SBS2003 all patched up. Recently we have experienced a very high number (maybe 20%) of our own emails bouncing back to us. We don't currently have an SPF text record at the ISP's DNS and are trying to figure out if the ISP even supports it. I've heard that Hotmail has started rejecting email from domains that don't support SPF. Anyone else have similar experiences? If SPF is a new term to you (like it was to me until a couple of days ago), see http://spf.pobox.com/ for technical details, or http://www.dnsstuff.com/pages/spf.htm to test your own domain.
Alan, First check that you have reverse DNS set up properly for your server IP address. Currently this will cause more bounce backs / rejections than SPF. Also, check and make sure your public IP address is not listed on any of the blackhole lists. If you want to look it up in the spam databases, use the expert page: http://www.dnsstuff.com/pages/expert.htm If you are all clear on both those fronts then I would contact Hotmail directly to determine if they are blocking you via complaints or for a different reason. Oh, and no, they are not rejecting if you do not publish SPF records, but they will if you don't have rDNS. If you are interested in what AOL is doing regarding rDNS and SPF check out: http://postmaster.info.aol.com/ Regards, Ed Horley Microsoft MVP Server-Networking
Hi Alan, Thanks for posting here. Since you have a high volume of bouncing-back email, I agree with Ed's advice and suggest trying his method first. If the problem persists, it would be best if you contact Hotmail support to discuss the problem. Also, please check if your Exchange server has met all the following requirements. If not, the messages from your domain may very possibly be suspected as spam messages and blocked. 1. Reverse DNS Lookup. Many mail servers require a reverse DNS lookup before they accept e-mail. Therefore, please contact your ISP to make sure they have configured a Reverse DNS Lookup Zone for your Internet domain and created a PTR record for your Exchange server in the Reverse Lookup DNS Zone. 2. Static IP address. Many mail servers require a static public IP address for the Exchange server. So please make sure that your Exchange Server is not using dynamic IP addresses. 3. Open relay. Verify that your Exchange server is not an open mail relay. For more information about how to do that, please refer to the following articles in the Microsoft Knowledge Base: 300580.KB.EN-US XCON: Cannot Send E-Mail Messages to a Growing List of Domains http://support.microsoft.com/default.aspx?scid=KB;EN-US;300580 319356.KB.EN-US HOW TO: Prevent Unsolicited Commercial E-Mail in Exchange 2000 Server http://support.microsoft.com/default.aspx?scid=KB;EN-US;319356 SPF is a new, efficient anti-spam method for e-mail. However, it has not been widely used yet and, as far as I know, Hotmail has not applied it. AOL announced that beginning this summer it will utilize SPF to scale and maintain its proprietary and valued whitelist - a statement wrongly interpreted to mean that AOL will boot those without SPF records from its whitelist. Many new organizations have an opportunity to be added to the previously mysterious whitelist - a compelling reason alone to get on board.
AOL explains how SPF will affect existing whitelists: Publish your SPF record and be immediately eligible for the AOL free whitelist whether or not you've ever been on it. Don't publish your record and remain unidentified or non-compliant. Your whitelist status will probably remain the same as whatever it is now. Just don't complain about your delivery performance into AOL. For more information about SPF, please refer to: http://www.optinnews.com/SPF_update.html http://spf.pobox.com/wizard.html Hope the information helps. Regards, Pat Cai Microsoft Online Partner Support Get Secure! - www.microsoft.com/security ===================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ===================================================== This posting is provided "AS IS" with no warranties, and confers no rights.
Thanks for the thorough response. See embedded for replies. I have a static IP, but it's a DSL address. The reverse DNS looks like "adsl-208.190.46.145.dsl.rcsntx.swbell.net", even though our domain is fumcallen.org, and listed by someone other than the ISP. Is that okay? In other words, the ISP gives us the static IP and they own the reverse DNS for the entire block of DSL addresses. We then use a third party to register the domain and MX records, but they can't do anything about the reverse DNS because it's owned by the ISP. Does this cause bounce backs for some domains? Been there -- still clean. Will do, but was hoping this was a general problem that, when solved, would clear up several other domains as well.
Thanks for the additional feedback. See responses. Is it important what the reverse DNS shows, or just that it maps to something? Our domain is registered with a third party, not with the ISP. The last time I contacted the ISP (SBC.Com) about this, they had never heard of doing this for any customer and did not know how to proceed. They are a huge DSL internet provider, and so I figured my request must have been way off the mark. Got it. Actually own a small block of IPs, but have been using the same one in that block for more than six years. OK here too. Right. spf.pobox.com started me down this trail, but I was wondering how many other small business users had already done this, because it is not in any of the Whitepapers on setting up SBS, probably because it is relatively new. Thanks for your contributions! Hopefully I'll get to the bottom of this soon.
Alan - Biggest issue is having a reverse entry that matches for forward and reverse. Since adsl-208.190.46.145.dsl.rcsntx.swbell.net is the reverse entry but your machine is declaring itself as mail.fumcallen.org, you will have issues with certain MTAs that check to make sure they match. You will have to request from swbell to get rDNS delegated to a name server you maintain, or simply request that they set the PTR record for that IP address to mail.fumcallen.org. That way, if someone does an rDNS lookup of the IP address they will get the FQDN that your MTA is declaring itself as. Another option: your ISP should allow you to forward all your traffic to one of their SMTP servers to relay outbound. That way your mail would ALWAYS go to an MTA owned and operated by the ISP, who is doing all the work to keep their stuff SPF/SenderID/DomainKeys compliant. Just a thought and relatively easy to set up. Your box could still be the inbound MX record in DNS as it is now, but you would simply be sending everything through your ISP. Also, you could then publish SPF records that state that your ISP is allowed to send mail out on your domain's behalf. Regards, Ed Horley Microsoft MVP Server-Networking
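The forward/reverse match Ed describes, written out as a check a receiving MTA might run. This is an added example, not code from the thread; the DNS answers come from constructed tables instead of live lookups (a real MTA would use gethostbyaddr and getaddrinfo), and the IP and hostnames are the ones Alan posted.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check of the kind Ed describes.

Added example, not from the thread. DNS answers come from constructed
tables instead of live lookups (a real MTA would use gethostbyaddr and
getaddrinfo); the IP and hostnames are the ones Alan posted.
"""

# Constructed DNS data: PTR records keyed by IP, A records keyed by name.
PTR = {"208.190.46.145": ["adsl-208.190.46.145.dsl.rcsntx.swbell.net"]}
A = {
    "adsl-208.190.46.145.dsl.rcsntx.swbell.net": ["208.190.46.145"],
    "mail.fumcallen.org": ["208.190.46.145"],
}


def check_sender(ip, helo_name, ptr_table=PTR, a_table=A):
    """Return (verdict, reason) for an MTA connecting from ip with helo_name."""
    ptr_names = [n.lower().rstrip(".") for n in ptr_table.get(ip, [])]
    if not ptr_names:
        return "reject", "no PTR record for %s" % ip
    # FCrDNS proper: at least one PTR name must resolve back to the IP.
    confirmed = [n for n in ptr_names if ip in a_table.get(n, [])]
    if not confirmed:
        return "reject", "PTR %s does not resolve back to %s" % (ptr_names, ip)
    # The stricter check some MTAs apply: HELO must be one of those names.
    helo = helo_name.lower().rstrip(".")
    if helo not in confirmed:
        return "suspect", "HELO %s does not match rDNS %s" % (helo, confirmed)
    return "accept", "HELO %s matches forward-confirmed rDNS" % helo


if __name__ == "__main__":
    # Alan's current state: the ISP's generic PTR, but the MTA says mail.fumcallen.org.
    print(check_sender("208.190.46.145", "mail.fumcallen.org"))
    # After swbell sets the PTR to mail.fumcallen.org as Ed suggests.
    fixed = {"208.190.46.145": ["mail.fumcallen.org"]}
    print(check_sender("208.190.46.145", "mail.fumcallen.org", ptr_table=fixed))
```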
Thanks. I'm definitely going to resurrect the rDNS issue resolution with the ISP and let you know. On the other option, they definitely support relaying all my outgoing through one of their mail servers. When you do that, does the "from" address need to change? I tried forwarding all my mail some time ago, but AOL started bouncing it all back because my domain was still "fumcallen.org", but the IP was pointing to the ISP.
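Ed's relay option and Alan's question about the "from" address, worked through as an added example that is not from the thread: a minimal SPF evaluator shows that a record listing only mail.fumcallen.org fails mail relayed through the ISP, while one that includes the ISP's record passes it with the MAIL FROM domain left as fumcallen.org. Only the ip4, a, include and all mechanisms are handled, DNS answers come from a constructed table, and isp.example with 192.0.2.0/24 is a made-up stand-in for the ISP's relays.

```python
"""Minimal SPF (v=spf1) evaluation showing why mail relayed through the ISP
fails a record that lists only the local server, and how naming the ISP fixes it.

Added example, not from the thread. Only the ip4, a, include and all
mechanisms are handled, DNS answers come from a constructed table, and
isp.example with 192.0.2.0/24 is a made-up stand-in for the ISP's relays.
"""
import ipaddress

# Constructed DNS: TXT (SPF) records keyed by domain, A records keyed by name.
TXT = {"isp.example": "v=spf1 ip4:192.0.2.0/24 -all"}
A = {"mail.fumcallen.org": ["208.190.46.145"]}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(domain, sender_ip, txt=TXT, a=A, depth=0):
    """Result for MAIL FROM @domain sent from sender_ip ('none' = no record)."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = sender_ip in a.get(arg or domain, [])
        elif mech == "include":
            matched = evaluate_spf(arg, sender_ip, txt, a, depth + 1) == "pass"
        else:
            matched = mech == "all"
        if matched:
            return RESULT[qualifier]
    return "neutral"

def fumcallen_result(record, sender_ip):
    """Evaluate a candidate fumcallen.org record against a sending IP."""
    txt = dict(TXT, **{"fumcallen.org": record})
    return evaluate_spf("fumcallen.org", sender_ip, txt)

if __name__ == "__main__":
    own_only = "v=spf1 a:mail.fumcallen.org -all"
    with_isp = "v=spf1 a:mail.fumcallen.org include:isp.example -all"
    print(fumcallen_result(own_only, "208.190.46.145"))  # pass: sent directly
    print(fumcallen_result(own_only, "192.0.2.10"))      # fail: relayed via ISP
    print(fumcallen_result(with_isp, "192.0.2.10"))      # pass: ISP authorised
```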
Hi Alan, Thanks for your reply. I would like to briefly explain reverse DNS here. For example, suppose you are using @abc.com and your server IP is 10.10.10.10. However, the destination server queries the DNS PTR record for abc.com and gets 20.20.20.20; the IP addresses do not match. Your message would be blocked as spam e-mail. Many mail servers over the Internet require a reverse DNS lookup for the sender's e-mail address to avoid spam e-mails. If your Internet domain doesn't have a reverse DNS lookup zone, your e-mails may be rejected by other mail servers on the Internet. So it is very important for your email server. According to your current situation, your ISP hosts the DNS server but has not added your server to the reverse zone. So please ask your ISP to help you add a reverse DNS lookup zone for your domain and then test to see if this issue disappears. Also, please note that after your ISP helps you add the reverse DNS lookup zone, it may not take effect immediately; usually it may take several days for replication. If you are hosting DNS yourself, you may take a look at the KB article below for how to add a reverse zone entry: How to Install and Configure Microsoft DNS Server http://support.microsoft.com/default.aspx?scid=kb;en-us;172953 Hope the information helps. Regards, Pat Cai Microsoft Online Partner Support
Well it took 7 phone calls and an on-line help session, but I finally found someone at the ISP that really understood what I needed and has started the change process. Silly me -- I mistook the initial ignorance of one of their help desk folks to mean that they could not help. Now that reverse DNS is almost a gotta-have, I was lucky enough to find seven folks that knew someone else that could help. Sure enough, #8 is fixing it right up. Thanks for your help!
Hi Alan, Thank you for your reply and the detailed additional feedback on how you were successful in resolving this issue. Reverse DNS is very important to an email server. In most scenarios, it is the first factor we should check if we get blocked by other email servers. Now I am happy to hear that you have figured the problem out eventually. If you have any other questions or concerns in future, please do not hesitate to contact us. It is always our pleasure to be of assistance. Have a nice day! Regards, Pat Cai Microsoft Online Partner Support
So now that I see the beauty of RDNS, is there a (free) way for SBS2003 to block other domains that do not pass RDNS?
Hi Alan, Based on my knowledge, I am afraid that there isn't any built-in feature in either SBS 2003 or standalone Exchange 2003 Server that can help you reject incoming e-mails which don't meet the Reverse DNS Lookup criteria, and at this point you may want to consider using a third-party anti-spam application integrated with your SBS server to block e-mails which don't pass the RDNS check. Also, there is a new anti-spam feature in Exchange 2003 Server, called Realtime Block List (RBL), and you can use it to block e-mails which are sent from spam senders based on well-known Internet blacklists. Since e-mail servers that don't pass the RDNS check will be added to most blacklists, you may also achieve your goal by this approach. For more info about this RBL feature in Exchange 2003, please refer to the KB article below: 823866 How to configure connection filtering to use Realtime Block Lists (RBLs) http://support.microsoft.com/?id=823866 Hope this helps. Best Regards, Reade Chen, MCSE, MCSD Microsoft Online Partner Support
Subject: Re: No SPF text record --> bounced outgoing emails? | Date: Mon, 10 Jan 2005 21:20:15 -0600 | Newsgroups: microsoft.public.windows.server.sbs