This is not an easy question because its a technique I have never seen before.
I recently received an email from a website I am subscribed and the email sender was something like this:
name#company-91e363c0cfc9.mail.intercom.io
I have a Saas software where users can send email marketing.
The problem is that the sender email is no-reply#domain.com for every one of them.
I was thinking about "what if" some of my customers sends junk and my domain gets blacklisted?
Looking at the technique Intercom is using I thought that it is a good way to solve the blacklist issue.
Let assume a customer sends spam, is the hole domain blacklisted (mail.intercom.io) or just #company-91e363c0cfc9.mail.intercom.io ?
I have the following questions:
What is the name of this technique/configuration.
Is it a good technique to solve getting the root domain
blacklisted ?
How can I configure this on my server?
Thanks.
They are create a sub-domain for each of their clients in DNS, as you can see by the MX Record Lookup of the domain you provided. When an email get sent out, they have an outgoing IP address on the email, which you didn't provide. The outgoing IP is going to blacklisted, it doesn't matter if the 50 sub-domains are different, the Outgoing IP (Sending IP) is going to get blacklisted. I don't think you're going to be able to working around an abusive customer, if the IP's are the same.
I spoke to some hosting companies that have similar issues and before they every allow a client to send mail, they need a clean report from this Mail Tester. But, even with a clean configuration and authentication, that doesn't prevent spam content from being sent. When that happens the IP owner has to address it, ultimately barring that customer from sending spam, if they don't correct the behavior.
You can always monitor your IP's for Blacklists and you should, but you're going to get a ton of abuse reports coming in from various providers, if it's a problem.
Related
My team supports a website for a client, and we use SendGrid to send email related to the site on their behalf.
We do not have anything to do with their own email server and I don't at present know anything about it.
So far as I can work out, SendGrid has proper authentication and is an authorised sender for their domain, and almost 98% of email is delivered successfully.
However, we have had a handful of bounces with the reason "550 relaying denied" and all of these were to addresses at our client's domain (the same one as their website and the from address of the emails.)
Most emails to their domain were delivered successfully.
Unfortunately I don't have access to the full headers of the bounce emails, only the reason.
I understand that in general this error can either be caused by
the sender not being authenticated correctly. I am very far from being an expert in this but so far as I can tell, there is nothing wrong there. Or
a DNS or similar misconfiguration on the part of the recipient's email domain. I have even less understanding about this and I have no access or responsibility for the client's email server.
My main question is, is there any way the domain being the same as the from address could be related? Being as the email is claiming to be from the same place it's sent to, is it possible for that to affect how it's handled by relays?
If not, I'd also appreciate any pointers on where to look for the issue (or what to advise the client to look at if the problem is likely to be from their end.) I have been trying to research issues with email configuration and authentication but I am very much a novice in this area.
Thanks in advance.
The domain being the same could very well be related, but normally when that happens, the receiving server refuses all mail purporting to be from itself.
Separate from DKIM & SPF, most mail servers believe they alone are responsible for the mail from their domain.com. As such, a lot of them have anti-phishing filters that reject "outside" mail that claims to be from themselves. It's like "You can't be Carrie, I'm Carrie! Go Away!"
The fact that it's only some mail is interesting. The error being relay denied may also be key, though these anti-phishing filters often use "fake" errors to not give away the game.
Do the recipients of the messages that are being rejected have some kind of internal forwarding applied? That may be the cause, in which case that bounce reason is honest.
Or they may have a more defined anti-phishing feature, only rejecting mail From or For certain addresses. You can try testing certain combinations, and see if anything is repeatable.
Ultimately however, it will come down to working with the receiving mail domain's admin, and either updating those rules, or whitelisting the SendGrid IPs that are sending the mail to them.
I'd like to set up custom domain authentication using DKIM and SPF for our 3rd party email marketing company (like mail chimp or constant contact). We also run MS exchange. Our Exchange guy is convinced that setting up DKIM and SPF for email marketing company will forever tie the reputation of the email marketing company to our exchange server. Is he correct? If not, how do I convince him?
I think I have enough info now to make this an answer...
Yes, if this is a permission-based list that you have sent to recently (if it's old that means likely spam traps) then I think you are correct that there's not much risk at all.
One way to convince this person would be to find out what IP address your MailChimp emails originate from (maybe send to a small list with just yourself on it but a real send). And then check out the reputation of this IP address using the tools available such as MX Toolbox and others, then show him the output. I'd be surprised if your Mailchimp assigned IP address was on any blacklists or had reputation issues
When he says exchange server is he talking about your company domain name taking a reputation hit? Or is he worried about the IP address from which you send non-marketing email? If he's worried about a separate IP that you send day-to-day email from then explain to him that your marketing emails will go out from a Mailchimp assigned IP address. If he's worried about the domain two things: 1. Your list is opt-in and you've sent recently so it's not an issue 2. If it was a bad list that would cause your domain to be blacklisted then whether you have DMARC, SPF, and DKIM doesn't matter, the originating IP that sends spam can get blocked for spamming regardless.
So I think you are right here but it's a matter of making the case.
I am trying to send mails with mailgun. My DNS config (SPF,DKIM) seems to be ok and are being validated in mailgun service. I can send mail to several users with gmail, live and most others mail providers. However, I have a problem when I sent an email for email accounts of my university.
The message is rejected with the following alert:
"554 5.7.1 : Client host rejected: MX-CIDR"
My current DNS settings are:
TXT # "v=spf1 include:mailgun.org ~all"
MX 10 mxa.mailgun.org.
MX 10 mxb.mailgun.org.
DKIM was validated as well. I checked my domain at mxtoolbox and the dns config pass in all tests. I did not find errors related with that alert in others questions. May someone help me to fix it?
Update 1:
Just some more informations:
1) I dont send, and I have absolutely no intention to send spam. I created an educational website, used by students and instructors, and they send messages sometimes between each others. I also send mail to confirm registers, recovery password, as a lot of others websites do. I only send messages to people who was agreed with my terms of service, that includes the information about my mail policy. It is a small service, I never sent more than 2,000 messages in a month (I have 800 registered users so far)
2) I do not believe I was blacklisted, mxtools verify several blacklists databases and my IP have passed in all verifications. Also, the server is not rejecting all messages from my IP, I can send messages with my personal email with the same domain, but I use different services to handle my personal inbox with my domain and the emails send by my website. So, I guess it may be a DNS record mistake.
3) I only use mailgun (or others transactional email services like mandrill or sendgrid) because it is highly recommended (and easy). I use a small VPS and it is hard to configure my own email service (I am a programmer, I am not an expert in that kind of configuration). If exists negative factors about the use of these systems, I really like to know and learn more.
I see no evidence posted that the reason the receiving mail server is rejecting your mail is because of your SPF records.
There isn't even any evidence here that the receiving mail servers are even performing SPF checks on their incoming mail.
Can you explain why exactly you believe that this has anything to do with SPF?
Just because someone's rejecting your mail, and you happen to be messing around with your SPF records, doesn't mean that the reason for your mail being rejected is due to your SPF records.
The only ones who can tell you exactly why your email is being rejected, and what needs to be done to fix it, is the receiving mail servers' administrators, and that's who you should be asking. They are the only ones who know exactly how their mail servers are configured, and how they work. Unless it's evident from the text of the error message, and it's not, anyone else's answer will be nothing but guesswork.
And actually my guess would be that, if anything, the error message seems to suggest that they have simply blacklisted your IP address range, period, for whatever reason. I would interpret "MX-CIDR" as meaning "MX's IP address' (you can Google what "CIDR" means by yourself); i.e.: sending mail server's IP address is explicitly blacklisted from sending them mail.
Now, taking from the referenced domain's web site, I quote:
"Our software automatically manages the delivery process to give your emails the best chance of landing in the inbox."
I would think that the only type of folks who would be concerned about having "the best chance of landing in" someone inbox would be all the typical spamming parasites. I browsed through the referenced website, and I couldn't shake off a slimy feeling I get after typically wandering into a typical spam spewer.
Is this domain being used to send spam?
If so, then you probably know the answer to your question, already.
Certain SPF libraries might reject emails when trying to perform a reverse lookup on the domain that you're sending from.
They usually get this from the MX records attached to the domain and if there's a mismatch it'll fail out with a rejection (more detail here: http://www.zytrax.com/books/dns/ch9/spf.html).
It's usually only a problem if the receiving server is not necessarily configured correctly, or is being super harsh on incoming mail due to an overwhelming amount of spam.
Let say I have a website that allows users to send articles on that website to a friend.
The way it works is that when the "send to a friend" link is clicked a form appears and it allows users to fill in the details and an email is sent to their friend.
The user can put in a "from" email address and a "to" email address into this form and a small amount of content.
When the email is received the from email address appears in the FROM and REPLY TO.
This website also sends a great deal of its own email communications to its users.
My question is:
Is there risk to allowing users (bots, attacks etc) to use this application to send emails from my SMTP, and how great is the risk?
My assumption is yes, this is not ideal.
Is it possibly worse than "not ideal"?
I do not know about bots using your form. Should it be a problem? I don't know.. I do know they program bots to be pretty clever, using your custom forms and all.
I do know that some email servers check if the FROM email address has the same IP address as the IP the mail was sent from. So imagine I put in my hotmail email address, and the mail server sees your server, it might flag the email as spam.
In the past I've an e-card websystem. It was a small joint venture with a girl I knew. She created the (cute) cards and I build her an e-card system. The website was pretty simple. Select card, enter email address, placing senders email address in the FROM and sent the email that you would have received an e-card.
Life was good...
Until I found that my entire web server IP was blacklisted at three major spam filtering mechanisms. And that 15% of all email recipients who used to receive e-cards from my site, would not receive their e-cards, because all my emails were blacklisted as spam from the get go. We have receive many many emails from angry "customers" demanding that their e-cards did not arrive. (I still find it funny how some people demanded the service, especially since it was a free service, go figure). My automatic reminder function was telling them the e-card still were not viewed, and they perhaps mistyped the email address, so that might have ticked them off :P
It was pretty annoying for my other customers as well, since they relied on sending out played newsletters and such and calling me that over 20% of the customers did not receive the newsletters.
Sending e-mails is hard. You should also check out Jeff's blog about this. So, learn from my mistake, and please put an email address associated with your email server in the FROM. This will spare you a lot of headaches ;)
yes this is definitely not ideal if this is a public website that any bot can access. but there are easy ways for you to limit spam use.
have your code limit any email
address to send ~50 emails a day and
only ~10 an hour based on your
needs. a bot would probably try to
send a million at once so limit them
on an hourly and daily basis.
store every email communication in a
database and come up with a good
program to monitor the most active
email senders. if you can verify
that an email is trusted, then let
them send as many emails as they
want
think about this site itself, it has very defined actions and reputation guidelines that limit you until you have proved you are trusted.
It may depend on whether you do any authentication to determine who's allowed to send emails. If the user has to be logged in to send articles, then you're probably fine. Bots will fail because they'll never be logged in.
The risk will increase the greater traffic you get to your site, and yes it's probably less than ideal. Unprotected, a bot will inevitably find your unprotected form, and start sending emails from your server.
There are some pretty easy solutions though, the most common probably being to implement something like Captcha
Fairly safe. I assume you do check the "From" address, if only by sending it one (standard!) mail first and asking the owner of that email address to confirm they are really humans ? This prevents most bots from finding and abusing your form. Of course, a directed attack with a human responding to your verification email will still allow spamming. But you've got a much better trail if you have received at least one reply from the alleged "From" address.
However, I don't think this will work reliably. The introduction of techniques like SPF will mean that mails from "example.com" will only be accepted if they originate from an outgoing SMTP server in the *.example.com domain. If you're faking emails with From: addresses #example.com, the receiving SMTP server will see that you are in fact not part of *.example.com and reject the email - and probably blacklist your IP range for good measure.
I sent 3 emails last week as replies from our website. None received them! One was yahoo, hotmail and an overseas domain. I am wondering if it's not a good idea to open a yahoo account with our domain name as the user just to reply to prospective buyers.
Your mail server's IP may have been black listed. This is common on shared servers.
http://www.mxtoolbox.com/blacklists.aspx
First, check dnsbl.info to see if your mailserver's IP is blocked by any of the blacklists. If they are, contact the blacklist administrator to investigate removing the block.
If your email is business critical, then you need to get a dedicated server with a white-hat hosting company, control over DNS to set up your SPF/SenderID record, and to register with the Hotmail, AOL and Yahoo postmasters for whitelisting and feedback loops. Most of these will only accept requests for dedicated servers, where you have 100% control over the email they send.
If you are using an online contact form, make people double-enter their email address and check the entries match - otherwise you'll have no end of typos, which are naturally undeliverable and frustrating for both you and your customers.
You could also try looking at gmail for domains. It's what I use and so far I haven't had a problem withany spam filters. Also make sure that you are not writing the content of the message to where a spam filter could flag it as spam. There's some guides on the net somewhere. I found out that by removing the word "free" from the message the emails started going though (before I was on gmail).