No SPF text record --> bounced outgoing emails?

Discussion in 'Windows Small Business Server' started by Alan Q, Dec 14, 2004.

  1. Alan Q

    Alan Q Guest

    SBS2003 all patched up.

    Recently we have experienced a very high number (maybe 20%) of our own
    emails bouncing back to us.

    We don't currently have an SPF text record at the ISP's DNS and are trying
    to figure out if the ISP even supports it.

    I've heard that Hotmail has started rejecting email from domains that don't
    support SPF.

    Anyone else have similar experiences?

    If SPF is a new term to you (like it was to me until a couple of days ago),
    see
    http://spf.pobox.com/ for technical details, or

    http://www.dnsstuff.com/pages/spf.htm to test your own domain.
     
    Alan Q, Dec 14, 2004
    #1

  2. Ed Horley

    Ed Horley Guest

    Alan,
    First check that you have reverse DNS set up properly for your server IP
    address. Currently this will cause more bounce backs / rejections than SPF.
    Also, check and make sure your public IP address is not listed on any of the
    blackhole lists.

    If you want to look up in the SPAM database use the expert page:
    http://www.dnsstuff.com/pages/expert.htm

    If you are all clear on both those fronts then I would contact Hotmail
    directly to determine if they are blocking you via complaints or for a
    different reason.

    Oh, and no, they are not rejecting if you do not publish SPF records, but
    they will if you don't have rDNS. If you are interested in what AOL is
    doing regarding rDNS and SPF check out:
    http://postmaster.info.aol.com/

    Regards,
    Ed Horley
    Microsoft MVP Server-Networking
     
    Ed Horley, Dec 14, 2004
    #2

  3. Hi Alan,

    Thanks for posting here.

    Since you have a high volume of bouncing-back email, I agree with Ed's
    advice and suggest trying his method first. If the problem persists, it
    would be best if you contact Hotmail support to discuss the problem.

    Also, please check if your Exchange server has met all the following
    requirements. If not, the messages from your domain are quite possibly
    suspected to be spam messages and blocked.

    1. Reverse DNS Lookup.

    Many mail servers require a reverse DNS lookup before they accept e-mail.
    Therefore, please contact your ISP to make sure they have configured a
    Reverse DNS Lookup Zone for your Internet domain and created a PTR record
    for your Exchange server in the Reverse Lookup DNS Zone.

    2. Static IP address.

    Many mail servers require a static public IP address for the Exchange
    server. So please make sure that your Exchange Server is not using dynamic
    IP addresses.

    3. Open relay.

    Verify that your Exchange server is not an open mail relay. For more
    information about how to do that, please refer to the following articles in
    the Microsoft Knowledge Base:

    300580.KB.EN-US XCON: Cannot Send E-Mail Messages to a Growing List of
    Domains
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;300580

    319356.KB.EN-US HOW TO: Prevent Unsolicited Commercial E-Mail in Exchange
    2000 Server
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;319356

    SPF is a new, efficient anti-spam method for email. However, it has not
    been widely used yet and, as far as I know, Hotmail has not applied it. AOL
    announced that beginning this summer it will utilize SPF to scale and
    maintain its proprietary and valued whitelist - a statement wrongly
    translated that AOL will boot those without SPF records from its whitelist.
    Many new organizations have an opportunity to be added to the previously
    mysterious whitelist - a compelling reason alone to get on board. AOL
    explains how SPF will affect existing whitelists:

    Publish your SPF record and be immediately eligible for the AOL free
    whitelist whether or not you've ever been on it.
    Don't publish your record and remain unidentified or non-compliant. Your
    whitelist status will probably remain the same as whatever it is now. Just
    don't complain about your delivery performance into AOL. For more
    information about SPF, please refer to:

    http://www.optinnews.com/SPF_update.html
    http://spf.pobox.com/wizard.html

    Hope the information helps.

    Regards,

    Pat Cai
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security
    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Pat Cai [MSFT], Dec 14, 2004
    #3
  4. Alan Q

    Alan Q Guest

    Thanks for the thorough response. See embedded for replies.

    I have a static IP, but it's a DSL address.

    The reverse DNS looks like "adsl-208.190.46.145.dsl.rcsntx.swbell.net",
    even though our domain is fumcallen.org, and listed by someone other than
    the ISP. Is that okay??????????????

    In other words, the ISP gives us the static IP and they own the reverse DNS
    for the entire block of DSL addresses. We then use a third party to
    register the domain and MX records, but they can't do anything about the
    reverse DNS because it's owned by the ISP.

    Does this cause bounce backs for some domains?
    Been there -- still clean.
    Will do, but was hoping this was a general problem that, when solved, would
    clear up several other domains as well.
     
    Alan Q, Dec 15, 2004
    #4
  5. Alan Q

    Alan Q Guest

    Thanks for the additional feedback. See responses.

    Is it important what the reverse DNS shows, or just that it maps to
    something?

    Our domain is registered with a third party, not with the ISP. The last
    time I contacted the ISP (SBC.Com) about this, they had never heard of doing
    this for any customer and did not know how to proceed. They are a huge DSL
    internet provider, and so I figured my request must have been way off the
    mark.
    Got it. Actually own a small block of IPs, but have been using the same one
    in that block for more than six years.
    OK here too.
    Right. spf.pobox.com started me down this trail, but I was wondering how
    many other small business users had already done this, because it is not in
    any of the Whitepapers on setting up SBS, probably because it is relatively
    new.
    Thanks for your contributions! Hopefully I'll get to the bottom of this
    soon.
     
    Alan Q, Dec 15, 2004
    #5
  6. Ed Horley

    Ed Horley Guest

    Alan -
    Biggest issue is having a reverse entry that matches for forward and
    reverse. Since adsl-208.190.46.145.dsl.rcsntx.swbell.net is the reverse
    entry but your machine is declaring itself as mail.fumcallen.org you will
    have issues with certain MTAs that check to make sure they match.

    You will have to request from swbell to get rDNS delegated to a name server
    you maintain or simply request that they put in for the PTR record for that
    IP Address mail.fumcallen.org. That way, if someone does a rDNS of the IP
    Address they will get the FQDN that your MTA is declaring itself as.

    Another option, your ISP should allow you to forward all your traffic to one
    of their smtp servers to relay outbound. That way your mail would ALWAYS go
    to an MTA owned and operated by the ISP who is doing all the work to keep
    their stuff SPF/SenderID/DomainKeys compliant. Just a thought and
    relatively easy to set up. Your box could still be the inbound MX record in
    DNS as it is now but you would simply be sending everything through your
    ISP. Also, you could then publish SPF records that state that your ISP is
    allowed to send mail out on your domain's behalf.

    Regards,
    Ed Horley
    Microsoft MVP Server-Networking
     
    Ed Horley, Dec 15, 2004
    #6
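
    The forward/reverse match described in the post above can be written out as a check. This is an added example, not part of the original thread and not any MTA's actual code; the lookup tables are constructed, `203.0.113.25` is a documentation address standing in for the server's static IP, and `check_sender` and its verdict strings are hypothetical names.

```python
import ipaddress

# Constructed DNS data (no live lookups). The IP is a documentation address
# used as a placeholder; the two hostnames are the ones quoted in the thread.
IP = "203.0.113.25"
GENERIC = "adsl-208.190.46.145.dsl.rcsntx.swbell.net"
MTA = "mail.fumcallen.org"
A_RECORDS = {GENERIC: [IP], MTA: [IP]}
PTR_BEFORE = {IP: [GENERIC]}  # ISP's default PTR for the DSL block
PTR_AFTER = {IP: [MTA]}       # after the ISP sets the PTR to the MTA name


def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def check_sender(ip, helo, ptr_map, a_map):
    """Return (verdict, detail) for a connecting IP and the name it HELOs as.

    ptr_map: IP -> PTR names, a_map: name -> A records (hypothetical inputs
    that replace real resolver calls so the example runs offline).
    """
    ip = str(ipaddress.ip_address(ip))  # validates and normalises the address
    helo = _norm(helo)
    ptr_names = [_norm(n) for n in ptr_map.get(ip, [])]
    if not ptr_names:
        return "no-ptr", "IP has no PTR record"
    # Forward-confirm: a PTR name only counts if its A record leads back to
    # the same IP. Whoever controls the reverse zone can put any name in a
    # PTR, so an unconfirmed name proves nothing.
    confirmed = [n for n in ptr_names if ip in a_map.get(n, [])]
    if not confirmed:
        return "unconfirmed", "PTR name does not resolve back to the IP"
    if helo not in confirmed:
        return "helo-mismatch", f"HELO {helo} but PTR is {confirmed[0]}"
    return "pass", f"{helo} <-> {ip}"


if __name__ == "__main__":
    for label, ptr in (("before", PTR_BEFORE), ("after", PTR_AFTER)):
        print(label, check_sender(IP, MTA, ptr, A_RECORDS))
```

    With the generic DSL PTR the server still forward-confirms, but the HELO name does not match, which is the case the post says some receiving MTAs reject.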
  7. Alan Q

    Alan Q Guest

    Thanks. I'm definitely going to resurrect the rDNS issue resolution with
    the ISP and let you know.

    On the other option, they definitely support relaying all my outgoing
    through one of their mail servers. When you do that, does the "from"
    address need to change? I tried forwarding all my mail some time ago, but
    AOL started bouncing it all back because my domain was still
    "fumcallen.org", but the IP was pointing to the ISP.
     
    Alan Q, Dec 16, 2004
    #7
  8. Hi Alan,

    Thanks for your reply.

    I would like to briefly explain reverse DNS here. For example, suppose you
    are using @abc.com and your server IP is 10.10.10.10. If the destination
    server queries the DNS PTR record for abc.com and gets 20.20.20.20, the IP
    addresses do not match, and your message would be blocked as spam e-mail.

    Many mail servers over the Internet require a reverse DNS lookup for the
    sender's e-mail address to avoid spam e-mails. If your Internet domain
    doesn't have a reverse DNS lookup zone, your e-mails may be rejected by
    other mail servers in the Internet. So it is very important for your email
    server.

    According to your current situation, your ISP hosts the DNS server but has
    not added your server to the reverse zone. So please ask your ISP to help
    you add a reverse DNS lookup zone for your domain and then test to see if
    this issue disappears. Also, please note that after your ISP helps you add
    the reverse DNS lookup zone, it may not take effect immediately; usually,
    it may take several days for replication.

    If you are hosting a DNS server yourself, you may take a look at the KB
    article below for how to add a reverse zone entry.

    How to Install and Configure Microsoft DNS Server
    http://support.microsoft.com/default.aspx?scid=kb;en-us;172953

    Hope the information helps.

    Regards,

    Pat Cai
    Microsoft Online Partner Support

     
    Pat Cai [MSFT], Dec 16, 2004
    #8
  9. Alan Q

    Alan Q Guest

    Well it took 7 phone calls and an on-line help session, but I finally found
    someone at the ISP that really understood what I needed and has started the
    change process.

    Silly me -- I mistook the initial ignorance of one of their help desk folks
    to mean that they could not help.

    Now that reverse DNS is almost a gotta-have, I was lucky enough to find
    seven folks that knew someone else that could help.

    Sure enough, #8 is fixing it right up.

    Thanks for your help!
     
    Alan Q, Dec 30, 2004
    #9
  10. Hi Alan,

    Thank you for your reply and the detailed additional feedback on how you
    were successful in resolving this issue.

    The reverse DNS is very important to an email server. In most scenarios, it
    is the first factor we should check if we get blocked by other email
    servers. Now I am happy to hear that you have figured the problem out
    eventually.

    If you have any other questions or concerns in future, please do not
    hesitate to contact us. It is always our pleasure to be of assistance.

    Have a nice day!

    Regards,

    Pat Cai
    Microsoft Online Partner Support

     
    Pat Cai [MSFT], Dec 30, 2004
    #10
  11. Alan Q

    Alan Q Guest

    So now that I see the beauty of RDNS, is there a (free) way for SBS2003 to
    block other domains that do not pass RDNS?
     
    Alan Q, Jan 11, 2005
    #11
  12. Hi Alan,

    Based on my knowledge, I am afraid that there isn't any built-in feature in
    either SBS 2003 or standalone Exchange 2003 Server that can help you reject
    incoming e-mails that don't meet the Reverse DNS Lookup criteria. At this
    point, you may want to consider using a third-party anti-spam application
    integrated with your SBS server to block e-mails that don't pass the RDNS
    check.

    Also, there is a new anti-spam feature in Exchange 2003 Server, called
    Realtime Block List (RBL), and you can use it to block e-mails that are
    sent from spam senders, based on well-known Internet blacklists. Since
    e-mail servers that don't pass the RDNS check will be added to most
    blacklists, by this approach you may also achieve your goal. For more info
    about this RBL feature in Exchange 2003, please refer to the KB article
    below:

    823866 How to configure connection filtering to use Realtime Block Lists
    (RBLs)
    http://support.microsoft.com/?id=823866

    Hope this helps.

    Best Regards,

    Reade Chen, MCSE, MCSD
    Microsoft Online Partner Support

     
    Reade Chen [MSFT], Jan 12, 2005
    #12
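
    How a DNS-based block list lookup of the kind mentioned in the post above works in general, as an added example that is not part of the original thread and is not Exchange's own code. The zone `dnsbl.example`, the sample records and the function names are constructed; the resolver is passed in as a function so the example runs offline.

```python
import ipaddress


def dnsbl_query_name(ip, zone):
    """Build the name a block list is queried with: reversed octets + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def dnsbl_verdict(ip, zone, resolve):
    """Classify a connecting IP against one block list.

    resolve(name) returns the A records for name, or [] when the name does
    not exist (hypothetical callable standing in for a real DNS lookup).
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    if not answers:
        return "not-listed"
    # Listings are answered from 127.0.0.0/8. Any other address usually
    # means the zone has lapsed or is wildcarded, and treating it as a
    # listing would reject every sender, so it is reported separately.
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if all(ipaddress.ip_address(a) in loopback for a in answers):
        return "listed"
    return "invalid-answer"


# Constructed zone contents: one listed sender, and a second "zone" whose
# wildcard answers every query with a public address.
SAMPLE_ZONE = {"7.100.51.198.dnsbl.example": ["127.0.0.2"]}


def sample_resolve(name):
    return SAMPLE_ZONE.get(name, [])


def wildcard_resolve(name):
    return ["192.0.2.80"]


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.25"):
        print(ip, dnsbl_verdict(ip, "dnsbl.example", sample_resolve))
    print(dnsbl_verdict("203.0.113.25", "dnsbl.example", wildcard_resolve))
```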