Shieldwall Listings – Why Am I Getting ‘421 Too Many Recipients’?

Securence places sensible limits on all outbound mail delivery through its SMTP servers. If your outbound mail volume significantly increases in a short period of time, this may trigger a block by Securence’s Shieldwall engine. This is designed to protect compromised machines and compromised user accounts from sending unsolicited messages using your assigned IP address, tarnishing its reputation and causing further issues. If you are having difficulty sending outgoing mail through Securence because of a 421 Too many recipients error, this indicates your IP has been listed by Shieldwall. Shieldwall listings are temporary and as soon as your mail volume returns to normal levels your IP will be automatically removed from the block list.

What should I do if my IP becomes listed on Shieldwall?

  1. Identify what has caused the large increase in your outbound mail volume. This can be easily accomplished by logging into and checking the Reports and Mail Log sections. The most common issues are:
    • Company newsletter
    • Compromised/infected machine on your network
  2. Depending on the source of the problem, you may need to change the password of a user on your network to stop the flow of spam/viruses. Either way, if there are a large number of messages queued on your server that should not be delivered, these messages must be deleted. Otherwise, it will take a lot longer for the Shieldwall listing to get removed.
  3. Wait. (We know, that’s the hard part. But it won’t take long, we promise!) If you have identified the problem, and removed the messages from your server, the Shieldwall listing will be automatically removed in about an hour.

  Configure Securence for inbound filtering in front of Gmail hosted email

In Gmail

  • Configure Gmail to allow Securence as an Inbound mail gateway in GMail
    • For documentation:
    • Add Securence IP ranges found on the bottom of the Securence admin pages
      • Check the Disable Gmail spam evaluation on mail from this gateway box.
    • We recommend selecting “Automatically detect external IP” and “Reject all mail not from gateway IPs”
    • If you require TLS delivery from Securence to Gmail
      • In Securence create an Encryption Policy:
        • Rule Type: Incoming
        • Original Server to Securence: “All Domains”, “Do Not Require TLS”
        • Securence to Your Server: “All”, “Opportunistic TLS” , after verifying TLS delivery change to “Require TLS”
        • Precedence: “Place at the Beginning”
      • In Gmail:
        • Select “Require TLS for connections from the email gateways listed above”
      • Be sure to test these settings. Incorrect settings can cause email delivery to stop. Messages delivered to Gmail using TLS will have a “x-securence-tls-suite-outgoing” header specifying the TLS Cipher used to deliver the message to GMail. If this is missing, the message was not delivered to GMail using TLS.
    • In Securence, never disable incoming spam, virus or phish filtering. This will cause spam messages to get sent to Gmail and can cause delivery issues for non-spam messages.
  • Configure Securence to deliver incoming mail to GMail
  • Change MX Record to point to Securence, found on the bottom of the Securence admin pages

  Using Securence Continuity and Active Directory Authentication Together

With Active Directory Authentication enabled, Securence queries your AD server every time a user attempts to login. Continuity allows users to access their messages during an outage situation on your network. However, what if the outage includes your AD server? How can Securence authenticate your users to give them access to their Continuity inbox? Due to the inherent conflicts between these two features, extra measures are necessary in order to help them function together:

1. Ensure all users have confirmed at least one alternate e-mail address or mobile number in Securence.
If you have Continuity and AD Authentication enabled, any user that has not yet confirmed an alternate e-mail address or mobile number will be instructed to do so as soon as they login. They simply need to enter an e-mail address on a different domain that they have access to, or their mobile number, and Securence will send a confirmation code. Once confirmed, they may use their alternate e-mail address or mobile phone in the future should they need to reset their Securence password during an outage.

2. Use the Local (Securence) Authentication Override during an outage.
During an outage, when your users need access to their Continuity inbox or Quarantine, you may override all authentication to use Securence, instead of your AD server. This can be accomplished by checking the appropriate box in the Securence Admin interface: Incoming Settings -> Security tab -> Auth Method Override. Once enabled, if a user already has a Securence password, they may use it to login. If they don’t have a Securence password yet, they can follow the reset password procedure from the login page and use an alternate e-mail address or phone in order to set a new password for Securence.

3. When your system is back online, disable the Authentication Override.
When you are ready for your users to resume authenticating using your AD server, simply disable the Auth Method Override. All users configured to authenticate via AD will once again be able to login to Securence using their AD credentials.

  DNSBLs and Securence Part 2: Securence Getting Listed on other DNSBLs

Securence provides outgoing email filtering and delivery. Most Securence customers are provided a dedicated IP address that no other customer will use. This isolates customers from potential IP reputation problems. If another customer sends spam or bulk emails, all other customers are protected from the IP reputation damage that may occur. This is a major advantage over other email services where emails are delivered from a pool of shared IP addresses. Although these services have many IP addresses in their pool, it’s possible to have these IP addresses’s reputations tainted because of the inevitable spam that will be sent through these services.

Most DNSBLs yellowlist the major email senders, but this is an imperfect practice and these IPs sometimes get listed or at least don’t enjoy a positive IP address reputation.

Automated services within Securence monitor all the outgoing IP addresses on major and minor IP reputation lists including Spamcop, Spamhaus, etc. When there are IP address reputation problems, our email team will investigate the cause and resolve it. Often this requires action by the customer’s email administrator. We assist and give helpful information to help resolve the issues quickly.

Once the root cause has been addressed, if the IP reputation is still poor, a new address is assigned and the previous one is retired. Retired IP addresses get set aside for a time to allow listings to expire. Before an IP address is reintroduced as a potential dedicated outgoing address, Securence admins ensure its reputation is neutral or positive.

  DNSBLs and Securence Part 1: Securence’s Use of DNSBLs

DNSBL stands for DNS Block List. Also called RBL for Realtime Block List. These acronyms have had different words at times, but they generally do the same thing: prevent emails based on the IP address of the sending server.

Securence, by default, uses two of our own private DNSBLs and two independent DNSBLs to block messages based on IP address.

  • is a realtime block list, listings are fully automated and extremely short lived. Listings are intended to exist during a spam outbreak and expire as soon as the behavior stops. This uses a yellowlist to prevent blocking the major email senders. Though our support department has a delisting process, blocks have typically expired by the time our support department receives any delisting request.
  • is a non-realtime block list. This is a very small list of addresses and is manually curated by our email staff. Candidates are personally researched before listing to ensure no clean emails are originating from these addresses. Generally, listings do not expire. Though our support department has a very simple delisting process available, we have never received a delisting request.
  • Securence has subscriptions for Spamhaus and Spamcop. These lists are served from our internal servers and updated frequently from the providers. These are enabled by default for new domains and we recommend our customers to use both. They have their own processes and procedures that can be found on their respective web sites.
  • Securence can be configured to use any standard DNSBL in the admin portal. If you have a DNSBL you would like to use, go to Domain Settings->IncomingSettings->Spam->DNS Block Lists->Other DNS Block Lists or ask our support staff for assistance.

Become a Partner

Securence Partners can generate
significant revenues by offering their customers Securence anti-spam,
anti-virus and email solutions.

Join us TODAY