Troubleshoot the Email Security.cloud Anti-Spam service

Article ID: 178916

Products

Email Security.cloud

Issue/Introduction

 

Resolution

Email incorrectly identified as spam (false positive)

Bounceback shows "553 - Sorry, your IP/ Email address has been blacklisted"

The email has been blocked based on an entry in your global Blocked Senders in the Symantec.cloud Management portal, or in an individual user's list.

To resolve this issue

  • Modify the Blocked Senders list as needed.

Bounceback shows "553 - mail rejected because your IP is in the PBL"

This has been blocked because the sender's IP is in the Spamhaus PBL (Policy Block List). This is not a spam list; the IP in question has been designated by the ISP as non-mail-sending (these are usually dynamic IPs).

To resolve this issue

  • Add the sender's email address to the Approved Sender list.
  • Advise the sender that their IP is listed on the Spamhaus Blocklist so that they can have the IP de-listed.

Bounceback shows "553 - Message filtered" or "No bounceback", but Track & Trace indicates "Detected by Heuristics."

This has been blocked because it matched spam signatures or heuristics.

To resolve this issue

Spam email not intercepted (false negative)

  • Ensure that the email was scanned by the Symantec.Cloud Infrastructure by checking Track & Trace or the email headers.
  • You can enter the address in their Blocked Sender list if you wish to never receive email from that sender again.
  • If you believe the sender has already been added, confirm that you added the Envelope Sender address to the list.  This can be confirmed by looking at the sender as reported in Track & Trace.
  • For full submission details, see Submit false negative spam emails missed by Symantec.cloud email services.

SPF troubleshooting

Use an online SPF lookup tool such as SPF Surveyor to review the sender's SPF record. For a full validation test comparing the sending IP against the record, you can use a tool such as SPF Policy Tester.

If the sender is a customer provisioned on Symantec's services, they should have our SPF entry, even if they normally do not route outbound through us. When an email is sent between customers, we look for that reference.

Note: SPF only applies to the envelope from (SMTP Mail FROM).

See also Implement SPF records in Email Security.cloud.

DMARC troubleshooting

Use an online DMARC lookup tool or DNS lookup to review the sender's SPF record. Use a tool such as DMARC Inspector to obtain the DMARC policy of a domain. For a raw lookup, perform a TXT record DNS lookup on the _dmarc subdomain (for example, _dmarc.yahoo.com).

There are two steps for a DMARC check to pass:

  • First, the email must pass an SPF or a DKIM check.
  • Second, it must pass an alignment check.
    • For SPF: This means that the Body From domain must match the Mail From domain. This means an email may pass the SPF check, but if the Body From doesn’t match the Envelope From, the email fails DMARC, unless DKIM passes.
    • For DKIM: This means the domain in the d=example.com tag in the DKIM Signature header must match the Body From domain. This means an email may pass the DKIM check, but if the Body From doesn’t match the d=example.com domain, the email fails DMARC, unless SPF passes.
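
The two-step check above, as an added example (not Symantec's code): it reads the Authentication-Results header of constructed sample messages and applies the exact-match alignment described in the list. It assumes the topmost Authentication-Results header was stamped by your own receiving MTA, and it does not model DMARC's relaxed alignment mode, which compares organizational domains; the function names and sample domains are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(value):
    """Lower-cased domain of 'Name <user@dom>', 'user@dom' or a bare domain."""
    return parseaddr(value)[1].rpartition("@")[2].lower()

def dmarc_check(raw_message):
    """Step 1: SPF or DKIM passes. Step 2: the passing identity matches Body From."""
    msg = message_from_string(raw_message)
    body_from = domain_of(msg["From"] or "")
    # Assumption: the first (topmost) header is the one your own MTA added.
    auth = msg["Authentication-Results"] or ""
    spf = re.search(r"\bspf=pass\b[^;]*?\bsmtp\.mailfrom=([^\s;]+)", auth)
    mail_from = domain_of(spf.group(1)) if spf else None
    # d= domains of signatures that verified (reported as header.d=...).
    dkim_domains = {d.lower() for d in
                    re.findall(r"\bdkim=pass\b[^;]*?\bheader\.d=([^\s;]+)", auth)}
    spf_aligned = bool(body_from) and mail_from == body_from
    dkim_aligned = bool(body_from) and body_from in dkim_domains
    return {
        "body_from": body_from,
        "spf_pass": spf is not None,
        "spf_aligned": spf_aligned,
        "dkim_pass": bool(dkim_domains),
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if spf_aligned or dkim_aligned else "fail",
    }

def sample(auth_results):
    """Constructed test message; every domain here is a placeholder."""
    return ("Authentication-Results: mx.receiver.example; " + auth_results + "\n"
            "From: Billing <billing@example.com>\n"
            "Subject: constructed sample\n\nbody\n")

# SPF passes for the bulk mailer's domain, but Body From is example.com.
SPF_ONLY_UNALIGNED = sample("spf=pass smtp.mailfrom=bounce@mailer.example.net")
# Same envelope sender, rescued by an aligned DKIM signature.
DKIM_ALIGNED = sample("spf=pass smtp.mailfrom=bounce@mailer.example.net; "
                      "dkim=pass header.d=example.com")
# DKIM fails, but the Mail From domain matches Body From.
SPF_ALIGNED = sample("spf=pass smtp.mailfrom=billing@example.com; "
                     "dkim=fail header.d=example.com")

if __name__ == "__main__":
    for name in ("SPF_ONLY_UNALIGNED", "DKIM_ALIGNED", "SPF_ALIGNED"):
        print(name, dmarc_check(globals()[name]))
```

The first sample is the common false-positive pattern: a third-party sender passes SPF for its own bounce domain, yet fails DMARC because nothing aligned with the Body From domain.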

For more details about DMARC with Email Security.cloud, see https://support.symantec.com/en_US/article.HOWTO124382.html


See also Anti-Spam best practice settings.