Solved

Office 365 email to 3rd party bounce back due to "Misconfigured PTR record"

Posted on 2016-08-16
Last Modified: 2016-08-31
Hi Experts

Here is the setup
1. Sender is using Office 365
2. Sender workplace does not have fixed IP.
3. Sender's workforce is mobile. Could work from many different locations including wifi hotspot, 3G/4G, client wifi, etc
4. ONE Recipient mail server is refusing email from sender. Office 365 (sender mail server) sent an NDR message to the sender - see below

Question 1: Is the recipient mail server reacting to where the emails come from (Office 365 server) or where the emails were created (the IP of where the Outlook was when the email was created)?

Question 2: Is there a solution to this issue? The sender's workplace ISP does not offer fixed IP. The "Outlook's ISP" can change on a daily basis.  So is there a solution to this issue?

Your message to peter@recipient.com couldn't be delivered.

A security check at recipient.com failed due to misconfigured settings at sender.com.

Action Required: Misconfigured PTR record      

How to Fix It
The recipient's email server at recipient.com performed a security check against your message and the check failed. To fix this, forward this non-delivery report (NDR) to your email admin.

Was this helpful? Send feedback to Microsoft.
________________________________________

More Info for Email Admins
Status code: 550 5.7.363

It appears that the recipient's email server at recipient.com performed a reverse DNS (rDNS) lookup security check to verify that the IP address the message is coming from is associated with the sending domain, and the lookup failed. It appears that the pointer (PTR) record for sender.com isn't set up correctly.

Set up or fix your domain's PTR record - If you're the admin for sender.com, work with your DNS hosting provider (your domain registrar, Web hosting provider, or ISP) to correctly set up a PTR record for your domain. If you're using Office 365 to manage your DNS records note that PTR record creation and management isn't supported in Office 365, so you'll have to change your DNS management to a DNS host outside Office 365. Refer to this article for more information and instructions: Change how DNS records are managed with Office 365.

Unfortunately, Office 365 Support can't help you fix these kinds of externally reported errors because Office 365 doesn't support PTR record management.
Original Message Details
Created Date:      12/08/2016 3:54:42 AM
Sender Address:      john@sender.com

Recipient Address:      peter@recipient.com

Subject:      test email


Error Details
Reported error:      550 5.7.363 Remote server returned sender verification failed -> 550 Verification failed for <john@sender.com>;No Such User Here;Sender verify failed
DSN generated by:      HK2PR04MB1700.apcprd04.prod.outlook.com
Remote server:      ctp8kvm5.webhosting.openconnect.com.au

Question by:Alexandre Michel
15 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
You can add the DNS PTR at your registrar or ask that the recipient whitelist your domain.
See this PAQ: https://www.experts-exchange.com/questions/28958333/Recipient-email-server-rejects-senders-email-Office-365-due-to-incorrect-PTR-record.html
0
 
LVL 4

Author Comment

by:Alexandre Michel
Hi David

As far as I know, a PTR record can't be added at the registrar end and instead has to be added at the ISP end, as it is an IP > name record rather than a name > IP record.

I saw that other Expert Exchange question as well, but the  
I already contacted the recipient email server admin, who stated that it was a problem with Office 365 and not their problem, which is obviously incorrect.

I think we are in a no-win situation unless
1. The recipient changes email provider
2. or the recipient email provider somehow relaxes its own rules


Alexandre
0
 
LVL 36

Accepted Solution

by:
Jian An Lim earned 500 total points
Well, there is some action the sender can perform. The question is, is the activity justifiable if more requests keep coming in? The relationship between sender/recipient should be mutual, so the recipient should be able to relax their rules (they might not have the skill to do so).

Anyway, this is my technical way to send (or bypass the limitation):

1. You might want to sign up for a mail relay service so that all email delivered from Office 365 to recipient.com goes via the mail relay service. Most mail relay services should be configured properly.
Mimecast, Mailchimp, etc. will also work.

2. In Office 365, create outbound rules (go to Exchange admin center/mailflow/rules)
Create rules
From O365 to Partner organization
Name: recipient domain name
Select "only when email messages are sent to these domains", and add the domain name
Select "route email through these smart hosts" and add the smart host
Unselect TLS if you want to
Then continue


This will force your email traffic to make an additional jump to the host and then to the recipient domain.

It might not work (depends on how strict the recipient is) but it is worth a try.
0
 
LVL 4

Author Comment

by:Alexandre Michel
Hi Jian

This is a GREAT solution as sender uses Reflexion.net for inbound traffic and could use it for outbound as well... I will need to try this. Will post back an answer when done and tested

Alexandre
0
 
LVL 36

Assisted Solution

by:Jian An Lim
Jian An Lim earned 500 total points
0
 
LVL 76

Expert Comment

by:Alan Hardisty
You can't set up PTRs for Microsoft - they will have already done that and the problem won't be related to their PTR record.

The problem may stem from how the account has been set up on the device.  If it has been set up as an Exchange account, there shouldn't be a problem as the PTR record will be correct for Microsoft.

If the account has been set up as POP / SMTP, then that isn't the correct way to set up a 365 account, so it should be removed and re-added as an Exchange account, which should solve the problem.

To answer your questions:

Question 1: Is the recipient mail server reacting to where the emails come from (Office 365 server) or where the emails were created (the IP of where the Outlook was when the email was created)?

This depends on how the client is set up.  If using an Exchange account, it will be the PTRs at Microsoft.  If using POP/SMTP, it will be the PTR of the client's IP where the computer is located (or if using a 3G dongle or equivalent, the non-static Public IP Address).

Question 2: Is there a solution to this issue? The sender's workplace ISP does not offer fixed IP. The "Outlook's ISP" can change on a daily basis.  So is there a solution to this issue?

Yes - as long as you are using Outlook set for an Exchange account or if on a mobile, using an Exchange account / Activesync account, there shouldn't be any problems at all.

Alan
0
 
LVL 4

Author Comment

by:Alexandre Michel
Unfortunately, the sender is connecting to Office 365 using Active Sync / Exchange account and not a POP3/IMAP account. So there <shouldn't> be a problem ... but there is one anyway.

What I'm asking is: "Is the recipient server wrong to refuse connection because of a faulty PTR" when the email comes from Office 365???

I just did a test email. The last email hop (from the email header) is

Received: from APC01-SG2-obe.outbound.protection.outlook.com (mail-sg2apc01on0043.outbound.protection.outlook.com [104.47.125.43])
      by mail106.syd.optusnet.com.au (Postfix) with ESMTPS id 87C573C6BCB
      for <recipient@optusnet.com.au>; Wed, 17 Aug 2016 18:34:28 +1000 (AEST)
I checked and 107.47.47.125.43 has a PTR record.

So why, why, why, why, is the recipient mail server saying that the PTR is misconfigured?
0
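The reverse DNS check discussed in this thread, applied to the connecting host recorded in the Received header quoted above. This is an added example, not part of the original thread or any poster's code; the function names are illustrative and the DNS answers in `SAMPLE_PTR` / `SAMPLE_A` are constructed sample data, so it runs offline (drop the lookup arguments to query live DNS).

```python
import ipaddress
import re
import socket

# "(rdns-name [ip])" clause that the receiving MTA writes into its Received header.
CLIENT_RE = re.compile(r"\(([^\s()\[\]]+) \[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)")

def connecting_host(received):
    """Return (name, ip) of the SMTP client as recorded by the receiving server."""
    m = CLIENT_RE.search(received)
    if not m:
        raise ValueError("no '(host [ip])' clause found")
    return m.group(1).rstrip(".").lower(), ipaddress.ip_address(m.group(2))

def system_ptr(ip):
    """PTR lookup through the system resolver (needs network access)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(str(ip))
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """A/AAAA lookup through the system resolver (needs network access)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Forward-confirmed rDNS: PTR(ip) gives a name, and that name must resolve back to ip."""
    ip = ipaddress.ip_address(str(ip))
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return {"query": ip.reverse_pointer, "verdict": "no-ptr", "names": []}
    ok = [n for n in names if ip in {ipaddress.ip_address(a) for a in forward_lookup(n)}]
    return {"query": ip.reverse_pointer, "names": ok or names,
            "verdict": "pass" if ok else "not-forward-confirmed"}

# Received header quoted in the thread; the DNS answers below are constructed sample data.
RECEIVED = ("Received: from APC01-SG2-obe.outbound.protection.outlook.com "
            "(mail-sg2apc01on0043.outbound.protection.outlook.com [104.47.125.43])")
SAMPLE_PTR = {"104.47.125.43": ["mail-sg2apc01on0043.outbound.protection.outlook.com."]}
SAMPLE_A = {"mail-sg2apc01on0043.outbound.protection.outlook.com": {"104.47.125.43"}}

def sample_check(ip):
    """Run fcrdns() against the constructed tables instead of live DNS."""
    return fcrdns(ip, lambda i: SAMPLE_PTR.get(str(i), []), lambda n: SAMPLE_A.get(n, set()))

if __name__ == "__main__":
    name, ip = connecting_host(RECEIVED)
    print(name, sample_check(ip))          # Office 365 outbound host
    print(sample_check("203.0.113.25"))    # constructed roaming-client address, no PTR
```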

 
LVL 36

Expert Comment

by:Jian An Lim
I re-read your question.

Error Details
Reported error:      550 5.7.363 Remote server returned sender verification failed -> 550 Verification failed for <john@sender.com>;No Such User Here;Sender verify failed

Sender verify error is very rare so it could be something else.
You might want to move the problem from O365 to Reflexion. If it is fixed, then that will be the end of the question. But if it is not, at least you know there is nothing you can do. It is something on the recipient causing the issues.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
I very much doubt that Microsoft will have things set up incorrectly, so it looks like an incorrect check on the receiving server side checking the wrong IP Address (I've never had this problem and I've been using 365 for years and we have over 100 customers using 365 which we manage for them and never had this issue reported to us), but Jian An Lim does make a very good point about the error you are seeing and that may be the issue and not PTR problems.

Alan
0
 
LVL 61

Expert Comment

by:gheist
Check the year on top of page if you have any contra opinions.
https://tools.ietf.org/html/rfc1123#page-84
Or use Gmail/Yahoo/VPN if you cannot understand 3 sentences of a 27-year-old specification.
0
 
LVL 4

Author Comment

by:Alexandre Michel
Thanks Jian An.

I still believe the recipient server is misconfigured, but I could not be bothered fighting with them. Your input allowed me to work around the issue.
0
 
LVL 61

Expert Comment

by:gheist
You can believe what you want.
MAIL SENDER IS REQUIRED TO HAVE PROPER DNS PTR IN ALL CASES
That has been so for almost 30 years; no matter how hard your customer pushes you around, their mail will not be accepted at the discretion of recipients.
0
 
LVL 4

Author Comment

by:Alexandre Michel
I agree with you Jian An ... but ...

Recipient is Uber Global, Australia (not the ride booking company), now in the middle of a merge with Melbourne IT

Mail sender is Office 365. Can I assume it was set up properly...?

Is it more likely that Office 365 is misconfigured or that Uber Global support is wrong when it tells me that it is not their problem?

In any case your suggestion fixed the issue :-)
0
 
LVL 36

Expert Comment

by:Jian An Lim
You mean @gheist, not me.
I am aware of what happened and I know what I would do (which is what you have done anyway).

And I am in Melbourne, so I would know Melbourne IT will not say they have configured them wrongly.
1
 
LVL 61

Expert Comment

by:gheist
Your customer needs to set up a DNS server with reverse zone(s) and ask upstream provider to delegate reverse zone to it.
0
