  #1 (permalink)  
Old 10-30-2009, 03:20 AM
Special Member
 
Posts: 112
Default rDNS and PTR Record

I have a customer who transferred their email hosting to us but retained their web hosting. This means their domain, www and MX records will have different IP addresses. In this case, should I add their PTR record as mail.xxx.com instead of xxx.com? Will rDNS fail?
Reply With Quote
  #2 (permalink)  
Old 10-30-2009, 03:31 AM
Senior Member
 
Posts: 59
Default

It is important that the ip-address has a PTR record, but it doesn't matter which one. It doesn't matter if it's mail.yourdomain.com or www.theirdomain.net (well, as long as it's a FQDN).
Reply With Quote
  #3 (permalink)  
Old 10-30-2009, 03:51 AM
Moderator
 
Posts: 5,806
Default

The IP address associated with your MTA must have a rDNS entry that resolves exactly. With respect to your client, just point their MX record at your MTA.
__________________
SplatNIX IT Services :: Innovation through Collaboration™


http://www.messagefortress.com
Reply With Quote
  #4 (permalink)  
Old 10-30-2009, 05:03 AM
Special Member
 
Posts: 112
Default

Since my MTA hosts multiple domains on a single IP address, a rDNS on my IP address will get resolved to my domain instead of all my customers' domains and fail the rDNS test for my customer's PTR records.

Anyway, I have proceeded to add PTR records of their MX records to our Zimbra IP address. Will monitor if they still have rejected emails...
Reply With Quote
  #5 (permalink)  
Old 10-30-2009, 05:47 AM
Senior Member
 
Posts: 59
Default

Quote:
Originally Posted by bhwong View Post
... a rDNS on my IP address will get resolved to my domain instead of all my customers' domains and fail the rDNS test for my customer's PTR records...
That's no problem. An rDNS check is only meant to check IF there's a PTR record present; it doesn't validate this PTR record against DNS, since that would make it impossible to host multiple email domains on 1 ip-address.

Background: most open spam-relays (hacked home computers) do not have a PTR record. A rDNS check is therefore a "quick & easy" way of spam-filtering.
Reply With Quote
  #6 (permalink)  
Old 10-30-2009, 06:48 AM
Moderator
 
Posts: 512
Default

It's most important that there be a PTR record in the first instance. Since most ISP allocated home IP addresses don't have PTR records, many email admins reject email from mail servers whose IP doesn't have a PTR record.

It's best if the PTR record matches exactly the A record, since some email admins will reject inbound email from servers with an A/PTR mismatch.

And it's ideal if the server's HELO, A and PTR records all have the same FQDN!

Hope that helps,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | data storage
Reply With Quote
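The three levels of check discussed in the posts above (a PTR exists, the PTR matches the A record, and HELO, A and PTR all agree), as an added example that is not part of the original thread. The DNS data is constructed, all names and addresses are placeholders, and the level names `none`/`ptr`/`fcrdns`/`aligned` are labels chosen here, not Zimbra settings.

```python
# Added example: constructed DNS data, no network access needed.
# All hostnames and addresses are made up (documentation ranges / .example).
PTR = {  # reverse zone: IP -> PTR name
    "192.0.2.25": "mail.provider.example",   # shared MTA hosting many domains
    "192.0.2.80": "host80.isp.example",
}
A = {  # forward zone: name -> set of IPs
    "mail.provider.example": {"192.0.2.25"},
    "host80.isp.example": {"198.51.100.7"},  # forward record points elsewhere
    "mail.customer.example": {"192.0.2.25"}, # customer name on the same IP
}
LEVELS = ["none", "ptr", "fcrdns", "aligned"]

def norm(name):
    """Lower-case and drop the trailing dot so FQDNs compare equal."""
    return name.rstrip(".").lower()

def check_sender(ip, helo, ptr=PTR, a=A):
    """Return the strictest level the connecting client satisfies.

    none    - the IP has no PTR record
    ptr     - a PTR exists, but its name does not resolve back to the IP
    fcrdns  - the PTR name resolves back to the IP (A/PTR match)
    aligned - fcrdns, and the HELO name is the same FQDN as the PTR
    """
    name = ptr.get(ip)
    if name is None:
        return "none"
    name = norm(name)
    if ip not in a.get(name, set()):
        return "ptr"
    if norm(helo) != name:
        return "fcrdns"
    return "aligned"

def accept(level, policy):
    """True if the client's level meets the receiver's minimum policy."""
    return LEVELS.index(level) >= LEVELS.index(policy)

if __name__ == "__main__":
    # The customer's mail domain never enters the check: only the
    # connecting IP and the HELO name do.
    for ip, helo in [("192.0.2.25", "mail.provider.example"),
                     ("192.0.2.25", "mail.customer.example"),
                     ("192.0.2.80", "host80.isp.example"),
                     ("198.51.100.9", "unknown.example")]:
        print(ip, helo, check_sender(ip, helo))
```
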
  #7 (permalink)  
Old 10-30-2009, 07:28 AM
Outstanding Member
 
Posts: 664
Default DNS checking.

My Zimbra servers are configured to do DNS checking. As long as there is a PTR record of some kind it will accept. I agree that the ideal solution is the PTR record should match the A record.

However, if the HELO response doesn't match the A record then the mail is rejected. It surprises me how many e-mail servers fail this test. Most mail admins don't bother to read the RFCs.
Reply With Quote
  #8 (permalink)  
Old 10-30-2009, 08:34 AM
Moderator
 
Posts: 512
Default

Quote:
Originally Posted by Bill Brock View Post
My Zimbra servers are configured to do DNS checking. As long as there is a PTR record of some kind it will accept. I agree that the ideal solution is the PTR record should match the A record.

However, if the HELO response doesn't match the A record then the mail is rejected. It surprises me how many e-mail servers fail this test. Most mail admins don't bother to read the RFCs.
Hi Bill,

I just had this same discussion on another thread, where I try to explain why so many email servers fail the HELO/A record match test--and why we no longer reject mail based on this test.

That thread is here.

All the best,
Mark
Reply With Quote
  #9 (permalink)  
Old 10-30-2009, 11:09 AM
Outstanding Member
 
Posts: 664
Default I usually try...

try to contact the mail admin if the rejected e-mails are important. Most of the time they are receptive. I'll even make reference to MS's Exchange documentation explaining the issue and how to configure Exchange. Some of the responses get comical as to why they don't have it configured properly. This isn't the place to go into detail but suffice it to say some admins are sorely lacking.

Since this check blocks about 80% of the spam I keep it in place. I have on occasion set up a bogus zone file on my DNS server for temporary communications to provide the admin with the RFCs and link to documents on how to correct their server. Most admins will fix their server after reading the RFCs. I've even gotten phone calls from company owners asking why I'm rejecting their mail. After I quote the RFCs, their admins have always changed their HELO response.

I am a firm believer that the Internet would be a better place if the rules were followed. So I leave the checks in place. Fortunately, my company's owner believes that as well and he has never asked me to relax the settings. He'll request a fax from a company that won't comply with the RFCs before he'll ask me to change it. Those RFCs are in place for a reason.
Reply With Quote
  #10 (permalink)  
Old 10-30-2009, 11:43 AM
Moderator
 
Posts: 512
Default

Bill,

Your boss is clearly more tolerant of false positives than our clients are!

We do front-end conservative RBL checking to eliminate 80% - 90% of the mail flow from even hitting our Zimbra farm. We then run a bunch of other checks that catch (we believe) all of the garbage that the mismatched HELO/A record test would catch.

We do require a HELO of some sort FWIW, and a PTR record of some sort too, but since the mail flow actually hitting our Zimbra farm is 10% or so of what comes knocking on the front door, we have some spare cycles available to do more intensive spam checking on the servers themselves -- and we have had only two known false positives since we first deployed Zimbra back on version 4.0.3.

Hope that helps,
Mark
Reply With Quote