Question

Mail from single droplet getting unauthorized failures from recipient mail servers

Posted October 6, 2021
Tags: DNS, Ubuntu 18.04

I have a single droplet running my application, and hosting a postfix mail server for sending notifications, etc. However, mail is not working.

When I run a cmd-line test mail to a gmail account, I get a rejected response:
“The IP you’re using to send mail is not authorized 550-5.7.1 to send email directly to our servers. Please use the SMTP relay at 550-5.7.1 your service provider instead.”

In terms of DNS record set-up:
A records are fine for site and mail subdomain, as verified by whatsmydns.net.
MX record also verifies (now using main domain)
I have three TXT records as follows:
main site: v=spf1 ip4:xxx.xxx.xxx.xxx -all
mail._domainkey subdomain: “v=DKIM1;h=sha256;k=rsa;p=…”
_dmarc subdomain: v=DMARC1;p=quarantine

The DKIM above matches my public/private setup, as per the DO “How To Install and Configure DKIM” tutorial.

I do receive email, I just cannot send any. Help appreciated!
Fergus

1 answer

Hello,

It sounds like your PTR record might be the problem.

I could suggest following the steps from this answer here by @alexdo on how to set up a PTR record:

https://www.digitalocean.com/community/questions/how-to-setup-a-ptr-record?answer=65918

Once this is done, you might have to wait for the DNS cache to clear across the globe, and then you could give it another try.

Let me know how it goes.
Best,
Bobby

  • Hi Bobby,

    Many thanks for your response (again)!
    My droplet and domain (I have just one of each) are already named for my FQDN, let’s call it example.com.
    My understanding (having also previously read the advice you forwarded) is that a PTR record is automatically created based on this name == FQDN. I definitely do not want to mess with that name, because I have active users on my web app all the time.

    Am I at the stage where I need to contact DO support to look into this failure situation more deeply (and specifically)?

    Kind regards,
    Fergus

    • Hi there Fergus,

      Thank you for providing those additional details. What I could suggest is to use the host command to verify that the PTR record is actually correct:

      host your_ip_address

      If the output is correct it should look like this:

      your_ip_in_reverse.in-addr.arpa domain name pointer example.com.

      Let me know how it goes.
      Regards,
      Bobby
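An added example, not part of the thread or of DigitalOcean's own tooling: a Python script that performs the forward-confirmed reverse DNS check Bobby describes (PTR for the IP, then the A record of that name back to the same IP), plus a check that the SPF record's ip4 mechanism covers the sending IP. The resolver functions, hostnames and addresses used in the demonstration are constructed so it runs offline; swap in live_ptr/live_a for real lookups.

```python
"""Check what a receiving mail server looks at for a sending IP:
forward-confirmed reverse DNS (PTR -> A -> same IP) and an SPF ip4 match."""
import ipaddress
import socket
from typing import Callable, List


def reverse_name(ip: str) -> str:
    # 203.0.113.10 -> "10.113.0.203.in-addr.arpa" (the owner name of the PTR record)
    return ipaddress.ip_address(ip).reverse_pointer


def check_fcrdns(ip: str, expected_host: str,
                 ptr_lookup: Callable[[str], str],
                 a_lookup: Callable[[str], List[str]]) -> List[str]:
    """Return a list of problems; an empty list means the PTR is consistent."""
    problems = []
    try:
        ptr = ptr_lookup(ip).rstrip(".").lower()
    except OSError:
        return [f"no PTR record for {ip} ({reverse_name(ip)})"]
    if ptr != expected_host.rstrip(".").lower():
        problems.append(f"PTR is {ptr}, expected {expected_host}")
    try:
        forward = a_lookup(ptr)
    except OSError:
        forward = []
    if ip not in forward:  # the name the PTR gives must resolve back to the IP
        problems.append(f"A record for {ptr} does not contain {ip}")
    return problems


def spf_allows(spf_txt: str, ip: str) -> bool:
    """True if an ip4: mechanism covers ip (include:/redirect= are not followed)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(t[4:], strict=False)
               for t in spf_txt.split() if t.lower().startswith("ip4:"))


# Constructed sample zone data (not real records) so the checks run offline.
FAKE_PTR = {"203.0.113.10": "example.com.", "203.0.113.20": "other.example.net."}
FAKE_A = {"example.com": ["203.0.113.10"], "mail.example.com": ["203.0.113.10"]}


def fake_ptr(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise OSError("NXDOMAIN")
    return FAKE_PTR[ip]


def fake_a(name: str) -> List[str]:
    if name not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[name]


def live_ptr(ip: str) -> str:          # real reverse lookup via the system resolver
    return socket.gethostbyaddr(ip)[0]


def live_a(name: str) -> List[str]:    # real forward lookup (all A records)
    return socket.gethostbyname_ex(name)[2]


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.20"):
        print(ip, check_fcrdns(ip, "example.com", fake_ptr, fake_a))
```

For the droplet in the question, run check_fcrdns with the live lookups and the FQDN the droplet is named after; any non-empty result explains the 550 5.7.1 rejection.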