Documentation
Email Tracking
Executive Summary
ExchangeDefender makes it easy to locate message logs and SMTP logs and to troubleshoot email delivery. This guide will walk you through the process of email delivery tracking, common email delivery issues, and troubleshooting steps you can take to identify problems.
Mail Log Access
ExchangeDefender can help you troubleshoot email delivery through the Mail Log feature available through the Service Provider and Domain Administrator web apps located at https://admin.exchangedefender.com
Service Provider & Domain Admin Mail Log
ExchangeDefender for Service Providers is meant for large-scale ISPs and MSPs that want to centrally manage their entire client base. ExchangeDefender SMTP logs are available from the Mail Log link on the left.
From here you can locate every message that has passed through the ExchangeDefender network, inbound and outbound (sent) mail. If it’s not in here, we haven’t processed it and troubleshooting/debug data would have to be sought from the other end.
Here is a brief description of the search parameters:
Incoming Mail (to) – Selecting this option will restrict the search to incoming / inbound mail only. Please use this feature if you’re having trouble receiving mail from someone.
Sent Mail (from) – Selecting this option will restrict the search to sent / outbound mail only. Please use this feature if you’re having trouble delivering mail to someone external to your organization.
Message ID – Message ID is a reserved ExchangeDefender SMTP message identifier, a unique tracking ID assigned to every email processed by ExchangeDefender. With this ID and the name of the node that processed it (example: inbound10.exchangedefender.com, outbound4.exchangedefender.com) we can produce a full report of the email’s path through ExchangeDefender and any errors associated with its delivery.
Domain* – Service Providers have a single pane of glass to manage all of their clients, and selecting a domain from the dropdown will limit the search to a single domain.
Subject, From, To, Date range from, Date range to – These search parameters are related to the specific message you are searching for.
Locating Messages
After you provide your search parameters, ExchangeDefender Mail Log will locate all the messages that match your search criteria.
The first field on the left (ID) is the unique ExchangeDefender Message ID that helps us locate unique SMTP transaction logs associated with the message. Clicking on the message ID will show you the email message headers and the SMTP transaction logs.
The Message Details screen contains everything we have on the message in question. Message Headers are individual message headers that are applied at every hop your email makes from your mail software to your mail server, and finally through us. These headers contain valuable information about the message structure, path, attachments, etc.
SMTP logs are transaction logs for the message as it goes through the ExchangeDefender network. Transaction logs get stamped by the different security subsystems ExchangeDefender uses (for SPAM, DMARC, DKIM, and DNS validation), and the most important line in the logs is the very last one.
In the example above, the message was determined to contain SPAM and the default policy is applied, in this case store (which means the message has been quarantined in ExchangeDefender and can be accessed by the user or domain admin at https://admin.exchangedefender.com).
If the message was not quarantined by ExchangeDefender, the last line would include “stat=sent” along with delivery information provided by the remote server (typically a message tracking ID).
Email Delivery Problems
ExchangeDefender can help you solve almost all email problems, and our support team often offers consulting contracts to help. If you’d rather troubleshoot on your own, here are some frequent email delivery issues and how to solve them with ExchangeDefender.
Using bypass.exchangedefender.com
ExchangeDefender provides a bypass mechanism that allows inbound messages to entirely bypass the ExchangeDefender security network. You can get more details about this service at https://bypass.exchangedefender.com
Bypass creates a randomized email address (that is not personally identifiable) and provisions it in real time. Messages delivered to that email address bypass the typical SPAM and DNS checking frameworks, which is helpful when you need to receive email from someone that doesn’t have their systems configured properly (or because they put items we screen for in their email).
If you are having trouble receiving email from certain senders, create bypass email addresses and use them to receive mail that would otherwise get blocked by ExchangeDefender. You can create as many as you want, and they can be deactivated or deleted on demand.
Using LiveArchive
ExchangeDefender LiveArchive (available in ExchangeDefender Pro) is a fully functional, always-on email server infrastructure that archives all inbound and outbound mail. Some messages may make it through ExchangeDefender without an issue, but a client’s mail server may have problems processing and delivering the message due to a local configuration. LiveArchive takes your local mail server out of the picture and can allow you to access the message instantaneously (messages are delivered to your mail server and LiveArchive simultaneously).
You can access LiveArchive at http://livearchive.exchangedefender.com/
Using Mail Authorization Protocols
ExchangeDefender and all other legitimate email services rely heavily on email authenticity frameworks such as SPF and DKIM/DMARC. When misconfigured (either unintentionally by the IT admin, or intentionally for “shadow IT” purposes where unauthorized services are sending mail) mail doesn’t even get into ExchangeDefender. Here are two likely scenarios when it comes to these:
SPF: Sender Policy Framework allows the domain owner to define the IP addresses of all the services that are authorized to send mail on behalf of that domain. ExchangeDefender has no option but to respect these SPF requirements, and if the domain owner is strict about who can send messages, those messages will not be delivered if they aren’t coming from an authorized IP range. If you run into a problem where an unauthorized range is being used to send mail to your users, you will have to either contact the sender and have them fix their SPF, or you can use the bypass.exchangedefender.com method outlined above.
DKIM / DMARC: DomainKeys (DKIM) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are message authentication protocols that are under the complete management of the domain owner. If the sender does have a DMARC policy in place but there is an issue with their DKIM, you can either contact the sender to have them address the issue or use the bypass.exchangedefender.com method outlined above.
Workarounds
Outbound/Sent Workaround: If you are having issues with sent email getting delivered to the recipient mail server, you can bypass ExchangeDefender entirely and create a Direct SMTP connector. Simply run `nslookup -q=mx domain.com` and point mail going to that domain to the appropriate mail server. Doing so bypasses the ExchangeDefender network and removes any part its mail routing could play in the delivery of your outbound mail flow.
Inbound/Received Workaround: If you are having issues getting email delivered to your users (incoming mail) and you are not experiencing any technical issues on your mail server, it’s likely due to DNS/SPF/DKIM. Please use the bypass.exchangedefender.com solution described above to get the messages directly to your users’ Inbox.
Contacting remote postmaster: If you’re having problems with inbound/outbound mail delivery due to problems originating with the remote policy (mail flow controls/security/configuration handled by an external source) you can try contacting their postmaster@<domain>. If you are experiencing issues that have something to do with a remote organization, you should contact them directly and involve ExchangeDefender if you believe we can help (in general, if the error is caused by the remote server / remote policy only the remote side can fix it).
Error codes (SMTP) are typically presented on the last line of the SMTP logs. If you see something other than stat=Sent or a 2.x.x confirmation code, some troubleshooting will be required. Please see: https://www.exchangedefender.com/docs/smtp-error-codes
Whitelist & Blacklist policies: ExchangeDefender Whitelist & Blacklist policies can help manage mail flow. Review your domain and user-level whitelists and blacklists carefully. ExchangeDefender is a proxy service, so whitelisting here is significantly different than whitelisting using Outlook or Gmail. For more details on how to whitelist or blacklist sites properly, please see https://www.exchangedefender.com/docs/whitelist
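The "last line" reading described under Locating Messages and in the Error codes note above can be scripted when you are reviewing many messages. This is an added example, not ExchangeDefender code: it assumes sendmail-style lines, and the sample log lines are constructed, so the real Mail Log layout may differ.

```python
import re

# Added example, not ExchangeDefender code. Assumes sendmail-style log lines;
# the sample lines below are constructed and the real Mail Log may differ.
STAT_RE = re.compile(r"\bstat=([^,(]+)", re.IGNORECASE)
# Enhanced status code (RFC 3463): class 2, 4 or 5, then two more fields.
# The lookarounds stop it from matching part of an IPv4 address.
CODE_RE = re.compile(r"(?<![\d.])([245])\.\d{1,3}\.\d{1,3}(?![\d.])")
CLASSES = {"2": "delivered", "4": "temporary-failure", "5": "permanent-failure"}


def triage(log_lines):
    """Classify a message by the last non-empty line of its SMTP log."""
    lines = [line for line in log_lines if line.strip()]
    if not lines:
        return ("no-log", None)
    last = lines[-1]
    code = CODE_RE.search(last)
    stat = STAT_RE.search(last)
    if stat and stat.group(1).strip().lower() == "sent":
        return ("delivered", code.group(0) if code else None)
    if code:
        # 4.x.x is retried by the sender ("Delivery Delayed");
        # 5.x.x is final ("User unknown", "Relay access denied").
        return (CLASSES[code.group(1)], code.group(0))
    return ("needs-review", None)


# Constructed sample logs: one list of lines per message.
SAMPLES = {
    "sent": [
        "from=<a@example.com>, size=2048, nrcpts=1",
        "to=<b@example.org>, relay=mx.example.org. [203.0.113.25], "
        "dsn=2.0.0, stat=Sent (250 2.0.0 OK queued as 4F2A1)",
    ],
    "deferred": [
        "to=<b@example.org>, relay=mx.example.org. [5.0.113.25], "
        "dsn=4.0.0, stat=Deferred: Connection timed out",
    ],
    "rejected": [
        "to=<nobody@example.org>, relay=mx.example.org. [203.0.113.25], "
        "dsn=5.1.1, stat=User unknown",
    ],
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        print(name, triage(lines))
```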
How To Get Help
ExchangeDefender is here to help you solve all email problems, safely and securely. Our support team, available at https://support.exchangedefender.com, is there to help point you in the right direction so you can solve the problem quickly. We also have decades of technical expertise in email management and often provide consulting and deployment contracts if you’d rather not do any troubleshooting at all.
How to open a ticket
Due to privacy regulations, the ExchangeDefender support team doesn’t have access to just browse your email and mail logs. To open a ticket, please provide at least the following information:
- Date the message was sent.
- Message ID
- Either full headers or a copy of the email in .eml format.
All three are required in order to get assistance from our team. If we do not have the information above, we are not able to locate the message and cannot provide any troubleshooting assistance. We understand that this may not be a solution that works for everyone, so if you can provide us some details (such as the email address of the sender, recipient, subject, and any errors) we can possibly handle the ticket as an inquiry and conduct an investigation. Please be aware that these requests can take a significant amount of time and are not covered by the ExchangeDefender subscription (additional fees apply).
Frequently Asked Questions (FAQ)
What does "Message Returned" or "Message Undeliverable" mean?
An undeliverable message works in a similar manner as "returned mail" from your local mail carrier, notifying you that your message (in this case, email) was not delivered. There are many reasons this could occur, but the most common is a misspelling of the recipient email (similar to sending a letter to an invalid physical address.) Another common reason for undeliverable mail is the content or attachments of the email not being permitted by the recipient's mail server. Often, the return "undeliverable message" body will provide clues to the problem such as "The recipient does not exist" meaning the recipient's email address is invalid.
What IP/Network ranges are used by ExchangeDefender for mail delivery?
- Incoming (to your mail server):
  - 65.99.255.0/24
  - 206.125.40.0/24
- Outgoing (ExchangeDefender Customer):
  - 174.136.31.16/28
  - 198.211.11.80/28
- Outgoing (ExchangeDefender Hosted Exchange Customer):
  - 207.210.228.192/28
  - 104.194.224.16/28
I receive "rejected by DMARC policy" or "Your SPF record does not permit this IP to relay" when I send emails
If, when **sending** an email, you receive a rejection email saying that your SPF or DMARC policy rejected the message, you will have to inform your administrator to update the SPF and DMARC policies for your domain.
Why are recipients not receiving messages I've sent?
There are many potential reasons why a message doesn't make it to the recipient's inbox. In order to quickly pinpoint the hangup, ExchangeDefender provides SMTP logs to domain administrators at https://admin.exchangedefender.com. SMTP logs track a message from the time it enters the ExchangeDefender network all the way to the recipient's mail server. Often, delivery issues end up being overzealous spam filtration on the recipient side, which can be proven by tracking the message using the SMTP logs.
Why do I receive messages with the subject "Delivery Delayed"?
Delivery delays occur when the path to the recipient's mailbox is known, but unavailable. For example, if you have one road in and out of a destination, but there is an obstruction blocking the road, you have to wait until the obstruction is removed. Similarly, mail delivery will wait for a predefined amount of time before giving up and returning a "Message Undeliverable". In the meantime, the mail server will periodically send "Delivery Delay" notifications until the overall "give up" time has expired.
Why do messages I send come back with an error like "Message too large", "User Unknown", "Relay access denied", "Service unavailable"?
These messages are always issues on the recipient's side. As a quick test, **Message too large** and **Service unavailable** can be retried by changing the message before sending it (e.g., removing an attachment or changing the text of the body). As a general rule of thumb, **Message too large** means the message or attachments exceed the recipient server's policy, whereas **Service unavailable** is a generic rejection, typically due to spam filters on the recipient side. However, **User Unknown** and **Relay Access Denied** are typically permanent errors and will continue to fail even on resubmissions.
How many emails am I allowed to send out hourly/daily?
ExchangeDefender does not have any hard limits on the number of outgoing emails allowed from a single user or organization. We fully understand that most businesses are unable to quantify how many emails they send and we do our best to provide reliable delivery for all customers. However, in order to protect our delivery reputation for all customers, there are cases in which we may enable throttling if a single user relays a massive amount of identical messages. If a throttling policy gets enabled, we will notify your mail administrator so they can investigate on their side. ExchangeDefender will remove the throttle once no malicious intent is confirmed.
When I'm trying to receive an email, the senders are getting "rejected by DMARC policy" or "Your SPF record does not permit this IP to relay"
If senders are receiving rejection emails about SPF or DMARC when attempting to send you an email, then the **sender's mail administrator** needs to update their SPF and/or DMARC policy records to allow the sending mail server to relay mail for their domain.
What is xdref and why do links in my emails bring me to it?
xdref.com is the domain used by our Web Phishing Firewall (WPF), which solely exists to prevent malicious emails from tricking users into visiting bad/infected websites. When an email comes in from the outside for your organization, our WPF will inspect the URL and check it against a list of known bad sites. Once a URL is determined to be "potentially safe", our engine rewrites the URL so that the hyperlink in the email will now point to xdref.com instead of the original URL. By replacing the URL in the email with a URL to our WPF, we continue to have the ability to protect the end user if the URL is determined to be malicious after it was received by your customer. When visiting a URL that was rewritten to our WPF, users will be prompted to either continue to the original link, whitelist the link, or even report the link as malicious. WPF is enabled by default for all ExchangeDefender customers and **cannot** be disabled through any control panel. While we highly advise that customers leave WPF enabled, organization administrators can request to disable WPF by support request.
Why do whitelisted senders still end up in spam?
Whitelist additions take up to 15 minutes to propagate and are very precise in their checks. For example, if you whitelist the sender user@domain.com, only messages from that specific address will be accepted. Aside from whitelisting specific senders, you are able to whitelist the entire domain (everything after the @ sign). For example, if you whitelist domain.com, all emails from domain.com will be accepted. However, domain names are allowed to have subdomains, for instance user1@orlando.domain.com. In our previous example, whitelisting domain.com **WILL NOT** inherently whitelist orlando.domain.com. Domain whitelists are allowed to use `*` as a wildcard character. To resolve whitelisting orlando.domain.com, you can either whitelist orlando.domain.com directly, or `*.domain.com`. Keep in mind that `*.domain.com` does not inherently whitelist domain.com, only subdomains.
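The matching rules above can be checked against a planned whitelist before you rely on it. This is an added example that models the rules as this FAQ states them, not ExchangeDefender's own code; the function names are hypothetical, and treating `*.domain.com` as covering multi-level subdomains is an assumption.

```python
# Added example: models the whitelist matching rules described in this FAQ.
# Not ExchangeDefender code; multi-level subdomain matching is an assumption.

def entry_matches(entry: str, sender: str) -> bool:
    """Return True if one whitelist entry covers the sender address."""
    entry = entry.strip().lower()
    sender = sender.strip().lower()
    local, _, domain = sender.rpartition("@")
    if not local or not domain:
        return False                      # not a usable address
    if "@" in entry:
        return entry == sender            # address entries are exact
    if entry.startswith("*."):
        suffix = entry[1:]                # "*.domain.com" -> ".domain.com"
        # Keeping the leading dot means neither the bare "domain.com" nor a
        # lookalike such as "evildomain.com" matches; the length check
        # rejects an empty subdomain label.
        return domain.endswith(suffix) and len(domain) > len(suffix)
    return entry == domain                # plain domain: exact, no subdomains


def first_match(whitelist, sender):
    """Return the first entry that covers sender, or None."""
    for entry in whitelist:
        if entry_matches(entry, sender):
            return entry
    return None


if __name__ == "__main__":
    whitelist = ["user@domain.com", "domain.com", "*.domain.com"]  # constructed
    for sender in ("user1@orlando.domain.com", "boss@domain.com",
                   "x@evildomain.com", "x@domain.com.example.net"):
        print(f"{sender:28} -> {first_match(whitelist, sender)}")
```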
Why am I getting responses to emails I never sent?
More often than not, this is because someone in the world is impersonating your email address and sending spam out to tons of recipients. When each recipient's mail server gets the email, any failures in delivery will be relayed back to the original sender, which in this case would be the impersonated user (your account). In order to prevent this, mail administrators must deploy SPF and DMARC records in DNS to protect your domain name.
Why are my emails coming in slow?
There are many potential reasons why a message doesn't make it to your inbox in a timely manner. In order to quickly pinpoint the hangup, ExchangeDefender provides SMTP logs to domain administrators at https://admin.exchangedefender.com. SMTP logs track a message from the time it enters the ExchangeDefender network all the way to the recipient's mail server. As a general rule of thumb, messages traveling through ExchangeDefender take 30-45 seconds to fully process and be delivered to the recipient.
Why haven't I received emails in days?
If you have not received mail in a few days, typically this means your domain name expired and needs to be renewed. Try to browse your company website and if you do not see what you expect, contact your administrator to renew your domain.
Which domains are blocked by default?
ExchangeDefender proactively maintains a list of common TLDs used for spamming. The following TLDs are blocked by default but can be overridden by support request.
- .accountant
- .best
- .bid
- .buzz
- .click
- .club
- .cyou
- .date
- .download
- .faith
- .gdn
- .help
- .icu
- .link
- .loan
- .ninja
- .party
- .press
- .pro
- .pw
- .racing
- .review
- .rocks
- .science
- .services
- .space
- .stream
- .to
- .today
- .top
- .trade
- .travel
- .uno
- .webcam
- .website
- .win
- .work
- .world
- .xyz
How do I block mail from foreign countries?
ExchangeDefender administrators have the ability to enable geo-blocking. When enabled, administrators can choose to specifically allow certain countries **OR** specifically block certain countries.
What does the error "ExchangeDefender does not protect this address" mean?
This error **ALWAYS** means that the email address for the recipient needs to be added to the organization's profile at https://admin.exchangedefender.com. New additions can take up to 15 minutes to fully propagate.
How do I prevent unauthorized computers from sending emails from my domain?
DMARC and SPF are policies that mail administrators create and publish to inform the rest of the world who can send mail from a particular domain. For example, we own the domain exchangedefender.com and in order to prevent unauthorized users from claiming they are part of "exchangedefender.com", we publish DMARC and SPF policies in DNS that specifically tell the world where emails from exchangedefender.com are allowed to originate. Utilizing SPF and DMARC allows us to prevent outside entities from abusing our domain records. Without an SPF and DMARC policy published for a domain, anyone in the world is allowed to send mail as the domain.
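How a receiver applies a published SPF record to the connecting IP, as described here and in the SPF item under Using Mail Authorization Protocols, is shown below. This is an added example, not ExchangeDefender code: it evaluates only the `ip4`, `ip6` and `all` mechanisms offline, and the sample record is constructed for illustration from the outgoing ranges listed in this FAQ, not taken from ExchangeDefender's published guidance.

```python
import ipaddress

# Added example, not ExchangeDefender code. Simplified SPF check: only the
# ip4, ip6 and all mechanisms are evaluated; anything that needs a DNS lookup
# (include, a, mx, exists, ptr, redirect) is reported as "needs-dns".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record for illustration, built from the "Outgoing
# (ExchangeDefender Customer)" ranges listed in this FAQ.
SAMPLE_RECORD = "v=spf1 ip4:174.136.31.16/28 ip4:198.211.11.80/28 -all"


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF record left to right against the connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # no usable SPF record
    ip = ipaddress.ip_address(client_ip)
    redirect = False
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if "=" in name:                     # modifier such as exp= or redirect=
            redirect = redirect or name.startswith("redirect=")
            continue
        if name == "all":
            return QUALIFIERS[qualifier]    # catch-all ends the evaluation
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"          # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "needs-dns"                  # cannot be decided offline
    return "needs-dns" if redirect else "neutral"


if __name__ == "__main__":
    for addr in ("174.136.31.20", "174.136.31.32", "203.0.113.7"):
        print(addr, check_spf(SAMPLE_RECORD, addr))
```

A `fail` result is what produces the "Your SPF record does not permit this IP to relay" rejection described earlier: the connecting address falls outside every range the domain owner listed.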