
Page 1 of 26 | My E-mail appears as spam | Troubleshooting - Mail server | Part 15#17

MY E-MAIL APPEARS AS SPAM | TROUBLESHOOTING - MAIL SERVER | PART 15#17

In the current article, we will review the rest of the steps in our troubleshooting journey, which relates to a scenario in which we think or suspect that the reason our E-mail is identified as spam\Junk mail is that our Exchange Online IP address appears as blacklisted.

In the former article, My E-mail appears as spam | Troubleshooting - Mail server | Part 15#17, we reviewed the required steps for fetching the Exchange Online IP address from the E-mail message.

Written by Eyal Doron | o365info.com


The current article is dedicated to Step B, Step C and Step D.

Step B - Get information about the Exchange Online infrastructure
Get the required information about the Exchange Online server that represents our domain name (the Exchange Online host name + IP address).

Step C - Fetch the information about the Exchange Online IP address
In this step, we need to locate the Exchange Online server IP address. The IP address could appear as part of the NDR E-mail message or, in a scenario in which we get a copy of the E-mail message that was sent to the junk mail folder of the destination recipient, we fetch the required information from the E-mail header.

Step D - Verify if the formal Exchange Online IP address appears as blacklisted
This step builds on the information we obtained in the three previous steps.
Given that we have the IP address of the Exchange Online server that appears in the NDR E-mail message, and that we know the IP address of the Exchange Online server that represents our domain name in Office 365, we can verify whether the IP address that appears in the NDR is the IP address of our Exchange Online server.
If the IP address is not the IP of our Exchange Online server (this is the most common scenario), it's probably one of the IP addresses that belong to the Exchange Online High Risk Delivery Pool.

Step B - Get information about your Exchange Online infrastructure


Step 1 - Get the host name of the Exchange Online server that represents our domain in Office 365.
To answer the question "what is the IP address of the Exchange Online server that represents our domain?", we first need to know the FQDN (host name) of the Exchange Online server that represents our tenant in Office 365.
There are two ways to get information about the FQDN of the Exchange Online server that sends E-mail for our domain:

Option 1: Office 365 administration portal

Log in to the Office 365 administration portal
On the left sidebar, choose the domain menu


Choose Manage DNS
Under the Exchange Online section, look for information about the MX record host name (POINTS TO ADDRESS). In our scenario, the Exchange Online server that represents our organization is: o365info-com.mail.protection.outlook.com

Option 2: Using the nslookup tool

Another option for getting information about the host name of the Exchange Online mail server that represents our organization is to use the nslookup tool.

Open the command prompt
Type the command: nslookup
Type the command: set type=mx


Type the name of the domain whose MX record you want to display. In our scenario: com

In the following screenshot, we can see the result of our MX query.
In our example, the host name of the Exchange Online server that represents our domain is: o365info-com.mail.protection.outlook.com

Step 2 - Get the IP address of the Exchange Online server that represents our domain.
A couple of notes regarding Exchange Online and its public IP address:

The Exchange Online server (the host name that appears in our domain MX record) is mapped to more than one IP address.


These IP addresses represent additional Office 365 tenants besides our domain.
If we suspect that our Exchange Online mail server appears as blacklisted, we need to verify each of the public IP addresses that are bound to the Exchange Online server that represents our domain name.

To get information about the IP addresses that are mapped to the host name of the Exchange Online server that represents our domain, we can use a tool such as nslookup.

Open the command prompt
Type the command: nslookup
Type the host name of the Exchange Online server that represents your domain. In our example: o365info-com.mail.protection.outlook.com

In the following screenshot, we can see the results.
In our example, the IP addresses of the Exchange Online servers that represent our domain are: 213.199.154.87 and 213.199.154.23

Step C - Fetch the information about the Exchange Online IP address
In this phase, our mission is to get the IP address of the Exchange Online server that appears in the E-mail message.
The Exchange Online IP address could appear in the NDR message or in the E-mail header of the E-mail message that was saved in the junk mail folder of the destination external recipient.


The information about the Exchange Online mail server that sent the E-mail message appears in the content of the E-mail header.
Technically speaking, we can get the required information from the raw data in the mail header text, but this is not an easy task.
The preferred option is to use a mail header analyzer, which displays the information in a clear way.
In our example, we will use the Microsoft tool named: Exchange connectivity analyzer
1. Access the Exchange connectivity analyzer web site
2. Copy the information from the mail header.


3. Choose the Message Analyzer tab
4. In the section "Insert the message header you would like to analyze", paste the information from the mail header

In the following screenshot, we can see the results. The information in the Received headers displays a clear path through the mail flow.
We can see the Exchange Online servers that accept the E-mail from the Office 365 recipients, but this is not the final node in our mail flow.


The Exchange Online server (10.255.179.24) forwards the E-mail message to an additional Exchange Online server (10.255.179.23), and the Exchange Online server that delivers the E-mail message to the external recipient is an Exchange Online server that is represented by the IP address: 157.55.234.141

Conclusion from the Message Analyzer
By analyzing the information in the E-mail header, we can see the flow of the E-mail message inside the Exchange Online infrastructure.
We can see that the E-mail message travels between more than one Exchange Online server. The most important Exchange Online server in our scenario is the last Exchange Online server, which is responsible for delivering the E-mail message to its destination (the mail server that represents the destination recipient).


Notice that, in our example, the IP address of the Exchange Online server that sent out the E-mail message is: 157.55.234.141.
As mentioned, from my experience, this IP address belongs to the Exchange Online Higher Risk Delivery Pool.
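The same reading of the Received headers can be done in a few lines of Python. This is an added example, not code from the original article: the header block is constructed, only the hop IP addresses and the two MX addresses are the ones quoted in the article, and it assumes (as in the article's example) that hops inside Exchange Online use private 10.x addresses.

```python
import ipaddress
import re
from email import message_from_string

# Constructed header block. The hop IPs and the MX IPs are the ones quoted in
# the article; host names, timestamps and the subject are made up.
SAMPLE_HEADERS = (
    "Received: from out.sender.example (out.sender.example [157.55.234.141])\n"
    " by mx.recipient.example with ESMTPS; Mon, 01 Jan 2024 10:00:04 +0000\n"
    "Received: from hub1.sender.example (10.255.179.24)\n"
    " by hub2.sender.example (10.255.179.23) with mapi;\n"
    " Mon, 01 Jan 2024 10:00:02 +0000\n"
    "From: user@o365info.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
FORMAL_MX_IPS = {"213.199.154.87", "213.199.154.23"}

# An IPv4 literal in () or [] as servers write it in a Received line.
IP_LITERAL = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def received_hops(raw_headers):
    """Return the hops oldest-first as (sender_ip, receiving_host) tuples."""
    msg = message_from_string(raw_headers)
    hops = []
    # Each server prepends its own Received line, so the top one is the newest.
    for value in reversed(msg.get_all("Received", [])):
        parts = re.split(r"\s+by\s+", value, maxsplit=1)
        match = IP_LITERAL.search(parts[0])          # IP in the "from" clause
        try:
            ip = ipaddress.ip_address(match.group(1)) if match else None
        except ValueError:                           # e.g. 999.1.1.1
            ip = None
        by_host = parts[1].split()[0] if len(parts) == 2 else None
        hops.append((ip, by_host))
    return hops


def delivering_ip(raw_headers):
    """First public sender IP on the path: the server that left the tenant.

    Assumes, as in the article's example, that hops inside Exchange Online
    use private (10.x) addresses.
    """
    for ip, _by_host in received_hops(raw_headers):
        if ip is not None and ip.is_global:
            return ip
    return None


def is_formal_mx_ip(ip):
    """True when ip is one of the addresses behind our MX host name."""
    return ip is not None and str(ip) in FORMAL_MX_IPS


if __name__ == "__main__":
    for ip, by_host in received_hops(SAMPLE_HEADERS):
        print(f"{ip} -> {by_host}")
    egress = delivering_ip(SAMPLE_HEADERS)
    print("delivering IP:", egress, "| formal MX IP:", is_formal_mx_ip(egress))
```

Received lines are written by each server on the path, so only the line stamped by a server you trust (here, the recipient's mail server) is reliable evidence of the delivering IP address.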

Step D - Verify if the formal Exchange Online IP address appears as blacklisted
In this phase, we want to verify whether the IP address that appears in the NDR message that we got (or the E-mail message that was sent to the junk mail folder of the destination recipient) is the formal IP address of the Exchange Online server that represents our domain.
Note: the scenario in which the Exchange Online IP address that represents our domain name is blacklisted is quite rare. A more common scenario is one in which the IP address that appears in the E-mail message belongs to the Exchange Online - High Risk Delivery Pool IP address range.


After we get the IP addresses that are mapped to the Exchange Online server that represents our domain, the next step is to use online tools, which will help us check whether one of the IP addresses of our Exchange Online mail server appears as blacklisted.
In the following example, we will use a free online tool that is offered by mxtoolbox.
1. Go to the mxtoolbox site and choose the Blacklists menu.
2. In our example, our Exchange Online host name is mapped to the following IP addresses: 213.199.154.87 and 213.199.154.23
In the box "Server IP or domain", we will enter the IP: 213.199.154.87
Choose: Blacklists check.

In the following screenshot, we can see the result. In our scenario, the IP address of our mail server (o365info-com.mail.protection.outlook.com) is green and clean, meaning the domain IP address doesn't appear in well-known blacklists.
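Blacklist checkers of this kind rely on DNS-based blacklists, which are queried by reversing the IPv4 octets and looking the result up under the list's zone: an answer in 127.0.0.0/8 means "listed", and a non-existent name means "not listed". The sketch below is an added example, not part of the original article and not how mxtoolbox is implemented; the zone `dnsbl.example` and the listed address 192.0.2.10 are constructed placeholders, and the default resolver answers from constructed data so the block runs offline (pass `system_resolver` and real zone names for a live check).

```python
import ipaddress
import socket

# The addresses the article resolved for its MX host name.
MX_IPS = ["213.199.154.87", "213.199.154.23"]
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")   # DNSBL "listed" answers

# Constructed zone data for an offline run: one made-up listed address on a
# placeholder list. "dnsbl.example" is not a real blacklist.
CONSTRUCTED_ZONE = {"10.2.0.192.dnsbl.example": ["127.0.0.2"]}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone."""
    addr = ipaddress.IPv4Address(ip)               # ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def constructed_resolver(name):
    """Stand-in resolver that answers from CONSTRUCTED_ZONE only."""
    return CONSTRUCTED_ZONE.get(name, [])


def system_resolver(name):
    """A records for name; [] only when the name really does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as err:
        if err.errno == socket.EAI_NONAME:         # no such name: not listed
            return []
        raise                                      # timeout etc.: never report "clean"
    return sorted({info[4][0] for info in infos})


def check_ip(ip, zones, resolve=constructed_resolver):
    """Return {zone: 'listed' | 'clean' | 'unexpected'} for one address."""
    report = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if not answers:
            report[zone] = "clean"
        elif all(ipaddress.ip_address(a) in LISTED_NET for a in answers):
            report[zone] = "listed"
        else:
            report[zone] = "unexpected"            # e.g. wildcard DNS answer
    return report


def check_all(ips, zones, resolve=constructed_resolver):
    """Check every address behind the MX host name, not just the first."""
    return {ip: check_ip(ip, zones, resolve) for ip in ips}


if __name__ == "__main__":
    print(check_all(MX_IPS, ["dnsbl.example"]))
```

Some lists use reserved return codes to signal a refused query, so read the list's documentation before treating every 127.x answer as a listing.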


The scenario in which the formal IP address of the Exchange Online server that represents our domain name appears as blacklisted can be considered a rare scenario.


If you experience the above scenario, the only available option is to report the problem to Office 365 technical support.

Get more information about the Exchange Online IP address
Just a short recap of the troubleshooting path that we've been through so far:
1. We got an NDR message which informs us that our mail server is blacklisted.
2. We have already verified that our formal Exchange Online IP address doesn't appear as blacklisted.
3. We have fetched from the NDR message the IP address that is blacklisted.
4. We want to get more detailed information about this specific IP address.

In this phase, we can assume that the IP address that appears in the NDR belongs to the Exchange Online - High Risk Delivery Pool IP range. To validate our hypothesis, we can use the information about the public IP range of Office 365 and Exchange Online that was published by Microsoft.

How do I know if the IP address of the mail server is an Office 365 Exchange Online IP address?


Microsoft publishes a set of articles that include detailed information about the public IP ranges and the URL addresses of all Office 365 infrastructures.
The main article, or the index for all the different Office 365 infrastructures, is the article: Office 365 URLs and IP address ranges
This article includes detailed information about all the different parts and infrastructures of Office 365, such as Exchange Online, EOP (Exchange Online Protection), SharePoint Online, Lync Online etc.
In our scenario, our main interest is the Exchange Online public IP range and the EOP (Exchange Online Protection) public IP range.
The information about the EOP public IP range appears in a separate article: Exchange Online Protection IP addresses
In the following screenshot, we can see an example of the information about the public IP range of EOP (Exchange Online Protection).


If the IP address that appears in the NDR is not our formal Exchange Online IP address, and the IP address appears in the Office 365 and Exchange Online public IP range, you cannot be 100 percent sure that the IP address belongs to the Exchange Online High Risk Delivery Pool, but it is a very likely assumption.
In this case, we already know that the issue is not related to a problem with the IP address of the Exchange Online server but, instead, to the content of the E-mail message that was sent by our organization user.

The IP address in the NDR doesn't appear in the Office 365 public IP range
This scenario is quite rare, but I think that it's important that you are aware of all the possible scenarios and the tools that you can use in the different scenarios.
The characteristics of this scenario are as follows:

The NDR message that we got informed us that our mail server is blacklisted. The IP address in the NDR is not the formal IP address of the Exchange Online server that represents our domain.
We have performed a search for the IP address in the NDR in the public IP address ranges of Office 365 and Exchange Online by using the public articles:
o Office 365 URLs and IP address ranges
o Exchange Online Protection IP addresses
And we didn't find the IP address.

The main question now is: who is the owner of the IP address that appears in the NDR message?
To get the required answer, we can use a public site that provides information about the owner of a specific public IP address.
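The three outcomes described above (formal MX address, address inside the published Office 365 ranges, address with an unknown owner) can be checked mechanically once the published ranges are pasted into a text block. This is an added example, not code from the original article: the range list is a constructed stand-in built around the addresses in the article, not Microsoft's published list, and the function names are hypothetical.

```python
import ipaddress

# Addresses the article resolved for its MX host name.
FORMAL_MX_IPS = {"213.199.154.87", "213.199.154.23"}

# Constructed stand-in for the ranges copied from the two Microsoft articles.
# These are NOT the published lists; paste the current ones when using this.
CONSTRUCTED_PUBLISHED_RANGES = """
# CIDR form
157.55.234.0/24
213.199.154.0/24
# start - end form
198.51.100.16 - 198.51.100.31
2001:db8:40::/48
"""

NEXT_STEP = {
    "formal-mx": "run the blacklist check on it; if listed, report to "
                 "Office 365 technical support",
    "office365-range": "very likely the High Risk Delivery Pool; review the "
                       "content of the E-mail message",
    "unknown-owner": "not an Office 365 address; look up the owner of the IP",
}


def parse_ranges(text):
    """Parse CIDR and 'start - end' lines into a list of ip_network objects."""
    networks = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if "-" in line:
            first, last = (ipaddress.ip_address(p.strip())
                           for p in line.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def triage(ndr_ip, formal_ips, published):
    """Classify the IP address taken from the NDR or the mail header."""
    ip = ipaddress.ip_address(ndr_ip)              # ValueError on bad input
    if str(ip) in formal_ips:
        return "formal-mx"
    if any(ip.version == net.version and ip in net for net in published):
        return "office365-range"
    return "unknown-owner"


if __name__ == "__main__":
    ranges = parse_ranges(CONSTRUCTED_PUBLISHED_RANGES)
    for candidate in ("213.199.154.87", "157.55.234.141", "203.0.113.9"):
        verdict = triage(candidate, FORMAL_MX_IPS, ranges)
        print(candidate, "->", verdict, "->", NEXT_STEP[verdict])
```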
Using a public website that can provide us information about the owner of a specific public IP address


As mentioned, an additional option that we can use to get information about a specific public IP address is to use one of the different free services.
In the following example, we will use a website named: https://db-ip.com/
In the following screenshot, we can see the result of the query for the IP address that appeared in our results when using the mail header analyzer in the former step:

Additional reading

DB-IP IP Geolocation and Network Intelligence
utrace
myip
reputationauthority

Additional information

dnsbl
Blacklist Check

Internal \ outbound spam in Office 365 environment | Article series index

A quick reference for the article series

My E-mail appears as a spam | Article series index | Part 0#17
The article index of the complete article series

Introduction to the concept of internal \ outbound spam in general and in Office 365 and Exchange Online environment

My E-mail appears as a spam - Introduction | Office 365 | Part 1#17
The psychological profile of the phenomenon: My E-mail appears as a spam!, possible factors for causing our E-mail to appear as spam mail, the definition of internal \ outbound spam.

Internal spam in Office 365 - Introduction | Part 2#17
Review in general the term: internal \ outbound spam, misconceptions that relate to this term, the risks that are involved in this scenario, outbound spam E-mail policy and more.

Internal spam in Office 365 - Introduction | Part 3#17
What are the possible reasons that could cause our mail to appear as spam\junk mail, who or what are the elements that can decide that our mail is a spam mail?, what are the possible reactions of the destination mail infrastructure that identifies our E-mail as spam\junk mail?

Commercial E-mail - Using the right tools | Office 365 | Part 4#17
What is commercial E-mail? Commercial E-mail as part of the business process. Why do I think that Office 365\ Exchange Online is unsuitable for the purpose of commercial E-mail?

Introduction of the major causes for a scenario in which your organization E-mail appears as spam

My E-mail appears as spam | The 7 major reasons | Part 5#17
Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 1. E-mail content, 2. Violation of the SMTP standards, 3. Bulk\Mass mail

My E-mail appears as spam | The 7 major reasons | Part 6#17
Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 4. False positive, 5. User Desktop malware, 6. Problematic Website

Introduction of the subject of SPF record in general and in Office 365 environment

What is SPF record good for? | Part 7#17
The purpose of the SPF record and the relation to our mail infrastructure. How does the SPF record enable us to prevent a scenario in which hostile elements could send E-mail on our behalf.

Implementing SPF record | Part 8#17
The technical side of the SPF record: the structure of SPF record, the way that we create SPF record, what is the required syntax for the SPF record in an Office 365 environment + mix mail environment, how to verify the existence of SPF record and so on.


Introduction of the subject of Exchange Online - High Risk Delivery Pool

High Risk Delivery Pool and Exchange Online | Part 9#17
How Office 365 (Exchange Online) is handling a scenario of internal \ outbound spam by using the help of the Exchange Online - High Risk Delivery Pool.

High Risk Delivery Pool and Exchange Online | Part 10#17
The second article about the subject of Exchange Online - High Risk Delivery Pool.

The troubleshooting path of internal \ outbound spam scenario

My E-mail appears as spam - Troubleshooting path | Part 11#17
Troubleshooting scenario of internal \ outbound spam in Office 365 and Exchange Online environment. Verifying if our domain name is blacklisted, verifying if the problem is related to E-mail content, verifying if the problem is related to specific organization user E-mail address, moving the troubleshooting process to the other side.


My E-mail appears as spam | Troubleshooting - Domain name and E-mail content | Part 12#17
Verify if our domain name appears as blacklisted, verify if the problem relates to a specific E-mail message content, registering blacklist monitoring services, activating the option of Exchange Online outbound spam.

My E-mail appears as spam | Troubleshooting - Mail server | Part 13#17
What is the meaning of: our mail server?, Mail server IP, host name and Exchange Online. One of our users got an NDR which informs him that his mail server is blacklisted!, How do we know that my mail server is blacklisted?

My E-mail appears as spam | Troubleshooting - Mail server | Part 14#17
The troubleshooting path logic. Get the information from the E-mail message that was identified as spam\NDR. Forwarding a copy of the NDR message or the message that saved to the junk mail


My E-mail appears as spam | Troubleshooting - Mail server | Part 15#17
Step B - Get information about your Exchange Online infrastructure, Step C - Fetch the information about the Exchange Online IP address, Step D - Verify if the formal Exchange Online IP address a

De-list your organization from a blacklist | My E-mail appears as spam | Part 16#17
Review the characteristics of a scenario in which your organization appears as blacklisted. The steps and the operations that need to be implemented to de-list your organization from a blacklist.

Summary and recap of the troubleshooting and best practices in a scenario of internal \ outbound spam

Dealing and avoiding internal spam | Best practices | Part 17#17
Provide a short checklist for all the steps and the operations that relate to a scenario of internal \ outbound spam.
