How to tell the internet that an IP is safe.

Hi Experts.
I am doing work for a manufacturer.  They have email that is hosted by the ISP, so it is not in house.
I have a legacy system (AS400/iseries) that is in-house that I am sending emails out to vendors for Purchase orders.  The system creates PDFs then creates the email and sends out.  So it does not go thru the regular email system.
So, we have had some emails not get delivered and some bounce back.  I have gone thru the option to tell Office 365 to whitelist the ip address we are sending from.
The question is, can we tell the world that our IP is safe via DNS in some way?   Otherwise, we are going to have to send emails to companies that we get kickbacks from and request that they whitelist us.  Issue is small now, but I am getting ready to add customer service to emailing invoices, etc too and it is only going to get bigger.
Kevin Caldwell, Owner of RUseeingRed Tech Solutions, Asked:

Dmitri Farafontov, Linux Systems Admin, Commented:
Adding SPF records to your DNS would be a great start
https://en.wikipedia.org/wiki/Sender_Policy_Framework
1
Pawan Kumar, Database Expert, Commented:
You can use HTTPS for your site. It is a secure version of HTTP.

Read more details about this from Wiki-

https://en.wikipedia.org/wiki/HTTPS
0
Gary Patterson, VP Technology / Senior Consultant, Commented:
Some mail systems do a lookup on the IP address and see if it is associated with a DNS MX record associated with the domain.  Some use SPF, as noted above.  In both cases, they want to see that the IP address that is establishing an SMTP connection has something in DNS that they can use to verify that the IP is associated with the domain found in FROM addresses.

Best practice is to just forward all mail through the same mail server(s).  The rest of the business forwards mail through the ISP, so, if possible, it would be best to just configure the iSeries to just do the same thing.  Is there an in-house mail server (Exchange, for example), or does each user actually have a mailbox with the ISP?

(Mail isn't delivered over HTTPS, so HTTPS has nothing to do with this conversation.)
0
Mal Osborne, Alpha Geek, Commented:
A few things you can do:

1. Many "blacklists" of untrustworthy IP addresses exist. Some mail systems consult these, and refuse to accept email for them, or regard it with suspicion. You can check if your IP is on a heap of more common blacklists here: https://mxtoolbox.com/blacklists.aspx

2. Most companies have an SPF record in DNS. This tells mail servers what IP email should be expected to come from for a particular domain. If an SPF record is absent, many mail servers will regard that as suspicious, if it is there, but does not include the IP, it will be considered even more dodgy. Make sure you have an SPF in place, and it includes the IP that the AS400 sends on. More on SPF records here:  https://en.wikipedia.org/wiki/Sender_Policy_Framework

3. You might consider DKIM, which adds some authentication data to outgoing emails, however that would need to be supported by the mail program on the AS400, which might be difficult. More here: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

4. There are a few free services that will check email and give you an opinion about how "spammy" they may be. You just send a sample, and it is examined. This one is pretty good: https://www.mail-tester.com/ 

So, to summarise: Checking blacklists is essential, if you are on any, email WILL be blocked. No SPF record will mean ALL email sent from our domain will be treated as suspicious, a mismatch for the AS400 IP will cause blocking. Realistically, in 2017 a correct SPF is essential. DKIM would be nice, but you can probably manage without it. Throwing an email at an online spam checker should tell you anything else that might be problematic. If the online spam checker includes stuff that you don't understand, post the results back here, and someone will probably be able to help you.
0
Murphey, Application Consultant, Commented:
Use an existing Reply-To address on the company's mail server, most of the time that will be enough
0
David Favor, Linux/LXD/WordPress/Hosting Savant, Commented:
As Dmitri said, this is handled by correctly setting up an SPF record for your domain.

This record indicates which IPs are valid to be sending email on your behalf.

For example...

lxd: net11-the-sacred-plant # dig +short mailgun.davidfavor.com txt
"v=spf1 include:mailgun.org ~all"

Says all mailgun.org IPs are legal to send email for my personal domain.

Never imagine you've correctly set up your SPF records. Always verify them with a tool.

https://dmarcian.com/spf-survey/ is a great tool, which does very thorough testing + also provides precise replacement records, to fix any problems found.
0
Kevin Caldwell, Owner of RUseeingRed Tech Solutions, Author Commented:
I will work on the SPF creation and hopefully get it in place early next week.  
Kevin
0
David Favor, Linux/LXD/WordPress/Hosting Savant, Commented:
Be sure to use the dmarcian tool to verify your SPF records.

I've been setting up mail systems since the mid 1990s + I still check every step of my work, as producing high deliverability email requires many steps + each must be 100% correct, or all subsequent steps make no difference.
0
Kevin Caldwell, Owner of RUseeingRed Tech Solutions, Author Commented:
Thanks so much for the recommendations.  I need to work on this and get it live.
0