How do I change the 'Message ID' and 'Received From' in Exchange 2013 from being the local Domain

As with many people (according to searches) my client is having email bounced by Microsoft because their recently introduced spam checking system is looking further down the email message Header Block and doing a reverse IP lookup on the internal name of the exchange server. This cannot be an FQDN because when the site was taken over we had to accept what had already been set up.

The scenario is (the names have been changed) that is their registered domain and all email goes out on to the internet as This has been the case for several years, but in August 2016 /.com and address started to bounce. No other email bounces.

The name for the internal domain is '' and there are 2 servers, the domain controller called DCDP and the Exchange Server called EXDP. Unfortunately '' is registered and held by someone else, suddenly trying to sell it!

When emails go out, the Message ID and Received From always have '' and what Microsoft's new system appears to be doing is looking up the IP for '' and the IP is of course not the same as where the email came from, and in addition the IP from the 'shortdomainnamesite' is blacklisted. I have an SPF record that includes '', but on this occasion that is of no use because Microsoft are looking up the IP of ''.

I have blamed Microsoft's new system, but that may not be the case. It may be that some organisation has 'sniffed out' this problem and realized that they could capitalize on my dilemma.  

I have looked up whether something can be done via a Shell cmdlet as there are TransportRuleActions for SetHeader and RemoveHeader, but I cannot truly establish whether it is safe to use these - equally I cannot locate anything that gives me the command structure.

I have found some software (that is $200) called Header-Writer, but I don't want to buy that if it only changes one element such as the Message ID - because Microsoft's system may be using the 'Received: from' for their checking.

Any assistance is greatly appreciated.
Can you share the exact bounce message?
davesheppard, Author, Commented:
As this now includes some actual IP address, email addresses and Domain Names, please treat with respect. I trust Experts Exchange implicitly.

I am remote from the client and so the bounce message was forwarded, but it is below. I have changed the name of the servers to match the question, but where I was using 'shortdomainname' before, in the below you will see it as MPDP.COM, whereas (again in the below) my client is '' rejected your message to the following email addresses: (
A problem occurred while delivering this message to this email address. Try sending this message again. If the problem continues, please contact your helpdesk. gave this error:
SC-001 (SNT004-MC4F44) Unfortunately, messages from weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to

Diagnostic information for administrators:
Generating server:
Remote Server returned '550 SC-001 (SNT004-MC4F44) Unfortunately, messages from weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to'
Original message headers:
Received: from ( by
 ( with Microsoft SMTP Server (TLS) id 15.0.1156.6; Mon, 5 Sep
 2016 09:00:29 +0100
Received: from ([fe80::2922:7cf5:5d7d:4c5f]) by ([fe80::2922:7cf5:5d7d:4c5f%12]) with mapi id
 15.00.1156.000; Mon, 5 Sep 2016 09:00:29 +0100
From: Reception <>
To: "" <>
Subject: Appointment Reminder
Thread-Topic: Appointment Reminder
Thread-Index: AdIHS4q+KR1Vdss+Q4iOH32fO1DVBQ==
Date: Mon, 5 Sep 2016 08:00:27 +0000
Message-ID: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
I totally understand your concern, I have now copied the NDR if you wish to remove it

I really doubt your issue is from the Message ID and Receive From, both of which you can remove with a transport rule, but I wouldn't advise doing so.

Your rejection message is SC-001, which means:
# 550 SC-001 Mail rejected by Microsoft  for policy reasons. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation. If you are not an e-mail/network admin please contact your E-mail/Internet Service Provider for help.

For me, so far, it looks like a reverse DNS issue more than anything else.

Is the public IP you send from fixed? I know it has a PTR record, but it looks pretty generic to me.
Reading your NDR more carefully, it clearly states "Please contact your Internet service provider since part of their network is on our block list", so even if your IP is not on any blocklist it seems that Hotmail blocked the whole range of IPs...

You could contact MS and/or your ISP provider.
davesheppard, Author, Commented:
Hi Akhater

It is a fixed IP and the client's only public IP.

Apologies if I did not make it clear initially, sometimes it is impossible to explain in a single go.
What happens is that Microsoft are reading down the header and picking out CDPEXDP.MPDP.COM.  They are then doing a reverse look up on the domain MPDP.COM and using the returned IP address from that lookup to check against blacklists.  So they look it up and get an address of and that is on a blacklist. I checked this with MX tools.

I just need to ensure that all of the information in the header relates to and not

I do not know how to withdraw specific information from my earlier response so I will just have to take the risk.
Hello Dave

Your initial post is very clear; however, I am not convinced that this is the issue. The IP rejected is and not

Anyhow, you have another issue with your SPF record, which has a syntax problem, and the IP you're sending from is not listed in it....

Can I know where you got the info that it is looking in the headers? Split DNS (different names inside and outside) is a very common practice; Microsoft would know better.
davesheppard, Author, Commented:
My Client's ISP provided the information and when I checked my Client's IP is not on any blacklist, but is. I will check the SPF in the morning as I am out tonight and it is time to go.

Thanks so far.
I agree that your IP is not on the blacklist, but Microsoft is blocking the whole range it seems. I do not agree with your ISP's assessment, but I might be wrong (wouldn't be the first time :) )
davesheppard, Author, Commented:
How do you establish that?
Simon Butler (Sembee), Consultant, Commented:
Microsoft don't use public blacklists - they operate their own.
Therefore it is possible to be blacklisted by Microsoft and no one else. They also don't provide tools to check their blacklists.

I would have to agree with the above that checking further down the headers is a pointless exercise and Microsoft's filtering doesn't do that. There are simply too many sites out there using domains they don't own or non-resolving domains.

I expect if you were to route email via another host (such as your ISP's SMTP server) that the emails will go straight through. Although if you are using SPF then you should ensure the server is listed in the SPF record before changing. I would also encourage you to set up a DMARC record as well.
davesheppard, Author, Commented:
So two questions from these exchanges:

1. If you are both correct and my Client's IP is on a Microsoft Blacklist, how do I appeal to get it removed; and

2. What is the syntax error on my SPF record: v=spf1 a mx ip4:5.10.105.38 ip4:92.27.228.230 ptr include:cmpdpexch1.m inlcude:relay.webhost- -all

Remember that in an effort to protect confidentiality, I was amending the names of the Servers. The actual name of the exchange server is EXCH1, the actual name of the Domain Controller is CMPDP, and the name of the internal Domain is

As mentioned earlier in the question, if you do a Web Search, you will find a lot of people suggesting that organisations are using the internal DNS name in the Header as another spam checker. Of course they could all be wrong as I was just checking what my Client's ISP had said and the number of instances found from searching made me believe them.
davesheppard, Author, Commented:
Thank you Akhater and Simon for your inputs so far.

 Just a further update.

Whilst question 2 from the above still applies (SPF Syntax), I managed to find a form to complete for Microsoft to request mitigation of the IP.  Unfortunately the form only gave the USA options (.com), but hopefully they will replicate across all of their servers.

I have received an automatic email back from Microsoft stating that qualifies for conditional mitigation and that replication could take between 24-48 hours. I will retest on Monday and let you know if this had any effect.
Your SPF record contains inlcude:relay.xxxxx instead of include; it is a typo.
davesheppard, Author, Commented:
So should it be

1) v=spf1 a mx ip4:5.10.105.38 ip4:92.27.228.230 ptr pdpexch1.m inlcude:relay.webhost- -all

or 2) v=spf1 a mx ip4:5.10.105.38 ip4:92.27.228.230 ptr include:cmpdpexch1.m inlcude:webhost- -all
Simon Butler (Sembee), Consultant, Commented:
With SPF records you want to limit the number of DNS lookups.
Therefore you need to get it optimised as much as possible.

Take a look online for SPF optimisation and validation checkers - there are a lot of them about. Have you used something to build the SPF record for you?
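
Added example, not part of the original thread: a minimal offline SPF linter that catches the two points raised above, a misspelt mechanism such as `inlcude` (a syntax error that receivers treat as permerror under RFC 7208) and the count of DNS-querying terms against the RFC 7208 limit of 10. The function name `lint_spf` is hypothetical, and the sample record is constructed with example domains and documentation IP ranges rather than the poster's real values.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
TERM = re.compile(r"^[+\-~?]?([A-Za-z][A-Za-z0-9_.-]*)(?:([:=/])(.*))?$")

# Constructed record shaped like the one in the thread (example domains,
# documentation IP ranges); it keeps the misspelt "inlcude".
SAMPLE = ("v=spf1 a mx ip4:192.0.2.10 ip4:198.51.100.20 ptr "
          "include:mail.example.com inlcude:relay.example.net -all")

def lint_spf(record):
    """Return (problems, lookups) for one SPF TXT record."""
    # Lookups inside included records also count; they are not resolved here.
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"], 0
    problems, lookups = [], 0
    for pos, term in enumerate(terms[1:], start=1):
        m = TERM.match(term)
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "=":  # modifier: only redirect= costs a lookup
            lookups += name == "redirect"
            continue
        if name not in MECHANISMS:  # receivers return permerror here
            problems.append(f"unknown mechanism {name!r} in {term!r}")
            continue
        lookups += name in LOOKUP_TERMS
        if name in ("include", "exists") and not (sep == ":" and value):
            problems.append(f"{name} needs a domain: {term!r}")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value or "", strict=False)
                if net.version != int(name[2]):
                    raise ValueError("address family mismatch")
            except ValueError:
                problems.append(f"bad address in {term!r}")
        elif name == "ptr":
            problems.append("ptr is discouraged by RFC 7208 section 5.5")
        elif name == "all" and pos != len(terms) - 1:
            problems.append("terms after 'all' are never evaluated")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceeds limit of {MAX_LOOKUPS}")
    return problems, lookups
```

Calling `lint_spf(SAMPLE)` reports the unknown `inlcude` mechanism and the `ptr` term, with four lookup-costing terms in the record itself.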
davesheppard, Author, Commented:
Thank you both very much, I did not know that MS maintained their own Blacklists and therefore only checked the known blacklists. With your help and assistance, I managed to find the relevant form on the MS site and completed this last Friday. As they said it could take up to 48 hours to replicate, I could not really answer until today - when we tested it and all looks fine. We now have a conditional mitigation on my client's single IP. The splitting of the points was done automatically by the EE site, I did not have a choice to allocate.

Just in case anyone else finds this question and sees this closure, the website for the form is

Once again many thanks to you both.