Emails from POP/IMAP users go to SPAM folder

rszkutak (Verified User; joined Dec 22, 2003; 180 messages; location: Scottsdale, AZ & Clam Gulch, AK)
I've got one that I did some searching for here, but likely not enough to find the cause. I have a few customers on my server, and when they send emails from their Outlook or phone, the responses go to the spam folder of those they have responded to.

I did encounter this one time on my server prior to migration, but it was an odd duck and never appeared on a routine basis.

Do you have any ideas what it could be, or what could resolve this issue? Could the root cause of this be that we don't have DKIM & DMARC on this domain name? If so, I will work to get one in there.

Attached is the data from outlook for the headers.

--------------------------------------------------------------------------

Received: from BL3PR01MB6963.prod.exchangelabs.com (2603:10b6:208:35a::10) by
SJ0PR01MB6446.prod.exchangelabs.com with HTTPS; Fri, 28 Jan 2022 23:00:33
+0000
Received: from MWHPR20CA0026.namprd20.prod.outlook.com (2603:10b6:300:ed::12)
by BL3PR01MB6963.prod.exchangelabs.com (2603:10b6:208:35a::10) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.4909.8; Fri, 28 Jan 2022 23:00:31 +0000
Received: from MW2NAM10FT025.eop-nam10.prod.protection.outlook.com
(2603:10b6:300:ed:cafe::14) by MWHPR20CA0026.outlook.office365.com
(2603:10b6:300:ed::12) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4930.19 via Frontend
Transport; Fri, 28 Jan 2022 23:00:31 +0000
Authentication-Results: spf=pass (sender IP is 74.208.181.184)
smtp.mailfrom=eccomachine.net; dkim=none (message not signed)
header.d=none;dmarc=bestguesspass action=none
header.from=eccomachine.net;compauth=pass reason=109

Received-SPF: Pass (protection.outlook.com: domain of eccomachine.net
designates 74.208.181.184 as permitted sender)
receiver=protection.outlook.com; client-ip=74.208.181.184;
helo=ws1.bn-host.com;
Received: from ws1.bn-host.com (74.208.181.184) by
MW2NAM10FT025.mail.protection.outlook.com (10.13.154.132) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.4930.15 via Frontend Transport; Fri, 28 Jan 2022 23:00:30 +0000
Received: from [137.83.96.22] (helo=[IPv6:::ffff:192.168.1.107])
by ws1.bn-host.com with esmtpa (Exim 4.95)
(envelope-from <[email protected]>)
id 1nDaEG-000O8t-Cf
for [email protected];
Fri, 28 Jan 2022 16:00:28 -0700
MIME-Version: 1.0
To: Rob Szkutak <[email protected]>
From: Nick Bosco <[email protected]>
Subject: RE: Email test flow
Date: Fri, 28 Jan 2022 16:00:28 -0700
Importance: normal
 
when they send emails from their outlook or phone the responses go to the spam folder of those who they have responded to.
Just to be more clear: do the mails arrive in the Outlook spam folder? Or do the mails go to the spam folder of the accounts on the server?

It's not because you don't have DKIM and DMARC. You do have SPF and that's a good thing. It's very advisable to have DKIM enabled too. And good but not really required to use DMARC too.
But it doesn't seem to be the cause here.

Are the above headers from the receiving party, so from the mail which arrived in the spam folder? Because I'm missing any reason as to why it arrives in the spam folder.

Do you have SpamAssassin installed, and Easy Spam Fighter and BlockCracking active?
 
Richard.
I'm sorry for the delayed response; my GF decided to take me out of town for the weekend and I had to avoid my phone.

They go to the spam folder in my Office 365 account and also on customers' Yahoo, Gmail, Hotmail, etc. This email header is from a test they sent to me so I could review the notes on it.

I do not have SpamAssassin or similar installed on this server; my clients are routed through a mail cleaner spam filter, but soon it will be something else, as I have clients who only want filtering and not hosting, so it doesn't make sense to use SpamAssassin and the mail cleaner. This client in fact doesn't use the mail cleaner yet, as they are new to me and also using their domain email for the first time ever.

I created a DMARC entry for them just to be sure.
 
I created a DMARC entry for them just to be sure.
I hope you created DKIM too then, because DMARC is not really of any use without SPF and DKIM. Most important is that SPF and DKIM are present.

Seems there are more problems. With eccomachine.net there are nameserver issues with all 4 nameservers. Check intodns.com for it.
Other reasons are that eccomachine.net is on the UCEPROTECTL2 and UCEPROTECTL3 blacklists. Normally that is not that big an issue, but it could indicate that surrounding IPs are also known as spammers.
This can be a cause for big providers like Gmail, Microsoft and Yahoo to put you on their greylist, which could very well be the case, because I don't see any other reason in your headers showing why mail goes into spam.

And I have some experience with Microsoft. It's not always easy to get off their greylist, especially not when using new servers and an IP which you have only used for a short time.

So, in short: take care that all your systems are working in perfect order, including your nameservers.
Then test at mail-tester.com with the email; you need to get at least a 9/10 score.
After that, you can write to the big mail systems to ask them to remove your IP from their greylist. Microsoft can be some extra work. You might need to create a free SNDS and JMRP account with Microsoft, which can be helpful.
Gmail has something similar, a postmaster account or something like that.

P.s. don't worry about delayed responses, I'm just helping people here out of kind of a hobby. It's people's choice if they want to be helped, or are busy with other things or come back later for any other reason or not respond at all (which might also be for good reason). There is not a single obligation to respond to me within a certain time frame, especially since I'm not staff. I don't mind at all.

But I like your effort to write politely to me, and as for GFs and wives, don't tell me about it, LoL, I know how important that can be sometimes. :D
 
That's some great info, Richard. I was trying to do a multi-server setup on DA but I'm having some issues there, so I had DNS set up backwards. I have redone the name servers and it's now reflecting the correct name servers etc.

Upon doing the email test I am getting a 9/10 score; it's only crying about DKIM:
DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.

I see in a DA article that I am able to do DKIM on the server; it's something worth considering possibly. I want my users to have a solid experience and keep emails off the naughty list.

How is it looking to you?
 
Received: from DM8PR01MB7192.prod.exchangelabs.com (2603:10b6:8:7::22) by
SJ0PR01MB6446.prod.exchangelabs.com with HTTPS; Mon, 31 Jan 2022 22:43:06
+0000
Received: from BN9PR03CA0347.namprd03.prod.outlook.com (2603:10b6:408:f6::22)
by DM8PR01MB7192.prod.exchangelabs.com (2603:10b6:8:7::22) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.4930.17; Mon, 31 Jan 2022 22:43:04 +0000
Received: from BN7NAM10FT049.eop-nam10.prod.protection.outlook.com
(2603:10b6:408:f6:cafe::96) by BN9PR03CA0347.outlook.office365.com
(2603:10b6:408:f6::22) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4930.17 via Frontend
Transport; Mon, 31 Jan 2022 22:43:03 +0000
Authentication-Results: spf=pass (sender IP is 74.208.181.184)
smtp.mailfrom=eccomachine.net; dkim=none (message not signed)
header.d=none;dmarc=pass action=none
header.from=eccomachine.net;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of eccomachine.net
designates 74.208.181.184 as permitted sender)
receiver=protection.outlook.com; client-ip=74.208.181.184;
helo=ws1.bn-host.com;
Received: from ws1.bn-host.com (74.208.181.184) by
BN7NAM10FT049.mail.protection.outlook.com (10.13.157.3) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.4930.15 via Frontend Transport; Mon, 31 Jan 2022 22:43:03 +0000
Received: from ws1.bn-host.com ([127.0.0.1])
by ws1.bn-host.com with esmtpa (Exim 4.95)
(envelope-from <[email protected]>)
id 1nEfO2-001WTe-SQ
for [email protected];
Mon, 31 Jan 2022 15:43:02 -0700
MIME-Version: 1.0
Date: Mon, 31 Jan 2022 15:43:02 -0700
From: [email protected]
To: [email protected]
Subject: post dns adjustment testing
Message-ID: <[email protected]>
X-Sender: [email protected]
Content-Type: text/plain; charset=US-ASCII;
format=flowed
Content-Transfer-Encoding: 7bit
X-Authenticated-Id: [email protected]
Return-Path: [email protected]
X-MS-Exchange-Organization-ExpirationStartTime: 31 Jan 2022 22:43:03.6554
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
fb8e63d5-bff6-4c5c-3962-08d9e50b0ab3
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 50d7e119-4258-438a-87c3-f9c73beed919:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-AuthSource:
BN7NAM10FT049.eop-nam10.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: fb8e63d5-bff6-4c5c-3962-08d9e50b0ab3
X-MS-TrafficTypeDiagnostic: DM8PR01MB7192:EE_
X-MS-Oob-TLC-OOBClassifiers: OLM:2201;
X-MS-Exchange-Organization-SCL: 5
X-Forefront-Antispam-Report:
CIP:74.208.181.184;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:ws1.bn-host.com;PTR:ns1.bn-host.com;CAT:SPM;SFS:(13230001)(19618925003)(86362001)(7126003)(22186003)(108616005)(1096003)(8676002)(2616005)(5660300002)(9686003)(558084003)(26005)(24736004)(4270600006)(7636003)(36756003)(6966003)(356005)(336012)(3480700007)(58800400005)(6916009)(9786002)(43540500002)(20210929001);DIR:INB;
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Jan 2022 22:43:03.5304
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: fb8e63d5-bff6-4c5c-3962-08d9e50b0ab3
X-MS-Exchange-CrossTenant-Id: 50d7e119-4258-438a-87c3-f9c73beed919
X-MS-Exchange-CrossTenant-AuthSource:
BN7NAM10FT049.eop-nam10.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM8PR01MB7192
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.6923885
X-MS-Exchange-Processed-By-BccFoldering: 15.20.4930.022
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(910001)(944506458)(944626604)(920097)(930097)(3100021);RF:JunkEmail;
X-Microsoft-Antispam-Message-Info:
 
Sadly it still goes to the spam filter. Level 3 UCE is still there, but we know that's more or less a garbage blacklist, though people do pull off it. I think you more or less have to wait for the IP to do its own thing and be removed.
 
As said, DMARC is not really effective without DKIM. The most important things are SPF and DKIM. Often Google checks for the DKIM record, so yes, I would add this for all domains if I were you.
Here is a guide on how to enable that, and also a command to enable it for all existing domains automatically:

You really need that one. DMARC is nice, but it is extra, less important than SPF and DKIM.

A score of 9/10 is very nice. I would add the DKIM and then you will have the 10/10.
You might try to send to Gmail after that.

However, to get off the Microsoft greylist, you need a good reputation and a request to do so. For this to happen, all things must be in good order, so it's best that the DKIM record is functioning.

Also extremely important is that your rDNS record is correct with your MX records. For that eccomachine.net that looks good.

But for your main hoster domain bn-host.com name it's not.

Check this:

As you can see, there are still issues with DNS: the SOA serials don't match, and there are also MX issues.

Then I see an odd thing from intodns:
Code:
Your reverse (PTR) record:
184.181.208.74.in-addr.arpa -> ns1.bn-host.com
This is the wrong IP, but it can be that this is not synced yet in intodns, because if I see it correctly, at the moment this is pointing to the correct name.

However, your mailserver is pointing to your hostname, which is ns1.bn-host.com, but your mailserver is telling me it is called ws1.bn-host.com, which is possible. But by default, the mailserver has the same name as the hostname. Why did you change the mailserver to ws1?
Just out of curiosity?

The UCE blacklist is indeed not a real important one, often has false positives, but I don't know who still uses them.
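The headers pasted earlier in this thread can be triaged mechanically. The following Python script is an added example, not code from the thread or from DirectAdmin: it unfolds the RFC 5322 header lines, reads Microsoft's Authentication-Results, X-Forefront-Antispam-Report and X-Microsoft-Antispam-Mailbox-Delivery fields, and reports the points discussed above (SCL 5 spam verdict, no DKIM signature, HELO name ws1 differing from the PTR ns1, and a dmarc=bestguesspass result meaning no DMARC record exists). The sample headers are reconstructed from the post above with folding whitespace restored and the long SFS list omitted.

```python
import re

# Reconstructed from the headers posted in this thread (not a live capture):
# folding whitespace restored on continuation lines, long SFS list omitted.
SAMPLE_HEADERS = (
    "Authentication-Results: spf=pass (sender IP is 74.208.181.184)\n"
    " smtp.mailfrom=eccomachine.net; dkim=none (message not signed)\n"
    " header.d=none;dmarc=pass action=none\n"
    " header.from=eccomachine.net;compauth=pass reason=100\n"
    "X-Forefront-Antispam-Report:\n"
    " CIP:74.208.181.184;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;"
    "H:ws1.bn-host.com;PTR:ns1.bn-host.com;CAT:SPM;DIR:INB;\n"
    "X-Microsoft-Antispam-Mailbox-Delivery:\n"
    " ucf:0;jmr:0;auth:0;dest:J;OFR:SpamFilterAuthJ;RF:JunkEmail;\n"
)

def parse_headers(raw):
    """Unfold RFC 5322 folded lines; return {lower-case name: value}."""
    headers = {}
    for line in re.sub(r"\r?\n[ \t]+", " ", raw).splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_kv(value):
    """Split a 'Key:val;Key:val;' header value into {lower-case key: val}."""
    pairs = (item.partition(":") for item in value.split(";") if ":" in item)
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def auth_results(value):
    """Return {method: result} from Authentication-Results, comments stripped."""
    results = {}
    for clause in re.sub(r"\([^)]*\)", "", value).split(";"):
        m = re.match(r"\s*([A-Za-z]+)=([A-Za-z]+)", clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def triage(raw):
    """Explain from its own headers why Exchange Online junked a message."""
    h = parse_headers(raw)
    auth = auth_results(h.get("authentication-results", ""))
    report = parse_kv(h.get("x-forefront-antispam-report", ""))
    delivery = parse_kv(h.get("x-microsoft-antispam-mailbox-delivery", ""))
    scl = int(report.get("scl", -1))
    findings = []
    if scl >= 5:  # SCL 5-6 is spam, 9 high-confidence spam; dest:J means Junk folder
        findings.append(f"SCL {scl}, SFV:{report.get('sfv')}: marked as spam by the spam filter")
    if auth.get("dkim") != "pass":
        findings.append(f"dkim={auth.get('dkim', 'missing')}: message is not DKIM-signed")
    if auth.get("dmarc") == "bestguesspass":
        findings.append("dmarc=bestguesspass: no DMARC record published for the From domain")
    helo, ptr = report.get("h"), report.get("ptr")
    if helo and ptr and helo.lower() != ptr.lower():
        findings.append(f"HELO name {helo} differs from PTR {ptr} of the sending IP")
    return {"auth": auth, "scl": scl, "dest": delivery.get("dest"), "findings": findings}
```

Running `triage(SAMPLE_HEADERS)` on the reconstructed headers yields three findings: the SCL 5 spam verdict, the missing DKIM signature, and the ws1/ns1 HELO-versus-PTR mismatch.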
 
That was fine when I posted, now it's off again, so he's probably fixing other issues with DNS at the moment.
 
I was fixing those DNS issues yesterday and got a lot of them resolved and the intodns was coming back really clean. I adjusted RDNS and such.

Now this is beyond ODD. I went there this morning and it showed one of my DNS servers wasn't responding; now it's showing both aren't responding, yet both respond to "telnet ns1.bn-host.com 53". Also it's showing a boatload of errors there; I wonder if there is some kind of issue with the site today?

RDNS was also fixed and matched to the respective NS1.... names on the server not the host name of the server.

I think what's bothering me now is that intodns and mxtoolbox are both reporting that my DNS servers aren't responding, but the services are online. I also checked using iptables -nL and netstat -lnp | grep named, and both commands show DNS online without issues; they all also respond to telnet... My upstream firewall is also set to wide open both ways, so I know that's not the issue there.

I'm legit a bit perplexed....
 
Not good: both nameservers for eccomachine.net are on only one and the same IP!
ns2.bn-host.com.  Geen  74.208.22.36
ns1.bn-host.com.  Geen  74.208.22.36
 
I swear I'm gonna lose it today... it seems correct on GoDaddy and on the server itself.

I just moved my TTLs down to 450 for a few hours... let's see if something settles in shortly.

From DA on WS1.bn-host.com:
ns1.bn-host.com.  3600  A  74.208.181.184
ns2.bn-host.com.  3600  A  198.71.52.33
ns3.bn-host.com.  3600  A  74.208.22.36
ns4.bn-host.com.  3600  A  74.208.165.234

From DA on WS2.bn-host.com:
ns1.bn-host.com.  3600  A  74.208.181.184
ns2.bn-host.com.  3600  A  198.71.52.33
ns3.bn-host.com.  3600  A  74.208.22.36
ns4.bn-host.com.  3600  A  74.208.165.234

From GoDaddy:
NS2  198.71.52.33
NS1  74.208.181.184
ns3  74.208.22.36
ns4  74.208.165.234
 
i wonder if there is some kind of issue with the site today?
Don't worry too much. Sometimes when doing a lot of lookups on intodns, then they seem to cache or provide some odd results. If your nameservers are responding to telnet from outside, then you're fine, probably intodns will show you a day later too.

As far as I can see (with nslookup) all the nameservers are fine at the moment, at least all ip addresses are correct.
Seems only the SOA serials do not match. It's not that big a problem, but it will keep throwing that notice.

Just to be sure, check whether the MX IPs at your server and at GoDaddy match too.
 
Thank you. It seems everything has settled down and DNS is now showing good.

Now I signed up for the junk mail program for outlook.com and input my IPs there, and they are flagged... smfh

The latter 2 have never sent a single email out, and the first one has been active with me now for 5 days; I know all the users personally, and the outbound email count is low.

First IP        Last IP         Blocked  Details
198.71.52.33    198.71.52.33    Yes      Blocked due to user complaints or other evidence of spamming
74.208.22.36    74.208.22.36    No       Junked due to user complaints or other evidence of spamming
74.208.181.184  74.208.181.184  No       Junked due to user complaints or other evidence of spamming

only black list i am showing on is
UCEPROTECTL3
UCEPROTECTL2

I don't know why anyone uses and or trusts this extortion campaign they run there...
 
and input my IP's there and they are flagged... smfh
I was already afraid of that, because Microsoft has its own grey- and blacklist policies which are not always visible. Joining both the SNDS and JMRP programs helps with that and with prevention.

the latter 2 have never sent a single email out and the first one has been active with me now 5 days
I'm almost sure that the flags arose before you had the IP, so from previous owners. They might even be flagged for your host or datacenter, so an IP range, if lots of IPs in the range are sending spam.

So again, don't worry too much about the UCEprotect, because I don't think many use those due to often false flags.

So you got 1 really blocked ip and 2 greylisted (goes to spamboxes). Little you can do about that. You can ask Microsoft to release them and remove the others from the greylist, since you're a new user and don't send spam and everything on your server is in good order.

However, if 3 IPs from that datacenter or the host you got the server from already have these flags, I'm wondering if it's a good idea to stay there if you don't use an external mail service. I hope you can get the bans lifted by Microsoft.
 