Declaro


Exchange, Multiple Domains, Email Being Received As SPAM

Hello,

I have an SBS 2008 server which hosts two domains, primary.com and secondary.com. I have gone through the various tutorials and guides on how to set up two domains on Exchange 2007 and have completed all the steps except isolating the address lists and GAL, because we want one address list. The MX and rDNS for the primary.com domain point to remote.primary.com, and there is an A record for it and also an SPF record of (v=spf1 ip4:our IP address -all); only our IP sends mail for this domain. Our secondary.com domain has its MX record set to remote.primary.com and the same SPF record as the primary domain, and can send and receive email as well. When I look at the header of an email sent from the secondary domain, it says it was received from remote.primary.com and passes SPF checks. We route all mail through DNS and don't use a smarthost.

My problem lies in sending to Gmail, amongst others: email from the primary domain gets through fine; however, email from the secondary domain gets seen as spam. This is the case with some other domains we try to send to as well. Neither domain nor our IP is on any blacklist that I can find.

Has anyone any ideas why this might be the case? Any help will be gratefully received.

Thanks

Radweld

You do have to maintain separate SPF or reverse DNS records. These messages are being classified as spam or being rejected because they are being sent from secondary.com; however, the reverse checks come back as primary.com and this is classified as spoofing. You need to fix the rDNS records for the secondary.com domain in order to fix this problem.
Declaro

ASKER

Thanks for the response.

How can I achieve this if the SBS server only has one public IP address?
Papertrip

The PTR record of the sending server does not need to match the from domain of the email.  If both domains' mails are being sent from the same server, and that is what is in your ip4 mechanism in both SPF records, then you are fine.

Paste the headers of one of the mails that is being flagged as spam and I will tell you why it's happening.
Declaro

ASKER

Delivered-To: xxxxxxxxx@gmail.com
Received: by 10.xxx.xx.209 with SMTP id i59cs16329wea;
        Fri, 7 Oct 2011 06:53:42 -0700 (PDT)
Received: by 10.xxx.xx5.130 with SMTP id z2mr833590wel.75.1317995622088;
        Fri, 07 Oct 2011 06:53:42 -0700 (PDT)
Return-Path: <izzy@secondary.com>
Received: from remote.primary.co.uk (remote.primary.co.uk. [xxx.xxx.xxx.xxx])
        by mx.google.com with ESMTPS id h62si6668229wed.103.2011.10.07.06.53.41
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 07 Oct 2011 06:53:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of izzy@secondary.com designates xxx.xxx.xxx.xxx as permitted sender) client-ip=xxx.xxx.xxx.xxx;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of izzy@secondary.com designates xxx.xxx.xxx.xxx as permitted sender) smtp.mail=izzy@secondary.com
Received: from SERVER.primary.local ([xxxx.xxxx.xxxx.xxxx.xxxx]) by
 SERVER.primary.local ([xxxx.xxxx.xxxxx.xxxx.xxxx]) with mapi; Fri, 7 Oct
 2011 14:53:40 +0100
From: Izzy <izzy@secondary.com>
To: "xxxxxxxxx@gmail.com" <xxxxxxxxx@gmail.com>
Date: Fri, 7 Oct 2011 14:53:39 +0100
Subject: test
Thread-Topic: test
Thread-Index: AQHMhPiE7f4A6EW2u0ykXofqDcV8Cg==
Message-ID: <1C420589A5EC844F9F345F4DBD0B25F2181AE752DE@SERVER.primary.local>
Accept-Language: en-US, en-GB
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-GB
Content-Type: multipart/alternative;
	boundary="_000_1C420589A5EC844F9F345F4DBD0B25F2181AE752DESERVERprimary_"
MIME-Version: 1.0

I have to admit there was little in the way of a message body.

Thanks
Papertrip

Everything looks as it should in those headers.

If you are still being placed in the spam folder, one thing you can do is add another layer for the receiver to authenticate against -- DKIM.  This will accomplish 2 things -- add an extra layer of spoof protection for your domains, and increase the likelihood of being placed in the inbox and not spam.  That still isn't going to ensure inbox placement, but depending on how receivers' policies are set up, passing 2 verification checks is generally better than one.

Here is how most receivers combine DKIM+SPF for sending domains that are using both.

If SPF passes, continue to DATA portion and validate DKIM if signature exists; Reject if failed, deliver if passed.
If SPF fails, reject message.
If SPF is neutral or softfail, continue to DATA and check DKIM; Reject if failed, deliver if passed.
If no SPF record exists, continue to DATA and validate DKIM if signature exists; Reject if failed, deliver if passed.
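
An added example, not part of the original thread: it reads the receiver's `Authentication-Results` header (as in the headers posted earlier) and applies the SPF/DKIM flow exactly as the post above describes it, returning "unspecified" where that description is silent. The sample message is constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers posted above; 192.0.2.10 is a
# documentation address standing in for the redacted sender IP.
SAMPLE = (
    "Return-Path: <izzy@secondary.com>\n"
    "Authentication-Results: mx.google.com; spf=pass (google.com: domain of "
    "izzy@secondary.com designates 192.0.2.10 as permitted sender) "
    "smtp.mail=izzy@secondary.com\n"
    "From: Izzy <izzy@secondary.com>\n"
    "Subject: test\n"
    "\n"
    "test\n"
)


def auth_results(raw_message):
    """Extract the receiver's SPF and DKIM results from Authentication-Results."""
    msg = message_from_string(raw_message)
    value = " ".join(msg.get_all("Authentication-Results") or []).lower()
    value = re.sub(r"\([^()]*\)", " ", value)  # drop parenthesised comments
    found = dict(re.findall(r"\b(spf|dkim)=([a-z]+)", value))
    return {m: found.get(m, "none") for m in ("spf", "dkim")}


def verdict(spf, dkim):
    """Decision flow as described in the post above (not any receiver's code)."""
    if spf == "fail":
        return "reject"
    if dkim in ("pass", "fail"):
        return "deliver" if dkim == "pass" else "reject"
    if dkim == "none" and spf in ("pass", "none"):
        # "validate DKIM if signature exists": nothing to validate, so the
        # message carries on with SPF as its only authentication result.
        return "continue"
    return "unspecified"  # e.g. softfail without a signature, or dkim=temperror


def triage(raw_message):
    """Return (results, verdict) for one raw message."""
    results = auth_results(raw_message)
    return results, verdict(results["spf"], results["dkim"])
```

For the posted message the result is SPF pass with no DKIM result at all, so SPF is the only authentication signal the receiver had.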
Declaro

ASKER

The headers may be OK but the issue persists... mail from the second domain does not get to some email domains and is caught in the spam folder of others. This secondary domain is twelve months old but hasn't been used. I have this issue on two Exchange servers, both Exchange 2007 on SBS 2008 boxes, and I'm confident they are set up correctly.

Do you have any other ideas as DKIM is not really an option :(

Thanks and sorry for the delay in posting.

Dave
ASKER CERTIFIED SOLUTION
Papertrip
Declaro

ASKER

I have no experience of DKIM and am wary of installing it on a production server in the first instance.

Having said that have you heard of  EmailArchitect DomainKeys/DKIM for IIS SMTP Service and Exchange Server which can be found here http://www.emailarchitect.net/domainkeys/ and the help file/instructions can be found here http://www.emailarchitect.net/domainkeys/doc/default.asp 

Does it look like what I would need, and could I ask for a simplified basic explanation of the steps needed to implement it? I could fill in the details and try it on my own server first; I'd just like to know what's involved.

Thanks
Papertrip

I don't run an Exchange server so I have no experience implementing DKIM signing for it.

That app is exactly what you need, but it's far from free unfortunately.

The docs you pasted look pretty straightforward, but there is one thing to comment on.  When creating the DKIM TXT record, they say to use "t=y;" -- this is good for your testing phases, but you should remove it once you confirm DKIM signing is working properly.

Man that sucks you have to dish out money just to DKIM sign with Exchange.  I would probably just put a Linux relay server between Exchange and the internet to sign your mails, for free of course.
Declaro

ASKER

I don't think anything is free with Exchange :(

I've just re-read the help files and I think I could implement it, but I have a question you may be able to answer... SBS 2008 has a DNS server in the box, yet the DNS for my domains is handled elsewhere, in my case No-IP. Do I have to enter the public key in the SBS DNS server or the No-IP DNS settings, or both? If I have to do it on my server, where do I enter the TXT record, what zone? I know practically nothing about DNS servers.

Thanks for your help with this.
Papertrip

Public key is used by the receiving servers, so it needs to be publicly available ie: @No-IP.
Papertrip

Another way of saying that is, put the DKIM TXT record wherever your SPF record is.
Declaro

ASKER

Thanks for your help yet again :)

I'm going to try and use DKIM on my server to test it... should be fun

Don't know if you're interested but... [EMAIL ADDRESS REMOVED]

Cheers

Dave
Papertrip

Post on this thread if you have any issues.  Depending on how severe they are, I will either reply here or request you to open a new question.


Good luck!!
Declaro

ASKER

Hi Papertrip,

I have implemented DKIM and have No-IP managing my DNS, and I'm unsure of some of the settings needed.  I'm supposed to enter TXT records and I'm asked for....

Domain Policy and ADSP...
"Policy"        asks for e.g "0=-"  I'm unsure what to put here or where to get it from
"ADSP" I think I put "dkim=all" here

DKIM TXT Record for mydomain.com
"Selector" tried      "s1024._domainkey.mydomain.com" but says invalid selector name but it's what the software tells me
"Record" here I put "k=rsa:; p=MHZ............=bJh67Z" which was generated by the software

Can you point me in the right direction?

Thanks

Dave

Declaro

ASKER

Update....

Think I've sorted the selector... it was just "s1024" and it was accepted
Declaro

ASKER

Further update...

Got DKIM working but still unsure what to enter for...

Domain Policy and ADSP...
"Policy"        asks for e.g "0=-"  I'm unsure what to put here or where to get it from
"ADSP" I think I put "dkim=all" here

Any advice would be welcomed

Thanks
Papertrip

Policy is for DK and not DKIM, so unless you are signing with both then just disregard.

ADSP however is for DKIM, and it should be set to "dkim=discardable", which tells the receiver that they should discard any mail from your domain which does not have a valid DKIM signature.

In regards to an earlier question of yours, I'm assuming the colon here is a typo?
"k=rsa:;


Also yes selector name is what will be put into the d= value of your signature, so that should only be the label name of the record you put into DNS.
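
An added example, not from the thread participants or the signing software: a small linter for the two entry mistakes discussed above (a full DNS name typed into the selector field, and the stray colon in `k=rsa:;`), which also flags a leftover `t=y` testing flag. The function names are hypothetical, and `SAMPLE_P` is a constructed placeholder, not a real key.

```python
import base64
import re

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
# Constructed placeholder: valid base64, but not a real public key.
SAMPLE_P = base64.b64encode(b"constructed sample, not a real key").decode()


def dkim_query_name(selector, domain):
    """Build the DNS name of the key record from a bare selector."""
    if "_domainkey" in selector or not re.fullmatch(rf"{LABEL}(?:\.{LABEL})*", selector):
        raise ValueError(f"enter only the selector label(s), got {selector!r}")
    return f"{selector}._domainkey.{domain}"


def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, sep, value = part.partition("=")
            if not sep:
                raise ValueError(f"not a tag=value pair: {part.strip()!r}")
            tags[name.strip()] = "".join(value.split())
    return tags


def lint_key_record(record):
    """Return a list of problems found in a DKIM key TXT record."""
    tags, problems = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"v={tags['v']} is not DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"k={tags['k']} is not a known key type")
    p = tags.get("p")
    if p is None:
        problems.append("p= (public key) is missing")
    elif p == "":
        problems.append("p= is empty, which marks the key as revoked")
    else:
        try:
            base64.b64decode(p, validate=True)  # encoding check only
        except ValueError:
            problems.append("p= is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y (testing mode) is still set")
    return problems
```

Run the linter on the record text exactly as it is published in the public DNS zone, since that is the copy receiving servers fetch.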
Declaro

ASKER

Thanks, that straightens that out :) yes it was a typo but the software did suggest there was a space there which didn't work in reality.

On a plus note... Gmail and Blueyonder now receive emails from my secondary domains and I'm hoping other affected domains will too.

Thanks for your help :)

Have a good one
Papertrip

Awesome!  :)