Exchange Server Emails Bounced Back Suddenly

Some of the outbound emails were bounced back suddenly starting yesterday.

There are three types of undeliverable errors:
1. #552 5.2.0 IB212 msg rejected as spam ##, from
2. #554 5.7.1 [P4] Message blocked due to spam content in the message. ##, from
3. #554 Denied (Mode: normal) ##, from

I ran a test on, and didn't find any error for our domain. It isn't on any blacklist. 4 warnings found:

smtp: mail.domain, SMTP Transaction Time, 8.284 seconds - Not good! on Transaction Time
smtp: mail.domain, SMTP TLS, Warning - Does not support TLS.
dns:  domain, DNS SOA Expire Value, SOA Expire Value out of recommended range
dns: domain, DNS SOA Serial Number Format, SOA Serial Number Format is Invalid

What's causing the problem? Can anyone help please?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hypercat (Deb)Commented:
If you're not on any blacklists, you should check two other things. First of all, you should have an SPF record for your domain.  Many large ISPs, including for example (I think this is GoDaddy, IIRC), will reject email from domains without an SPF record.  Also, take a look at the TLS issue - some domains may reject email if opportunistic TLS is not enabled.  I can't remember if it's enabled by default on Exchange 2007, although I'm pretty sure it is on Exchange 2010.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Hypercat (Deb)Commented:
Also, a third thing I just remembered, is to make sure you have a PTR (rDNS) record for your mail server, if you're hosting your own email.  The absence of a PTR record can also be a common reason for email being rejected as spam.
You should definitely follow hypercat's advice. It may be the issue.

You can sometimes get more information on reasons for failures by tryign to send email using telnet. I have frequently found the reason why email has been denied from places, including GoDaddy (, by doing so.

Instructions on how to email using telnet:

Run that from your Exchange server. If telnet isn't installed go to windows features in the server manager and install the telnet client feature. Run the telnet on port 25 against the first MX record their domain has listed.
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

stillsyraAuthor Commented:
I just created a SPF record, and there's a PTR record.

When I use telnet on the Exchange server, with command EHLO, the 250-starttls isn't shown, but the 250-x-anonymoustls is shown. So it looks like the opportunistic TLS isn't enabled.

How do I enable the opportunistic TLS on my Exchange 2007 server?
Did you proceed to try to send the email using telnet and see if you get any errors? I would go through the whole process as you may get a more specific reason why your email is blocked, which I have seen before with GoDaddy.

I'm not familiar with Opportunistic TLS, hopefully hypercat can help you with that if it is the issue.
Hypercat (Deb)Commented:
I just double-checked the documentation and opportunistic TLS IS enabled by default in Exchange 2007. So, if you have an SSL certificate properly installed on your Exchange server, and if Exchange 2007 is configured to use this SSL certificate for SMTP communications, then it will automatically use that certificate if the external server it is sending to is configured to request or require TLS.  

Do you have an SSL certificate configured for SMTP on your Exchange server?
Hypercat (Deb)Commented:
stillsyra - if you don't know the answer to my previous question, then you can check by opening the Exchange Management Shell and typing:

get-exchangecertificate | fl

This will produce a list showing you what, if any, certificates are enabled on your server for Exchange and what services (i.e., SMTP, IIS, etc.) the certificate is used for. It will also tell you if the certificates are valid or expired, which would be important to know.
stillsyraAuthor Commented:
Here's the result of get-exchangecertificate | fl. It doesn't look like the opportunitisct TLS is enabled. If so, how do I enable it?

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyA
CertificateDomains : {mail.domain, www.mail.domain, autodiscover.domain}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=, O=", Inc.", L=Scot
                     tsdale, S=Arizona, C=US
NotAfter           : 8/19/2015 2:24:16 PM
NotBefore          : 8/14/2013 11:38:27 AM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 04968AD1BAE896
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.domain, OU=Domain Control Validated
Thumbprint         : 571C1E094518B6CCA126DC744D7564F7E53E0670
Hypercat (Deb)Commented:
<<Services           : IMAP, POP, IIS, SMTP>>

This shows that the certificate, which is a GoDaddy SSL certificate, is enabled for SMTP, so you're all set with opportunistic TLS.  If you want to confirm that, make sure that your send and receive connectors are set to verbose mode, so that the communications are logged.  Then you can check the SMTP protocol logs (they are in the Exchange folder under [Drive]\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog).  You'll see two folders there, SMTP Receive and SMTP Send.  Look in the SMTP Send folder and open the log in a text reader like Notepad.

What you're looking for is communication like this:

External SMTP Connector,08D0890102A648EF,14,,,>,STARTTLS,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,15,,,<,220 2.0.0 SMTP server ready,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,16,,,*,,Sending certificate
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,17,,,*,"CN=[Your SMTP server name], OU=Domain Control Validated",Certificate subject
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,18,,,*,"SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=, O="", Inc."", L=Scottsdale, S=Arizona, C=US",Certificate issuer name
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,19,,,*,4F00CF17A03742,Certificate serial number
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,20,,,*,F037F80DBA3CE48D32CF8BB6368E916B67FC0FBD,Certificate thumbprint
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,21,,,*,[Your certificate valid server names],Certificate alternate names
2013-09-27T00:54:51.331Z,External SMTP Connector,08D0890102A648EF,22,,,*,,Received certificate
2013-09-27T00:54:51.331Z,External SMTP Connector,08D0890102A648EF,23,,,*,D4AC9CAA518865B1EF4BF3050B8AFFDF7074D02E,Certificate thumbprint
stillsyraAuthor Commented:
It's been a few days and looks like the problem is solved. Thanks everyone.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.