Old 01-19-2011, 08:52 AM   #1
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Rep: Reputation: 70
A question about smtp relaying...


I have server A (mail.domain.com) with a legitimate email IP address that is not blacklisted. I have server B (sub.domain.com) with a dynamic IP and whose IP has been manually blacklisted by request of the ISP. Both have postfix installed.

I can send mail from server A to hotmail with no problem. I send mail as domain.com which is configured in the /etc/postfix/main.cf as mydomain=domain.com.

On server B I have the smtp server use server A as a relayhost so that email would be sent from server A, the legitimate IP address.

Here's my problem. When I send mail from server A, I receive it in hotmail as coming from domain.com. When I send mail from server B, which relays through A, to hotmail it goes to my spam folder if I have it coming from domain.com. However, if I tweak the origin in the /etc/postfix/main.cf and the email sends as coming from sub.domain.com then the email ends up fine in the inbox of hotmail.

What should I be changing? It's like hotmail does a check that if server B is who he says he is, it accepts it into the inbox, else it sends it to spam.
 
Old 01-20-2011, 02:09 AM   #2
120
Member
 
Registered: Oct 2010
Posts: 46

Rep: Reputation: 9
SPF records for sub.domain.com
A: Exist?
B: Authorise relay to send for it?
 
Old 01-20-2011, 03:19 AM   #3
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Rep: Reputation: 70
Oh wow, why didn't I think of that. Not sure if hotmail checks that, but will definitely test that out. Thanks hehe.
 
Old 01-20-2011, 03:21 AM   #4
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Rep: Reputation: 70
Wait no, I do have it listed as a valid sender of mail.
 
Old 01-21-2011, 01:23 AM   #5
120
Member
 
Registered: Oct 2010
Posts: 46

Rep: Reputation: 9
Yes, Hotmail *do* check SPF. It forms a notable part of their spam filtering.

Without looking at the headers it is hard to say exactly what the issue is - but as you probably don't want to post full headers here with IP addresses, it's a bit of a guess. Personally I would check the top 'received from' header line and make sure PTR works and maps both ways. I'd check that the envelope from domain was listed in the SPF record for the final connecting IP. I'd also be interested to study other headers to see if there is anything that jumps out. Hotmail sometimes key on public IP's in other received from headers - so if the subdomain IP is appearing, I'd look to see if the address was dynamic/static and had good PTR + SPF.

But like I say, without having a full example in front of me, it's hard to be sure.
 
1 members found this post helpful.
Old 01-22-2011, 02:53 PM   #6
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Rep: Reputation: 70
Here are the mail headers of an email sent from my server to my relay host (my real smtp server and mx record) and then off to hotmail. I replaced my IP addresses with tags, yet I feel this is pointless cause you can simply ping the domains.

IP1 is my mail server. IP2 is my server I'm sending from that uses IP1 as a mail relay. This ends up in spam. I have IP2 in an SPF record. However, IP2 is a Time Warner dynamic IP, so PTR checks will fail. Where can I see a PTR check in this header? However, the weird thing is that I have sent email before this way and it ended up in the INBOX.

PTR are probably the culprit, just trying to figure out why it has worked before. Is there anything on my mail relay (smtp server) that I should be looking at? Like domain masquerading or anything?

Also another thing, when I send mail directly from IP1 it sends as darkterminal.net yet when I send from IP2 it sends as darkstar.darkterminal.net. The only way I've found to fix this is to edit the myhostname in /etc/postfix/main.cf in IP2 from darkstar.darkterminal.net, however I was thinking it would affect it, but I'm coming to think that it doesn't.

Also darkterminal.net actually resolved to IP2, yet I have IP1 mail.darkterminal.net be my MX and my smtp server.

So PTR are reverse map checks. Are any forward regular dns checks made as well? Like to see if darkterminal.net resolves to a non internal IP?

I'd love to know more about this area because I'm very weak in it.

Code:
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtTQ0w9Mw==
X-Message-Status: n
X-SID-PRA: root@d.d.net
X-AUTH-Result: NONE
X-Message-Info: JGTYoYF78jEu905dgLxgZjukPR+kR0ULDjhLtKVM7oU2CafABIASQpYpVvHYcQSYjGPC6dg0kdri2aaHW2t1CihIfSjwyOncXA/0/+1eOXM=
Received: from z.d.net ([IP1]) by SNT0-MC1-F34.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
	 Sat, 22 Jan 2011 12:33:41 -0800
Received: from d.d.net (darkstar [IP2])
	by z.d.net (Postfix) with ESMTP id D70A4F0BFD;
	Sat, 22 Jan 2011 14:33:40 -0600 (CST)
Received: by d.d.net (Postfix, from userid 0)
	id 9290380EE6; Sat, 22 Jan 2011 14:33:40 -0600 (CST)
Date: Sat, 22 Jan 2011 14:33:40 -0600
To: r.tristan.gonzalez@gmail.com, thartanian@hotmail.com
Subject: test7
User-Agent: Heirloom mailx 12.4 7/29/08
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20110122203340.9290380EE6@d.d.net>
From: root@d.d.net
Return-Path: root@d.d.net
X-OriginalArrivalTime: 22 Jan 2011 20:33:41.0341 (UTC) FILETIME=[A809C8D0:01CBBA73]

test
7

Last edited by trist007; 01-23-2011 at 07:52 AM.
 
Old 01-23-2011, 03:54 AM   #7
120
Member
 
Registered: Oct 2010
Posts: 46

Rep: Reputation: 9
Picking over the various bits and pieces of this, and just to be clear.
When you send from the main relay with the IP address ending in 102, that drops into a hotmail account inbox without going to spam, yes? But if you relay through it from Roadrunner address ending in 202 it junks it?

First question I would ask, before even looking at the SMTP stuff is this; during your testing (and we all do this in error) did you inadvertently click on the 'not junk' option in Hotmail for tests from the relay itself? What I would do is use fresh hotmail, gmail, yahoo and gmx accounts and test again - just to be absolutely sure no manual/auto whitelisting has taken place. This will only work reliably for the first test mail you send - so make it realistically like anything you will normally be sending. I'm going to PM you a couple of email addresses to send tests to as well, that way I can see the headers as I want them in private.

Moving to your posted headers - and I've removed them from the quoted chunk so you retain the power to edit your earlier post and delete them:


Quote:
Originally Posted by trist007 View Post
PTR are probably the culprit
From a DNS perspective, PTR is fine for both machines. They both resolve back and forth as they should. The only slight reservation on this is that clearly the second host has generic and dynamic type PTR. Really that should not matter as it is natural for remote smtp clients on dynamic addresses to connect to SMTP servers to send mail. I do note that the RR address concerned is listed in the SORBS blocklist. I'm not aware of Hotmail using SORBS in their decision making process, but it's not entirely impossible that it plays a part - or. Don't even waste your time trying to get delisted if that address is dynamic. I won't go into the politics because I rather like Michelle Sullivan and SORBS on ethos alone, but getting de-listed is notoriously difficult.

Quote:
Originally Posted by trist007 View Post
Also another thing, when I send mail directly from IP1 it sends as d.....net yet when I send from IP2 it sends as d....d....net. The only way I've found to fix this is to edit the myhostname in /etc/postfix/main.cf in IP2 from d....d....net, however I was thinking it would affect it, but I'm coming to think that it doesn't.
Potentially it very much could but it depends on the whole line of the first 'received from' header. As Postfix goes you get three bits of info: Let me expand a little with an example:

Received: from foo.com (mail.bar.com [1.2.3.4])
This says that the remote server HELO'd/EHLO'd with 'foo.com', it connected from 1.2.3.4 and the reverse (ptr) for 1.2.3.4 was 'mail.bar.com'. What is important is that the 'helo' hostname - which can be quite different - *can* be keyed on when checking for potential spam. Some systems can use simple header checks for this, others make use of SPF on this (and the 'from' domain too) - so don't rule this out. Personally if your relay machine had reverse DNS that said it was called 'mail.foo.com' I'd make sure it helo'd with a hostname of 'mail.foo.com'. Consistency is the key and while this may not be playing a big part in the Hotmail issue, it may be combining with other issues to just trip the score. Also, it may play problems with other freemail providers. It's not unusual to see the HELO hostname different from reverse PTR, but in the golden game of email deliverability I personally would want that correct.

Quote:
Originally Posted by trist007 View Post
Are any forward regular dns checks made as well? Like to see if d.....net resolves to a non internal IP?
It depends on the receiving system but in many cases, yes. Some systems check for valid A records in non dynamic address space, MANY systems check the address of the AUTH name servers. I note one of yours is on a RR residential IP and I'd be really surprised if a couple of well known anti-spam devices did not bang the score up if you mentioned your domain name in the body of a mail, given that it appears in one or more blocklist(s). That said, it should not be *the* issue causing your problem as you can successfully deliver mail direct from the relay on its own. I mention it as it may cause you trouble later on - or be combining with other small issues to tip over the scales.

I'd also mention your SPF record. Yes, it permits both IP's to send. Personally, until I had this issue sorted I'd change the end of it from '-all' to '~all'.

I'll PM you some test email addresses - if you can fire off a full test to all of them I may just spot something in concrete if that's any use to you.

EDIT
Can't PM you by the look of it, so I'll send email to the domain if that's OK.

There is also the option to 'hide' headers in postfix with something like this (I'll use internal examples)

Quote:
FILE: /etc/postfix/maps/header_checks
#hide internal IPs added by postfix on the way out
/^Received:.*\[127\.0\.0\.1/ IGNORE
/^Received:.*\[10\.24\.55\.1/ IGNORE
/^Received:.*\[192\.168\.0\./ IGNORE
Then link that into main.cf with a line like this at the bottom:

header_checks = regexp:/etc/postfix/maps/header_checks

Naturally you could tell this to ignore the RR dynamic address if you get my drift.

Last edited by 120; 01-23-2011 at 04:07 AM. Reason: UPDATE
 
1 members found this post helpful.
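The HELO / PTR / IP reading of a Postfix `Received: from` line described in post #7, as an added example that is not part of the original posts. It parses only the Postfix layout quoted there; the function names and finding labels are assumptions, and the sample lines are constructed from the addresses used in the thread.

```python
import ipaddress
import re

# Postfix layout: Received: from <HELO name> (<PTR name> [<client IP>])
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<ptr>\S+)\s+\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)

def parse_received(line):
    """Return the helo/ptr/ip fields of one Received line, or None if absent."""
    m = RECEIVED_RE.match(line.strip())
    if m is None:
        return None
    return {"helo": m["helo"].lower(), "ptr": m["ptr"].lower(), "ip": m["ip"]}

def review_hop(line):
    """List the consistency problems a receiving filter could key on."""
    hop = parse_received(line)
    if hop is None:
        return ["unparsed"]
    findings = []
    if hop["ptr"] == "unknown":        # Postfix writes 'unknown' when reverse lookup fails
        findings.append("no-ptr")
    elif hop["helo"] != hop["ptr"]:
        findings.append("helo-ptr-mismatch")
    if "." not in hop["helo"]:
        findings.append("helo-not-fqdn")
    try:
        if ipaddress.ip_address(hop["ip"]).is_private:
            findings.append("internal-ip")
    except ValueError:                 # redacted tags such as [IP2] end up here
        findings.append("bad-ip")
    return findings

# Constructed sample lines (the second and fourth mirror lines quoted in the thread).
SAMPLES = [
    "Received: from mail.foo.com (mail.foo.com [1.2.3.4])",
    "Received: from foo.com (mail.bar.com [1.2.3.4])",
    "Received: from darkstar (unknown [192.168.0.5])",
    "Received: from d.d.net (darkstar [IP2])",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(review_hop(sample), sample)
```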
Old 01-23-2011, 01:07 PM   #8
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Rep: Reputation: 70
Got your email. I'm going to fire off those emails right after this post as well.

1. Now what if I use a soft fail '~' in the SPF record. What happens when neither of the two ip4 entries match the sending server? Would that just rack up less points than a hard fail?

Going to send out those emails right now.
 
Old 01-24-2011, 01:15 AM   #9
120
Member
 
Registered: Oct 2010
Posts: 46

Rep: Reputation: 9
Got your test mails - the hotmail example went directly to 'junk' (all others OK). I think I can see why:

Quote:
173.x.x.102 is neither permitted nor denied...domain of root@dxxxx.dxxxx.net)
Your 'from' is using a subdomain of your .net (probably meant to be the hostname, but that is not how it is being interpreted). There are no SPF records for the subdomain, just the main.net - so the SPF neither fails nor succeeds.

As for changing the dash to the tilde (- to ~) it will just make errors in your SPF a bit more forgiving. Your interest in SPF is (and I'm guessing) probably to help deliverability, rather than to stop forgery.
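The SPF outcomes discussed in posts #8 and #9, as an added example that is not part of the original posts: an envelope-from on a subdomain with no SPF record of its own evaluates to "none", and `-all` versus `~all` only changes the result for an unlisted sender. The zone data, domain names and function name are constructed assumptions, and only the `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed zone data: only the parent domain publishes an SPF record.
ZONE_HARD = {"example.net": ["v=spf1 ip4:1.2.3.4 ip4:1.2.3.5 -all"]}
ZONE_SOFT = {"example.net": ["v=spf1 ip4:1.2.3.4 ip4:1.2.3.5 ~all"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, envelope_from, zone):
    """Evaluate SPF for the exact envelope-from domain (ip4 and all only)."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    records = [t for t in zone.get(domain, [])
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"              # the parent domain's record is not consulted
    if len(records) > 1:
        return "permerror"         # more than one SPF record is an error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError("mechanism not handled in this example: " + term)
    return "neutral"               # record ended without a matching term

if __name__ == "__main__":
    # Relay IP is listed, but the sender address uses the bare hostname as domain.
    print(check_spf("1.2.3.4", "root@host.example.net", ZONE_HARD))
    print(check_spf("1.2.3.4", "root@example.net", ZONE_HARD))
    # Unlisted sender: hard fail versus soft fail.
    print(check_spf("9.9.9.9", "root@example.net", ZONE_HARD))
    print(check_spf("9.9.9.9", "root@example.net", ZONE_SOFT))
```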
 
  

