

turtleattacks

1008 posts

Uber Geek
+1 received by user: 305

Trusted

#303624 23-Feb-2023 16:23

Hi guys, 

 

We have a business that needs to email an email within NZ Police (police.govt.nz). 

The email is hosted on Outlook and I have DKIM, SPF and DMARC all set up properly via Cloudflare. 

Mostly, all ours get through okay but the Police's mail servers are bouncing back with the following message:

 

Your access to this mail system has been rejected due to poor reputation of a domain used in message transfer

 

Sounds like our domain name is getting rejected? I've run some tests and it doesn't appear that our domain is in any sort of list.

Any help would be appreciated!

 

 





boosacnoodle
1269 posts

Uber Geek
+1 received by user: 855


  #3040968 23-Feb-2023 16:26

How old is your domain name?




turtleattacks

1008 posts

Uber Geek
+1 received by user: 305

Trusted

  #3040970 23-Feb-2023 16:27

Registered on: 2022-07-18

 

However, the exchange server was only attached last week. 




SirHumphreyAppleby
2938 posts

Uber Geek
+1 received by user: 1860


  #3040977 23-Feb-2023 16:53

turtleattacks:

 

We have a business that needs to email an email within NZ Police (police.govt.nz). 

 

This is ridiculous. If it's a case of having to e-mail them, you've done that and it's their problem if they don't get it IMO. If you actually want them to receive it, e-mail postmaster@police.govt.nz and tell them to fix it.




turtleattacks

1008 posts

Uber Geek
+1 received by user: 305

Trusted

  #3040981 23-Feb-2023 16:59

Do Postmaster emails actually get read? :D





SirHumphreyAppleby
2938 posts

Uber Geek
+1 received by user: 1860


  #3040983 23-Feb-2023 17:05

turtleattacks:

 

Do Postmaster emails actually get read? :D

 

 

Rarely, although I do read mine. Since you've queried it, it's probably too late for you to plausibly deny that you weren't aware it would probably never be read.

 

 


turtleattacks

1008 posts

Uber Geek
+1 received by user: 305

Trusted

  #3040984 23-Feb-2023 17:05

Is there anything else we can do from our end? 

 

 

 





 
 
 
 

SirHumphreyAppleby
2938 posts

Uber Geek
+1 received by user: 1860


  #3040988 23-Feb-2023 17:17

turtleattacks:

 

Is there anything else we can do from our end? 

 

 

What's the TTL on your MX records? I've seen some e-mail reports indicating this should be at least 48 hours. Bit of a pain when you're planning migration, but people who run spam filters think they know best. Damn things should be illegal, especially for government operations.

 

Also, make sure you have a PTR on the sending IP address.


decibel
335 posts

Ultimate Geek
+1 received by user: 224


  #3041078 23-Feb-2023 20:07

SirHumphreyAppleby:

 

Also, make sure you have a PTR on the sending IP address.

 

 

This -


networkn
Networkn
32862 posts

Uber Geek
+1 received by user: 15453

ID Verified
Trusted
Lifetime subscriber

  #3041079 23-Feb-2023 20:09

SirHumphreyAppleby:

 

turtleattacks:

 

Is there anything else we can do from our end? 

 

 

What's the TTL on your MX records? I've seen some e-mail reports indicating this should be at least 48 hours. Bit of a pain when you're planning migration, but people who run spam filters think they know best. Damn things should be illegal, especially for government operations.

 

Also, make sure you have a PTR on the sending IP address.

 

 

 

 

We have many many clients all on 60 minutes or less, and never an issue. I would never set it to more than 4 hours by choice.

 

 


boosacnoodle
1269 posts

Uber Geek
+1 received by user: 855


  #3041091 23-Feb-2023 20:53

Reason I asked about age of the domain was that a friend had the same issue and this was more-or-less the explanation from Police. Welcome to OIA it, of course.


SirHumphreyAppleby
2938 posts

Uber Geek
+1 received by user: 1860


  #3041154 24-Feb-2023 06:44

networkn:

 

We have many many clients all on 60 minutes or less, and never an issue. I would never set it to more than 4 hours by choice.

 

 

I can't say I've ever seen an issue either. I don't recall which e-mail testing site had this as one of their warning points, but I can only assume it exists because someone, somewhere, used to apply this criteria in their filters.

 

Fortunately, with SPF and DKIM more widely used now, we see a lot less 'bad' stuff such as rejecting e-mail on HELO not matching the IP PTR, use of an address literal (both are an RFC violation), or To/Cc fields having only e-mail addresses.


 
 
 

turtleattacks

1008 posts

Uber Geek
+1 received by user: 305

Trusted

  #3041155 24-Feb-2023 06:46

So one thing weird about this is that it’s rejected by an Exchange server.

Whereas another Exchange server was happy to receive it.

Must have different security settings I guess.




turtleattacks

1008 posts

Uber Geek
+1 received by user: 305

Trusted

  #3041156 24-Feb-2023 06:47

decibel:

SirHumphreyAppleby:


Also, make sure you have a PTR on the sending IP address.



This -



Can someone please ELI5 this for me or link me a good source?

We have Exchange via Cloudflare DNS.




SirHumphreyAppleby
2938 posts

Uber Geek
+1 received by user: 1860


  #3041157 24-Feb-2023 06:53

turtleattacks:

Can someone please ELI5 this for me or link me a good source?

We have Exchange via Cloudflare DNS.

 

PTR records associate a host name with your IP address.

 

On Windows, just type...

 

nslookup 1.1.1.1 (IP is the outbound IP of your e-mail server)

 

You should see a domain name. If you don't, it means you don't have a PTR, and lots of e-mail servers will reject mail if you don't have one.

 

In the past it was relatively common practice, albeit an RFC violation, to reject the e-mail if the PTR didn't match the A record, but that practice, fortunately, seems to have largely stopped. Just having a PTR is sufficient.
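
The PTR check described in the post above, as an added example that is not part of the original thread: it reports whether a sending IP has a PTR at all and, separately, whether a PTR name resolves back to the same IP (the stricter PTR/A match the post mentions). The function names, host names and addresses are constructed for illustration.

```python
import ipaddress
import socket


def system_reverse(ip):
    """PTR lookup through the OS resolver; returns host names (empty if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:  # covers socket.herror / socket.gaierror
        return []
    return [name] + aliases


def system_forward(name):
    """A/AAAA lookup through the OS resolver; returns a set of address strings."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return set()
    return {info[4][0].split("%")[0] for info in infos}  # drop IPv6 scope id


def check_ptr(ip, reverse=system_reverse, forward=system_forward):
    """Report PTR presence and whether any PTR name maps back to the IP."""
    addr = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in reverse(ip)]
    confirmed = [n for n in names
                 if any(ipaddress.ip_address(a) == addr for a in forward(n))]
    return {
        "query": addr.reverse_pointer,        # name the PTR query is sent for
        "ptr_names": names,
        "has_ptr": bool(names),               # what nslookup <ip> shows
        "forward_confirmed": bool(confirmed), # PTR name resolves back to the IP
    }


# Constructed sample records (documentation address range) so this runs offline.
SAMPLE_PTR = {"192.0.2.25": ["mail.example.nz."], "192.0.2.26": ["stale.example.nz"]}
SAMPLE_A = {"mail.example.nz": {"192.0.2.25"}, "stale.example.nz": {"192.0.2.99"}}


def sample_check(ip):
    """Run check_ptr against the constructed records instead of live DNS."""
    return check_ptr(ip, lambda i: SAMPLE_PTR.get(i, []), lambda n: SAMPLE_A.get(n, set()))


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26", "192.0.2.27"):
        print(ip, sample_check(ip))
```

Calling `check_ptr(ip)` with no extra arguments uses the system resolver for a real outbound address.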


turtleattacks

1008 posts

Uber Geek
+1 received by user: 305

Trusted

  #3041158 24-Feb-2023 06:57

SirHumphreyAppleby:

 

turtleattacks:

Can someone please ELI5 this for me or link me a good source?

We have Exchange via Cloudflare DNS.

 

PTR records associate a host name with your IP address.

 

On Windows, just type...

 

nslookup 1.1.1.1 (IP is the outbound IP of your e-mail server)

 

You should see a domain name. If you don't, it means you don't have a PTR, and lots of e-mail servers will reject mail if you don't have one.

 

In the past it was relatively common practice, albeit an RFC violation, to reject the e-mail if the PTR didn't match the A record, but that practice, fortunately, seems to have largely stopped. Just having a PTR is sufficient.

 

 

 

 

Thanks! Another beginner question - but I assume we won't have a static IP since we host our emails on Office365 and it'll probably be a pool of IP addresses?




