Exim and Junk mail with Microsoft

LawsHosting

So, today a client said that all of their sent emails are going to Live/Outlook spam folders......

1. Told them to do this http://www.allaboutspam.com/email-server-test-report/index.php?key=C026FC9583B19C41DEBFA53A12B91743 (PASSED);

2. They are also seeing "xxxx suspects your message is spam and rejected it" from an Office365 domain they have not contacted before;

3. I've set up my own email address on the domain, and set up an Outlook email address, and done these:

3.1. When I send email to an outlook/etc email address via SMTP within GMail, it goes straight to junk, but SPF/DKIM PASS;

3.2. When I use the basic mail2web online mail client to send, straight to inbox, SPF/DKIM FAIL - due to no server interaction;

3.3. If I use Squirrel Mail, exim tries another hostname for the destination (mail . h-email . net), not a Microsoft one (I guess I should bin squirrel Mail);

3.4. When I use Roundcube, straight to junk with TEMPERROR for SPF;

3.5. If I send to a google email, no junk and SPF/DKIM PASS...

4. I'm a member of their Junk Mail Reporting Program, none of the IPs have issues.


I'm sooo confused...... Has anyone else encountered this scenario?
 
See also http://forum.directadmin.com/showthread.php?t=56002


With Roundcube not tested but mostly Roundcube webmail is ok, though if you changed the SPF Gmail and for all Microsoft gives while depending on which mailserver handles a tmp SPF error, if all servers are synchronized no more, but the MS servers take some time... :(

Mailserver local with SMTP over DA mailhost (the dynamic IP could be a problem).


BUT as I did see some changes maybe in ciphers that are not safe anymore, Dovecot, that could also be a problem, take care there while some older MS clients and mailservers (yup, the ones with security bugs) don't work with only newer ciphers and only TLS 1.2 .. sh...t

So mailclient dynamic ISP IPs are a ... in the ... at this moment, too much spam of blocked by that Spamhaus and some other RBL lists.


AND IPV6 should be set everywhere 100% also the reverse PTR record and so on

( no time to go and check more. ;)

Setting DMARC and receiving reports could help

While see Peter

https://internet.nl/mail/hirekaraoke.co.uk/

We have in MX the mailserver DA hostname mail.hostdomainserver.com for all mail and domains on it this is going better than set exim / dovecot all own sni / ssl mail and so on... for every domain itself
 
We suddenly had 4 of our servers, at the same moment, where all mail to Microsoft was deferred to their spamboxes without any reason. We comply with all rules and regulations of the RFCs and Microsoft and are a member of SNDS and the JMRP of Microsoft, where we got 0 notices of issues.
They are busy implementing the new outlook.com which might cause some issues, I'm not sure. In our case all 4 servers, at the same moment again, are able to send to MS inboxes again.
In our case even mails with SPF, DKIM and DMARC passing went into the spam folders.
I'm also a member of SNDS and JMRP and none of the IPs had issues and no reports or abuse mails were filed to us.

However, in your case it might be something else because:
2.) That's odd, could point to some spam delivered.
3.3.) Should be the same as with Roundcube, so strange but could be some Squirrel mail thing

3.4.) Why the Temperror for SPF? I presume your spf records are correct?

When it's 1 client, you might investigate further.

But try several domains on a couple of your servers.
If it's really a server you could file an investigation request with Microsoft.
 
Is that all? Hmmz... I've got 10/10 on mail-tester.com. But mail-tester also gives the causes. You're on 3 blacklists, no wonder Microsoft puts mail into junk folders.
However, I don't know about the separate HELO things you point out, I don't use that, maybe somebody else can provide some help with that.

When using ipv6, you have to create an rDNS for the ipv6 mx record, being the helo name the server will provide.

But to be honest, I use ipv6 on only 1 server. To prevent issues like this I just completely disabled it on the other servers. This one server is a live production server and you could say I'm testing if it works fine with ipv6 and csf/lfd configured for ipv6.
If it becomes really necessary I can always enable ipv6 for the others. But I don't think it will be necessary for several years yet.
 
This is getting annoying now, more and more clients are seeing their mails going to the junk in outlook (only).

1. Contacted Outlook via that form including all my (8) RIPE net blocks, they can't see anything odd or blocking - so how can I tell what is going on when they can't see anything wrong;
2. One IP does show some nn days red (spam) in SNDS - that ip belongs to a client running a mailing list for years;
3. Why do all my IPs act the same way: I tested 5 domains with 3 IPs from different net blocks, all email went to junk folder;

If I enable IPv6, how would that coincide with https://www.directadmin.com/features.php?id=1692 ?
 
1.) What -exactly- was their answer? Because they are blocking or moving to spam, so it must be on their side.
If you receive an answer like "Our investigation has determined that the above IP(s) do not qualify for mitigation." then this does not mean they can see anything odd. This means they are filtered for some reason.

2.) If one ip shows in red, this can be a cause. Depending on how long ago it is and if your other ip's are in the same range. Because often blocks are done against ip range.

3.) This could be caused by the same issue I had. But then again, depending on the answer from Microsoft.

Enabling IPv6 won't make any improvements on mail delivery at outlook.com (and hotmail and live.com), you do have to create another rDNS for IPv6 though, otherwise you will get into more spam lists.

I would suggest to firstly see if you can reach a higher score than 6.6 / 10 with mail-tester.

If you can state exactly the sentence used by MS in their answer, we can have a look further.
I'm almost sure you have to answer them to get further investigation.
 
We have completed reviewing the IP(s) you submitted. The following table contains the results of our investigation.
Not qualified for mitigation
<IP>, <IP>, etc
Our investigation has determined that the above IP(s) do not qualify for mitigation.
Found this, seems they're a git to reason with.

How do we deal with clients running legit mailing-lists, when their clients fail to unsubscribe properly and just hit "this is spam", or the like!? These lists are run correctly with an unsubscribe link in the email by the way.
 
Update: Been at this nearly all day..... Did another test from my cousin's site to my outlook test address....
Authentication-Results: spf=temperror (sender IP is 178.33.68.71) smtp.mailfrom=bikeboxhireuk.co.uk; outlook.com; dkim=pass (signature was verified) header.d=bikeboxhireuk.co.uk;outlook.com; dmarc=temperror action=none header.from=bikeboxhireuk.co.uk;Received-SPF: TempError (protection.outlook.com: error in processing during lookup of bikeboxhireuk.co.uk: DNS Timeout)

DNS Timeout?
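
An added example (not part of the original posts): parsing the Authentication-Results text pasted above into per-method verdicts. In RFC 7208 terms `temperror` is a transient, usually DNS, failure at the receiver, so it points at the domain's nameservers not answering Microsoft in time rather than at a wrong SPF record. Function names and hint texts are this example's own.

```python
import re

# Header text as pasted in the post above; Authentication-Results and
# Received-SPF arrive run together on one line.
SAMPLE = (
    "Authentication-Results: spf=temperror (sender IP is 178.33.68.71) "
    "smtp.mailfrom=bikeboxhireuk.co.uk; outlook.com; dkim=pass (signature was "
    "verified) header.d=bikeboxhireuk.co.uk;outlook.com; dmarc=temperror "
    "action=none header.from=bikeboxhireuk.co.uk;Received-SPF: TempError "
    "(protection.outlook.com: error in processing during lookup of "
    "bikeboxhireuk.co.uk: DNS Timeout)"
)

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)(?:\s*\(([^)]*)\))?", re.I)
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from|action)=([^\s;]+)", re.I)

# Hint texts are this example's own wording, keyed by result name.
HINTS = {
    "temperror": "transient DNS failure at the receiver; test every authoritative nameserver",
    "permerror": "published record could not be interpreted; check its syntax",
    "fail": "message did not satisfy the published policy",
}

def parse_auth_results(raw):
    """Return ({method: {result, comment, props}}, received_spf_text)."""
    auth, _, received_spf = raw.partition("Received-SPF:")
    auth = re.sub(r"^\s*Authentication-Results:", "", auth, flags=re.I)
    matches = list(METHOD_RE.finditer(auth))
    results = {}
    for i, m in enumerate(matches):
        # Properties for a method run up to the start of the next method.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(auth)
        props = {k.lower(): v for k, v in PROP_RE.findall(auth[m.end():end])}
        results[m.group(1).lower()] = {
            "result": m.group(2).lower(), "comment": m.group(3), "props": props}
    return results, received_spf.strip()

def findings(raw):
    """List (method, result, hint) for every method that did not pass."""
    results, _ = parse_auth_results(raw)
    return [(method, r["result"], HINTS.get(r["result"], "see the receiver's comment"))
            for method, r in results.items() if r["result"] != "pass"]

if __name__ == "__main__":
    for row in findings(SAMPLE):
        print(*row, sep=" | ")
```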
 
Our investigation has determined that the above IP(s) do not qualify for mitigation.
Which is exactly what I thought (and stated). This is a completely different ballgame than that you are not listed. They are only stating you will not be delisted. :)
Looks like you have the same problem I had.

As for the DNS timeout. I don't know.

However I found an issue which could also cause problems with mails sent to Microsoft, fix this first:
mail.bikeboxhireuk.co.uk Reverse DNS does not match SMTP Banner
The IP 178.33.xx.xx is resolving to another hostname, not to your mailserver. This is not obligatory, but Microsoft does not like this and this can already cause issues delivering mail to Microsoft accounts.

After you fixed this, reply to the email you got from them, like it says in there:
To have Deliverability Support investigate further, please reply to this email with a detailed description of the problem you are having, including specific error messages, and an agent will contact you.
So reply to the e-mail. First good thing is that you will be in contact with a real person. Only tell the truth and be polite.
State that you are working in compliance with their mail policies and best practices. Also state that you are a member of SNDS and JMRP (since you are) and you did not have any complaints via those systems and that the IPs are fine except maybe 1.
Don't forget to state that you check newsletters and all of them have unsubscribe links in them which will work.
Also state that you are not on any blacklists (if you're indeed not) and ask them to investigate why all your IPs do not qualify for mitigation.

Do not write anything which I wrote here, if it's not true, only state things that are correct.

You will probably get some answer about them being sent to the spamboxes because of the SmartScreen filters.
If you get this message, reply again and state that this could be the case for maybe 1 IP or 2, but not all at the same time and also that if this would be the case it's odd that you did not get any notification via SNDS or JMRP and ask if there is a possibility that they can investigate further because it's all at once (various IPs and addresses) which is odd by itself.

I did it the same way. And I even have DKIM and DMARC (which you don't) e-mail addresses which got blocked. I did not get an answer after that last reply, but 2 days later all our ip's were able to send e-mail directly to the inboxes of outlook accounts.

So it did help. It's the only thing you can try. If it won't work and you keep blocked... well... let's hope not.
 
However I found an issue which could also cause problems with mails sent to Microsoft, fix this first:
mail.bikeboxhireuk.co.uk
Reverse DNS does not match SMTP Banner
The IP 178.33.xx.xx is resolving to another hostname, not to your mailserver. This is not obligatory, but Microsoft does not like this and this can already cause issues delivering mail to Microsoft accounts.
So, how do we solve this issue if IPs are shared among domains?

I did contact them again and gave all my IP blocks this time, got this as a response

Most have
More information needed
<IP List>
We were unable to identify anything on our side that would prevent your mail from reaching Outlook.com customers.
and then, one whole net block has (mainly used for the main interface IPs for servers)
Not qualified for mitigation
<IP List>
Our investigation has determined that the above IP(s) do not qualify for mitigation.
 
So, how do we solve this issue if IPs are shared among domains?
In that case set the rDNS to the mailserver from the server's domain, mostly this is the admin domain. Your mailserver always sends a greeting when connecting to other mailservers. This is always the same even if you have multiple domains or send from another domain on that server using that domain's mail.domain.com setting as SMTP server in your Outlook client or whatever.
In your case your mailserver identifies with the smtp banner: mail.bikeboxhireuk.co.uk
So the rDNS for ip 178.33.xx.xx should point to this.

I did contact them again and gave all my IP blocks this time, got this as a response
Did you contact them again, or did you reply to that email, because that is a difference.
If you contact them again, then reply to that mail and state that you investigated and from all ip's from various domains mail is going directly to spamboxes of outlook.com/hotmail users.

You have to use reply instead of sending a new form, otherwise you won't be in contact with a real MS employee who can do something for you.

I would start by replying to the one with the netblock, you should not use a form per IP, but use 1 form and mention all IPs having issues, at least all IPs having issues that are present in SNDS.
So that's why the best option is to reply to the netblock stuff. Don't forget to state all the problems, the investigation you have done, provide them with part of the log so they can identify that the mail really has left your server and is in queue at their mailsystems, etc. As much info as possible.

But again.... first take care that on all your systems, that SMTP banner is set with a correct rDNS otherwise it's easy to have new issues or have them again if they fix them.
 
In that case set the rDNS to the mailserver from the server's domain, mostly this is the admin domain. Your mailserver always sends a greeting when connecting to other mailservers. This is always the same even if you have multiple domains or send from another domain on that server using that domain's mail.domain.com setting as SMTP server in your Outlook client or whatever.
In your case your mailserver identifies with the smtp banner: mail.bikeboxhireuk.co.uk
So the rDNS for ip 178.33.xx.xx should point to this.
Don't forget I'm using 1692
interface = <; ${if exists{/etc/virtual/domainips}{${lookup{$sender_address_domain}lsearch*{/etc/virtual/domainips}}}}
So the banner and IP reflects to that of the domain.

Shouldn't I be using this feature then?

I thought this would be better if an IP becomes an issue, individual IPs get blocked instead of the MAIN server's IP, thus not affecting every domain..... Thing is, I guess it has not gone the way I thought it would.
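
An added example (not from the thread and not DirectAdmin's code): a check for the "Reverse DNS does not match SMTP Banner" finding that also covers per-domain sending IPs, where every IP needs a PTR matching the HELO name used on it and that name must resolve back to the IP. The HELO name per IP is supplied by the caller; all addresses and hostnames in the sample data are constructed.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver ([] if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_addrs(host):
    """A/AAAA addresses for host from the system resolver ([] if none)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except OSError:
        return []

def norm(name):
    return name.rstrip(".").lower()

def check_sender(ip, helo, ptr=system_ptr, addrs=system_addrs):
    """Problems for one sending IP and the HELO/banner name used on it."""
    problems = []
    names = [norm(n) for n in ptr(ip)]
    if not names:
        problems.append("no PTR record")
    elif norm(helo) not in names:
        problems.append(f"PTR {names[0]} does not match HELO {norm(helo)}")
    # Forward-confirm: the HELO name must resolve back to the sending IP.
    forward = {ipaddress.ip_address(a) for a in addrs(norm(helo))}
    if ipaddress.ip_address(ip) not in forward:
        problems.append(f"HELO {norm(helo)} does not resolve to {ip}")
    return problems

# Constructed sample data (documentation address ranges and example names).
SENDERS = {"192.0.2.10": "mail.example.net",       # main server IP
           "192.0.2.11": "mail.client-a.example",  # per-domain IP, PTR left at provider default
           "2001:db8::25": "mail.example.net"}     # IPv6 enabled, no rDNS created
PTR = {"192.0.2.10": ["mail.example.net."], "192.0.2.11": ["ip11.provider.example."]}
ADDRS = {"mail.example.net": ["192.0.2.10"], "mail.client-a.example": ["192.0.2.11"]}

def sample_audit():
    return {ip: check_sender(ip, helo, lambda i: PTR.get(i, []), lambda h: ADDRS.get(h, []))
            for ip, helo in SENDERS.items()}

if __name__ == "__main__":
    for ip, problems in sample_audit().items():
        print(ip, "OK" if not problems else "; ".join(problems))
```

Calling `check_sender(ip, helo)` without the last two arguments uses the system resolver instead of the sample tables.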
 
Also, I am not sure why SPF is tempfail'ing... Domain's TXT spf entries are that of the server's IP.....

Sending to check-auth[@]verifier.port25.com results in a pass for spf and dkim.
 