Blocked by Proofpoint?

I use Mail in a Box with a completely standard implementation.

There are no signs that I am or can be used by spammers. Anyone else get this? Last time it was another Spam Check/Shakedown operation but they had blocked a range of Linode IPs.

Transcript follows:

This is the mail system at host




Your message could not be delivered for more than 3 hour(s).
It will be retried until it is 2 day(s) old.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<[REDACTED]>: host[] refused to
talk to me: 550 5.7.0 Blocked - see

Reporting-MTA: dns;
X-Postfix-Queue-ID: 273263E863
X-Postfix-Sender: rfc822; [REDACTED]
Arrival-Date: Wed, 8 Apr 2020 23:01:31 -0700 (PDT)

Final-Recipient: rfc822; [REDACTED]
Original-Recipient: rfc822;[REDACTED]
Action: delayed
Status: 4.7.0
Remote-MTA: dns;
Diagnostic-Code: smtp; 550 5.7.0 Blocked - see
Will-Retry-Until: Fri, 10 Apr 2020 23:01:31 -0700 (PDT)

Return-Path: <[REDACTED]>
Received: from authenticated-user ( [])
(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
(No client certificate requested)
by (Postfix) with ESMTPSA id 273263E863;
Wed, 8 Apr 2020 23:01:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail;
t=1586412091; bh=rvXeUffz4do/sVZqU/xk7FlvlSSn21e3zXxPL3j0FsI=;
From: [REDACTED] <[REDACTED][email protected]>
Subject: Hey man.
Date: Wed, 8 Apr 2020 23:01:27 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
Content-Language: en-US

11 Replies

Did you look at the URL that was part of the headers? Proofpoint says your IP is not blocked.

That being said, I didn't see any references to an SPF or a DMARC record in the message headers. iCloud will definitely block messages from transfer agents without SPF & DMARC records. iCloud uses these to authenticate your transfer agent.

Without SPF & DMARC, your transfer agent is not "standard".


-- sw

Hi @dilapidus! Just to add on to what @stevewi said, generally these blocks are automatic and will be removed after both SPF and rDNS records are added.

We have a guide on rDNS here:

Configure Your Linode for rDNS

An intro to SPF records here:

DNS Records: An Introduction: SPF

And an intro to DKIM records here:

DNS Records: An Introduction: DKIM

If you're using Postfix, we have a guide on setting up both SPF and DKIM records with it here:

Configure SPF and DKIM With Postfix on Debian 9

Hi all .. I appreciate the comments. I had gone immediately to the URL provided and complained. This has happened before. Apparently they got the message because the original recipient now reports receipt (some 8 hours after I sent).

I do think that SPF, rDNS and DKIM are set up properly. Did you see something that concerned you or was that just general thoughts?

Again, thanks!


My transfer agent adds the following as a result of SPF and DMARC checks:

Received-Spf: Softfail (mailfrom) identity=mailfrom; client-ip=<redacted>; helo=<redacted>; envelope-from=<redacted>; receiver=<UNKNOWN>
Authentication-Results: <redacted>; dmarc=fail (p=none dis=none) header.from=<redacted>

rDNS results in no headers…rDNS is a check to make sure the IP address a DNS name resolves to and the rDNS are the same. Your DKIM headers look ok (IMHO…not knowing much about your system or postfix(1) configuration).

You might check out your domain here: offers a number of email diagnostic tools as well.

-- sw

@mjones rDNS was new to me, so this might partially solve this issue of Proofpoint. But I have a small mailserver, serving multiple domains (on one IP address). How do I solve this? Can I add multiple domains to this rDNS record?


You need to have an rDNS for each mail domain. These are easy to set up in the Cloud Manager. As with most things DNS, your changes will take a while to propagate around the world.

-- sw

> You need to have an rDNS for each mail domain

The reverse DNS record is needed for the Linode IP address, not the mail domain.

When a mail server (your Linode) connects to another (iCloud) it announces who it is - typically the system's hostname.

This tells iCloud "I am".

iCloud then looks up the A record for to find its IP address, and the reverse DNS record for the IP address the connection has come from, and checks that they match.

If they don't match, it is suspicious - i.e. your Linode telling iCloud "I am", when in fact you aren't because the IP address resolves back (via reverse DNS) to, not - and's IP address is not your Linode's IP address.

Note that if you have IPv6 enabled, you will need a reverse and forward DNS record for both your IPv4 and IPv6 addresses.

I typically have:

  • A -> my Linode's IPv4 address
  • AAAA -> my Linode's IPv6 address
  • my Linode's IPv4 address PTR (rDNS) ->
  • my Linode's IPv6 address PTR (rDNS) ->

And then set my Linode's hostname to (hostnamectl set-hostname

Note that some MTAs, like Postfix, allow you to explicitly set the hostname that it reports in the EHLO/HELO command:

smtp_helo_name (default: $myhostname)
The hostname to send in the SMTP HELO or EHLO command.

The default value is the machine hostname. Specify a hostname or [].

This information can be specified in the file for all SMTP clients, or it can be specified in the file for a specific client, for example:

mysmtp … smtp -o
This feature is available in Postfix 2.0 and later.

@andysh --

You write:

> > You need to have an rDNS for each mail domain
>
> The reverse DNS record is needed for the Linode IP address, not the mail domain.

Geez… what a senior moment! Thanks for setting the poster straight, Andy!

-- sw

@andysh Thanks for this extensive reply. But that would mean that one can only have one mail domain served by one ip address without being "suspicious", as you call it. Correct? I have multiple domains on one Linode served by one Postfix MTA.

My Postfix mailserver has an explicitly set host name (as you mentioned). This all worked perfectly fine and still does for most of the time. Now I have issues with and addresses because proofpoint is blocking them and not responding to any questions.

> But that would mean that one can only have one mail domain served by one ip address without being "suspicious", as you call it. Correct? I have multiple domains on one Linode served by one Postfix MTA.

Not at all - the rDNS is based on the hostname of the machine (that is announced in the HELO/EHLO command when it connects), not the mail domains it sends (which is specified in the MAIL FROM command.)

The server "" can send mail for,, … as many as it wants.

The key thing is that "" has a forward DNS (A record) that resolves to the outbound IPv4/6 addresses - and the reverse DNS for those IP addresses resolves back to (PTR/rDNS record) "".

The mail domains are totally unrelated - although they should specify the IPs in their SPF record to designate that those IPs are allowed to send mail - but that's separate to the rDNS record.
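The forward/reverse check described in the two replies above, written out as an added example (not code from the thread or from any receiving provider). The host name `mail.example.com`, the addresses and the sample records are constructed; real receivers may apply further checks.

```python
import ipaddress
import socket

def system_forward(name):
    """A/AAAA lookup via the system resolver (used when no resolver is injected)."""
    try:
        return {i[4][0].split("%")[0] for i in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def system_reverse(ip):
    """PTR lookup via the system resolver."""
    try:
        return {socket.gethostbyaddr(ip)[0]}
    except (socket.herror, socket.gaierror):
        return set()

def check_sender(helo_name, client_ip, forward=system_forward, reverse=system_reverse):
    """Return (passed, reason). The MAIL FROM domain is deliberately not an input."""
    ip = ipaddress.ip_address(client_ip)
    helo = helo_name.rstrip(".").lower()
    ptr_names = {n.rstrip(".").lower() for n in reverse(str(ip))}
    if not ptr_names:
        return False, "no PTR record for connecting IP"
    if helo not in ptr_names:
        return False, "PTR does not match HELO name"
    if ip not in {ipaddress.ip_address(a) for a in forward(helo)}:
        return False, "HELO name does not resolve to connecting IP"
    return True, "forward and reverse DNS agree"

# Constructed records using documentation names and address ranges.
SAMPLE_A = {"mail.example.com": {"192.0.2.10", "2001:db8::10"}}
SAMPLE_PTR = {
    "192.0.2.10": {"mail.example.com."},
    "2001:db8::10": {"host-10.provider.example.net."},  # PTR never updated
}

def sample_forward(name):
    return SAMPLE_A.get(name, set())

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, set())

if __name__ == "__main__":
    for addr in ("192.0.2.10", "2001:db8::10", "192.0.2.99"):
        print(addr, check_sender("mail.example.com", addr, sample_forward, sample_reverse))
```

Calling `check_sender` with only the HELO name and outbound IP uses the system resolver, which lets you test a live server's IPv4 and IPv6 addresses separately.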

Thanks! I think I understand and set it up according to your explanation. I never understood the need for adding the host name to the domain name. So I set the rDNS record to instead of I only had one host so why adding it. Now all is synchronised.

Wonderful. Let's see if this is helping me with the Proofpoint / issues I have. That was the purpose.


