Jools, as David Burgin pointed out, your SPF record in DNS is (still) broken (as well as your DMARC record) and this may well be the cause of your problems.
v=spf1 mx a:81.145.130.2 -all should be (because the 'a:...' syntax is wrong and superfluous): v=spf1 mx -all - I missed this on my original reading oops For the DMARC record, remove the escaped quotes: \"v=DMARC1; p=none; rua=mailto:sysad...@bordengrammar.kent.sch.uk\"; should be: v=DMARC1; p=none; rua=mailto:sysad...@bordengrammar.kent.sch.uk On Sat, 12 Sep 2020 at 19:17, Julian Pilfold-Bagwell <j...@bordengrammar.kent.sch.uk> wrote: > > Hi, > > I've fixed DKIM and have fired a message off to several DKIM validation > sites which have come back with SPF, DMARC and DKIM as all having > passed. I changed the TLS setting you suggested as well > > We then sent a test batch and the first 11 went through, the following 8 > were rejected, and the next 7 went through. > > It really is weird. If it was all of the messages being bounced I could > understand it, but google and yahoo both seem to let a load through yet > block a handful. I guess it's possible that the end-users have an > option to set the aggressiveness of the spam filtering but it seems like > a setting that wouldn't be commonly used as Google's defaults are > usually pretty good and we don't tend to get rejected in daily use. > > > On 12/09/2020 14:53, Dominic Raferd wrote: > > Just after I sent my reply to your later email I saw this reply of > > yours (below) - which Google had accepted but put into my spam folder! > > > > On Sat, 12 Sep 2020 at 13:14, Julian Pilfold-Bagwell > > <j...@bordengrammar.kent.sch.uk> wrote: > >> I'll make the change to TLS and see what happens as well as fix the > >> DMARC. The server's been running 24/7 since 2015 and is due for > >> replacement in the summer of 2021 at which point I'll be upgrading the > >> postfix version. > >> > >> I'll check the headers again and will get back. > >> > >> On 12/09/2020 12:15, Dominic Raferd wrote: > >>> On Fri, 11 Sep 2020 at 22:49, Julian Pilfold-Bagwell > >>> <j...@bordengrammar.kent.sch.uk> wrote: > >>>> I have a problem that's sprung to light after we bought in a 3rd party > >>>> cloud provider. I have postfix 2.10 running on Centos 7 (main.cf below) > >>>> and our 3rd party provider is relaying mail out via our server, using > >>>> authentication on a legit account. However, the recipient ISPs reject > >>>> mail with the error 554 5.7.1 recipient access denied, although this > >>>> doesn't seem to happen on all the messages that are being sent. If > >>>> we're sending say 60 messages, the first block of 20 will go through, > >>>> the next 20 will be blocked and the final 20 will go through. I'm > >>>> guessing that the receiving end is objecting to something in the headers > >>>> from the relayed mail, but can't quite get to grips as to why it occurs > >>>> in batches. > >>>> > >>>> The 3rd party provider is sending reports to all of our end users which > >>>> is over a thousand emails+ so I've limited the delivery rate to 1 > >>>> message per domain every twenty seconds to try to appear less spammy > >>>> but it still happens as described. The error message is as below: > >>>> > >>>> NOQUEUE: reject: RCPT from smtp.overnetdata.com[5.153.65.228]: 554 5.7.1 > >>>> <usern...@hotmail.com>: Recipient address rejected: Access denied; > >>>> from=<edul...@bordengrammar.kent.sch.uk> to=<usern...@hotmail.com> > >>>> proto=ESMTP helo=<www7> > >>>> > >>>> and we're receiving this from talktalk.co.uk, sky.com, yahoo.co.uk, > >>>> hotmail.com, outlook.com and gmail.com sometimes talks to us, and > >>>> sometimes doesn't. > >>>> > >>>> and main.cf is shown here:... > >>> The setup seems imperfect, and the version of postfix rather old, but > >>> which if any of the imperfections is causing this new problem is hard > >>> to say without fuller examples of what is being blocked, which I can > >>> well understand you might not want to post on an open forum. My > >>> observations are: > >>> > >>> Instead of 'smtp_use_tls = yes' it is advisable to use > >>> 'smtp_tls_security_level = may' (Postfix 2.3+) > >>> > >>> Your SPF entry in DNS looks ok, provided as you say that the 3rd party > >>> is sending your emails via your mail server and not independently. > >>> Also your mail server's ip is not blacklisted at any of the 129 rbls I > >>> regularly check, nor at https://ipremoval.sms.symantec.com/. You can > >>> check its status with Microsoft by registering it at their Smart > >>> Network Data Service. > >>> > >>> Your DMARC entry in DNS is broken, also you do not appear to be > >>> signing outgoing emails with DKIM. But I doubt either of these is the > >>> explanation for your problem. > >>> > >>> Is the third party sender using your domain in the 'From:' header as > >>> well as in the envelope? > >> -- > >> J. Pilfold-Bagwell,
