Email not accepted for policy reasons.

terrontech
Hello, ever since I installed my new SBS 2011 server last weekend I can't send to any yahoo.com domain. I can send to EVERYONE else (hotmail, aol, gmail, and every other domain). I keep getting the message below. I have sent several emails to the postmaster, filled out the whitelist form and the bulk sender form (even though I am not a bulk sender) and have not heard back from Yahoo. We did not change our IP address, we are not on any blacklist, we have a reverse DNS entry, and I created an SPF record yesterday. Is there anything else I can do on my end? Yahoo isn't responding. This is nuts!

mta1050.mail.sp2.yahoo.com rejected your message to the following e-mail addresses:

terrontech@yahoo.com (terrontech@yahoo.com)


mta1050.mail.sp2.yahoo.com gave this error:
Message not allowed - [PH01] Email not accepted for policy reasons. Please visit http://postmaster.yahoo.com/errors/postmaster-27.html [120]


A problem occurred during the delivery of this message to this e-mail address. Try sending this message again. If the problem continues, please contact your helpdesk.
Chris, Lead Infrastructure Architect

Commented:
Have you set up rDNS and SPF records?

http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS

http://en.wikipedia.org/wiki/Sender_Policy_Framework

Try sending via Telnet commands; you might get a more meaningful error.
http://exchange.mvps.org/smtp_frames.htm
According to Yahoo it looks as though you may have a setting that is forcing them to use specific authentication methods to validate you.

http://help.yahoo.com/kb/index?page=content&y=PROD_MAIL_ML&locale=en_US&id=SLN4382&impressions=true

This error message indicates that your email wasn't accepted because it failed authentication checks against your sending domain's DomainKeys or DKIM policy. DomainKeys and its successor, DKIM, are email authentication technologies, which ensure emails really come from their claimed domain.
We only reject emails for failing DomainKeys or DKIM authentication when both of these conditions apply:
The signing domain (i.e., as identified in the "d=" tag of the DomainKeys/DKIM signature) has given us explicit indication that all emails from the domain must be signed and authenticated with DomainKeys and/or DKIM to prevent forgery.
The rejected email couldn't be authenticated against the sending domain's policy (e.g., due to a missing or bad signature).
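
The two conditions in the quoted Yahoo text can be checked against a domain's own DNS records. The following is an added example, not part of the original comment and not Yahoo's code: it assumes the "explicit indication" is a DomainKeys policy record (`o=-`, RFC 4870) or an ADSP record (`dkim=all` / `dkim=discardable`, RFC 5617), and every domain and record value in it is constructed.

```python
# Added example: evaluates the two rejection conditions quoted above.
# All DNS names and record values are constructed samples.

def parse_tags(record):
    """Parse a 'tag=value; tag=value' list as used in DKIM/DomainKeys records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def domain_requires_signing(txt_records):
    """txt_records maps DNS name -> TXT string. Returns names declaring 'all mail is signed'."""
    strict = []
    for name, txt in txt_records.items():
        tags = parse_tags(txt)
        label = name.lower().rstrip(".")
        if label.startswith("_adsp._domainkey."):
            # ADSP: dkim=all or dkim=discardable says every message is signed.
            if tags.get("dkim", "unknown").lower() in ("all", "discardable"):
                strict.append(name)
        elif label.startswith("_domainkey."):
            # DomainKeys policy: o=- says all mail is signed;
            # t=y marks testing mode, where the policy is not enforced.
            if tags.get("o") == "-" and tags.get("t") != "y":
                strict.append(name)
    return strict


def would_be_rejected(txt_records, signature_header, signature_verifies):
    """Both conditions: a strict policy is published AND the message is not authenticated."""
    strict = domain_requires_signing(txt_records)
    signed = bool(signature_header) and "d" in parse_tags(signature_header)
    return bool(strict) and not (signed and signature_verifies)


SAMPLE_STRICT = {"_domainkey.example.com": "o=-; r=postmaster@example.com"}
SAMPLE_TESTING = {"_domainkey.example.com": "t=y; o=-"}
SAMPLE_ADSP = {"_adsp._domainkey.example.com": "dkim=all"}
SAMPLE_SELECTOR_ONLY = {"sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER"}
SAMPLE_SIG = "v=1; a=rsa-sha256; d=example.com; s=sel1; bh=PLACEHOLDER; b=PLACEHOLDER"

if __name__ == "__main__":
    # An unsigned message from a domain that publishes a strict policy.
    print(would_be_rejected(SAMPLE_STRICT, None, False))
```

A server that does not sign outbound mail only meets both conditions when one of the strict records is published for its domain; a selector record on its own declares no policy.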

Author

Commented:
Yes, please read my post. I stated that I created the SPF yesterday. And yes, I know what the Yahoo error says. I just don't know what it means or how to fix it. I haven't heard anything back from Yahoo and I wanted to know if there is anything I can do on my server to rectify this. I even called Microsoft yesterday and they didn't know what this DKIM was either. Is it something I can enable? Again, this is specific to Yahoo. Any ideas on how to correct it?

The domain keys signature is a Yahoo thing and you will not be able to "get around it" from what I am reading...

This should help to start with...

http://www.simpledns.com/kb.aspx?kbid=1092

I am working on the policy stuff... but that should help for the DNS signature side.
Have you run your domain through MXToolbox yet?
WORKS2011, Managed IT Services, Cyber Security, Backup

Commented:
What happens if you use a smart host? We had similar problems like this where we couldn't send to one domain and setting up the smart host resolved it.

Author

Commented:
Hi Todd, yes, it comes back with no blacklists and the diagnostics run fine. It just gives a warning about the transaction time, but it does that every time I have ever tested it for any domain. I think that simpledns you sent me is the answer, but I'm confused as to how to write the TXT record for my domain. Are there any examples?
Chris, Lead Infrastructure Architect

Commented:
Sorry, I didn't absorb all the content of your post.

Looking at it, Exchange doesn't/won't support it out of the box.

If you have a third-party relayer, i.e. MessageLabs, Webroot etc., they might be able to offer it.

Here is another promising post that may be a little more complex:
http://nicholas.piasecki.name/blog/2010/12/dkim-signing-outbound-messages-in-exchange-server-2007/
http://domainkeys.sourceforge.net/

is the SF page for the project but there is not a lot there...

Also try using your domain name here for some assistance...

http://domainkeys.sourceforge.net/policycheck.html

--- Try those.. I am working on more.
...also I just tested our new Exchange server setup here and I am able to send to my Yahoo address...

I am going to take a look at some of the policies to see if there was a specific setup option performed.

Author

Commented:
Thank you, I also found this and I am reading through now....
http://dkimcore.org/tools/
Chris, Lead Infrastructure Architect

Commented:
I never have any issues with Exchange to Yahoo (2010).
I have no specific connector settings, only have SPF set up recently due to another domain, and on my test lab have no rDNS.


It's possible that you have been added to a specific blacklist within Yahoo.
Terrontech...

Does your company send out mass mailings of any sort?
WORKS2011, Managed IT Services, Cyber Security, Backup

Commented:
I agree, I wouldn't go into great detail on your server when Yahoo could easily be at fault. The probability that your server is incorrect for one domain, or that Yahoo is configured to cause the problem?
WORKS2011, Managed IT Services, Cyber Security, Backup

Commented:
And the smart host takes 2 minutes to install if you haven't tried it: get your ISP's info and plug it in. You're now using your ISP and not your email server, or how Yahoo will see it.
Commented:
DomainKeys/DKIM and SPF Records are not essentially required by Yahoo for receiving mails from your domain.

You have mentioned that PTR Record of your mail server exists.  Now, check your SMTP banner.  It should be matching the FQDN of hostname and also PTR resolves the same.

If you are using any smarthost then configure SMTP banner on the smarthost as per the product.

In case you are sending mails directly from SBS 2011, then configure it on the Send Connector.
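
The banner/PTR/forward-lookup comparison described in this comment, as an added example that is not part of the original post: the IP address, hostnames and greeting lines are constructed, and the lookup functions are injectable so the check can run against recorded values instead of live DNS.

```python
import re
import socket

# Added example; every address and hostname below is a constructed sample.

def banner_hostname(banner_line):
    """Extract the hostname from an SMTP greeting ('220 host ...' or '220-host ...')."""
    match = re.match(r"220[ -](\S+)", banner_line)
    if not match:
        raise ValueError("not an SMTP 220 greeting: %r" % banner_line)
    return match.group(1).lower().rstrip(".")


def _ptr(ip):
    return socket.gethostbyaddr(ip)[0]        # live reverse lookup


def _forward(name):
    return socket.gethostbyname_ex(name)[2]   # live forward lookup (IPv4 list)


def check_sender_identity(ip, banner_line, ptr_lookup=_ptr, forward_lookup=_forward):
    """Return a list of mismatches; an empty list means banner, PTR and A record agree."""
    problems = []
    banner = banner_hostname(banner_line)
    try:
        ptr = ptr_lookup(ip).lower().rstrip(".")
    except (OSError, KeyError):
        return ["no PTR record for %s" % ip]
    if ptr != banner:
        problems.append("banner %s does not match PTR %s" % (banner, ptr))
    try:
        addrs = forward_lookup(ptr)
    except (OSError, KeyError):
        addrs = []
    if ip not in addrs:
        problems.append("PTR %s does not resolve back to %s" % (ptr, ip))
    return problems


# Constructed records standing in for DNS answers.
SAMPLE_PTR = {"203.0.113.25": "mail.example.com"}
SAMPLE_A = {"mail.example.com": ["203.0.113.25"]}
GOOD_BANNER = "220 mail.example.com Microsoft ESMTP MAIL Service ready"
INTERNAL_BANNER = "220 SBS2011.example.local Microsoft ESMTP MAIL Service ready"

if __name__ == "__main__":
    print(check_sender_identity("203.0.113.25", INTERNAL_BANNER,
                                SAMPLE_PTR.__getitem__, SAMPLE_A.__getitem__))
```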

Author

Commented:
Yahoo still has me blocked, all attempts at unblocking have gone unanswered. Thank you for the help, but even adding the DKIM record has not helped.
