I am trying to send mails with mailgun. My DNS config (SPF,DKIM) seems to be ok and are being validated in mailgun service. I can send mail to several users with gmail, live and most others mail providers. However, I have a problem when I sent an email for email accounts of my university.
The message is rejected with the following alert:
"554 5.7.1 : Client host rejected: MX-CIDR"
My current DNS settings are:
TXT # "v=spf1 include:mailgun.org ~all"
MX 10 mxa.mailgun.org.
MX 10 mxb.mailgun.org.
DKIM was validated as well. I checked my domain at mxtoolbox and the dns config pass in all tests. I did not find errors related with that alert in others questions. May someone help me to fix it?
Update 1:
Just some more informations:
1) I dont send, and I have absolutely no intention to send spam. I created an educational website, used by students and instructors, and they send messages sometimes between each others. I also send mail to confirm registers, recovery password, as a lot of others websites do. I only send messages to people who was agreed with my terms of service, that includes the information about my mail policy. It is a small service, I never sent more than 2,000 messages in a month (I have 800 registered users so far)
2) I do not believe I was blacklisted, mxtools verify several blacklists databases and my IP have passed in all verifications. Also, the server is not rejecting all messages from my IP, I can send messages with my personal email with the same domain, but I use different services to handle my personal inbox with my domain and the emails send by my website. So, I guess it may be a DNS record mistake.
3) I only use mailgun (or others transactional email services like mandrill or sendgrid) because it is highly recommended (and easy). I use a small VPS and it is hard to configure my own email service (I am a programmer, I am not an expert in that kind of configuration). If exists negative factors about the use of these systems, I really like to know and learn more.
I see no evidence posted that the reason the receiving mail server is rejecting your mail is because of your SPF records.
There isn't even any evidence here that the receiving mail servers are even performing SPF checks on their incoming mail.
Can you explain why exactly you believe that this has anything to do with SPF?
Just because someone's rejecting your mail, and you happen to be messing around with your SPF records, doesn't mean that the reason for your mail being rejected is due to your SPF records.
The only ones who can tell you exactly why your email is being rejected, and what needs to be done to fix it, is the receiving mail servers' administrators, and that's who you should be asking. They are the only ones who know exactly how their mail servers are configured, and how they work. Unless it's evident from the text of the error message, and it's not, anyone else's answer will be nothing but guesswork.
And actually my guess would be that, if anything, the error message seems to suggest that they have simply blacklisted your IP address range, period, for whatever reason. I would interpret "MX-CIDR" as meaning "MX's IP address' (you can Google what "CIDR" means by yourself); i.e.: sending mail server's IP address is explicitly blacklisted from sending them mail.
Now, taking from the referenced domain's web site, I quote:
"Our software automatically manages the delivery process to give your emails the best chance of landing in the inbox."
I would think that the only type of folks who would be concerned about having "the best chance of landing in" someone inbox would be all the typical spamming parasites. I browsed through the referenced website, and I couldn't shake off a slimy feeling I get after typically wandering into a typical spam spewer.
Is this domain being used to send spam?
If so, then you probably know the answer to your question, already.
Certain SPF libraries might reject emails when trying to perform a reverse lookup on the domain that you're sending from.
They usually get this from the MX records attached to the domain and if there's a mismatch it'll fail out with a rejection (more detail here: http://www.zytrax.com/books/dns/ch9/spf.html).
It's usually only a problem if the receiving server is not necessarily configured correctly, or is being super harsh on incoming mail due to an overwhelming amount of spam.
Related
My team supports a website for a client, and we use SendGrid to send email related to the site on their behalf.
We do not have anything to do with their own email server and I don't at present know anything about it.
So far as I can work out, SendGrid has proper authentication and is an authorised sender for their domain, and almost 98% of email is delivered successfully.
However, we have had a handful of bounces with the reason "550 relaying denied" and all of these were to addresses at our client's domain (the same one as their website and the from address of the emails.)
Most emails to their domain were delivered successfully.
Unfortunately I don't have access to the full headers of the bounce emails, only the reason.
I understand that in general this error can either be caused by
the sender not being authenticated correctly. I am very far from being an expert in this but so far as I can tell, there is nothing wrong there. Or
a DNS or similar misconfiguration on the part of the recipient's email domain. I have even less understanding about this and I have no access or responsibility for the client's email server.
My main question is, is there any way the domain being the same as the from address could be related? Being as the email is claiming to be from the same place it's sent to, is it possible for that to affect how it's handled by relays?
If not, I'd also appreciate any pointers on where to look for the issue (or what to advise the client to look at if the problem is likely to be from their end.) I have been trying to research issues with email configuration and authentication but I am very much a novice in this area.
Thanks in advance.
The domain being the same could very well be related, but normally when that happens, the receiving server refuses all mail purporting to be from itself.
Separate from DKIM & SPF, most mail servers believe they alone are responsible for the mail from their domain.com. As such, a lot of them have anti-phishing filters that reject "outside" mail that claims to be from themselves. It's like "You can't be Carrie, I'm Carrie! Go Away!"
The fact that it's only some mail is interesting. The error being relay denied may also be key, though these anti-phishing filters often use "fake" errors to not give away the game.
Do the recipients of the messages that are being rejected have some kind of internal forwarding applied? That may be the cause, in which case that bounce reason is honest.
Or they may have a more defined anti-phishing feature, only rejecting mail From or For certain addresses. You can try testing certain combinations, and see if anything is repeatable.
Ultimately however, it will come down to working with the receiving mail domain's admin, and either updating those rules, or whitelisting the SendGrid IPs that are sending the mail to them.
I'd like to set up custom domain authentication using DKIM and SPF for our 3rd party email marketing company (like mail chimp or constant contact). We also run MS exchange. Our Exchange guy is convinced that setting up DKIM and SPF for email marketing company will forever tie the reputation of the email marketing company to our exchange server. Is he correct? If not, how do I convince him?
I think I have enough info now to make this an answer...
Yes, if this is a permission-based list that you have sent to recently (if it's old that means likely spam traps) then I think you are correct that there's not much risk at all.
One way to convince this person would be to find out what IP address your MailChimp emails originate from (maybe send to a small list with just yourself on it but a real send). And then check out the reputation of this IP address using the tools available such as MX Toolbox and others, then show him the output. I'd be surprised if your Mailchimp assigned IP address was on any blacklists or had reputation issues
When he says exchange server is he talking about your company domain name taking a reputation hit? Or is he worried about the IP address from which you send non-marketing email? If he's worried about a separate IP that you send day-to-day email from then explain to him that your marketing emails will go out from a Mailchimp assigned IP address. If he's worried about the domain two things: 1. Your list is opt-in and you've sent recently so it's not an issue 2. If it was a bad list that would cause your domain to be blacklisted then whether you have DMARC, SPF, and DKIM doesn't matter, the originating IP that sends spam can get blocked for spamming regardless.
So I think you are right here but it's a matter of making the case.
I'm using my own email server to send and receive my emails. Therefor I've set up a VPS at Tilaa.com which also acts as my webserver.
On the webserver I have DirectAdmin setup which takes care of my administrative things.
The problem is that I can receive and send emails but Outlook, Live and Hotmail refuse the receive any emails coming from my email server. Gmail does work f.e. ( Not even in junk folders )
When the receiver at Outlook/live or hotmail adds my email address to the safe list, emails do get through.
My domain is virtualfarmingworld.com
What I have done?
- Setup SPF record
- Setup DKIM record
- Setup A record mail.virtualfarmingworld.com to server IP 84.22.113.42
http://mxtoolbox.com/SuperTool.aspx?action=mx%3avirtualfarmingworld.com&run=toolpage#
Does anyone have any ideas?
Regards,
Ciryk Popeye
Ciryk,
Hotmail can be a bit tricky, if it's being blocked completely. Then most likely your IP is on their internal blacklist. If it's showing up in their SPAM folder it can be a number of reason. The headers from the email in Hotmail will tell you why it's in the SPAM folder.
Look for SRV:<value> PCL: <Value> and SCL: <Value>
PCL stands for Phising Confidence Level and SCL stands for Spam Confidence Level.
You should run your email through this Mail Tester, it really does point out a lot of issues. It may or may not solve the hotmail issue, but they have this inbox tester their that really awesome that will show you other places you're having issues mailing to. Keep in mind, the previous owner of the IP might of spammed from it and caused issues.
I also notice by helping a lot of people that after signing up to Microsoft Junk Mail Reporting System, wait a few days and then delivery results are better with hotmail. I did a scan on you IP and I think you did that already signed up?
You're also on this blacklist: http://www.dnsblchile.org/
Which is really easy to get off, normally takes a couple of hours after you filled out the form.
This is not an easy question because its a technique I have never seen before.
I recently received an email from a website I am subscribed and the email sender was something like this:
name#company-91e363c0cfc9.mail.intercom.io
I have a Saas software where users can send email marketing.
The problem is that the sender email is no-reply#domain.com for every one of them.
I was thinking about "what if" some of my customers sends junk and my domain gets blacklisted?
Looking at the technique Intercom is using I thought that it is a good way to solve the blacklist issue.
Let assume a customer sends spam, is the hole domain blacklisted (mail.intercom.io) or just #company-91e363c0cfc9.mail.intercom.io ?
I have the following questions:
What is the name of this technique/configuration.
Is it a good technique to solve getting the root domain
blacklisted ?
How can I configure this on my server?
Thanks.
They are create a sub-domain for each of their clients in DNS, as you can see by the MX Record Lookup of the domain you provided. When an email get sent out, they have an outgoing IP address on the email, which you didn't provide. The outgoing IP is going to blacklisted, it doesn't matter if the 50 sub-domains are different, the Outgoing IP (Sending IP) is going to get blacklisted. I don't think you're going to be able to working around an abusive customer, if the IP's are the same.
I spoke to some hosting companies that have similar issues and before they every allow a client to send mail, they need a clean report from this Mail Tester. But, even with a clean configuration and authentication, that doesn't prevent spam content from being sent. When that happens the IP owner has to address it, ultimately barring that customer from sending spam, if they don't correct the behavior.
You can always monitor your IP's for Blacklists and you should, but you're going to get a ton of abuse reports coming in from various providers, if it's a problem.
We are involved in the project which is designed to gather UK hotels details that our client needs to create a paper guide with most popular and top rated places in the country.
At the begining of each year we automatically send emails out to hotel owners in order to ask them to update their hotel details.
Unfortunately Client reported that some of hotels never received any of the emails nor that email ended up in spam, especially on hotmail mailbox.
Is there any known approach which could help us to overcome that situation?
One of the solutions we tried was to resign from local SMTP server and purchase external SMTP server on turboSMTP, but without effect.
How would you advise us to you deal with that problem or what have you advised to other companies in the past? Surely there must be a way to resolve that problem completely and we would appreciate your prompt help with that.
Sending an email to multiple recipients within the same company may sometimes have that effect. That company’s email firewall often assumes it’s a spam attack.
There's a lot of factors that come into this. Thankfully, by going for an external SMTP relay, you can offload most of the issues to them.
What you can do, is make sure your domain and emails are configured to increase their validity. Two really key things for this:
SPF records
DKIM signing
SPF
SPF is basically a whitelist of IPs that can send email for your domain. SPF records are added to your DNS server. There are plenty of SPF generators online that can help (like this one). Your SMTP provider will also need to be included in your SPF record.
DKIM
DKIM digitally signs your email to verify that it's been sent by an authorised sender. Your SMTP provider will have info on how to set that up (turboSMTP docs).
If you want to explore more, I recommend Jeff Atwood's (co-founder of SO) article on how horrible email is: http://blog.codinghorror.com/so-youd-like-to-send-some-email-through-code/