We help IT Professionals succeed at work.
Private
Troubleshooting Question

What am I missing in my DNS to have valid emails and not beeing categorized as spam?

89 Views
Last Modified: 2020-10-27
Hi,
Some clients of us are blocking our mails coming to them.
ProofPoint told them that :
"We're seeing the email coming from an IP of 68.67.41.71. Although 68.67.41.71 resolves to something within the radio-ip.com domain, it's not listed in their SPF or MX record."

My incoming emails goes through Zerospam system and my outgoing emails goes directly to the recipient email system.
What should I put in place so that it is all in good order?
Comment
Watch Question

philjansDirector IT

Author

Commented:
I have added the ip4:68.67.41.71 to my spf to I thing it fixed this.
I have not sure if the "include" is good
And it is not finishing by ~all which I think is required...
So my final spf is v=spf1 include:spf.efwd.registrar-servers.com ip4:68.67.41.71 ~all
thanks for the info
CERTIFIED EXPERT

Commented:
looks good to me.

it is common practice and courteous to stick includes last to preserve resources on the remote servers but it will work either way. also note that if their dns is down, you would have less chances spf returns a failure. the include sytax is ok, and it actually points somewhere.

~all or -all at the end are not "required". if not specified an implicit "?all" is assumed so the result would be neutral. note that remote servers will handle such cases as they see fit.
CERTIFIED EXPERT

Commented:
also add an A record matching your PTR

this is OK
$ host 68.67.41.71
71.41.67.68.in-addr.arpa domain name pointer ripexchg02.radio-ip.com.

this should answer with a number of IPs including 68.67.41.71
$ host ripexchg02.radio-ip.com.
Host ripexchg02.radio-ip.com. not found: 3(NXDOMAIN)

not doing so does not necessarily make you a spammer, but it drastically reduces the chances your mail get rejected
the idea is to proove you own the domain as well as the IP

David FavorFractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
What you've done might allow SPAM to be sent on behalf of your domain.

You'll only add 68.67.41.71 to your SPF record if you own this IP.

This IP appears as follows...

imac> dig +short -x 68.67.41.71
ripexchg02.radio-ip.com.

imac> dig +short ripexchg02.radio-ip.com a
# NULL output - which means all messages from this IP will likely be classified as SPAM

Open in new window


Checking 68.67.41.71 - IPRev (IP Reverse Lookup) is broken, so adding this to your SPF block will...

a) Most Mailbox Providers will block message submission, if DMARC policy == reject.

b) Most Mailbox Providers will accept message submission, if DMARC policy != reject, then treat message as SPAM.

Tip: Your first step tooling an in-house MTA is to ensure IPRev is correct.
David FavorFractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Note: Currently this IP isn't blacklisted, so best fix IPRev before sending more email, to keep this IP off RBLs.
CERTIFIED EXPERT

Commented:
this should answer with a number of IPs including 68.67.41.71
$ host ripexchg02.radio-ip.com.
Host ripexchg02.radio-ip.com. not found: 3(NXDOMAIN)
i see little value in repeating what i said 4 hours earlier.

i would assume the author owns the ip and has a good reason for the include. seems unlikely he picked an ip at random to setup his own spf record.
David FavorFractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
@skullnobrains thanks for clarifying my answer.

You did way better than I did!
philjansDirector IT

Author

Commented:
@skullnobrains
So I change it to v=spf1 ip4:68.67.41.71 include:spf.efwd.registrar-servers.com ~all        
And I have added this A record:                  

@David: Yes I do own radio-ip.com and the ip 68.67.41.71 is the ip my server use to email out emails

1- Now that there is an A record for my IP, should my spf be like this?
     v=spf1 a ip4:68.67.41.71 include:spf.efwd.registrar-servers.com ~all
2- So did the change fix the IPRev you talked about?
3- And you mentionned dmarc ... I read about it but I am unsure what I have to put and where to make it work?
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Also be sure the HELO / EHLO announcement from the mail server presents the name ripexch02.radio-ip.com
The next step would be DKIM and then DMARC.
CERTIFIED EXPERT

Commented:
1: looks good. you csn also use the dns name for more flexibility.

2: i am answering from my mobile so it is a pain to check, but is should

3: i would advocate against dkim but that is merely my personnal view.

dmark may or may not be useful. it is essentially a ruleset that was introduced to compensate for faulty spf records. it may help a little, though. but make those chamges one at a time so you have perspective.

+1 for the helo name. that is not a strict requirement but it should help.


philjansDirector IT

Author

Commented:
@Noci:
The HELO / EHLO is not from my emails server but from my antispam provider Zerospam so it is this:


So what should I put in place and where?

CERTIFIED EXPERT

Commented:
there is not much you can do. hopefully, the helo name should map back to the ip which is good enough to qwell complaimts from most spam filters.
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
If you send mail, the SMTP receiver is adviced to check if the EHLO name translates to the IP address that connected AND if the reverse DNS lookup of the IP again matches the EHLO/HELO name.  So if you present mx1.validemail.com that is different from ripxech....,  ensure the ip for mx1.validemail.com is in your spf.
add include:validemail.com to your SPF.
$ dig +short validemail.com mx
10 mx1.validemail.com.
$ dig +short validemail.com txt
"v=spf1 mx -all"
The mx1.validemail.com has valid forward/reverse lookup.
(there is no need to have the your domain name as part of the name in the mailserver name.)
philjansDirector IT

Author

Commented:
mx1.validmail.com is not me.
It's a tool on the web to test my email server.

If I test it from internally I get this by doing a telnet ripexchg02 25 I get this after doing a "telnet ripexchg02 25" and typing HELO testing.me.com:

With MxToolBox I did a test and got this back:

Why would MxToolBox see a "::1" ?
And where would it be coming from?
Could that be the source of the issue?
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
::1 is IPv6 localhost. (similar to 127.0.0.1)
Is there a AAAA record in DNS pointing to ::1... if so remove it.

It will create a mail loop on all IPv6 enabled hosts and get mail to you dropped and unable to get delivered.

philjansDirector IT

Author

Commented:
@Noci: My DNS is hold by Namecheap and in my Cpanel I have no AAAA record.
Should I be looking into my Firewall or Exchange server then for the source of the ::1 ?
I don't know if it is MxToolBox that just imagine this ...

CERTIFIED EXPERT
Top Expert 2014

Commented:
Tools like MXToolbox only get the SMTP banner from the receiving side (not really helpful).  It's the SMTP banner on the outbound connector (referring to Exchange here) that matters.
Send an email to helocheck@abuseat.org to verify what yours is set to.  See for more info - https://www.abuseat.org/helocheck.html
philjansDirector IT

Author

Commented:
This is from my Exchange logs: we see ::1 in there if this is usefull.
I removed on all my network cards IPv6 on my laptop sending the email  but still see ::1 in the logs so I don't know where that is coming from?

@footech: really nice your testing tool. I'll keep it in note.
The result is here and I guess that it is normal it is a "Delivery has failed" but what is important is this:
"Diagnostic information for administrators:
Generating server: RIPEXCHG02.radio-ip.com
helocheck@abuseat.org
 emmex.spamhaus.org #550 *** The HELO for IP address 68.67.41.71 was 'ripexchg02.radio-ip.com' (valid syntax) *** ##






nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Here another tool that can evaluate your outgoing mail and the score it gets.
https://www.mail-tester.com/spf-dkim-check

You will receive a unique mail address where you can send a mail and then later receive the verdict through the website.
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Where do you see "Blocked"... the blocklist is all valid. (I don't read french.., lucky the link was in the image, you may want to edit that away).
Meaning the address is on no known (to mailtester) blacklist.
I have no idea why ::1 shows up, and ::1 as a mail destination WILL fail, as it redirects any mailer to forward mail destined for you to the own server.  Any mail that passes the same server a few times will be aborted with a DNR mentioning looping to the sender of the mail (not you).

philjansDirector IT

Author

Commented:
It is not block...
Even ProfPoint have a tool to see if you are block and if you are they have button to select "please unblock me" which I don't get since I am not bloqued but I do see my emails beeing transfered to them (see Exchange logs up there) and my clients do are sending me email through Zerospam but Zerospam confirmed that they never reached them so Proofpoint even blocks the sends to us...
(I have removed it, thanks for the heads-up)
CERTIFIED EXPERT
Top Expert 2014

Commented:
Yes, you're correct that diagnostic info is the important part, and that just confirms things are configured as noci suggested in the post -  https://www.experts-exchange.com/questions/29198185/What-am-I-missing-in-my-DNS-to-have-valid-emails-and-not-beeing-categorized-as-spam.html#a43180293

Just going back to your original question, with the SPF record in place now you should be good.  You have forward-confirmed reverse DNS for the IP you're sending from, and a matching SMTP banner.

If you're still being blocked, they should be able to give you an updated reason.

Edit:  I'm just reading your last post, and it seems you're having an issue with incoming mail now, as opposed to outgoing mail.  Is that correct?
philjansDirector IT

Author

Commented:
@footech: I didn't make it clear at first but  the issue is BOTH ways.
My incoming emails are sent to Zerospam antispam systems and they sends it to my Exchange. and this is not working either. Zerospam confirmed that no email from my clients hits them from proofpoints.
And my outgoing is done directly by my Exchange

And yes I think I have all now well setup and ProofPoint should not be blocking anything anymore.

But they do NOT want to talk to non-clients... so that's the main issue here.

They did acknowledge an issue on their side :"“This was caused by an outage we had. This is an isolated incident and it has been resolved. Looks like we were experiencing a production incident impacting legitimate emails being marked for spam 100. On October 20, 2020 at 12:15 UTC, Proofpoint customers began noticing that legitimate email messages were being marked as spam 100”.
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Let some of your customers (you can approach for testing) to verify it was a one time event. 
CERTIFIED EXPERT
Top Expert 2014

Commented:
All the info given so far has been about helping ensure your outgoing email isn't blocked (just best practices, nothing can ensure it because it's beyond your control).  As far as incoming email, all you need is the MX record(s) chain properly configured (assuming a properly functioning email server).  So if mail isn't making it to your filter, then the problem lies with the sender, and I've yet to ever hear of a sender that would block sending emails to a particular recipient or domain based on the recipient's SPF, or other items related to outgoing email.

I have heard of a sender (SendGrid in particular) who would block sending emails to a recipient if a previous email they tried to deliver was rejected, essentially caching the rejection and not trying for any subsequent emails.  I think it's more likely in this case that any problem with receiving email from Proofpoint customers was due to their event, but if not it's up to that customer to fix.
CERTIFIED EXPERT

Commented:
the remaining ::1 in the logs are locally submitted email. i guess either your tests or webmail users. you cannot remove ipv6 from the loopback interface in windows as far as i know.

receiving email either works or does not unless you setup complex filters. let proofpoint handle things if the issue is on their side.

is your outgoing email working normally, now ?
CERTIFIED EXPERT

Commented:
btw, i assumed spf.efwd.registrar-servers.com was zerospam's spf includable record.
can you confirm this is actually the case ?

you need to include the spf record of whatever provider you use as a "smart host" ( in weird exchange terminology ) and remove anything else. even adding your own ip is not required if ALL your outgoing email flows through zerospam and your ip is trusted on their side. i would keep it anyway though.
philjansDirector IT

Author

Commented:
All is working now. Proofpoint did something yesterday pm and the emais are flowing now!

They have an email to send issues for non-client and an ip tester. It was always negative for my ip, we never were on any blacklist and we never mass-mail so it must have been a glitch or seomthing.
When I sent them an email for the issue: they must have did some research and found the root cause.and fixed it.

@skullnobrains: I have no clue what spf.efwd.registrar-servers.com  is. It was there before my time. I guess I will remove it and see if all is fine.

Thank you all for your great help!!!
CERTIFIED EXPERT

Commented:
@skullnobrains: I have no clue what spf.efwd.registrar-servers.com  is. It was there before my time. I guess I will remove it and see if all is fine.

then you also need to ask zerospam how to add their ips to your spf record. most such providers publish an includable field such as "spf.include.zerospam.tld" that you would include the same way you did efwd whatever. apparently zerospam does not publish that information so you are expected to ask them directly.
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Wrt. SPF lookups: When doing includes ensure you keep below 10 lookups in total... mx also is a lookup.

David FavorFractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Debugging mail configs is a complex process.

Rock solid testing approach - IPRev + HELO Banner (which is broken in your case) + SPF + DKIM + DMARC setup...

Inject/Enqueue the following email message into your MTA...

From: $sender
To: check-auth2@verifier.port25.com
Subject: SPF/DKIM/DMARC Test Email Message

Delivery tech verification test message...

Open in new window


Where $sender is an address handled by the sending MTA.

The report you get back is worth it's weight in gold.

You'll find out instantly, any basic problems with your config.

Port25 reports are fairly self explanatory, so likely this report will tell you all you require knowing.

If you have problems decoding the Port25 report, attach a copy (as text attachment) to this question for assistance.
CERTIFIED EXPERT
Top Expert 2014
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
philjansDirector IT

Author

Commented:
The issue was with Proofpoint and they never got back to me but they did fix their end....