• Status: Solved

Exchange, Multiple Domains, Email Being Received As SPAM

Hello,

I have an SBS 2008 server which hosts two domains, primary.com and secondary.com. I have gone through the various tutorials and guides on how to set up two domains on Exchange 2007 and have completed all the steps except isolating the address lists and GAL, because we want one address list. The MX and rDNS for the primary.com domain point to remote.primary.com and there is an A record for it and also an SPF record of (v=spf1 ip4:our IP address -all); only our IP sends mail for this domain. Our secondary.com domain has its MX record set to remote.primary.com and the same SPF record as the primary domain and can send and receive email as well. When I look at the header of an email sent from the secondary domain it says it was received from remote.primary.com and passes SPF checks. We route all mail through DNS and don't use a smarthost.

My problem lies in sending to Gmail, amongst others: email from the primary domain gets through fine; however, the secondary domain gets seen as spam. This is the case with some other domains we try to send to as well. Neither domain nor our IP is on any blacklist that I can find.

Has anyone any ideas why this might be the case? Any help will be gratefully received.

Thanks
Asked: Declaro

Radweld Commented:
You do have to maintain separate SPF or reverse DNS records. These messages are being classified as spam or being rejected because they are being sent from secondary.com; however, the reverse checks come back as primary.com and this is classified as spoofing. You need to fix the rDNS records for the secondary.com domain in order to fix this problem.
 
Declaro (Author) Commented:
Thanks for the response.

How can I achieve this if the SBS server only has one public IP address?
 
Papertrip Commented:
The PTR record of the sending server does not need to match the from domain of the email. If both domains' mails are being sent from the same server, and that is what is in your ip4 mechanism in both SPF records, then you are fine.

Paste the headers of one of the mails that is being flagged as spam and I will tell you why it's happening.
 
Declaro (Author) Commented:
Delivered-To: xxxxxxxxx@gmail.com
Received: by 10.xxx.xx.209 with SMTP id i59cs16329wea;
        Fri, 7 Oct 2011 06:53:42 -0700 (PDT)
Received: by 10.xxx.xx5.130 with SMTP id z2mr833590wel.75.1317995622088;
        Fri, 07 Oct 2011 06:53:42 -0700 (PDT)
Return-Path: <izzy@secondary.com>
Received: from remote.primary.co.uk (remote.primary.co.uk. [xxx.xxx.xxx.xxx])
        by mx.google.com with ESMTPS id h62si6668229wed.103.2011.10.07.06.53.41
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 07 Oct 2011 06:53:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of izzy@secondary.com designates xxx.xxx.xxx.xxx as permitted sender) client-ip=xxx.xxx.xxx.xxx;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of izzy@secondary.com designates xxx.xxx.xxx.xxx as permitted sender) smtp.mail=izzy@secondary.com
Received: from SERVER.primary.local ([xxxx.xxxx.xxxx.xxxx.xxxx]) by
 SERVER.primary.local ([xxxx.xxxx.xxxxx.xxxx.xxxx]) with mapi; Fri, 7 Oct
 2011 14:53:40 +0100
From: Izzy <izzy@secondary.com>
To: "xxxxxxxxx@gmail.com" <xxxxxxxxx@gmail.com>
Date: Fri, 7 Oct 2011 14:53:39 +0100
Subject: test
Thread-Topic: test
Thread-Index: AQHMhPiE7f4A6EW2u0ykXofqDcV8Cg==
Message-ID: <1C420589A5EC844F9F345F4DBD0B25F2181AE752DE@SERVER.primary.local>
Accept-Language: en-US, en-GB
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-GB
Content-Type: multipart/alternative;
	boundary="_000_1C420589A5EC844F9F345F4DBD0B25F2181AE752DESERVERprimary_"
MIME-Version: 1.0

I have to admit there was little in the way of a message body.

Thanks
 
Papertrip Commented:
Everything looks as it should in those headers.

If you are still being placed in the spam folder, one thing you can do is add another layer for the receiver to authenticate against -- DKIM. This will accomplish 2 things -- add an extra layer of spoof protection for your domains, and increase the likelihood of being placed in the inbox and not spam. That still isn't going to ensure inbox placement, but depending on how receivers' policies are set up, passing 2 verification checks is generally better than one.

Here is how most receivers combine DKIM+SPF for sending domains that are using both.

If SPF passes, continue to DATA portion and validate DKIM if signature exists; Reject if failed, deliver if passed.
If SPF fails, reject message.
If SPF is neutral or softfail, continue to DATA and check DKIM; Reject if failed, deliver if passed.
If no SPF record exists, continue to DATA and validate DKIM if signature exists; Reject if failed, deliver if passed.
0
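The four rules above, written out as an added example (not code from the thread or from any receiver's implementation): it reads the SPF and DKIM verdicts from an Authentication-Results header like the one Declaro pasted and applies the rules. The function names, the "no-rule" outcome for cases the post leaves open, treating a missing signature as deliverable under rules 1 and 4, and the second sample header are assumptions made for illustration.

```python
import re

def parse_auth_results(value):
    """Return {method: result} from an Authentication-Results header value."""
    value = re.sub(r"\([^()]*\)", "", value)      # drop (comments)
    _authserv_id, _, body = value.partition(";")
    results = {}
    for clause in body.split(";"):
        m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def disposition(spf, dkim):
    """Apply the four rules from the post.

    spf:  'pass', 'fail', 'softfail', 'neutral' or 'none' (no SPF record)
    dkim: 'pass', 'fail', or None when the message carries no signature
    """
    if spf == "fail":
        return "reject"                  # rule 2: SPF fail ends it
    if spf not in ("pass", "softfail", "neutral", "none"):
        return "no-rule"                 # e.g. temperror: not covered by the post
    if dkim is None:
        # Rules 1 and 4 check DKIM only "if signature exists" (assumed: deliver);
        # rule 3 (softfail/neutral) does not say what happens without one.
        return "deliver" if spf in ("pass", "none") else "no-rule"
    if dkim == "pass":
        return "deliver"
    return "reject" if dkim == "fail" else "no-rule"

def classify(header_value):
    r = parse_auth_results(header_value)
    dkim = r.get("dkim")
    return disposition(r.get("spf", "none"), None if dkim == "none" else dkim)

# Header value as pasted in the thread (addresses already masked there).
THREAD_HEADER = ("mx.google.com; spf=pass (google.com: domain of izzy@secondary.com "
                 "designates xxx.xxx.xxx.xxx as permitted sender) smtp.mail=izzy@secondary.com")
# Constructed sample: SPF softfail plus a failing DKIM signature.
CONSTRUCTED = ("mx.example.net; spf=softfail (constructed) smtp.mail=izzy@secondary.com; "
               "dkim=fail header.i=@secondary.com")

if __name__ == "__main__":
    print(classify(THREAD_HEADER), classify(CONSTRUCTED))
```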
 
Declaro (Author) Commented:
The headers may be OK but the issue persists... mail from the second domain does not get to some email domains and is caught in the spam folder of others. This secondary domain is twelve months old but hasn't been used. I have this issue on two Exchange servers, both Exchange 2007 on SBS 2008 boxes, and I'm confident they are set up correctly.

Do you have any other ideas as DKIM is not really an option :(

Thanks and sorry for the delay in posting.

Dave
 
Papertrip Commented:
"Do you have any other ideas as DKIM is not really an option :("
That's unfortunate -- why is it not an option? What about signing with DK instead?

Aside from that, the only thing I can think of, other than contacting each inbox provider, is to take a look at the overall reputation of your sending servers. I'm not sure if the results are going to help, but really there aren't many other things to consider at this point. The headers look fine; I have no more ideas as to why you would still be placed in the spam folder.

https://senderscore.org/
http://www.senderbase.org/
 
Declaro (Author) Commented:
I have no experience of DKIM and am wary of installing it on a production server in the first instance.

Having said that, have you heard of EmailArchitect DomainKeys/DKIM for IIS SMTP Service and Exchange Server, which can be found here http://www.emailarchitect.net/domainkeys/ and the help file/instructions can be found here http://www.emailarchitect.net/domainkeys/doc/default.asp

Does it look like what I would need, and could I ask for a simplified basic explanation of the steps needed to implement it? I could fill in the details and try it on my own server first; I'd just like to know what's involved.

Thanks
 
Papertrip Commented:
I don't run an Exchange server so I have no experience implementing DKIM signing for it.

That app is exactly what you need, but it's far from free unfortunately.

The docs you pasted look pretty straightforward, but there is one thing to comment on. When creating the DKIM TXT record, they say to use "t=y;" -- this is good for your testing phases, but you should remove it once you confirm DKIM signing is working properly.

Man that sucks you have to dish out money just to DKIM sign with Exchange.  I would probably just put a Linux relay server between Exchange and the internet to sign your mails, for free of course.
 
Declaro (Author) Commented:
I don't think anything is free with Exchange :(

I've just re-read the help files and I think I could implement it, but I have a question you may be able to answer... SBS 2008 has a DNS server in the box, yet the DNS for my domains is handled elsewhere, in my case No-IP. Do I have to enter the public key in the SBS DNS server or the No-IP DNS settings or both? If I have to do it on my server, where do I enter the TXT record, what zone? I know practically nothing about DNS servers.

Thanks for your help with this.
 
Papertrip Commented:
Public key is used by the receiving servers, so it needs to be publicly available ie: @No-IP.
 
Papertrip Commented:
Another way of saying that is, put the DKIM TXT record wherever your SPF record is.
 
Declaro (Author) Commented:
Thanks for your help yet again :)

I'm going to try and use DKIM on my server to test it... should be fun

Don't know if you're interested but... [EMAIL ADDRESS REMOVED]

Cheers

Dave
 
Papertrip Commented:
Post on this thread if you have any issues.  Depending on how severe they are, I will either reply here or request you to open a new question.


Good luck!!
 
Declaro (Author) Commented:
Hi Papertrip,

I have implemented DKIM and have No-IP managing my DNS, and I'm unsure of some of the settings needed. I'm supposed to enter TXT records and I'm asked for...

Domain Policy and ADSP...
"Policy" asks for e.g. "0=-"; I'm unsure what to put here or where to get it from
"ADSP": I think I put "dkim=all" here

DKIM TXT Record for mydomain.com
"Selector": tried "s1024._domainkey.mydomain.com" but it says invalid selector name, but it's what the software tells me
"Record": here I put "k=rsa:; p=MHZ............=bJh67Z" which was generated by the software

Can you point me in the right direction?

Thanks

Dave

 
Declaro (Author) Commented:
Update...

Think I've sorted the selector... it was just "s1024" and it was accepted
 
Declaro (Author) Commented:
Further update...

Got DKIM working but still unsure what to enter for...

Domain Policy and ADSP...
"Policy" asks for e.g. "0=-"; I'm unsure what to put here or where to get it from
"ADSP": I think I put "dkim=all" here

Any advice would be welcomed

Thanks
 
Papertrip Commented:
Policy is for DK and not DKIM, so unless you are signing with both then just disregard.

ADSP however is for DKIM, and it should be set to "dkim=discardable", which tells the receiver that they should discard any mail from your domain which does not have a valid DKIM signature.

In regards to an earlier question of yours, I'm assuming the colon here is a typo?
"k=rsa:;

Also, yes, the selector name is what will be put into the d= value of your signature, so that should only be the label name of the record you put into DNS.
0
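A pre-publication check for the points that came up in this exchange (the full record name typed into the selector field, the stray colon in "k=rsa:;", the "t=y" testing flag left in place), added here as an example; it is not part of the thread or of the EmailArchitect software. The function names are hypothetical and the p= value is a constructed placeholder, not a real key.

```python
import base64
import binascii

# Constructed stand-in for the p= value; it is NOT a real public key.
SAMPLE_P = base64.b64encode(b"constructed placeholder, not a real key").decode()

def parse_tags(record):
    """Split a DKIM key record such as 'k=rsa; p=...' into {tag: value}."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # a trailing ';' is allowed
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part.strip()!r}")
        # Whitespace inside a value (e.g. a wrapped p=) is not significant.
        tags[name.strip()] = "".join(value.split())
    return tags

def lint_dkim_record(selector, record):
    """Return a list of problems found in the selector field and TXT value."""
    problems = []
    if "_domainkey" in selector.lower():
        problems.append("selector: enter only the label (e.g. s1024), "
                        "not the full record name")
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v: must be DKIM1 when present")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"k: unknown key type {tags['k']!r}")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t: testing flag y is still set")
    p = tags.get("p")
    if p is None:
        problems.append("p: public key tag is missing")
    elif p == "":
        problems.append("p: empty value means the key is revoked")
    else:
        try:
            base64.b64decode(p, validate=True)
        except binascii.Error:
            problems.append("p: value is not valid base64")
    return problems

if __name__ == "__main__":
    print(lint_dkim_record("s1024._domainkey.mydomain.com",
                           f"k=rsa:; t=y; p={SAMPLE_P}"))
```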
 
Declaro (Author) Commented:
Thanks, that straightens that out :) Yes, it was a typo, but the software did suggest there was a space there, which didn't work in reality.

On a plus note... Gmail and Blueyonder now receive emails from my secondary domains and I'm hoping other affected domains will too.

Thanks for your help :)

Have a good one
 
Papertrip Commented:
Awesome!  :)