
My E-mail appears as spam | Troubleshooting – Mail server | Part 13#17

The current article and the next articles are dedicated to the troubleshooting scenarios in which the “element” that is blacklisted is not our domain name but instead, our mail server.

What is the meaning of: “our mail server”?

When we say: “our mail server,” the term can be translated into two types of identities:

  1. Mail server IP address
  2. Mail Server Hostname – the mail server hostname could map into one or more IP addresses

This distinction is important because, in a scenario in which we want to figure out if our mail server appears on a blacklist, we will need to know the mail server hostname and also the IP address that is “mapped” to the mail server hostname.

For example, most of the websites that enable us to verify if our mail server appears on a blacklist will query the blacklist provider’s database by using the mail server IP address and not the mail server hostname.

Mail server IP, hostname and Exchange Online

OK, now let's make it even more complicated.

Q: In a scenario in which Exchange Online hosts our mail infrastructure, is there a “dedicated Exchange Online mail server” that represents our organization or our domain name?

A: In reality, there is no such “dedicated Exchange Online server” that is allocated only to our Office 365 tenant (our domain name). Instead, there is a “logical Exchange Online server” that is assigned or “attached” to our domain name. The host name of this “logical Exchange Online server” will be published in our MX record.

You can get information about your Exchange Online host name by reading the article My E-mail appears as spam | Troubleshooting – Mail server | Part 15#17.

Q: Does the “logical Exchange Online server” that represents our domain name have a dedicated public IP address that is assigned only to our organization?

A: The “logical Exchange Online hostname” is “mapped” to, or “represented” by, a public IP address. This IP address does not “belong” only to our domain name but is instead shared with other Office 365 tenants.

Or in other words: the same Exchange Online servers that send out our E-mails serve additional Office 365 customers.

A Scenario in which our mail server is blacklisted.

Q: What are the chances of a scenario in which the “logical Exchange Online server” that represents our domain name will appear as blacklisted?

A: The chances are very, very small.

Q: Why do you think that the chances for a scenario in which the “logical Exchange Online server” that represents our domain name will appear on a blacklist are minuscule?

A: My answer is based on my experience and very simple logic: the “logical Exchange Online server” that represents our domain name represents, at the same time, hundreds of thousands or even millions of users. The “Exchange Online infrastructure” doesn’t have the “luxury” to be blacklisted.

Q: So, is there some chance that an Exchange Online server IP address will appear as blacklisted?

A: There is a scenario in which an Exchange Online server will appear as blacklisted, but this situation applies only to a particular dedicated Exchange Online server pool named: High Risk Delivery Pool.

In a scenario in which an E-mail is sent via the Exchange Online High Risk Delivery Pool and one of the Exchange Online High Risk Delivery Pool servers appears on a blacklist, the “problem” is not related to the particular Exchange server from the “Exchange Online High Risk Delivery Pool.”

The “root cause” is the “problematic E-mail message”, which was identified by Exchange Online as spam \ junk mail and, for this reason, was routed via the Exchange Online High Risk Delivery Pool.

Non-Exchange Online based mail infrastructure

Q: In a scenario in which the E-mail organization infrastructure is not based on Office 365 and Exchange Online servers, what are the chances that my mail server host name or IP address will appear on a blacklist?

A: In case that your mail infrastructure is not based on Exchange Online or in case that you use mixed mail infrastructure that includes: on-Premises mail infrastructure + “cloud mail infrastructure” (Exchange Online), there could be a scenario in which your mail server (host name or IP address) will appear as blacklisted.

One of our users got an NDR which informs him, that his mail server is blacklisted!

In a “pure” Exchange Online environment (cloud only client) there could be a scenario in which the Exchange Online server IP address will appear as blacklisted, but it can be said that there is certainly a chance that the IP address “belongs” to the Exchange Online High Risk Delivery Pool.

In that scenario, my opinion is that there is no point in investing time and energy in trying to remove the IP address from the blacklist, for a very simple reason: the IP address is not yours.

As an Office 365 customer, your domain name is represented by the Exchange Online server and the Exchange Online server IP address, but you don’t own this “IP address”.

This scenario is different from a situation in which your domain name is blacklisted because, in this case, you (your organization) are the owner of the domain name.

In a situation in which you are informed that “your mail server” is blacklisted, 99% of the time the IP address probably belongs to the Exchange Online High Risk Delivery Pool.

In this case, the most efficient troubleshooting step is to verify with your users what the special characteristics were of the E-mail message they sent that “led” to the scenario in which the E-mail was identified as spam by the Exchange Online infrastructure and, for this reason, was routed via the Exchange Online High Risk Delivery Pool.

Q: What happens if I think that the blocked mail server IP address, is the legitimate Exchange Online IP address and not the Exchange Online- High Risk Delivery Pool?

A: The answer is very simple: get the public IP address that represents your Exchange Online server and compare it to the IP address that appears in the NDR message.

Q: In case that the IP address that appears in the NDR message is the “formal IP address” of the Exchange Online server, which represents my domain name, what should I do?

A: The possibility of such a scenario is relatively rare, but if this situation occurs, you should report this incident as soon as possible to the Office 365 technical support team.

Q: In case that the IP address that appears in the NDR message is not the “formal IP address” of the Exchange Online server which represents my domain name, can I know what is the source of this IP address?

A: There is a high chance that the IP address that appears in the NDR message “belongs” to the IP range of the Exchange Online High Risk Delivery Pool.

Q: Is there a formal article that describes the IP ranges of the Exchange Online High Risk Delivery Pool?

A: No, there is not. There is an article named: Office 365 URLs and IP address ranges that includes information about all the IP address ranges that are used by Office 365 and Exchange Online worldwide, but the information doesn’t include a particular category for the IP ranges that are used by the Exchange Online High Risk Delivery Pool.

Q: Is there a way or a method that will help me to understand if the IP address that appears in the NDR message “belongs” to the Exchange Online High Risk Delivery Pool?

A: There is no formal way. The only “method” that we can use to understand what is the “source” of the IP address that appears in the NDR message is – by using elimination.

The logic of the “elimination process” is presented in the following diagram:

[Diagram: elimination process for a mail server that appears as blacklisted]

In the first step, we compare the IP address that is displayed in the NDR message (or in the message that was saved in the junk folder of the destination recipient) to the “formal IP address” of our Exchange Online server (the Exchange Online server that represents our domain name).

In case that the IP address that appears in the NDR is not the “formal Exchange Online IP address” of the Exchange Online server that represents our domain, we can check whether the IP address falls within the IP ranges that are used by Office 365 and Exchange Online, as listed in the article Office 365 URLs and IP address ranges.

In case that the IP address appears as part of the Office 365 URLs and IP address ranges, the logical answer is that the IP address “belongs” to the Exchange Online High Risk Delivery Pool IP ranges.
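
The elimination steps above, written out as an added Python example (not part of the original article). The NDR line, the “formal” addresses and the ranges are constructed placeholders taken from documentation ranges; in practice the formal addresses come from resolving your MX host name and the ranges from the Office 365 URLs and IP address ranges article.

```python
import ipaddress
import re

# Constructed inputs. All addresses are documentation ranges, not real
# Microsoft addresses.
# FORMAL_IPS: what your MX host name resolves to (assumed looked up already).
# O365_RANGES: ranges copied from "Office 365 URLs and IP address ranges".
FORMAL_IPS = ["198.51.100.10", "198.51.100.11"]
O365_RANGES = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:100::/48"]
NDR_TEXT = ("550 5.7.1 Service unavailable; client host [203.0.113.77] "
            "blocked using blocklist.example")

def ips_in_text(text):
    """Every bracketed token in the NDR text that parses as an IP address."""
    found = []
    for token in re.findall(r"\[([0-9A-Fa-f:.]+)\]", text):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # bracketed text that is not an address
    return found

def classify(ip, formal_ips, published_ranges):
    """Apply the two elimination steps to one address."""
    ip = ipaddress.ip_address(str(ip))
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped:  # ::ffff:a.b.c.d is compared as a.b.c.d
        ip = mapped
    # Step 1: is it the "formal" address behind our MX host name?
    if ip in {ipaddress.ip_address(a) for a in formal_ips}:
        return "formal"
    # Step 2: is it inside any published Office 365 / Exchange Online range?
    # If so, by elimination it is likely a High Risk Delivery Pool address.
    if any(ip in ipaddress.ip_network(r) for r in published_ranges):
        return "office365-not-formal"
    return "outside-office365"

def triage(ndr_text, formal_ips=FORMAL_IPS, published_ranges=O365_RANGES):
    """Map each address found in the NDR text to its elimination result."""
    return {str(ip): classify(ip, formal_ips, published_ranges)
            for ip in ips_in_text(ndr_text)}
```
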

Q: In case the conclusion is that the IP address that appears in the NDR message belongs to the Exchange Online High Risk Delivery Pool IP ranges, what should I do?

A: You should understand that the “outcome,” in which the E-mail was sent via the Exchange Online High Risk Delivery Pool, is the result of a scenario in which the E-mail was recognized by the Exchange Online infrastructure as an E-mail that has the potential to be classified as spam \ junk mail.

In that case, you should start to find out what was “included” in the particular E-mail message content that led to this problem.

How do we know that my mail server is blacklisted?

As mentioned, the term: my E-mail appears as spam could be translated into two major types of scenarios:

Scenario 1 – your organization domain name appears as blacklisted.

Scenario 2 – your mail server appears as blacklisted.

This article and the next two articles deal with “Scenario 2”, in which our mail server (Exchange Online or another mail server) appears as blacklisted.

In case, your next question is: how do I know that my mail server is blacklisted?

There could be three possible answers to that question:

1. NDR message

A scenario in which one of your organization's users reports that he got an NDR when he sent an E-mail to an external recipient, and the NDR “informs him” that his mail server is blacklisted.

2. Blacklist monitor service

In case that you use this type of service, the monitor service could “capture” a scenario in which your mail server appears as blacklisted. This scenario is more common in case that your mail infrastructure is not based on Exchange Online mail infrastructure, but instead, on a “private” or on-Premises mail infrastructure.

3. An external recipient reports that our mail was saved in his junk mail folder and sends you a copy of the original E-mail message.

This scenario is the “less obvious” or “less easy” one to troubleshoot, for two main reasons:

Reason 1 – the only way for us to know about the problem in which our organization's E-mail appears as spam \ junk mail is if the destination recipient “bothers” to inform us.

If the target recipient didn’t notice that our E-mail was saved in his junk mail folder or, in case that he is not “kind” enough to inform us, we could not know about this problem.

Reason 2 – when an email message is “sent” to the user's junk mail folder, there is no detailed description that “explains” the reasons for classifying the E-mail as spam \ junk mail.

In other words: we can never know if the reason for identifying the E-mail as spam \ junk mail was related to the – E-mail message content, our domain name, our mail server, etc.

In this case, the only option that we can use is – reasoning and elimination.

For example, in case that we suspect that the problem is related to our mail server IP address or to a scenario in which the E-mail message was sent by using the Exchange Online High Risk Delivery Pool, the option that we have is asking the destination recipient to send us a copy of the E-mail message.

When we get the required copy of the E-mail, we analyze the E-mail header, find the IP address of the Exchange Online server that sent out the message, and verify whether the IP address that appears is our “formal Exchange Online IP address” or another IP address.

How do I “fetch” the IP address of the Exchange Online mail server?

The way that we use for getting the IP address of the Exchange Online server that sent the E-mail message to the external recipient depends on the particular scenario.

Case 1 – NDR message

An NDR message that is sent by the destination mail server as a “reply” to our Office 365 user.
In this scenario, we “fetch” the required information from the “NDR response” that was created by the mail server that rejected the E-mail message.

Case 2 – destination recipient reports that our mail was saved in his junk mail folder.

The external recipient informs us that our mail was sent to his junk mail folder.

The way that we need to use for getting the required information about the Exchange Online server IP address is by using the information that appears in the E-mail message header.

The E-mail header includes a “documentation” of the mail flow and, by reading the information that is displayed in the E-mail header, we can implement a “reverse engineering” process, which will “reveal” the IP address of the Exchange Online server that sent out the E-mail message.
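
One way to do this header analysis, as an added Python example that is not part of the original article: it reads the Received headers from the newest down and returns the address recorded at the hop where the recipient's own server accepted the message from an outside server. The header text, host names and addresses are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: headers of a message copy as saved by the recipient.
RAW = """\
Received: from mbx1.recipient.example (10.0.0.5) by mbx2.recipient.example
 with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from out-1.sender-cloud.example (out-1.sender-cloud.example
 [198.51.100.25]) by mx.recipient.example with ESMTPS;
 Mon, 1 Jan 2024 10:00:02 +0000
Received: from client.sender-cloud.example ([IPv6:2001:db8::10]) by
 out-1.sender-cloud.example with ESMTPS; Mon, 1 Jan 2024 10:00:01 +0000
From: user@sender.example
To: someone@recipient.example
Subject: test

body
"""

HOP = re.compile(r"from\s+(\S+)\s*(.*?)\s+by\s+(\S+)", re.S | re.I)
ADDR = re.compile(r"[\[(](?:IPv6:)?([0-9A-Fa-f:.]+)[\])]")

def hops(raw):
    """Return (from_host, from_ip, by_host) per Received header, newest first."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m:
            continue
        ip = None
        for cand in ADDR.findall(m.group(2)):
            try:
                ip = ipaddress.ip_address(cand)
                break
            except ValueError:
                pass  # bracketed host name, not an address
        out.append((m.group(1).lower(), ip, m.group(3).lower().rstrip(";")))
    return out

def sending_server_ip(raw, recipient_domain):
    """IP recorded by the recipient's border server for the outside sender."""
    # Only this hop was written by the recipient's side; older hops below it
    # were written by servers outside the recipient's control.
    suffix = "." + recipient_domain.lower()
    for from_host, ip, by_host in hops(raw):
        if by_host.endswith(suffix) and not from_host.endswith(suffix):
            return ip
    return None
```
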

In the next article, we will look at My E-mail appears as spam | Troubleshooting – Mail server | Part 14#17.

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
