Forefront Online Protection for Exchange: Outbound E-mailing Tips For Senders

The following guidelines are intended to help companies and end users who use the Forefront Online Protection for Exchange (FOPE) service ensure that their outbound mail is safely delivered. They are appropriate both for FOPE customers sending e-mail from their own servers and those sending e-mail through FOPE servers.

1. Ensure that the sending domain of the e-mail has forward-confirmed DNS.

If the sender’s e-mail address is user@aselasdf.com and the domain aselasdf.com does not actually exist or resolve in DNS, mail sent from user@aselasdf.com may not be delivered to many destinations, because spam filters often evaluate whether the domain of the sending address exists or resolves in DNS. Filling in the sending e-mail address with a non-existent domain is a common spamming tactic.

Example:

If the sending domain has no A-record or MX record in DNS, some large ISPs will reject, or at least throttle, mail from that IP. 

With the FOPE service, if a sending domain has no A-record or MX record in DNS, FOPE will route the mail through its higher risk delivery pool regardless of whether or not the content of the e-mail is spam.

2. Use a reverse DNS entry for the sending IP of the outbound mail server.

Example:

12.129.199.61 is mail-haw.global.frontbridge.com. Many senders do not have a reverse DNS entry for the IP. Adding this in DNS makes it easier for spam filters to know who the mail is coming from. It is common for spammers to send from IPs with no reverse DNS entries (i.e. PTR records).

3. Use a consistent HELO/EHLO and MAIL FROM and ensure that it is in the form of a domain name rather than an IP address.

The HELO/EHLO should be configured to match the reverse DNS of the mailing IP so that the domain remains the same across the various parts of the message headers.

4. Set up proper SPF records in DNS.

SPF records are a mechanism for making certain that mail coming from a domain actually is from that domain. In other words, SPF records are a critical anti-spoofing mechanism and help in the delivery of mail because they allow the receiver to verify the sender and build up a reputation for it.

For more information about how to set up proper SPF records, see:

5. Use the relaxed canonicalization algorithm to sign DKIM mail.

The relaxed header canonicalization algorithm allows line wraps. If an e-mail message has an x-header that is spread over multiple lines (such as a Content-Type header), the relaxed header algorithm wraps those multiple lines into one line and then signs it. The strict canonicalization algorithm does not wrap lines.

This is important because Exchange often folds line wraps in the x-headers by default. If you sign with the strict canonicalization algorithm, a hash on a message with a line wrap is different from a hash on a message without a line wrap, so when Exchange folds the x-headers the receiver will not be able to verify the signature. If you sign using the relaxed canonicalization algorithm, Exchange will still fold the x-headers, but this will not matter because the receiver will still be able to verify. A sender who wishes to sign messages using DKIM (DomainKeys Identified Mail) and also send outbound mail through FOPE should therefore use the relaxed header canonicalization algorithm to sign the messages.
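The effect of refolding on the two header canonicalizations can be reproduced offline. This is an added example, not code from FOPE or Exchange; the header fields are constructed, and the digest covers only the listed fields (a real DKIM signature also covers the DKIM-Signature field and a body hash). RFC 6376 names the algorithm this page calls "strict" as "simple".

```python
import hashlib
import re

def canon_simple(field: bytes) -> bytes:
    # RFC 6376 "simple" (this page's "strict"): hashed byte for byte.
    return field

def canon_relaxed(field: bytes) -> bytes:
    # RFC 6376 section 3.4.2 "relaxed" header canonicalization.
    name, colon, value = field.partition(b":")
    if not colon:
        raise ValueError("not a header field: no colon")
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)  # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value)        # runs of WSP -> one space
    value = value.rstrip(b"\r\n").strip(b" ")      # drop WSP around the value
    return name.strip(b" \t").lower() + b":" + value + b"\r\n"

def header_digest(fields, canon) -> str:
    # Assumption: simplified stand-in for the DKIM header hash.
    h = hashlib.sha256()
    for field in fields:
        h.update(canon(field))
    return h.hexdigest()

def survives_refolding(signed, relayed, canon) -> bool:
    # True when the receiver would compute the same digest as the signer.
    return header_digest(signed, canon) == header_digest(relayed, canon)

# Constructed sample: the fields as the signer saw them ...
SIGNED = [
    b'Content-Type: multipart/mixed; boundary="----=_Part_0001_constructed"\r\n',
    b"X-Example-Tracking: campaign=spring; segment=a\r\n",
]
# ... and the same fields after a relay folded them at existing whitespace.
RELAYED = [
    b'Content-Type: multipart/mixed;\r\n\tboundary="----=_Part_0001_constructed"\r\n',
    b"X-Example-Tracking: campaign=spring;\r\n segment=a\r\n",
]

if __name__ == "__main__":
    for label, canon in (("simple", canon_simple), ("relaxed", canon_relaxed)):
        ok = survives_refolding(SIGNED, RELAYED, canon)
        print(f"{label:8s} verifies after refolding: {ok}")
```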

6. Keep domain owner contact information up-to-date in the WHOIS database.

 

This identifies the owners of the domain and how to contact them by entering the stable parent company, point of contact and name servers.

For best practices regarding bulk e-mail campaigns, see Bulk E-mailing Best Practices for Senders Using Forefront Online Protection for Exchange.

See also

Mass Mailing Delivery Issues

See Hotmail/Outlook.com Solving Mass Mailing Delivery Issues

SPF tooling