Why am I unable to deliver mail consistently to AOL/Hotmail/Yahoo/etc (and other SMTP, PTR, EDNS woes)

February 7th, 2006
by Christopher Kusek (PKGuild)

This inability is due to some email domains adoption of the RDNS (Reverse DNS) checking. The belief is, if you have a valid reverse DNs (Read: Valid = Any reverse DNS entry usually), then you are a “Valid Domain” to handle email from. Until the actual adoption of validated authentication which may come in the future, for the time being you can work around this inability to mail by having a valid PTR!

How this works is, the machine which will actually connect to the Internet and send email needs to have a valid PTR assigned to its IP address.
Below are steps detailed how to check that.

First, let’s discover the MX record for your domain, and the PTR record for your sending email server.

(Using Nslookup, we’ll check the details for hotmail.com)

We’re launching nslookup and looking at the details of the domain hotmail.com
C:\> nslookup
Default Server: vnsc-bak.sys.gtei.net
Address: 4.2.2.2

>set type=mxSetting the type to MX will show us the Mail Exchanger records for the domain
>hotmail.comEnter a domain here, and it will display our Mail Exchangers
Server: vnsc-bak.sys.gtei.net
Address: 4.2.2.2
Non-authoritative answer:
hotmail.com MX preference = 5, mail exchanger = mx4.hotmail.com
hotmail.com MX preference = 5, mail exchanger = mx1.hotmail.com
hotmail.com MX preference = 5, mail exchanger = mx2.hotmail.com
hotmail.com MX preference = 5, mail exchanger = mx3.hotmail.com
>

Now that we know the MX entries for inbound, we’ll check if they have a valid PTR

> set type=aThis will allow us to see the IP address assigned to the MX entries
> mx1.hotmail.com

Server: vnsc-bak.sys.gtei.net
Address: 4.2.2.2

Non-authoritative answer:
Name: mx1.hotmail.com
Addresses: 64.4.50.50, 65.54.244.8, 65.54.244.136, 65.54.245.8

> set type=ptrNow we’ll check if they have a valid PTR
> 64.4.50.50The IP Address of the Mail Exchanger is specified here

Server: vnsc-bak.sys.gtei.net
Address: 4.2.2.2

Non-authoritative answer:
50.50.4.64.in-addr.arpa name = mail.hotmail.com
50.50.4.64.in-addr.arpa name = mc1-reserved.bay6.hotmail.com

So, according to this, they have a valid record
If you received something similar to
*** vnsc-bak.sys.gtei.net can’t find 1.1.1.1.in-addr.arpa.: Non-existent domain
Then you do not have a valid PTR setup

If you’ve followed these steps and checked the PTR for the inbound mail receiver, now you should check the outbound.
Sometimes Inbound does not match the Outbound, so visit the following site from your mail server and you can check your IP address.

From your outbound mail server (The Mail server itself or an SMTP scanning/relayer) visit the following website:
www.pkguild.com/ip (There is also a link off the main site here – “Click here for your IP Address”)

And your results should look like this:

C:\>nslookup
Default Server: vnsc-bak.sys.gtei.net
Address: 4.2.2.2

> set type=mx
> pkguild.com
Server: vnsc-bak.sys.gtei.net
Address: 4.2.2.2

Non-authoritative answer:
pkguild.com MX preference = 0, mail exchanger = pkguild.com

pkguild.com internet address = 70.103.189.81
> set type=ptr
> 70.103.189.81
Server: vnsc-bak.sys.gtei.net
Address: 4.2.2.2

Non-authoritative answer:
81.189.103.70.in-addr.arpa name = box81.bluehost.com
>

At this point, with a valid PTR – You can check to see if you can send mail by hand to these domains.

C:\> telnet mx1.hotmail.com

220 bay0-mc5-f9.bay0.hotmail.com. Mon, 6 Feb 2006 09:35:02 -0800
helo peters.com
Enter helo domain.com where domain.com is the site you claim to be from
250 bay0-mc5-f9.bay0.hotmail.com (3.1.0.18) Hello [216.130.119.48]
mail from: <Christopher.Kusek@Pkguild.com>
Enter mail from: <user@domain.com> this will dictate who it comes from.
250 Christopher.Kusek@Pkguild.com.Sender OK
rcpt to: <christopher.kusek@hotmail.com>
Enter rcpt to: <user@hotmail.com> this will be the recipient of the message.
250 christopher.kusek@hotmail.com
data
Enter data – this allows you to start putting input of content in the message.
Test test mc test
Enter some kind of data.
.
Put a . and it commits the email and sends it.
354 Start mail input; end with .
250 <BAY0-MC5-F9gDznmG3d00498dc8@bay0-mc5-f9.bay0.hotmail.com> Queued mail for delivery
A simplified test of it which can be pasted into a telnet window are like this.
(After you have initiated your telnet)
helo domain.com
mail from:
user@domain.com
rcpt to: user@domainIamConnectedto.com
data
test
.

Often times, you may also encounter an issue where Exchange is unable to deliver mail to some domains or reports errors on your server. This can happen when you have EDNS enabled on Windows 2003 DNS servers (Enabled by default)
To disable EDNS, you must first install the dnscmd.exe command-line tool from the Windows 2003 CD-ROM’s Support Tools. (\Support\i386\Suptools.msi)
From a command prompt type

dnscmd /config /enableednsprobes 0

This will then disable EDNS (You may need to restart the DNS Services on the 2003 DNS Server for it to take effect)


An external DNS query may cause an error message in Windows Server 2003
http://support.microsoft.com/kb/828731/en-us

DNS query responses do not travel through a firewall in Windows Server 2003
http://support.microsoft.com/kb/828263/en-us

Some DNS Name Queries Are Unsuccessful After You Upgrade Your DNS Server to Windows Server 2003
http://support.microsoft.com/kb/832223/en-us

Posted in Exchange, Informational, Microsoft | Comments (1)

  • Lovely blog! I am loving it!! Will come back again. I am bookmarking your feeds also.

  • Archives