One of the frequent challenges I have faced as an email administrator is trying to troubleshoot a system from the outside. That is to say, while I am viewing the system from the inside, and have administrative rights to it, the problem I am working on may be related to something outside my control, and I have limited visibility into what is happening from the perspective of other systems. It can be just as important to know how other mail systems interact with your systems and to see this from the outside perspective as it is to review your own logs. Unless I had access to another email system, my Gmail account was my best, albeit limited, resource to use for testing.
Fortunately, I have found several online resources through the years to help with setting up, testing, and troubleshooting email systems. The following fourteen are those that I have found to be the most useful. Some are single purpose, others have lots of great tools. Together, they let me validate/test just about any aspect of my email system, both from a server perspective, and from a client’s. This post will divide them up into categories for their best use, provide links, and share a little about what you can use these for and what to expect.
Open Relay tests
As we all know, open relays are a plague upon us, and spammers’ best friends. Unfortunately it is all too easy to misconfigure many email services and wind up being an open relay. The first thing I do after opening up TCP 25 on the firewall is to make sure that I am not an open relay. Believing that being thorough is a good thing, I use two different sites to test.
1. MailRadar Open relay test
The MailRadar site maintains a free tool that will test your email server for relay using nineteen different tests, and display the results on screen as the tests are conducted. Passing all nineteen should give you a very good feeling.
2. Network Abuse Clearinghouse Mail Relay Testing
However, I do want a second opinion, so I also test with the Network Abuse Clearinghouse site. Six relay methods are tested by this site. Anonymous testing is permitted, but you will get more accurate results if you sign up for a free account, which actually tries to relay email instead of stopping with the RCPT TO command.
One way to reduce the amount of spam hitting your inboxes is to disable the VRFY command on your MTA. Different systems have different ways of doing this, but once you set the bit, how do you know it worked?
3. MailTester.com VRFY Test
This site provides a simple way to test your server to see if it responds to VRFY commands. Enter an email address, and it will validate your MX records, connect to your server, request your server to verify an address, and display the results.
There is a good article over at RetroHack.com on using SPF records. Sender Policy Framework uses TXT records in DNS to list servers allowed to send email on behalf of a domain, and to provide guidance on what a receiving MTA should do if it gets email purporting to be from a domain, but sent from a server not on the list. SPF records can be challenging to set up correctly, but there are three very useful sites to help you create and validate that you have the TXT record set up correctly.
4. Microsoft’s SPF Record wizard
It will walk you through a wizard (it is Microsoft) that at the end will create an SPF text string you can just copy and paste into your DNS record.
They have a page on their site with another wizard based creator for SPF records. It is a little harder to follow the first time you are doing this, but does an excellent job of creating the text for your SPF record, and is easy to understand once you go through it once.
6. Kitterman Technical Services
KTS has a page on their site that can validate your SPF syntax before you create your record in DNS, and can also look it up in DNS to verify it is there and correctly formatted.
While we’re looking at our DNS records, it’s a good idea to make sure your MX records are properly setup. Too many times I have seen folks skip that on the assumption that the DNS team did as requested, only to find a record was typoed or had not propagated yet.
7. WebSitePulse Email Validation
This site prompts you for your email address, and then it performs a DNS lookup for the associated MX records and displays the results. It is a little prettier than using dig at the command line, and offers testing from three global locations so you can make sure any changes have replicated throughout the DNS if necessary.
8. MXToolbox Diagnostics
In addition to testing your MX records, this site will also test for open relay and to verify that your PTR records are in place.
Sending a test email
While your Gmail or Hotmail account can be used to send a test email in to your system, you are only able to see things from the client’s perspective.
9. Zoneedit.com’s Email/SMTP Test Utility
This site lets you fill the name or ip.addr of your MTA, a ‘from’ address, and a ‘to’ address, and then sends a test email message. What is great about this is that it shows the SMTP session at the bottom of the screen, so that you can see your MTA’s banner, the HELO, and SMTP command exchanges. Seeing your server’s response codes can be very useful when troubleshooting inbound mail problems.
Frequently, your email system seems to be fine for 99% of the users, but you will get one guy who reports that he can’t send emails to a customer. Often the problem is on the receiving side, but sometimes you find that they are using a DNSBL service that has flagged your system
10. MailRadar’s RBL test
This page will test twenty-two different DNS based email blacklists (DNSBL) for your server to see if any of them list your MTA.
Client side stuff
We all know that spammers crawl sites looking to harvest email addresses for spamming. Since we can’t talk the web guys out of posting email addressing on webpages, let’s make the spammers work a little more for it.
11. Email address munger/encoder
While the sites above are great for specific purposes, the last three are multitaskers. Like a good Leatherman, they provide you with many tools for comprehensive testing of your system. One site is tailor made for Exchange admins, one is probably an old friend but has some new tricks, and one will make security conscious admins smile.
12. Microsoft’s Exchange Test suite
Exchange admins will want to make this their home page. From this webpage you can test ActiveSync, Outlook Web Access, Outlook Anywhere, and SMTP flow. Most of the tests will require a valid user account on your system, so set that up for a non-privileged user first.
13. DNS Tools
The DNS Stuff site is probably well know to those of you who also maintain DNS, but there are plenty of tools for email admins too. There is a Spam Database Lookup to see if your MTA is on a DNSBL, a DNS Lookup to check for MX records, an Email Test for inbound mail, and an SPF Test to verify your records.
14. GFI Email Security Testing Zone
Using this site is like hitting the jackpot for email testing. Seventeen different vulnerabilities in email systems and clients can be safely tested by using this site, as well as checking your antimalware solution. Tests include MIME header, VBS attachments, Eicar test virus, blank filename attachments, and more.
While the above are my favourites, there are many others on the Internet, and I’m sure you have some that you find useful. Please share in the comments, and let me know the ones you use, like, or dislike.