Exchange incoming - A record being seen only?

Posted on 2014-02-27
Last Modified: 2014-03-08
Working through something and hoping to get some feedback/different perspectives to look at.

Exchange 2010 one primary domain ( with setting to allow incoming from external filter mxlogic(inbound) only.

Suddenly over the last several weeks (nothing has changed on servers (Exchange or DNS)) mail from some clients sent to isn't making it through. Clients are getting 554 check smtp settings, their SMTP snippets are showing the A record for the domain rather than MX, which is propagated and can be confirmed on external tools like etc...

two things:
1. there was a change from external web person that assigned new ip to due to blacklisting issues before.
2. I tested something that when I sent mail to from hotmail I got the 554 error, sporadically, I think when I unchecked "automatically update based on email policy" on a user that I added the alias to the mail went through. ??? What could be the relationship/things to look at based on this insight?
3. Both domainprimary and acceptotherdomaintoo are A records with same IP on hosted site.

So, note that most users can accept email from any of the domains with one set as primary. So for now I have those users that have the issues having their clients use

Thanks, really hoping for some activity on this issue and feedback on things I can consider, but I'm not clear this isn't our issue and not the senders.
Question by:dee30

Expert Comment

ID: 39891942
554 is actually "Relay Denied"-message. How have you configured the transport security for the cas and transport role? Can you explain how your environment is set up? How many, and what servers have what roles etc. Any anti-spam gateway?

Author Comment

ID: 39892483
1 server has all roles(Hub, CAS, and Mailbox)
2010 v14.01.0270.001
Server is part of one primarydomainname with various accepted domains set up under Hub Transport. In this case one of those accepted being which is authoritative. Email to user is having the issue.

The error actually is 550, my typo,...turn on SMTP Auth in your mail client when the sender gets it. I have two clients that seem to be using same external filtering company and one that has none. All three have this issue but sometimes they don't get NDR for a while or at all.

I honestly don't see how the internal exchange server setup is the issue b/c the mail never makes it to our external filters? We're using the external's MX records (mxlogic).


Author Comment

ID: 39892722
also want to go over the config steps for DNS...

1. mail server external is - from server

2. hosting site cPanel DNS manager for - a record for
3. hosting site DIFFERENT cPanel DNS manager for - a record for they assigned that shouldn't be blacklisted).

4. hosting site cPanel DNS manager for - mx records pointing to our external filtering companies. two different ones at 10 and 20 priority.
5. hosting site DIFFERENT cPanel DNS manager for - mx records pointing to our external filtering companies. two different ones at 10 and 20 priority.

6. Exchange 2010 SMTP connector FQDN matches A record -

I'm not sure where/IP the rDNS should be registered and also not sure if missing something in the DNS setup above.

Expert Comment

ID: 39892805
their SMTP snippets are showing the A record for the domain rather than MX, which is propagated and can be confirmed on external tools like

in SMTP, when there is no MX record, the A record is used instead

it seems possible that your MX record is missing on one dns server, so the mail gets sent to the A record, which hosts a server that rejects incoming mail (possibly the exchange server, which is likely configured to reject any mail that does not come through your filtering service)

Author Comment

ID: 39893382
Skullnobrains..thanks i get this but as I said the mx records are verifying and I posted the DNS/Exchange config setup hoping someone can point out where something was missed.
Bear in mind this has been working all along.  


Author Comment

ID: 39893390
again to reiterate this is my DNS config for my exchange:

exchange2010 part of one domain trust and forest, set to also accept mail from other domain.

1. Exchange server pub IP 12.205.200.1 hosting company cPanel DNS manager A record for same hosting company diff cPanel DNS manager A record

1a. Our internal DNS svr for has A record for

2. MX records for both (via same hosting co but separate/their own cPanel access) set to point to External filtering company that has our public for and MX records to use. Priority 10 and 20.

3. SPF under cPanel of DNS mgr is setup like "v=spf1 +a +mx ip4: -all"

Exchange 2010 SMTP connector FQDN matches A record -

Not sure if something is missing, all is right if reverse DNS entry(ptr record) needed somewhere?

Accepted Solution

skullnobrains earned 500 total points
ID: 39894206
would you mind posting the domain name so we can run some basic tests ? and the log snippets you were mentioning earlier ?

please don't rely on external tools or at least post information regarding what they check. most tools that check "dns propagation" will check the caches of the main ISPs but not necessarily perform a recursive dns lookup and check all the NS servers associated with your domain.

Clients are getting 554 check smtp settings, their SMTP snippets are showing the A record for the domain rather than MX

if the smtp session is targeted to the A record instead of the mx (which i understand from the previous sentence), the mx is definitely not propagated properly. maybe we are talking about internal clients from one domain trying to access the other ? then the checks should be performed internally rather than externally. as a general rule run checks from the location of the machine that reports the failure.

if you're talking about MUAs of internal users such as thunderbird, outlook, .... then the server which receives the connection is hard-coded in their config. post the relevant information : this may not be dns-mx-related at all.


as far as PTRs are concerned :
- your internal dns server does not have one. this is unusual but not required
- your external filtering company does not have one either for 12.... this is likely ok since i'd assume your outgoing mail flows through some different address which does have a PTR. the PTR is not necessary to receive incoming smtp traffic.

but then i'm unsure you are posting the proper addresses. from my location, i can't connect to port 25 on 12....1 but this may also be because i'm at home and my address is probably on the cbl and various other dynamic ip pool lists


there is a mistake in your SPF field : you should NOT include:domainX in the SPF record of domainX. you may and probably should include the spf record of the primary in the spf record of your secondary domain. most spf implementations will probably just ignore the include. some will just ignore spf altogether. it is unlikely but some may decide to defer or reject the message.
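
Added example, not part of the original answer: the A-record fallback discussed in this thread, modeled per authoritative nameserver. It applies the RFC 5321 section 5.1 rule (an empty MX answer makes the domain's own A record an implicit MX) to each nameserver's answer and lists the nameservers that would send mail past the filtering service; every nameserver name, host and address below is a constructed placeholder.

```python
# Added example. All zone data is constructed (reserved .example names and
# documentation IPs). In a real check each entry would be filled from a
# non-recursive query to that nameserver, e.g.
#   dig @<nameserver> <domain> MX +norecurse +short

# One entry per authoritative nameserver; MX answers are (priority, host).
NS_ANSWERS = {
    "ns1.dnshost.example": {
        "MX": [(10, "mx1.filter.example"), (20, "mx2.filter.example")],
        "A": ["192.0.2.10"],
    },
    "ns2.dnshost.example": {  # constructed stale zone copy: MX records missing
        "MX": [],
        "A": ["192.0.2.10"],
    },
}


def delivery_targets(answer):
    """Return (source, hosts) a sending MTA would try, per RFC 5321 5.1."""
    mx = sorted(answer.get("MX", []))  # lowest preference value is tried first
    if mx:
        return "MX", [host for _prio, host in mx]
    if answer.get("A"):
        # Empty MX answer: the domain is treated as an implicit MX, preference 0
        return "A-fallback", list(answer["A"])
    return "none", []


def audit(ns_answers):
    """Map each nameserver to its delivery targets; list those bypassing MX."""
    results = {ns: delivery_targets(ans) for ns, ans in ns_answers.items()}
    bypassing = sorted(ns for ns, (src, _hosts) in results.items() if src != "MX")
    return results, bypassing


if __name__ == "__main__":
    results, bypassing = audit(NS_ANSWERS)
    for ns, (src, hosts) in sorted(results.items()):
        print(f"{ns}: {src} -> {', '.join(hosts) or '(undeliverable)'}")
    if bypassing:
        print("Nameservers that route mail around the MX hosts:", ", ".join(bypassing))
```

A sender whose resolver happens to ask the second nameserver connects straight to the A-record host, which matches the intermittent rejections described in the question.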

Author Closing Comment

ID: 39914698
Thanks think good for now... will monitor next and post again if still help. thx
