Overview
When you run the MXToolbox domain check, the tool may report problems with SMTP Banner, Reverse DNS mismatch, SMTP TLS, and transaction time. These settings can be checked manually, as the external tool's results are not always accurate.
You may also receive the SOA warnings "Serial Number Format is Invalid" and "Expire Value out of recommended range".
Prerequisites
- Telnet tool installed
- SMTP server and SMTP client debug logs enabled
Solution
Reverse DNS does not match SMTP banner
- Open the Telnet tool and check the standard SMTP port, 25. Replace domain.com with your domain name.
- The first line of the response will be 220 mail.domain.com ESMTP ready.
- Open the MXToolbox Reverse Lookup and check the output. It should match mail.domain.com.
Does not support TLS
- Once connected to the server via Telnet (port 25), execute the EHLO domain.com command:
- The response includes 250-STARTTLS, which means the server supports TLS. For more information, please refer to Kerio Connect Services.
SMTP transaction time - 15 seconds, not good
- Open the Debug logs in Kerio Connect administration after enabling the SMTP server and SMTP client options.
- Go to the MXToolbox domain health check and run the test again.
- Review the Debug logs. Output similar to the following should appear:
[29/May/2020 09:56:12][2943] {smtps} SMTP server session begin; client connected from keeper-us-east-1b.mxtoolbox.com:49265
[29/May/2020 09:56:28][2943] {smtps} Client keeper-us-east-1b.mxtoolbox.com:49265 closed connection before SMTP greeting, connection rejected
- The message above means that the Spam Repellent protection feature is enabled. MXToolbox itself offers this explanation:
It is also possible your server is "Tar pitting". Tar pitting is a technique used by some email servers to slow down spammers. The idea is that legitimate senders will wait longer to establish a connection than spammers will.
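To measure how long a probing client waited before giving up, the two debug-log lines above can be paired by the bracketed number that follows the timestamp. The Python script below is an added example, not part of Kerio Connect or the original article; it assumes that number identifies the session, and its sample input adds one constructed line for a second client.

```python
import re
from datetime import datetime

# Sample input: the two debug-log entries quoted above, plus one constructed
# line (id 2950, mail.example.net) for a session that is still open.
SAMPLE_LOG = """\
[29/May/2020 09:56:12][2943] {smtps} SMTP server session begin; client connected from keeper-us-east-1b.mxtoolbox.com:49265
[29/May/2020 09:56:28][2943] {smtps} Client keeper-us-east-1b.mxtoolbox.com:49265 closed connection before SMTP greeting, connection rejected
[29/May/2020 09:57:01][2950] {smtps} SMTP server session begin; client connected from mail.example.net:51002
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<sid>\d+)\] \{smtps\} (?P<msg>.*)$")
BEGIN_RE = re.compile(r"SMTP server session begin; client connected from (?P<peer>\S+)")
EARLY_CLOSE = "closed connection before SMTP greeting"
TS_FORMAT = "%d/%b/%Y %H:%M:%S"


def early_disconnects(log_text):
    """Return (id, peer, seconds waited) for each client that hung up
    before the server sent its SMTP greeting."""
    begun = {}    # id (assumed to identify the session) -> (start time, peer)
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an {smtps} debug line
        when = datetime.strptime(m["ts"], TS_FORMAT)
        sid, msg = m["sid"], m["msg"]
        begin = BEGIN_RE.search(msg)
        if begin:
            begun[sid] = (when, begin["peer"])
        elif EARLY_CLOSE in msg and sid in begun:
            start, peer = begun.pop(sid)
            results.append((sid, peer, int((when - start).total_seconds())))
    return results


if __name__ == "__main__":
    for sid, peer, waited in early_disconnects(SAMPLE_LOG):
        print(f"session {sid}: {peer} gave up after {waited}s without a greeting")
```

For the quoted lines it reports a 16-second wait during which no greeting was sent, which is the delay the external test measures as transaction time.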
SOA Serial Number Format is Invalid
- DNS providers such as DigitalOcean, Cloudflare, etc. might be the source of this warning. MXToolbox explains it as follows:
It has become common to set your serial number with a date format to make it easier to manage.
- This error can be ignored because it does not indicate an actual domain or mail server issue.
SOA Expire Value out of recommended range
- MXToolbox issues this warning if your value is less than 2 weeks or more than 4 weeks, as these are the recommended values. DNS providers (Cloudflare, DigitalOcean, GoDaddy) have a different value set up: 1 week.
- The error can be ignored, as it does not indicate a mail domain or server problem.
Confirmation
The warnings and errors described above can be considered false positives.