Remote Server returned '<mail.mycompany #5.7.1 smtp; 554 5.7.1 Error: need authentication from>'

Hi People,

I've got this error message today even after registering the SPF record in my public DNS successfully:

Remote Server returned '<mail.mycompany #5.7.1 smtp; 554 5.7.1 Error: need authentication from>'

What I'm trying to do is that I wanted to allow who is our outsourced marketing partner to send out promotion email on behalf of my users mailbox in, I'm using Exchange Server 2013 while the marketing company is on AWS all in cloud.

How to allow this to work?
Senior IT System Engineer (Senior Systems Engineer) asked:
Dr. Klahn (Principal Software Engineer) commented:
imo:  Stop right here and review what you are doing.  This is a very bad idea.

The "outsourced marketing partner" probably wants to send mail out using your company's domain not because it will look like it's coming from you, but rather because their CIDR blocks and domain names are blocked by all the major spam lists.  

If you allow them to use your servers for outgoing mail and the mailing list is not absolutely, impeccably clean (none are), shortly thereafter people will start complaining which will result in your domain ending up on Spamhaus and other spam lists.  Once on the major spam lists, no outgoing email from your company will be accepted at any organization using anti-spam filters and it will take a couple of years to get your domain and CIDR block off those lists.

Further, if you give them credentials to route mail out through your servers there's no guarantee those credentials will be protected.  Is there a clause in the contract that says if they get your domain name or servers blocked, they will pay to clean up the mess and buy you a new, clean CIDR block?  Probably not.  All the risk is on your end, not theirs.

Think really, really hard before you go ahead with this.  No matter how honest they are, all it takes is one slip on their end, one crooked employee selling your server's credentials, and you, personally, will end up with all the grief.  At the very least, send a memo around to everybody involved stating that you think this is not a good idea, and detailing the risks to your corporate email if this goes through.

Senior IT System Engineer (Senior Systems Engineer), author, commented:
Hi Dr. Klahn,

What sort of credentials do I need to share with them to allow email routing on my Exchange Server?

I've never heard that before.
I agree with Dr. Klahn. Your email error code (554 5.7.1) suggests an attempt to "relay" through your organization. Reputable email marketing firms would _NOT_ need to use your email system to send email on your behalf.

A reputable email marketing firm should ask you to add an SPF record that "authorizes" them to send email messages from _THEIR_ email servers, but stamped with your email domain on them. This is common, and I've used many high volume email marketing firms that use this technique. Anyone can stamp your email address on an outgoing email message. But the SPF record is what authorizes them to do so. Without the SPF record, most spam filters will block the message / flag it as spam.

No one should be relaying email through your email system - except your own staff (like copiers / fax machines / etc.)
Senior IT System Engineer (Senior Systems Engineer), author, commented:
Thanks all,

It turns out that I need to whitelist the IP address in the spam filter to allow this to happen.

Yes, I know the risk, at least with the white listing, I know which IP address can do the relay.

I have added THEIR SPF entry to my public DNS record. Hopefully this is the correct action I am taking.
Senior IT System Engineer (Senior Systems Engineer), author, commented:
Thanks all.
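
The SPF authorization described in the answers above, and the step of adding the partner's SPF entry to the public DNS record, as an added example that is not part of the original thread: a small offline evaluator covering only the `ip4`, `include` and `all` mechanisms, run over constructed TXT records. All domain names and addresses are placeholders (assumptions); the `broken.example` case shows that publishing the partner's entry as a second `v=spf1` TXT record yields `permerror` under RFC 7208, so the partner belongs in an `include:` inside the single existing record.

```python
import ipaddress

# Constructed TXT data; every name and address is a placeholder from
# documentation ranges, not a value taken from the thread.
ZONE = {
    "mycompany.example": ["v=spf1 ip4:203.0.113.10 include:_spf.partner.example -all"],
    "_spf.partner.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    # Misconfiguration: partner's entry pasted as a second SPF TXT record.
    "broken.example": ["v=spf1 ip4:203.0.113.10 -all",
                       "v=spf1 ip4:198.51.100.0/24 -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, zone=ZONE, depth=0):
    """Evaluate a subset of SPF (ip4, include, all) for a sending IP."""
    if depth > 10:                       # simplified guard against include loops
        return "permerror"
    records = [t for t in zone.get(domain, [])
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:                 # more than one SPF record is an error
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "pass"                    # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qual, term = QUALIFIERS[term[0]], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return qual
        if name == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return qual
        elif name == "include":
            inner = check_spf(ip, arg, zone, depth + 1)
            if inner == "pass":          # only an inner pass counts as a match
                return qual
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            raise ValueError(f"{name!r} is outside this example's subset")
    return "neutral"                     # no mechanism matched, no "all" term
```
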