Exchange incoming - A record being seen only?

dee30:
Working through something and hoping to get some feedback/different perspectives to look at.

Exchange 2010, one primary domain ( with a setting to allow incoming from

external filter mxlogic (inbound) only.

Suddenly over the last several weeks (nothing has changed on the servers (Exchange or DNS)), mail from some clients sent to isn't making it through. Clients are getting 554 check SMTP settings; their SMTP snippets are showing the A record for the domain rather than the MX, which is propagated and can be confirmed on external tools like etc...

Two things:
1. There was a change from the external web person that assigned a new IP to due to blacklisting issues before.
2. I tested something: when I sent mail to from Hotmail I got the 554 error, sporadically. I think when I unchecked "automatically update based on email policy" on a user that I added the alias to, the mail went through. ??? What could be the relationship/things to look at based on this insight?
3. Both domainprimary and acceptotherdomaintoo are A records with the same IP on the hosted site.

So, note that most users can accept email from any of the domains with one set as primary. So for now I have those users that have the issues having their clients use

Thanks, really hoping for some activity on this issue and feedback on things I can consider, but I'm not clear this isn't our issue and not the sender's.


554 is actually the "Relay Denied" message. How have you configured transport security for the CAS and transport roles? Can you explain how your environment is set up? How many servers, and which servers have which roles, etc.? Any anti-spam gateway?


1 server has all roles (Hub, CAS, and Mailbox)
2010 v14.01.0270.001
Server is part of one primary domain name with various accepted domains set up under Hub Transport. In this case one of those accepted domains is , which is authoritative. Email to user is having the issue.

The error is actually 550, my typo... "turn on SMTP Auth in your mail client" is what the sender gets. I have two clients that seem to be using the same external filtering company and one that has none. All three have this issue, but sometimes they don't get an NDR for a while or at all.

I honestly don't see how the internal Exchange server setup is the issue, because the mail never makes it to our external filters. We're using the external company's MX records (mxlogic).



I also want to go over the config steps for DNS...

1. Mail server external is - from server

2. Hosting site cPanel DNS manager for - A record for
3. Hosting site DIFFERENT cPanel DNS manager for - A record for (they assigned ; that shouldn't be blacklisted).

4. Hosting site cPanel DNS manager for - MX records pointing to our external filtering company, two different ones at priority 10 and 20.
5. Hosting site DIFFERENT cPanel DNS manager for - MX records pointing to our external filtering company, two different ones at priority 10 and 20.

6. Exchange 2010 SMTP connector FQDN matches A record -

I'm not sure where/for which IP the rDNS should be registered, and also not sure if I'm missing something in the DNS setup above.

"their SMTP snippets are showing the A record for the domain rather than the MX, which is propagated and can be confirmed on external tools like"

In SMTP, when there is no MX record, the A record is used instead.

It seems possible that your MX record is missing on one DNS server, so the mail gets sent to the A record, which hosts a server that rejects incoming mail (possibly the Exchange server, which is likely configured to reject any mail that does not come through your filtering service).


Skullnobrains, thanks, I get this, but as I said the MX records are verifying, and I posted the DNS/Exchange config setup hoping someone can point out where something was missed.
Bear in mind this has been working all along.



Again, to reiterate, this is my DNS config for my Exchange:

Exchange 2010, part of one domain trust and forest, set to also accept mail from the other domain.

1. Exchange server public IP 12.205.200.1; hosting company cPanel DNS manager A record for ; same hosting company, different cPanel DNS manager, A record for

1a. Our internal DNS server for has an A record for

2. MX records for both (via the same hosting company but separate/their own cPanel access) set to point to the external filtering company, which has our public IP for and MX records to use. Priority 10 and 20.

3. SPF under the cPanel DNS manager is set up like "v=spf1 +a +mx ip4: -all"

Exchange 2010 SMTP connector FQDN matches A record -

Not sure if something is missing; is everything right if a reverse DNS entry (PTR record) is needed somewhere?
Would you mind posting the domain name so we can run some basic tests? And the log snippets you were mentioning earlier?

Please don't rely on external tools, or at least post information regarding what they check. Most tools that check "DNS propagation" will check the caches of the main ISPs but not necessarily perform a recursive DNS lookup and check all the NS servers associated with your domain.

"Clients are getting 554 check SMTP settings, their SMTP snippets are showing the A record for the domain rather than the MX"

If the SMTP session is targeted at the A record instead of the MX (which is what I understand from the previous sentence), the MX is definitely not propagated properly. Maybe we are talking about internal clients from one domain trying to access the other? Then the checks should be performed internally rather than externally. As a general rule, run checks from the location of the machine that reports the failure.

If you're talking about MUAs of internal users such as Thunderbird, Outlook, ..., then the server which receives the connection is hard-coded in their config. Post the relevant information: this may not be DNS/MX-related at all.


As far as PTRs are concerned:
- your internal DNS server does not have one. This is unusual but not required.
- your external filtering company does not have one either for 12.... This is likely OK, since I'd assume your outgoing mail flows through some different address which does have a PTR. The PTR is not necessary to receive incoming SMTP traffic.

But then I'm unsure you are posting the proper addresses. From my location, I can't connect to port 25 on 12....1, but this may also be because I'm at home and my address is probably on the CBL and various other dynamic IP pool lists.


There is a mistake in your SPF field: you should NOT include:domainX in the SPF record of domainX. You may, and probably should, include the SPF record of the primary in the SPF record of your secondary domain. Most SPF implementations will probably just ignore the include. Some will just ignore SPF altogether. It is unlikely, but some may decide to defer or reject the message.
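An added example, not from the thread or from either poster, modelling the two checks the replies above describe: the earlier answer's point that an SMTP client falls back to the domain's A record when it sees no MX (so a single authoritative name server with a missing MX sends mail straight at the Exchange box), and this answer's points that each NS should be queried directly rather than trusting a "propagation" tool, and that an SPF record must not include: its own domain. In practice the per-server answers would come from `dig @<ns> <domain> MX` run against every NS listed for the domain; here they are constructed, as are the domain names and the 192.0.2.25 address, so the script runs offline.

```python
"""Offline model of the MX/A fallback rule, per-NS MX agreement, and SPF sanity.

Added example; not the poster's configuration. All names, addresses and DNS
answers below are constructed. A real check would feed mx_disagreements()
with the output of `dig @<ns> <domain> MX` for each authoritative NS.
"""
from collections import Counter
from typing import Dict, List, Tuple

MX = Tuple[int, str]  # (preference, exchange host)


def smtp_targets(mx: List[MX], a: List[str]) -> List[str]:
    """Hosts an SMTP client tries, in order (RFC 5321 section 5.1).

    With MX records: lowest preference first (equal preferences are tried in
    an order the client chooses; sorted here for determinism). With none: the
    domain's own A record is treated as an MX of preference 0, which is how
    mail reaches the Exchange server instead of the filtering service when an
    NS serves no MX. A single '0 .' record (RFC 7505 null MX) means no mail.
    """
    if mx:
        if len(mx) == 1 and mx[0][1] == ".":
            return []
        return [host for _, host in sorted(mx)]
    return list(a)


def mx_disagreements(answers: Dict[str, List[MX]]) -> Dict[str, List[MX]]:
    """answers maps each authoritative NS to the MX set it returned.

    Returns the servers whose answer differs from the most common answer, so
    an NS still serving an empty or stale MX set stands out. Record order,
    hostname case and a trailing dot do not count as differences.
    """
    normalised = {
        ns: tuple(sorted((p, h.lower().rstrip(".")) for p, h in v))
        for ns, v in answers.items()
    }
    majority = Counter(normalised.values()).most_common(1)[0][0]
    return {ns: list(v) for ns, v in normalised.items() if v != majority}


def spf_problems(domain: str, spf: str) -> List[str]:
    """Flag an include: of the record's own domain and an ip4:/ip6: with no address."""
    problems: List[str] = []
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    for term in terms[1:]:
        term = term.lower().lstrip("+-~?")  # drop the qualifier
        # mechanisms use ':' (include:, ip4:), modifiers use '=' (redirect=)
        mech, _, arg = term.partition(":") if ":" in term else term.partition("=")
        if mech == "include" and arg.rstrip(".") == domain.lower().rstrip("."):
            problems.append(f"include:{arg} refers to the record's own domain")
        if mech in ("ip4", "ip6") and not arg:
            problems.append(f"{mech}: has no address")
    return problems


def diagnose(domain: str, answers: Dict[str, List[MX]], a: List[str], spf: str) -> Dict[str, object]:
    """Where a sender would deliver depending on which NS it happened to ask, plus SPF findings."""
    return {
        "targets_by_ns": {ns: smtp_targets(mx, a) for ns, mx in answers.items()},
        "disagreeing_ns": mx_disagreements(answers),
        "spf_problems": spf_problems(domain, spf),
    }


# Constructed scenario mirroring the thread: two of three authoritative name
# servers return the filtering company's MX hosts, the third returns none.
EXAMPLE_ANSWERS: Dict[str, List[MX]] = {
    "ns1.hosting.example": [(10, "mx1.filter.example"), (20, "mx2.filter.example")],
    "ns2.hosting.example": [(20, "MX2.filter.example."), (10, "mx1.filter.example")],
    "ns3.hosting.example": [],
}
EXAMPLE_A = ["192.0.2.25"]  # the mail domain's A record, i.e. the Exchange box (constructed)
EXAMPLE_SPF = "v=spf1 +a +mx ip4: include:example.com -all"  # constructed, with both mistakes

if __name__ == "__main__":
    report = diagnose("example.com", EXAMPLE_ANSWERS, EXAMPLE_A, EXAMPLE_SPF)
    for ns, targets in report["targets_by_ns"].items():
        print(f"{ns}: a sender resolving via this NS would try {targets}")
    print("name servers disagreeing with the majority:", report["disagreeing_ns"])
    print("SPF problems:", report["spf_problems"])
```

The point of `targets_by_ns` is that senders do not all ask the same name server: a sender whose resolver happened to pick ns3 in this scenario would connect to 192.0.2.25 directly, which matches the symptom of the A record showing up in the senders' SMTP logs while other tools report the MX as "propagated".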


Thanks, I think it's good for now... will monitor next and post again if I still need help. Thx.
