Authentication-Results:; domainkeys=neutral (no sig);; dkim=neutral (no sig)
Received: from  (EHLO (xx.xx.xx.90)
  by with SMTP; Wed, 21 Apr 2010 13:33:15 -0700
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE:: Test Request
Date: Wed, 21 Apr 2010 13:33:14 -0700
Message-ID: <>
Thread-Topic: Test Request
Thread-Index: Acrhk3cci9/yR3TVTCuPYQyPQNlF2QAAZkWa
From: "XXX, XXXX" <>
To: <>
Content-Length: 4573

The thing that is off is that the IP address that this references as coming from (Originating-IP & Received from) are all xx.xx.xx.90, which is our public NAT address.  (I also noted that this address is flagged as YahooFilteredBulk.)

Could this be causing some of our problems??
Shreedhar Ette Commented:
Disable that filter and check.
it looks like you do not have your router configured to make sure all traffic from your mail server is going out on the xx.xx.xx.57 IP address and is defaulting to your main IP xx.xx.xx.90

You will need to setup your internal router to make all traffic from your mail server go out on xx.xx.xx.57 or you will have to change the address of your SMTP A records to point to the xx.xx.xx.90

In my earlier post i incorrectly referenced CNAME - i should have said your A records.  for each record that you have an A entry for that references your mail servers, you will need an spf record.


In your TXT section in GoDaddy Total DNS Control you should have 2 entries for each domain

1. @                              v=spf1 a mx ptr -all     - depending on which domain you are editing
2.       v=spf1 a -all

For other domains something like this:
e.g for domain2

1. @                                    v=spf1 mx ptr ip4:xx.xx.xx.50 ip4:xx.xx.xx.51 -all
2.            v=spf1 a -all

For my domains i had the same issue as you regarding the IP addresses, so i added the other IP address, in my case xx.xx.xx.51 as another IP address authorised for sending email.

Sounds like you are nearly there.  :-)

grhelm (Author) Commented:
Ugh, not really sure how to change the router, so I am going to have to try the second option.

This is what I have now setup via godaddy (excluded CNAME records):

ARecord      @      xx.xx.xx.30
ARecord      smtp      xx.xx.xx.57
MX      @
TXT     @      v=spf1 a mx ptr -all
TXT    smtp   v=spf1 a -all

ARecord      @      xx.xx.xx.56
ARecord      smtp      xx.xx.xx.57
MX      @
TXT     @      v=spf1 a mx ptr ip4:xx.xx.xx.57 ip4:xx.xx.xx.90 -all
TXT    smtp   v=spf1 a -all

confirms all four of the SPF records.

So, now I guess I just need to confirm if it works by sending some test mails out...
that looks good - fingers crossed for you. :-)

Not too sure about your MX record for - i have all my MX records for other domains pointing to the main domain e.g. for you the mx record for might need to be
grhelm (Author) Commented:
Everything, with the exception of Yahoo, seems to be working.  So, I am going to close this question.  I submitted a request to Yahoo to remove us from their "bulk sender" list and hopefully this will resolve the final issue.  If not, I may need some additional help with the router...
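
Added example (not part of the thread): a minimal Python sketch of how a receiving server evaluates the `a`, `mx`, `ip4` and `all` mechanisms discussed above, showing why mail leaving via the NAT address fails `v=spf1 a mx -all` and passes once that address is listed. The zone data is constructed: 203.0.113.x stands in for the masked xx.xx.xx.x addresses, example.com is a placeholder domain, and the MX target is assumed to be the smtp host.

```python
import ipaddress

# Constructed zone data (assumption): 203.0.113.x stands in for the masked
# xx.xx.xx.x addresses; the MX is assumed to point at smtp.example.com.
ZONE = {
    "A": {"example.com": ["203.0.113.56"], "smtp.example.com": ["203.0.113.57"]},
    "MX": {"example.com": ["smtp.example.com"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, domain, sender_ip, zone=ZONE):
    """Evaluate a subset of SPF (a, mx, ip4, all) left to right; first match wins."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True  # always matches, so its qualifier is the default result
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = sender_ip in zone["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = zone["MX"].get(arg or domain, [])
            matched = any(sender_ip in zone["A"].get(h, []) for h in hosts)
        else:
            continue  # simplification: ptr, include, etc. are treated as no match
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present

if __name__ == "__main__":
    nat_ip = "203.0.113.90"  # stand-in for the public NAT address seen in the header
    for rec in ("v=spf1 a mx -all",
                "v=spf1 a mx ptr ip4:203.0.113.57 ip4:203.0.113.90 -all"):
        print(rec, "->", check_spf(rec, "example.com", nat_ip))
```

The "fail" shown next to `-all` in an SPF tester is the result applied to senders that match nothing earlier in the record, not a sign that the record itself is broken.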
