Mail server altering reply-to address? - email

We have an application sending mail with reply-to addresses in the form of NNN@email.example.com. The mail is sent via Sendgrid and replies are parsed using Sendgrid's Parse API. The problem is some email doesn't get back to us because the reply-to address has been changed to NNN@sendgrid.net. Sendgrid support says they never touch the reply-to and we've confirmed by a Gmail logging account that our application sends mail out correctly. So that leaves me suspecting certain mail servers are switching the domain name with that of the MX host. Our MX records for email.example.com are:
mx3.sendgrid.net 20
mx4.sendgrid.net 20
mx5.sendgrid.net 20
mx.sendgrid.net 10
mx2.sendgrid.net 20
Are there any mail servers or clients that are known to modify reply-to addresses? Or is there any other possible explanation?
Edit: Headers from an email sent by our app and logged with a Gmail account (sanitized to remove client information):
Delivered-To: logger@company.com
Received: by 10.112.62.41 with SMTP id v9csp143404lbr;
 Tue, 31 Jul 2012 04:25:29 -0700 (PDT)
Received: by 10.182.51.37 with SMTP id h5mr22717342obo.35.1343733928944;
 Tue, 31 Jul 2012 04:25:28 -0700 (PDT)
Return-Path: <Editors@domain.com>
Received: from o1.email.domain.com (o1.email.domain.com. [208.117.48.105])
 by mx.google.com with SMTP id m6si10752851oec.6.2012.07.31.04.25.27;
 Tue, 31 Jul 2012 04:25:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of Editors@domain.com designates 208.117.48.105 as permitted sender) client-ip=208.117.48.105;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of Editors@domain.com designates 208.117.48.105 as permitted sender) smtp.mail=Editors@domain.com; dkim=pass header.i=@Domain.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=Domain.com; h=date
 :from:reply-to:to:message-id:subject:mime-version:content-type
 :content-transfer-encoding; s=smtpapi; bh=+VZlU9LWGUpMR4neAk/JMo
 1DD2E=; b=T3Be3k1Gp+shIGgQZPJ1vtx1kUCRMCRAqRgf8LxVUdvQ1/7YWRKnls
 +zrXi6dhJXaLrEyVmt7MyYgxvkVvnJqWYy4tAQABtANQHdLSle4AK1+BY+/m2h4E
 fj91rMgQySNbrVV+mhaiE5Q7NxvIa35azUUO0/zRYpluDUt6UBEcQ=
Received: by 10.16.69.117 with SMTP id mf20.27729.5017C0A66
 Tue, 31 Jul 2012 06:25:26 -0500 (CDT)
Received: from email.domain.com (unknown [10.60.208.17])
 by mi15 (SG) with ESMTP id 5017c0a6.202a.a5e396
 Tue, 31 Jul 2012 06:25:26 -0500 (CST)
Date: Tue, 31 Jul 2012 07:25:25 -0400
From: Editors <Editors@domain.com>
Reply-To: 5005@email.domain.com,
 Editors <Editors@domain.com>
To: user@example.com
Message-ID: <5017c0a5d4365_e294729d8c86360@app02.manuscripts.domain.com.mail>
Subject: Invitation
Mime-Version: 1.0
Content-Type: text/html;
 charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Sendgrid-EID: lcSu+eeYyj7byVT4rUR8IwFlWv7xwmQ9mjigbpHftFWQeg+HlxpNd7F1nbL2uoqLRAg4sHwj57Rrx78FZhDo2L2DCVfamQm0+wEFzkMnensGOv19JFRIAeDMZY53SVpKMwm4Klqcm6L6s9+UaFtqnRUE3/jexZ6uJAFc5x57JG4=
So you see the reply-to is set properly in these headers, but when the recipient replied we saw the reply-to address change to 5005@sendgrid.net.

We have the exact same issue. I'm no Exchange guru so I can't validate this, but I'm willing to bet the company you are sending mail to has a configuration flag that states to NOT use a 'reply to' command. Our application sends out as ourcompany@appmail.com with the reply-to address set to user@mycompany.com. I can test with Gmail and Yahoo and it works great!
But certain companies we email always come back to the 'ourcompany@appmail.com' address as if there was no reply-to set. Think about all the junk mail you get where the reply address is your own email address. I can only imagine MS and Novell have flags to force replies to the actual sender.
Now if we could just get clarification from a real expert as to whether or not this flag is out there.

Related

DMARC behaviour on Gmail

We've configured SPF, DKIM and DMARC records for our domain and they're working fine. Our DMARC reports from Gmail, Hotmail, Yahoo also confirm the same.
However, just last week, one of our (Gmail) users brought to our attention a fraudulent email sent from a spoofed email address on our domain.
After looking at the email headers, we realised Gmail didn't initiate a DMARC check at all and the email landed in the user's inbox. Gmail had only performed an SPF check, which had passed because the check was performed on the envelope FROM header domain.
The email header (with identifying details redacted) looked like the following:
Delivered-To: redacted@gmail.com
Received: by 10.28.167.23 with SMTP id q23csp326872wme;
 Mon, 20 Feb 2017 23:53:04 -0800 (PST)
X-Received: by 10.36.147.1 with SMTP id y1mr22192213itd.34.1487663583976;
 Mon, 20 Feb 2017 23:53:03 -0800 (PST)
Return-Path: <redacted@fraudulentdomain.net>
Received: from server2.fraudulentdomain.net (server2.fraudulentdomain.net. [144.X.Y.Z])
 by mx.google.com with ESMTP id i196si19658513ioi.78.2017.02.20.23.53.03
 for <redacted@gmail.com>;
 Mon, 20 Feb 2017 23:53:03 -0800 (PST)
Received-SPF: pass (google.com: domain of redacted@fraudulentdomain.net designates 144.X.Y.Z as permitted sender) client-ip=144.X.Y.Z;
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of redacted@fraudulentdomain.net designates 144.X.Y.Z as permitted sender) smtp.mailfrom=redacted@fraudulentdomain.net
Received: by server2.fraudulentdomain.net (Postfix, from userid 330)
 id 385716C165; Tue, 21 Feb 2017 08:53:03 +0100 (CET)
To: redacted@gmail.com
Subject: Some Subject
From: My Service <spoofed@mydomain.com>,
 "MIME-Version:1.0"@server2.fraudulentdomain.net
Content-type: text/html; charset=iso-8859-1
Message-Id: <20170221075303.385716C165@server2.fraudulentdomain.net>
Date: Tue, 21 Feb 2017 08:53:03 +0100 (CET)
Why did Gmail not initiate a DMARC check and only perform an SPF check? Does it have something to do with the display FROM header having 2 values?
That's a bug, I reported it to Google, they have fixed it now.
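The header that matters for DMARC is the RFC5322.From field, and the one quoted above carries two mailboxes in two different domains (mydomain.com and server2.fraudulentdomain.net). The following is an added example, not code from the question or the answer: a small Python checker that does what a receiver's DMARC step is expected to do with such a message. It collects every From domain, refuses to evaluate when there is not exactly one (RFC 7489 section 6.6.1 treats multi-domain From fields as non-evaluable rather than as a reason to skip the check), and otherwise looks for an SPF or DKIM pass in Authentication-Results whose domain aligns with the From domain. The sample headers are constructed from the redacted ones above (144.0.0.1 replaces 144.X.Y.Z), the policy and alignment knobs are parameters instead of a `_dmarc.<domain>` DNS lookup, and the organizational-domain function is a two-label simplification rather than a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample, modelled on the redacted headers in the question above
# (144.0.0.1 stands in for the redacted 144.X.Y.Z). The From field carries two
# mailboxes in two different domains.
SPOOFED_TWO_FROM = """\
Return-Path: <redacted@fraudulentdomain.net>
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of redacted@fraudulentdomain.net designates 144.0.0.1 as permitted sender) smtp.mailfrom=redacted@fraudulentdomain.net
To: redacted@gmail.com
Subject: Some Subject
From: My Service <spoofed@mydomain.com>,
 "MIME-Version:1.0"@server2.fraudulentdomain.net
Date: Tue, 21 Feb 2017 08:53:03 +0100 (CET)

body
"""
# The same spoof with a single From mailbox: the ordinary DMARC case, where
# SPF passes but for a domain that does not align with From.
SPOOFED_ONE_FROM = SPOOFED_TWO_FROM.replace(
    ',\n "MIME-Version:1.0"@server2.fraudulentdomain.net', "")
# Constructed legitimate mail: the envelope sender is a subdomain of the From
# domain and a DKIM signature is present for the From domain itself.
LEGIT = """\
Return-Path: <bounce@mail.mydomain.com>
Authentication-Results: mx.google.com;
 spf=pass smtp.mailfrom=bounce@mail.mydomain.com;
 dkim=pass header.i=@mydomain.com
From: My Service <noreply@mydomain.com>
To: redacted@gmail.com
Subject: Some Subject

body
"""


def from_domains(msg):
    """All domains appearing in the RFC5322.From field, lower-cased."""
    domains = set()
    for _name, addr in getaddresses(msg.get_all("From", [])):
        if "@" in addr:
            domains.add(addr.rpartition("@")[2].lower())
    return domains


def parse_auth_results(msg):
    """Extract the spf/dkim verdicts and the domains they were evaluated for.
    Handles both Gmail spellings seen on this page, smtp.mail= and smtp.mailfrom=."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    out = {}
    m = re.search(r"\bspf=(\w+).*?smtp\.mail(?:from)?=(?:[^@\s;]*@)?([^\s;]+)", text, re.S)
    if m:
        out["spf"] = (m.group(1), m.group(2).lower())
    m = re.search(r"\bdkim=(\w+).*?header\.[di]=@?([^\s;]+)", text, re.S)
    if m:
        out["dkim"] = (m.group(1), m.group(2).lower())
    return out


def org_domain(domain):
    """Organizational domain. Simplification for this example (last two labels);
    a real verifier consults the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' is exact match, 'r' is same organizational domain."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(raw, policy="reject", aspf="r", adkim="r"):
    """Return the DMARC disposition for one raw message.

    policy/aspf/adkim stand in for the p=, aspf= and adkim= tags a receiver
    would read from the _dmarc TXT record of the From domain; no DNS here."""
    msg = message_from_string(raw)
    domains = from_domains(msg)
    # RFC 7489 s.6.6.1: a From field with zero or several domains cannot be
    # evaluated; the receiver should reject or quarantine it, not skip DMARC.
    if len(domains) != 1:
        return {"from_domains": domains, "reason": "from-domain-count", "disposition": "reject"}
    (fd,) = domains
    auth = parse_auth_results(msg)
    spf_ok = "spf" in auth and auth["spf"][0] == "pass" and aligned(auth["spf"][1], fd, aspf)
    dkim_ok = "dkim" in auth and auth["dkim"][0] == "pass" and aligned(auth["dkim"][1], fd, adkim)
    if spf_ok or dkim_ok:
        return {"from_domains": domains, "reason": "aligned", "disposition": "pass"}
    return {"from_domains": domains, "reason": "no-aligned-pass", "disposition": policy}


if __name__ == "__main__":
    for label, raw in (("two From domains", SPOOFED_TWO_FROM),
                       ("one From domain", SPOOFED_ONE_FROM),
                       ("legitimate", LEGIT)):
        print(label, dmarc_evaluate(raw))
```

The first sample never reaches the alignment step: the checker returns a disposition for the From-domain count alone, which is the behaviour the asker expected from Gmail. The second sample shows why SPF passing on the envelope domain is irrelevant on its own; only an aligned pass counts.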

Why are emails sent by my server marked as SPAM?

My website, all written in PHP, has an automatic system to notify users via email. Everything worked perfectly until I moved everything to a new, less expensive dedicated server (new IP, also). Now, from the new server, all the emails are sent to the spam folder. Why? What happened? Gmail says it's marked as spam because it violates these guidelines about the sender. Here is the message header of one of the emails:
Delivered-To: fontanavideostudios@gmail.com
Received: by 10.64.224.200 with SMTP id re8csp1701580iec;
 Sun, 1 Feb 2015 07:30:19 -0800 (PST)
X-Received: by 10.140.22.5 with SMTP id 5mr1380826qgm.72.1422804619177;
 Sun, 01 Feb 2015 07:30:19 -0800 (PST)
Return-Path: <noreply@racebooking.net>
Received: from ns362512.ip-91-121-174.eu ([2001:41d0:1:ef28::1])
 by mx.google.com with ESMTP id e3si21772874qaf.113.2015.02.01.07.30.18
 for <fontanavideostudios@gmail.com>;
 Sun, 01 Feb 2015 07:30:19 -0800 (PST)
Received-SPF: none (google.com: noreply@racebooking.net does not designate permitted sender hosts) client-ip=2001:41d0:1:ef28::1;
Authentication-Results: mx.google.com;
 spf=none (google.com: noreply@racebooking.net does not designate permitted sender hosts) smtp.mail=noreply@racebooking.net
Received: by ns362512.ip-91-121-174.eu (Postfix, from userid 504)
 id DFE0916074; Sun, 1 Feb 2015 16:28:52 +0100 (CET)
To: fontanavideostudios@gmail.com
Subject: Qualcuno ha commentato il tuo post
X-PHP-Originating-Script: 504:new_notification.php
From: Racebooking <noreply@racebooking.net>
Reply-To: no-reply
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Message-Id: <20150201152852.DFE0916074@ns362512.ip-91-121-174.eu>
Date: Sun, 1 Feb 2015 16:28:52 +0100 (CET)
The domain, racebooking.net, has a good reputation, and MX, mail and smtp point to the same IP, 91.121.174.40, which is the same IP as racebooking.net (here is a test).
Any idea?
Check these lines in the header:
Received-SPF: none (google.com: noreply@racebooking.net does not designate permitted sender hosts) client-ip=2001:41d0:1:ef28::1;
Authentication-Results: mx.google.com;
 spf=none (google.com: noreply@racebooking.net does not designate permitted sender hosts) smtp.mail=noreply@racebooking.net
I think you have not correctly configured the SPF entries in your DNS.
See this Google Products thread about this: https://productforums.google.com/forum/#!topic/apps/nvGcYDjONfc
I can see that you have no SPF entries defined for "racebooking.net":
$ dig +short racebooking.net txt
"1|www.racebooking.net"
You need to define an SPF entry like:
"v=spf1 mx a:mail0.racebooking.net -all"
You also need to include any other host from which you might be sending email (i.e. web applications sending email from @racebooking.net).
More info about what SPF is: http://en.wikipedia.org/wiki/Sender_Policy_Framework
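Before publishing a record like the one proposed above, it is worth evaluating it against the actual connecting address. The Gmail header in the question shows the server connecting over IPv6 (client-ip=2001:41d0:1:ef28::1), and the `mx` and `a:` mechanisms only authorize an IPv6 client if the named hosts have AAAA records; the asker reports A records pointing at 91.121.174.40. The following is an added example, not part of the answer: a minimal RFC 7208 check_host() in Python that runs against an inline stand-in for DNS. The zone data (MX and A records, and a second record adding an `ip6:` term) are assumptions made for the demonstration, not a dump of the real racebooking.net zone; the non-SPF TXT record the `dig` output above shows is included so that the filter step is exercised.

```python
import ipaddress
import re

# Constructed stand-in for DNS so the evaluator runs offline. The SPF record is
# the one the answer proposes; the MX/A data are assumptions for the demo.
ZONE = {
    "racebooking.net": {
        "TXT": ["1|www.racebooking.net",                      # non-SPF TXT, ignored
                "v=spf1 mx a:mail0.racebooking.net -all"],
        "MX": ["mail.racebooking.net"],
    },
    "mail.racebooking.net": {"A": ["91.121.174.40"]},
    "mail0.racebooking.net": {"A": ["91.121.174.40"]},
}

# Same zone with the IPv6 address from the Gmail header added to the record.
# Without an ip6: term (or AAAA records on the listed hosts) an IPv6 client
# matches nothing and falls through to -all.
ZONE_IP6 = dict(ZONE)
ZONE_IP6["racebooking.net"] = {
    "TXT": ["v=spf1 mx a:mail0.racebooking.net ip6:2001:41d0:1:ef28::1 -all"],
    "MX": ["mail.racebooking.net"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(zone, name, rtype):
    return zone.get(name.lower(), {}).get(rtype, [])


def host_networks(zone, name):
    """A and AAAA records of a host as single-address networks (/32, /128)."""
    return [ipaddress.ip_network(addr)
            for rtype in ("A", "AAAA") for addr in lookup(zone, name, rtype)]


def spf_check(zone, domain, client_ip, depth=0):
    """Minimal check_host() (RFC 7208 s.4): ip4, ip6, a, mx, include and all
    with the four qualifiers. Macros, CIDR suffixes on a/mx, redirect= and
    exp= are not implemented and yield permerror instead of being ignored."""
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(zone, domain, "TXT")
               if re.match(r"v=spf1(\s|$)", t, re.I)]
    if not records:
        return "none"
    if len(records) > 1 or depth > 10:          # s.3.2 and s.4.6.4 limits
        return "permerror"
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER[qual]
        if name in ("ip4", "ip6"):
            nets = [ipaddress.ip_network(arg, strict=False)]
        elif name == "a":
            nets = host_networks(zone, arg or domain)
        elif name == "mx":
            nets = [n for mx in lookup(zone, arg or domain, "MX")
                    for n in host_networks(zone, mx)]
        elif name == "include":
            if spf_check(zone, arg, client_ip, depth + 1) == "pass":
                return QUALIFIER[qual]
            continue
        else:
            return "permerror"
        # An address of the other family is never "in" a network, so an IPv6
        # client silently fails to match A records and vice versa.
        if any(ip in n for n in nets):
            return QUALIFIER[qual]
    return "neutral"   # no mechanism matched and no "all" term (s.4.7)


if __name__ == "__main__":
    for zone_name, zone in (("proposed", ZONE), ("with ip6:", ZONE_IP6)):
        for client in ("91.121.174.40", "2001:41d0:1:ef28::1"):
            print(zone_name, client, spf_check(zone, "racebooking.net", client))
```

With the proposed record the IPv4 path passes and the IPv6 path, which is the one Gmail actually saw, fails hard because of `-all`; adding the `ip6:` term (or an AAAA record on `mail0`) fixes that. A real deployment should check both paths with the live resolver, or simply disable IPv6 on the outbound MTA until the record covers it.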

Outgoing mail is ending up in spam

I have a problem with all the mails sent from my company often ending up in the recipients' spam folder. It's from approximately 5-6 different mail addresses sending from the same mail server. We have a dedicated server that is both hosting our website as well as managing all mails and so forth.
We usually don't get any error messages when the mails either never arrive or end up in the recipients' spam folder.
But we received this one error message, so I hope you have an idea of what to do to keep our mails out of the spam folders. We might have to hire external developers to take care of the problem; I just want to get an idea of what the problem is, so I know if I can fix it, or tell the developers what to do.
"ANON" is put in to keep the mails involved anonymous. Should I delete anything else?
Error message:
-----Original message-----
From: Mail Delivery Subsystem [mailto:mailer-daemon@googlemail.com]
Sent: 27 September 2013 08:26
To: support@example.com
Subject: Delivery Status Notification (Failure)
Delivery to the following recipient failed permanently:
ANON@ANON.dk
Technical details of permanent failure:
Message rejected by Google Groups. Please visit
http://mail.google.com/support/bin/answer.py?hl=en&answer=188131 to review our Bulk Email Senders Guidelines.
----- Original message -----
X-Received: by 10.14.109.66 with SMTP id r42mr7804640eeg.43.1380263171652;
 Thu, 26 Sep 2013 23:26:11 -0700 (PDT)
Return-Path: <support@example.com>
Received: from server.example.com ([2a01:4f8:121:267::2])
 by mx.google.com with ESMTPS id
 o7si4443732eep.48.1969.12.31.16.00.00
 (version=TLSv1 cipher=RC4-SHA bits=128/128);
 Thu, 26 Sep 2013 23:26:11 -0700 (PDT)
Received-SPF: neutral (google.com: 2a01:4f8:121:267::2 is neither permitted nor denied by best guess record for domain of support@example.com) client-ip=2a01:4f8:121:267::2;
Authentication-Results: mx.google.com;
 spf=neutral (google.com: 2a01:4f8:121:267::2 is neither permitted nor denied by best guess record for domain of support@example.com) smtp.mail=support@example.com;
 dkim=neutral (bad format) header.i=@example.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=example.com; s=default;
 h=Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To:References:T
 o:From; bh=E5v2ubiy1T/bYA8pEndEZlZwb928MRpgJuoPSy8WsQE=;
 b=AbAc/65Y88xmhdGHxUUs3kK/1rOvTH0uEpPAVEN1sv8KNdJvzvRqiO72gqXan0M7wXRVeev6IJ
 0iumBwj875irmYAaST9hzm+eIF02whaZDgkzRr2jjJKN9bn11tBmtlTK0JzTGDUMf1Ij+qmI
 0iumBwj875irmYAaST9hzm+eIF02whaZDgkzRr2jjJKN9bn11tBmtlTK0JzTGDUMf1Ij+vdF
 0iumBwj875irmYAaST9hzm+eIF02whaZDgkzRr2jjJKN9bn11tBmtlTK0JzTGDUMf1Ij+f
 64lUpYIyyaqlNUYnaPt28=;
Received: from post.ABCDEFGHIJK.com ([xxx.xxx.xxx.xxx]:49696
 helo=WIN7UVQT1EBIRO)
 by server.example.com with esmtpa (Exim 4.80.1)
 (envelope-from <support@example.com>)
 id 1VPRUi-0008Dh-Os
 for ANON@ANON.dk; Fri, 27 Sep 2013 06:25:41 +0000
From: "ANON - example.com" <support@example.com>
To: "'XYZ ABC'" <a.bcd@efg.hi>
References: <E1VORD0-0007hu-Jn@server.example.com>
 <CACyHzxudCSh+4NOEu-_QR1yQYA=uR0DOrTTcgDsg9KcRLTWDFQ@mail.gmail.com>
In-Reply-To:
 <CACyHzxudCSh+4NOEu-_QR1yQYA=uR0DOrTTcgDsg9KcRLTWDFQ@mail.gmail.com>
Subject: SV: example.com: Ordre # 700003820 opdatering
Date: Fri, 27 Sep 2013 08:25:38 +0200
Message-ID: <00d501cebb4a$637159b0$2a540d10$@example.com>
MIME-Version: 1.0
Content-Type: multipart/related;
 boundary="----=_NextPart_000_00D6_01CEBB5B.26FF0BB0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGYr839QgwXgZ5pAdux+XF0Yh5W4AHfGYRhmjY70GA=
Content-Language: da
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.example.com
X-AntiAbuse: Original Domain - ANON.dk
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - example.com
X-Get-Message-Sender-Via: server.example.com: authenticated_id:
 support@example.com
X-Source:
X-Source-Args:
X-Source-Dir:
I needed to edit the MX records for the domains sending the mails; as the domains and websites were on the same server, the mail server couldn't comprehend it.
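The bounce above carries one detail worth more than the MX change: Gmail reported `dkim=neutral (bad format)`, which is a syntax verdict and has nothing to do with DNS or the key. In the quoted DKIM-Signature the `h=` list is folded in the middle of a header name (`...References:T` / `o:From`). Whether that fold was really in the header or was introduced by the mail client that quoted the bounce cannot be told from the page, but if it was there, it is a syntax error on its own: RFC 6376 allows folding whitespace around the colons of `h=`, not inside a name. The following is an added example, not from the question or answer: a Python checker that performs the format checks a verifier does before it touches DNS or cryptography, run over two constructed signature values, one folded legally and one reproducing the fold from the bounce. The `b=` value is a placeholder (base64 of a byte ramp, not a real RSA signature); `bh=` is the 32-byte value seen in the bounce.

```python
import base64
import binascii
import re

REQUIRED = {"v", "a", "b", "bh", "d", "h", "s"}                 # RFC 6376 s.3.5
DIGEST_LEN = {"rsa-sha1": 20, "rsa-sha256": 32, "ed25519-sha256": 32}
# RFC 5322 field-name: printable US-ASCII other than ':'; no whitespace at all.
HDR_NAME = re.compile(r"[!-9;-~]+")

# Constructed signature values. GOOD folds only where the RFC permits (after a
# colon in h=, inside the base64 of b=); BAD_FOLD reproduces the fold inside
# the header name "To" from the bounce quoted above.
GOOD_B = base64.b64encode(bytes(range(96))).decode()    # placeholder, not a real signature
GOOD_BH = "E5v2ubiy1T/bYA8pEndEZlZwb928MRpgJuoPSy8WsQE="  # 32 bytes, from the bounce
GOOD = ("v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=example.com; s=default;\n"
        " h=Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To:References:To:\n"
        " From; bh=" + GOOD_BH + ";\n"
        " b=" + GOOD_B[:64] + "\n " + GOOD_B[64:] + ";")
BAD_FOLD = GOOD.replace("References:To:\n From", "References:T\n o:From")


def parse_tags(value):
    """Split a tag=value list (RFC 6376 s.3.2). Values keep their raw text so
    that folding inside them can be inspected afterwards."""
    tags, errors = {}, []
    for part in value.split(";"):
        if not part.strip():
            continue
        name, eq, val = part.partition("=")
        name = name.strip()
        if not eq or not re.fullmatch(r"[a-zA-Z][a-zA-Z0-9_]*", name):
            errors.append(f"malformed tag: {part.strip()!r}")
        elif name in tags:
            errors.append(f"duplicate tag: {name}")
        else:
            tags[name] = val.strip()
    return tags, errors


def check_dkim_signature(value):
    """Syntax checks a verifier performs before any DNS lookup or signature
    verification. Returns a list of problems; empty means well-formed."""
    tags, errors = parse_tags(value)
    errors += [f"missing required tag: {t}" for t in sorted(REQUIRED - tags.keys())]
    if "v" in tags and tags["v"] != "1":
        errors.append(f"unsupported version: {tags['v']}")
    alg = tags.get("a", "")
    if alg and alg not in DIGEST_LEN:
        errors.append(f"unknown algorithm: {alg}")
    for t in ("b", "bh"):
        if t not in tags:
            continue
        raw = re.sub(r"\s+", "", tags[t])          # FWS inside base64 is permitted
        try:
            decoded = base64.b64decode(raw, validate=True)
        except binascii.Error:
            errors.append(f"{t}= is not valid base64")
            continue
        if t == "bh" and alg in DIGEST_LEN and len(decoded) != DIGEST_LEN[alg]:
            errors.append(f"bh= is {len(decoded)} bytes, expected {DIGEST_LEN[alg]} for {alg}")
    if "h" in tags:
        names = [n.strip() for n in tags["h"].split(":")]   # FWS around ':' is fine
        for n in names:
            if not HDR_NAME.fullmatch(n):
                errors.append(f"h= contains a malformed header name: {n!r}")
        if "from" not in {n.lower() for n in names}:
            errors.append("h= does not cover From (required by s.5.4)")
    d = tags.get("d", "").lower()
    if d and not re.fullmatch(r"[a-z0-9.-]+", d):
        errors.append(f"d= is not a domain: {d!r}")
    i = tags.get("i", "").lower()
    idom = i.rpartition("@")[2]
    if i and d and not (idom == d or idom.endswith("." + d)):
        errors.append(f"i= domain {idom!r} is not {d!r} or a subdomain of it")
    return errors


if __name__ == "__main__":
    print("GOOD:", check_dkim_signature(GOOD))
    print("BAD_FOLD:", check_dkim_signature(BAD_FOLD))
```

To apply this to a live message, feed it the value of the DKIM-Signature header as your MTA stored it (not a copy pasted through a mail client, which re-wraps long lines), and fix the signer's folding configuration if the fold inside `To` is genuine; the MX edit in the answer would not change that verdict.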

Email sent from VPS going into spam folder or being blocked

I've recently purchased a VPS and have set up my websites including SPF and DKIM (both pass). I've run the mail server (and website) IP through several blacklist checkers and found nothing.
I've set the hostname correctly (I think I have, anyway) but emails still seem to find their way into people's spam folder (even test emails). The emails do not contain spammy words; I've actually tested emails to my mum and still the same.
Here is an email header. What do you think could be causing this?
Delivered-To: toricksshoes@gmail.com
Received: by 10.58.12.194 with SMTP id a2csp326429vec;
 Thu, 1 Aug 2013 05:36:40 -0700 (PDT)
X-Received: by 10.60.97.1 with SMTP id dw1mr1074072oeb.1.1375360600533;
 Thu, 01 Aug 2013 05:36:40 -0700 (PDT)
Return-Path: <ricky@builderstoolkit.co.uk>
Received: from se1.atroxxhosting.co.uk ([174.136.14.186])
 by mx.google.com with ESMTPS id c1si1447632oeq.153.2013.08.01.05.36.40
 for <toricksshoes@gmail.com>
 (version=TLSv1 cipher=RC4-SHA bits=128/128);
 Thu, 01 Aug 2013 05:36:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of ricky@builderstoolkit.co.uk designates 174.136.14.186 as permitted sender) client-ip=174.136.14.186;
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of ricky@builderstoolkit.co.uk designates 174.136.14.186 as permitted sender) smtp.mail=ricky@builderstoolkit.co.uk;
 dkim=pass header.i=@builderstoolkit.co.uk
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=builderstoolkit.co.uk; s=default;
 h=Message-ID:Subject:To:From:Date:Content-Transfer-Encoding:Content-Type:MIME-Version; bh=WfUANWyObKlgHt0YFO0000p9rrW3lvnjXubb7xXJfGg=;
 b=Csn9FoqU6zX2YHB95CaH6dqtLinradRgaPjJm8OXwvbECFco/zCJLCddZK4SBMcM3vpDd8Wp9Nwn+YE0w J+cEmI1bJNvu97Tp32wvvBK4mOeYqddJoLtsjfjtQqryMbvzLLvHlZk9nqwTz/IjrwgyWsfW5s3YdmLJq3LvKS7S3M= ;
Received: from localhost ([127.0.0.1]:53993 helo=webmail.builderstoolkit.co.uk)
 by se1.atroxxhosting.co.uk with esmtpa (Exim 4.80.1)
 (envelope-from <ricky@builderstoolkit.co.uk>)
 id 1V4s7U-0004R5-Uz
 for toricksshoes@gmail.com; Thu, 01 Aug 2013 12:36:41 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: 7bit
One reason why your messages may be going to the SPAM folder is the lack of a positive reputation. Look at it from Gmail's perspective... about 80% of new sources of email are spewing malicious messages. Oftentimes Gmail and other mailbox providers look upon new sources of email as guilty until proven innocent. ReturnPath, an email reputation company, shows your IP as not having sent very much mail. https://senderscore.org/lookup.php?lookup=174.136.14.186
By sending good mail to people who want to receive your messages, your mail will begin to land in the inbox more often. Your only other option is to play around with your content. Try using different local address portions, domains, subjects, and content. If you include URLs like bit.ly, which is a domain commonly abused, you could find this to be the cause of your SPAM folder placement.
If all else fails just let one of the cloud email services deliver your messages on your behalf. I've personally used SocketLabs with success on some past projects. http://socketlabs.com
Good luck resolving your issue!

how to trace gmail sender from header?

Everyone knows changing the mail address in the address bar and pretending to send mail from someone else's account is easy..
so I looked up on Google "find out where email came from"
some of the links suggest: 1. Log into your account and open the email in question.
Click on the down arrow that's to the right of the Reply link. Choose Show Original from the list.
Now here's the technical part that I was telling you about earlier! You need to look for the lines of text that start with "Received: from".
I did all the above steps but found out that Gmail uses the mail client IP as the sender IP and not the IP of that particular PC (for security purposes, they say...). It has the sender's IP as mr.google.com and some private network IP (10.43.103.195).
so now my problem is: is there any damn way in the world to trace where the hell this mail came from??!! (at least the IP of the sender)?
This is the header I got when I followed the above 3 steps, which is of no use:
Delivered-To: xxxxxxxx@gmail.com
Received: by 10.204.40.79 with SMTP id j15csp110512bke;
 Fri, 22 Mar 2013 01:55:20 -0700 (PDT)
Return-Path: <xxxxxxxxxxx@gmail.com>
Received-SPF: pass (google.com: domain of xxxxxxxxxxx@gmail.com designates 10.43.103.195 as permitted sender) client-ip=10.43.103.195
Authentication-Results: mr.google.com;
 spf=pass (google.com: domain of xxxxxxxxxxxx@gmail.com designates 10.43.103.195 as permitted sender) smtp.mail=xxxxxxxxxxxx@gmail.com;
 dkim=pass header.i=@gmail.com
X-Received: from mr.google.com ([10.43.103.195])
 by 10.43.103.195 with SMTP id dj3mr548753icc.3.1363942518977 (num_hops = 1);
 Fri, 22 Mar 2013 01:55:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20120113;
 h=x-received:mime-version:from:date:message-id:subject:to
 :content-type;
 bh=Vi/MI39WKoec07maKoVjz5/ZzUxhO1k+BoeRUkBbWOc=;
 b=kZ/EniFvV15mZ9iBeKNiKsJsQvWHL5N8zqrazVxeKmAARQLotyAAIDU7Or9Xc1OBwY
 cwuPqSKmVX1RV7tX5wwcdYyzEA/gmskzgGteimv0BInTzVO7dwgi4gU5cZYdm6Qj/GMo
 rJfGs5ty6VjidYMFwyn0K5Z0frh2NX2e7RXP0R6da6U5WMU2bQ9epOD4ZhKF+bSdUvb9
 WGu3/HWJNTgwrFivspsA6q0M6JkQWYFM6J83h62kIgU897gsXkRlwPacn63tHySC6CNm
 DJZGzRJryQZEJTI4owOImP6XDrK+uxPDFAiTnIG5xFR8PBXsQp+FP+XcsqIHqXSjCtl1
 xXdQ==
X-Received: by 10.43.103.195 with SMTP id dj3mr548753icc.3.1363942518971; Fri,
 22 Mar 2013 01:55:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.134.164 with HTTP; Fri, 22 Mar 2013 01:54:58 -0700 (PDT)
From: xxxxxxxxxxxx@gmail.com
Date: Fri, 22 Mar 2013 14:24:58 +0530
Message-ID: <CACD4ahHmkbNCj9G5taUkXYC=K=n4qVvxY75SSSv3hUG00r6dkQ@mail.gmail.com>
Subject:
To: xxxxxxxx@gmail.com
Content-Type: multipart/alternative; boundary=bcaec5171a235666e504d87f9dd8
--bcaec5171a235666e504d87f9dd8
Content-Type: text/plain; charset=ISO-8859-1
If the sender uses gmail/yahoo/hotmail etc. to send an email (i.e. if they don't use third-party software like Outlook or Thunderbird), there is no way to find out the "PC IP address" because it's hidden for 'privacy reasons.' Probably the only legitimate way (other than through legal means) is to ask the sender to reveal their IP address (using such tools as https://verifyyourip.com).
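The manual procedure in the question (find the `Received: from` lines, read them bottom-up) can be done mechanically, and doing so makes the answer's point visible. The following is an added example, not code from the question or the answer: it parses the Received headers oldest-first, pulls out the bracketed peer address the receiving server recorded, classifies it with the standard library's `ipaddress`, and returns the earliest hop that is globally routable. Both header sets are constructed from ones quoted on this page: the Gmail webmail chain from this question (every hop is a 10.x address and the bottom one says `with HTTP`), and the Sendgrid-relayed chain from the first question on the page, where the originating application server shows up only as `unknown [10.60.208.17]` behind the provider's public host.

```python
import ipaddress
import re
from email import message_from_string

# Constructed header sets, modelled on the ones quoted on this page.
WEBMAIL = """\
Delivered-To: victim@gmail.com
Received: by 10.204.40.79 with SMTP id j15csp110512bke;
 Fri, 22 Mar 2013 01:55:20 -0700 (PDT)
X-Received: from mr.google.com ([10.43.103.195])
 by 10.43.103.195 with SMTP id dj3mr548753icc.3.1363942518977 (num_hops = 1);
 Fri, 22 Mar 2013 01:55:18 -0700 (PDT)
Received: by 10.64.134.164 with HTTP; Fri, 22 Mar 2013 01:54:58 -0700 (PDT)
From: sender@gmail.com

"""

VIA_PROVIDER = """\
Delivered-To: logger@company.com
Received: from o1.email.domain.com (o1.email.domain.com. [208.117.48.105])
 by mx.google.com with SMTP id m6si10752851oec.6.2012.07.31.04.25.27;
 Tue, 31 Jul 2012 04:25:28 -0700 (PDT)
Received: by 10.16.69.117 with SMTP id mf20.27729.5017C0A66
 Tue, 31 Jul 2012 06:25:26 -0500 (CDT)
Received: from email.domain.com (unknown [10.60.208.17])
 by mi15 (SG) with ESMTP id 5017c0a6.202a.a5e396
 Tue, 31 Jul 2012 06:25:26 -0500 (CST)
From: Editors <Editors@domain.com>

"""

# Address literal inside the "from" clause: [1.2.3.4] or [IPv6:2001:db8::1]
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def received_hops(raw):
    """Return the Received hops oldest-first as (from_clause, ip, with_proto).
    X-Received headers are deliberately not consulted: they are Google's own
    internal trace and not part of the standard chain."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())                       # unfold
        m_from = re.search(r"\bfrom\s+(.*?)\s+by\b", value)
        m_with = re.search(r"\bwith\s+([A-Za-z0-9]+)", value)
        ip = None
        if m_from:
            m_ip = IP_RE.search(m_from.group(1))
            if m_ip:
                try:
                    ip = ipaddress.ip_address(m_ip.group(1))
                except ValueError:                            # e.g. [xxx.xxx.xxx.xxx]
                    ip = None
        hops.append((m_from.group(1) if m_from else None,
                     str(ip) if ip is not None else None,
                     m_with.group(1) if m_with else None))
    return hops


def originating_ip(raw):
    """Earliest hop whose recorded peer address is globally routable, or None
    when the chain shows only private/loopback relays (typical for webmail)."""
    for _frm, ip, _with in received_hops(raw):
        if ip is not None and ipaddress.ip_address(ip).is_global:
            return ip
    return None


if __name__ == "__main__":
    for label, raw in (("webmail", WEBMAIL), ("via provider", VIA_PROVIDER)):
        print(label, received_hops(raw), "->", originating_ip(raw))
```

Two caveats a practitioner should keep in mind. First, for the webmail chain the function returns None because the information the asker wants was never recorded: the bottom hop is `with HTTP` from a 10.x address, so there is no client IP to find. Second, even when a public address is found, only the Received line added by your own MTA (the top one) is trustworthy; every line below it arrived as part of the message and can be forged by the sender, so the "earliest" hop is a claim, not evidence.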