My e mail appears as spam troubleshooting mail server part 13#17 o365info com


My E-mail appears as spam | Troubleshooting - Mail server | Part 13#17
http://o365info.com/my-e-mail-appears-as-spam-troubleshooting-mail-server-part-13-17

What is the meaning of: “our mail server”? Mail server IP, host name and Exchange Online. One of our users got an NDR which informs him that his mail server is blacklisted! How do we know that my mail server is blacklisted?

The information is relevant for Office 365 and Exchange Online users but, at the same time, most of the information is also relevant to all other mail systems.

Eyal Doron | o365info.com

MY E-MAIL APPEARS AS SPAM | TROUBLESHOOTING – MAIL SERVER | PART 13#17

Written by Eyal Doron | o365info.com

The current article and the next articles:

My E-mail appears as spam | Troubleshooting – Mail server | Part 14#17
My E-mail appears as spam | Troubleshooting – Mail server | Part 15#17

will be dedicated to the troubleshooting scenarios in which the “element” that is blacklisted is not our domain name but instead, our mail server.

What is the meaning of: “our mail server”?

When we say “our mail server”, the term can be translated into two types of identities:

1. Mail server IP address
2. Mail server host name – the mail server host name could be mapped to one or more IP addresses.

This distinction is important because, in a scenario in which we want to find out if our mail server appears on a blacklist, we will need to know the mail server host name and, in addition, the IP address or addresses that are “mapped” to the mail server host name.

For example: most of the websites that enable us to verify if our mail server appears on a blacklist will query the blacklist provider’s database by using the mail server IP address and not the mail server host name.

Mail server IP, host name and Exchange Online

OK, now let’s make it even more complicated.

Q: In a scenario in which our mail infrastructure is hosted by Exchange Online, is there a “dedicated Exchange Online mail server” that represents our organization or our domain name?

A: In reality, there is no such “dedicated Exchange Online server” that is allocated only to our Office 365 tenant (our domain name). Instead, there is a “logical Exchange Online server” that is allocated or “attached” to our domain name. The host name of this “logical Exchange Online server” will be published in our MX record.

Note – you can get information about your Exchange Online host name by reading the article: My E-mail appears as spam | Troubleshooting – Mail server | Part 15#17

Q: Does the “logical Exchange Online server” that represents our domain name have a dedicated public IP address that is assigned only to our organization?

A: The “logical Exchange Online host name” is “mapped” to, or “represented” by, a public IP address. This IP address does not “belong” only to our domain name but instead is shared with other Office 365 tenants.

Or in other words: the same Exchange Online servers that send out our E-mails also serve additional Office 365 customers.


A scenario in which our mail server will be blacklisted

Q: What are the chances for a scenario in which the “logical Exchange Online server” that represents our domain name will appear as blacklisted?

A: The chances are very, very low.

Q: Why do you think that the chances for a scenario in which the “logical Exchange Online server” that represents our domain name will appear on a blacklist are very low?

A: My answer is based on my experience and very simple logic: the “logical Exchange Online server” that represents our domain name represents, at the same time, hundreds of thousands or even millions of users. The “Exchange Online infrastructure” doesn’t have the “luxury” of being blacklisted.


Q: So, there is some chance that an Exchange Online server IP address will appear as blacklisted?

A: There is a scenario in which an Exchange Online server will appear as blacklisted, but this scenario will apply only to a special dedicated Exchange Online server pool named: High Risk Delivery Pool.

In a scenario in which an E-mail message is sent via the Exchange Online High Risk Delivery Pool and one of the Exchange Online High Risk Delivery Pool servers appears on a blacklist, the “problem” is not related to the specific Exchange server from the “Exchange Online High Risk Delivery Pool”.

The “root cause” is the “problematic E-mail message”, which was identified by Exchange Online as spam\junk mail and, for this reason, was routed via the Exchange Online High Risk Delivery Pool.

Non-Exchange Online based mail infrastructure

Q: In a scenario in which the organization’s E-mail infrastructure is not based on Office 365 and Exchange Online servers, what are the chances that my mail server host name or IP address will appear on a blacklist?

A: In case that your mail infrastructure is not based on Exchange Online, or in case that you use a mixed mail infrastructure that includes on-premises mail infrastructure + “cloud mail infrastructure” (Exchange Online), there could be a scenario in which your mail server (host name or IP address) will appear as blacklisted.

One of our users got an NDR which informs him that his mail server is blacklisted!

In a “pure” Exchange Online environment (cloud-only client) there could be a scenario in which the Exchange Online server IP address will appear as blacklisted, but it can be said that there is certainly a chance that the IP address “belongs” to the Exchange Online High Risk Delivery Pool.

In that scenario, my opinion is that there is no point in starting to invest time and energy in trying to remove the IP address from the blacklist, for a very simple reason: the IP address is not yours.

As an Office 365 customer, your domain name is represented by the Exchange Online server and the Exchange Online server IP address, but you don’t own this “IP address”.

This scenario is different from a scenario in which your domain name is blacklisted because, in that case, you (your organization) are the owner of the domain name.

In a scenario in which you are informed that “your mail server” is blacklisted, 99% of the time the IP address probably belongs to the Exchange Online High Risk Delivery Pool.

In this case, the most effective troubleshooting step is to verify with your users what the special characteristics were of the E-mail message that was sent by them and that “led” to the scenario in which the E-mail message was identified as spam by the Exchange Online infrastructure and, for this reason, was routed via the Exchange Online High Risk Delivery Pool.

Q: What happens if I think that the blocked mail server IP address is the legitimate Exchange Online IP address and not the Exchange Online High Risk Delivery Pool?

A: The answer is very simple: get the public IP address that represents your Exchange Online server and compare it to the IP address that appears in the NDR message.

Q: In case that the IP address that appears in the NDR message is the “formal IP address” of the Exchange Online server which represents my domain name, what should I do?

A: The possibility of such a scenario is quite rare, but if this scenario occurs, you should report this incident as soon as possible to the Office 365 technical support team.

Q: In case that the IP address that appears in the NDR message is not the “formal IP address” of the Exchange Online server which represents my domain name, can I know what the source of this IP address is?

A: There is a high chance that the IP address that appears in the NDR message “belongs” to the IP range of the Exchange Online High Risk Delivery Pool.

Q: Is there a formal article that describes the IP ranges of the Exchange Online High Risk Delivery Pool?

A: No, there is not. There is an article named: Office 365 URLs and IP address ranges, which includes information about all the IP address ranges that are used by Office 365 and Exchange Online worldwide, but the information doesn’t include a specific category for the IP ranges that are used by the Exchange Online High Risk Delivery Pool.

Q: Is there a way or a method that will help me to understand if the IP address that appears in the NDR message “belongs” to the Exchange Online High Risk Delivery Pool?

A: There is no formal way. The only “method” that we can use to understand the “source” of the IP address that appears in the NDR message is elimination.


The logic of the “elimination process” is presented in the following diagram:

In the first step, we compare the IP address that appears in the NDR message (or in the message that was saved in the junk folder of the destination recipient) to the “formal IP address” of our Exchange Online server (the Exchange Online server that represents our domain name).

In case that the IP address that appears in the NDR is not the “formal Exchange Online IP address” of the Exchange Online server that represents our domain, we can check if the IP address appears within the IP ranges that are used by Office 365 and Exchange Online, as listed in the article: Office 365 URLs and IP address ranges.

In case that the IP address appears as part of the Office 365 URLs and IP address ranges, the logical answer is that the IP address “belongs” to the Exchange Online High Risk Delivery Pool IP ranges.


Q: In case that the conclusion is that the IP address that appears in the NDR message belongs to the Exchange Online High Risk Delivery Pool IP ranges, what should I do?

A: You should understand that the “outcome”, in which the E-mail message was sent via the Exchange Online High Risk Delivery Pool, is the result of a scenario in which the E-mail message was recognized by the Exchange Online infrastructure as a mail that has the potential to be classified as spam\junk mail.

In that case, you should start to find out what was “included” in the specific E-mail message content that led to this problem.

How do we know that my mail server is blacklisted?

As mentioned, the term “my E-mail appears as spam” could be translated into two major types of scenarios:

Scenario 1 – your organization’s domain name appears as blacklisted.
Scenario 2 – your mail server appears as blacklisted.

The current article and the next two articles deal with “Scenario 2”, in which our mail server (Exchange Online or another mail server) appears as blacklisted.


In case your next question is: how do I know that my mail server is blacklisted?

There could be three possible answers to that question:

1. NDR message

A scenario in which one of your organization’s users reports that he got an NDR when he sent an E-mail message to an external recipient, and the NDR “informs him” that his mail server is blacklisted.

2. Blacklist monitor service

In case that you use this type of service, the monitor service could “capture” a scenario in which your mail server appears as blacklisted. This scenario is more common in case that your mail infrastructure is not based on the Exchange Online mail infrastructure but instead on a “private” or on-premises mail infrastructure.

3. An external recipient reports that our mail was saved in his junk mail folder and sends you a copy of the original E-mail message.

This scenario is the “less obvious” or “less easy” one to troubleshoot, for two main reasons:

Reason 1 – the only way for us to know about the problem, in which our organization’s E-mail appears as spam\junk mail, is in case that the destination recipient “bothers” to inform us.


In case that the destination recipient didn’t notice that our E-mail was saved in his junk mail folder or, in case that he wasn’t “kind” enough to inform us, we could not know about this problem.

Reason 2 – when an E-mail message is “sent” to the user’s junk mail folder, there is no detailed description that “explains” the reasons for classifying the E-mail message as spam\junk mail.

In other words: we can never know if the reason for identifying the E-mail message as spam\junk mail was related to the E-mail message content, our domain name, our mail server, etc.

In this case, the only option that we can use is reasoning and elimination.

For example: in case that we suspect that the problem is related to our mail server IP address or to a scenario in which the E-mail message was sent by using the Exchange Online High Risk Delivery Pool, the option that we have is to ask the destination recipient to send us a copy of the E-mail message.

When we get the required copy of the E-mail, we analyze the E-mail message header, find the IP address of the Exchange Online server that sent out the message and verify if the IP address that appears is our “formal Exchange Online IP address” or another IP address.


How do I “fetch” the IP address of the Exchange Online mail server?

The way that we use for getting the IP address of the Exchange Online server that sent the E-mail message to the external recipient depends on the specific scenario.

Case 1 – NDR message

An NDR message that was sent by the destination mail server as a “reply” to our Office 365 users.

In this scenario, we can “fetch” the required information from the “NDR reply” that was created by the mail server that rejected the E-mail message.

Case 2 – the destination recipient reports that our mail was saved in his junk mail folder.

The external recipient informs us that our mail was sent to his junk mail folder.


The way that we need to use for getting the required information about the Exchange Online server IP address is by using the information that appears in the E-mail message header.

The E-mail message header includes a “documentation” of the mail flow and, by reading the information that appears in the E-mail message header, we can implement a “reverse engineering” process, which will “reveal” the IP address of the Exchange Online server that sent out the E-mail message.

In the next article – My E-mail appears as spam | Troubleshooting – Mail server | Part 14#17 – we will learn how to get the required information about our Exchange Online mail server.
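The elimination process and the header reading described above can be combined, as an added example that is not part of the original article: the following Python code pulls the sending IP of each hop from the Received headers and classifies it against the “formal” Exchange Online IP and the Office 365 ranges. The function names, the documentation-range addresses in the sample data and the “not-office365” outcome for an address outside the published ranges are assumptions made for this example.

```python
import ipaddress
import re
from email import message_from_string

# Address literal that MTAs write in "Received: from host (name [IP])".
_IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_ips(raw_message):
    """Return the sender IP recorded by each Received hop, newest hop first."""
    hops = []
    for header in message_from_string(raw_message).get_all("Received", []):
        # Keep only the "from ..." clause; the "by ..." part names the receiver.
        from_clause = re.split(r"\sby\s", str(header), maxsplit=1)[0]
        match = _IP_LITERAL.search(from_clause)
        if match is None:
            continue
        try:
            hops.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # malformed literal: skip this hop
    return hops


def classify(ip, formal_ips, office365_ranges):
    """Elimination: formal Exchange Online IP, else Office 365 range, else neither."""
    addr = ipaddress.ip_address(str(ip))
    if addr in {ipaddress.ip_address(f) for f in formal_ips}:
        return "formal-exchange-online"   # rare: report to Office 365 support
    if any(addr in ipaddress.ip_network(n) for n in office365_ranges):
        return "probable-high-risk-pool"  # review the message content
    return "not-office365"                # assumption: e.g. an on-premises server


def triage(raw_message, formal_ips, office365_ranges):
    """Classify every hop found in the message header."""
    return [(str(ip), classify(ip, formal_ips, office365_ranges))
            for ip in received_ips(raw_message)]


# Constructed sample data: RFC 5737 / RFC 3849 documentation addresses stand in
# for the real "formal" IP (resolved from the MX host name) and for the ranges
# copied from the "Office 365 URLs and IP address ranges" article.
FORMAL_IPS = ["198.51.100.10"]
OFFICE365_RANGES = ["198.51.100.0/24", "2001:db8:100::/48"]
SAMPLE_MESSAGE = """\
Received: from mail-out.example.net (mail-out.example.net [198.51.100.77])
        by mx.recipient.example with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from client.example.net ([192.0.2.15])
        by mail-out.example.net with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: user@example.net
To: someone@recipient.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_MESSAGE, FORMAL_IPS, OFFICE365_RANGES):
        print(f"{ip:<16} {verdict}")
```

To use it on a real case, replace the constructed values with the IP addresses resolved from your MX host name and with the ranges listed in the Office 365 URLs and IP address ranges article.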


Internal \ outbound spam in Office 365 environment | Article series index

A quick reference for the article series

My E-mail appears as a spam | Article series index | Part 0#17
The article index of the complete article series.

Introduction to the concept of internal \ outbound spam in general and in Office 365 and Exchange Online environment

My E-mail appears as a spam – Introduction | Office 365 | Part 1#17
The psychological profile of the phenomenon: “My E-mail appears as a spam!”, possible factors for causing our E-mail to appear as “spam mail”, the definition of internal \ outbound spam.

Internal spam in Office 365 – Introduction | Part 2#17
Review in general the term “internal \ outbound spam”, misconceptions that relate to this term, the risks that are involved in this scenario, outbound spam E-mail policy and more.

Internal spam in Office 365 – Introduction | Part 3#17
What are the possible reasons that could cause our mail to appear as spam\junk mail? Who or what are the “elements” that can decide that our mail is spam mail? What are the possible “reactions” of the destination mail infrastructure that identifies our E-mail as spam\junk mail?

Commercial E-mail – Using the right tools | Office 365 | Part 4#17
What is commercial E-mail? Commercial E-mail as part of the business process. Why do I think that Office 365\Exchange Online is unsuitable for the purpose of commercial E-mail?

Introduction to the major causes for a scenario in which your organization E-mail appears as spam

My E-mail appears as spam | The 7 major reasons | Part 5#17
Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 1. E-mail content, 2. Violation of the SMTP standards, 3. Bulk\Mass mail

My E-mail appears as spam | The 7 major reasons | Part 6#17
Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 4. False positive, 5. User Desktop malware, 6. “Problematic” Website

Introduction to the subject of SPF record in general and in Office 365 environment

What is SPF record good for? | Part 7#17
The purpose of the SPF record and its relation to our mail infrastructure. How does the SPF record enable us to prevent a scenario in which hostile elements could send E-mail on our behalf.

Implementing SPF record | Part 8#17
The “technical side” of the SPF record: the structure of the SPF record, the way that we create an SPF record, what is the required syntax for the SPF record in an Office 365 environment + mixed mail environment, how to verify the existence of an SPF record and so on.

Introduction to the subject of Exchange Online - High Risk Delivery Pool

High Risk Delivery Pool and Exchange Online | Part 9#17
How Office 365 (Exchange Online) handles a scenario of internal \ outbound spam by using the help of the Exchange Online High Risk Delivery Pool.

High Risk Delivery Pool and Exchange Online | Part 10#17
The second article about the subject of the Exchange Online High Risk Delivery Pool.

The troubleshooting path of internal \ outbound spam scenario

My E-mail appears as spam – Troubleshooting path | Part 11#17
Troubleshooting scenario of internal \ outbound spam in Office 365 and Exchange Online environment. Verifying if our domain name is blacklisted, verifying if the problem is related to E-mail content, verifying if the problem is related to a specific organization user E-mail address, moving the troubleshooting process to the “other side”.

My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17
Verify if our domain name appears as blacklisted, verify if the problem relates to a specific E-mail message content, registering to blacklist monitoring services, activating the option of Exchange Online outbound spam.

My E-mail appears as spam | Troubleshooting – Mail server | Part 13#17
What is the meaning of: “our mail server”? Mail server IP, host name and Exchange Online. One of our users got an NDR which informs him that his mail server is blacklisted! How do we know that my mail server is blacklisted?

My E-mail appears as spam | Troubleshooting – Mail server | Part 14#17
The troubleshooting path logic. Get the information from the E-mail message that was identified as spam\NDR. Forwarding a copy of the NDR message or the message that saved to the junk mail

My E-mail appears as spam | Troubleshooting – Mail server | Part 15#17
Step B – Get information about your Exchange Online infrastructure, Step C – fetch the information about the Exchange Online IP address, Step D – verify if the “formal” Exchange Online IP address a

De-list your organization from a blacklist | My E-mail appears as spam | Part 16#17
Review the characteristics of a scenario in which your organization appears as blacklisted. The steps and the operations that need to be implemented to de-list your organization from a blacklist.

Summary and recap of the troubleshooting and best practices in a scenario of internal \ outbound spam

Dealing and avoiding internal spam | Best practices | Part 17#17
Provides a short checklist of all the steps and the operations that relate to a scenario of internal \ outbound spam.