Category Archives: Uncategorized

New Servers to Whitelist

MxToolbox uses a set of servers as part of our monitoring products.  These perform the heavy lifting like making SMTP calls to your servers or checking your DNS records.  If you are using MxToolbox monitoring for any system behind a firewall, you will probably need to whitelist our servers to get accurate monitoring service.

The current list of keeper IP addresses to whitelist is:

  • 64.20.227.128/28
  • 54.84.234.24
  • 54.164.124.219
  • 54.88.4.135

Please contact Support@MxToolbox.com if you have any issues.

My small business is on a Blacklist. What did I do wrong?

If you have been referred to us by your Internet Service Provider (ISP) because of a blacklist, then this article will most likely help you with your problem.

If you are running a small business, it is unfortunately a fairly common occurrence that your mail could be blocked by a blacklist even if you do not send bulk email, spam, malware or run your own email servers.  The problem is one that can be easily corrected.

But, this may seem complicated…

When you send email, the computer you send the email from is listed as the point of origin and the IP address is recorded in the email header, which is routing instructions and history passed around with your content.  Many people still use Outlook or another email client local to their computer.  When you use a local email client, your computer’s IP address and the IP address of your router are recorded in these email headers (to learn more about email headers check out our Analyze Headers tool).  These are the IP addresses of the email’s origin.

Unless you pay extra for a dedicated IP address, the IP address of your router is dynamically assigned to you from a pool of IP addresses owned by your ISP.   Typically, these dynamically assigned IP addresses (also known as DHCP IPs) are automatically blacklisted because they can be assigned to anyone at anytime for anything.  To summarize, you have been assigned a dynamic IP address which is likely blacklisted.  This is point of origin of all your email making your email likely to be refused by servers using blacklists to filter email.

What’s the solution?

There are several solutions to this problem each with different trade-offs or costs.

Use your ISP’s webmail – Most Internet Service Providers have a webmail client you can use as part of your subscription.  These webmail clients send the email from the IP address of the ISP’s mail servers, not your IP.  Sending from their servers gives you their blacklist reputation so you should not be blocked by blacklists.  Many of these will work with your existing domain, if you have your own domain name.   However, usability and functionality may not meet your needs.  It is a good idea to look into this option as it’s free and part of your internet access.

Acquire a static IP address from your ISP – This is a good option for small businesses that want to host their own servers for websites, email or other tasks.  A static IP address is from a different pool than dynamic IPs so it is less likely to be on a blacklist.  This option will allow you to continue to use your local email client (Outlook or another), but adds the monthly expense of the static IP.

Use 3rd party webmail – There are many 3rd party web-based email tools you can use, most with a small monthly cost.  Microsoft Office 365 and Google Apps offer complete collaboration suites, with email, spreadsheets, word processing and presentation applications.  Most of these will allow you to use your local email clients and all of them should allow you to use your domain name for correspondence.  The larger app providers have their own email security options that protect your reputation.  The only downside is cost.

At MxToolbox, we understand the causes of blacklisting and can help you by:

  • Alerting you when your IP or domain is on a blacklist
  • Protecting your email from the common causes of blacklisting
  • Protecting you from malicious websites and botnet attacks
  • Providing collaboration services like Google Apps services to businesses like yours

Contact us to learn more.

What’s going on with Barracuda blacklist results?

You may be seeing something odd with listings on Barracuda right now.  MxToolbox is reporting your IP address as listed on Barracuda’s Blacklist but when you go to Barracuda’s website, you’re not listed.  You’re probably thinking “These guys at MxToolbox have lost it”, but that’s not quite the case.  

MxToolbox subscribes in various ways to the DNSRBLs at different providers like Barracuda.  Barracuda being a large organization with a large subscriber base has multiple DNS servers providing blacklist information.  One of these servers seems to be out of sync with the others and the website database.  The questionable IP addresses appear to be coming from this one server.

Why does MxToolbox report it as blacklisted?

The MxToolbox philosophy on blacklisting is to provide blacklist results that most closely resemble real-world blacklist usage.  To do that, MxToolbox caches positive blacklist results until the TTL (time-to-live) of the record expires.  When we get a positive response, we list it regardless of how many of the DNS servers list it at the blacklisting organization, because this is how spam filters work. A spam filter will get a positive result and lock out any email from that IP address.

Am I really blacklisted even if I’m not on Barracuda’s website?

If you are listed on the out-of-sync DNS server, you are technically blacklisted.  Spam filters that subscribe to Barracuda may connect to this DNS server,  receive your IP address on the blacklist and then begin to refuse your email.

What can I do?

To get off the blacklist, you must contact Barracuda and let them know that you are listed on one of their servers.  When we investigated, we found the results were coming from a server in their geons01.barracudacentral.org DNS server pool (see the image below).  We have opened our own case with Barracuda.

Three direct lookups of a particular IP address on Barracuda's DNS servers.  Note that the same server pool provides different results.

Three direct lookups of a particular IP address on Barracuda’s DNS servers. Note that the same server pool, geons01, provides different results. 

 

Is Go Daddy DNS Up or Down?

The short and confusing answer is both.  Let me try to explain.

The Down

As of this morning, the authoritative DNS nameservers at Go Daddy were unavailable.  These servers provide the IP addresses of local DNS servers containing domains hosted on Go Daddy.  So, if you’re hosted on Go Daddy, you’re DNS is in one of these local DNS servers.  External queries would not be able to find your IP address because the authoritative servers at Go Daddy could not resolve the local DNS server containing your information.  You are essentially down to authoritative DNS lookups and anyone without a cache containing the local DNS server with your IP address.

The Up

For most people, this is not an issue. Go Daddy is large enough with enough regular traffic to generate a large cache of DNS entries.  If you are hosted on Go Daddy, returning customers will have cached DNS information and be able to navigate to your site without the need to hit the authoritative DNS servers.  Even many new customers can navigate to your site based on cached resolutions to the DNS servers with your domain information.  However, new customers will be unable to resolve if they or their ISP has not cached DNS for your site.

The Upshot

MxToolbox DNS lookups show Go Daddy DNS and DNS for domains hosted on Go Daddy as down.  We do this because the authoritative DNS servers cannot resolve the local DNS servers, so the lookup chain is broken.   Our lookups and monitors always start from the root and do not use cached information, so you get a complete look at the DNS configuration.

Further, this issue may eventually cause a situation where your site becomes completely inaccessible.  DNS entries have a limited TTL (Time to Live).  When TTL expires, the entry is erased from the cache.  Should Go Daddy’s outage last longer than your domain’s TTL, customers will be unable to resolve your IP address and unable to connect to your site.   MxToolbox recommends DNS Monitoring or Domain Health Monitoring for your mission critical domains so you are warned of these issues before it becomes an outage.

 

Announcing MxToolbox Professional

Our team is happy to announce the release of MxToolbox Professional, our new power user interface.  A lot of hard work and a lot of feedback from our great users went into the creation of this new integrated interface.  We know you made the product even better!

MxToolbox Professional UI

What is MxToolbox Professional?  It is a new user interface integrating all the tools you rely upon with monitoring services.  This new UI will enable you to seamlessly transition between lookup tools and monitors without changing pages.  Power users get a highly customizable user interface featuring:

  • Favorites
  • Type Ahead
  • Lookup History
  • User-defined Tags
  • Custom Filters

You can get more information about MxToolbox Professional here.

How do you get MxToolbox Professional?  If you are an existing paid customer, you have access already.  You can switch between Professional and Classic interfaces in the Dashboard.  If you are not a paid customer, now may be the best time to look at upgrading.

Visit the MxWatch Matrix for more information.

Improved SPF Tool RFC changes

Over the past few weeks we’ve been working hard to improve our SPF Record Testing Tool to help people check and monitor SPF records. We’ve added some improved diagnostic testing capabilities to give you more specified details if we discover an issue with your SPF Record.

One of the big SPF events that occurred this year and spurred these updates was a significant change in SPF best practices, namely RFC 7208.  This new document advises the administrators to discontinue using the alternative SPF RR type that was formerly supported during the experimental phase of SPF. SPF records must only be published as a DNS TXT Resource Record. Due to this change we have updated our SPF Lookup tool and now report the status of the following problems you might encounter with SPF:
SPF problems

SPF Record Deprecated - If you still have an SPF type record, we will warn you. Simply remove these records to clear the warning.

SPF No Records – If you have no Sender Policy Framework records, we issue this warning. SPF participation is voluntary, but if you want to remove this warning you will need to create an SPF record and publish it as a TXT type record. There are several good tools for creating SPF records such as http://www.spfwizard.net/.

SPF Invalid Syntax – This is the only problem that will cause a domain to show as error. We have detected some type of syntax problem in your SPF record. This could cause real problems when recipients attempt to decode it.

SPF Multiple Records – The RFC only allows a single SPF record per domain. If you have more than one, we will display a warning. Ideally, you should ensure that only a DNS TXT Resource Record is published and all others SPF records are removed to clear this warning.

You might be listed and not listed on Barracuda right now

Recently, several of our users contacted us, asking us what is going on with the Barracuda blacklist. Our monitoring tools have alerted many administrators that their IP is blacklisted by Barracuda.

The problem that is currently happening is that one of the two DNS servers run by Barracuda is stale (shown in the image below). This is causing email servers that are doing lookups to show some people as being listed even though Barracuda considers them as not listed. This is why their web lookup tool will show them as clean, but the listing is still being published via DNS.

Barracuda DNS Screenshot

For a refresher course on How Blacklists Work you can check out one of our past blog posts.

We’ll update this post as we get new information

Have You Checked Out Domain Health Yet?

You might have noticed several months ago we began to roll out the Domain Health Report as our newest tool on the site. After listening to a lot of feedback from users like you, we started building this new tool that performs a full diagnostic check on your domain and all your servers associated with your Mx Record.

With Domain Health you can quickly get a complete picture of your domain’s health. For each domain you enter we run over 140 tests including mail server, web server, DNS, and blacklist tests and identify any critical errors or warnings that could be affecting the performance of your domain.


Domain Health for google.com

If you haven’t run a Domain Health Report on your domain yet give it a try here – Run Domain Health Report

In addition to providing this powerful new report tool for your domain – we also recently added Domain Health Monitoring. You can give us a domain name and we will run tests on all of your Web, DNS, and Email Servers every 15 minutes and alert you if we detect a critical problem or warning that you need to know about. We also alert you to any Mx or SPF Record changes that we detect.

Learn more about Domain Health Monitoring.

How blacklists work behind the scenes

Every now and then we get an email from a user who wants to know why our Blacklist tool shows them as being on a blacklist but when they use the check tool on the blacklist’s web page, it shows them as being clear or vice versa. A little bit of background on how DNSRBLs work will explain why this happens and I hope you find it helpful when trying to troubleshoot blacklist problems.

Blacklist Results

Blacklist operators generate lists of IP addresses or domain names that they would like to share with the world. DNS is a great way to publish IP addresses and hostnames in a very lightweight, fast, distributed way. The operator creates a domain zone and publishes records on their DNS server. So let’s say we create a blacklist called Example. We announce it to the world and let everybody know we are going to publish it at rbl.example.com. For every IP Address that we want to add to our list, we publish an A record in our zone. Mail servers would attempt to resolve the IP at our domain and if an A record is returned they would know that the IP in question is “on the blacklist”. Domain based lists work similarly.

Just like with all other DNS records, you do not need to always ask the DNS server that actually host the zone for an answer. In fact most DNS queries are made against nearby DNS servers. Most people first query their ISPs DNS servers. Many business networks are setup with a local DNS server for security as well as performance reasons. This way once one person gets an answer for the IP address google.com additional queries are returned very quickly without having to traverse the internet. How long these cached results are stored is determined by the time to live (TTL) settings that are configured by the owner of the zone. This means that in addition to determining who they want to put on their list, blacklist operators determine how long you should remain listed even after they remove you from the zone. They could do this for policy reasons or for performance of their DNS servers. But what it means is that every person who finds out that you are on the list will consider you “listed” until that TTL expires.

So I think you can see now how you could get a different answer from our tool than from the blacklists own check tool. Either we got a negative answer recently and are caching that and showing you as not listed when you in fact are, or we have a legitimate listing record on our server that hasn’t expired yet and we will show you listed even after you have been taken off at the source. It is important to realize that we report these cached results for the reason that this is what other email servers in the wild will see. If you get a positive result on our tool, once you request delisting you should check with the provider’s own check tool to see if you have been removed. Then you can see from our tool how long your TTL is before you will appear clean again to the email server’s of the world.

IPv6 Addresses added to MX record results

We continue to add support for IPv6 to our tools and this week we are going to start showing IPv6 addresses for Mail Exchange records that have AAAA records for their hostnames.

IPv6 in MX records

Our last blog post went over a lot of the basics of IPv6 for folks who would like some background. We are going to continue adding support for IPv6 in more of our tools over time as we strive to keep our tools as awesome as possible in the ever changing world of technology.