Does your mail server do the DNS ménage à trois?
Jul 18th, 2007 by Micheal Espinola Jr
Author's note: “Ménage à trois” literally translates to “household of three”.
Something a number of IT operations fail to recognize is how tightly integrated e-mail is with DNS. To some that might sound obvious, since DNS records are required for reaching anything on the Internet by name, mail servers included. But the daily onslaught of spam has brought DNS into the spotlight in the context of anti-spam filters. Because spam has become so prevalent, and so ingenious at penetrating anti-spam filters, increasing scrutiny is placed on the sending system itself as well as on its accompanying DNS records.
DNS gets this increased visibility and scrutiny because of how spammer operations typically work – on the backs of exploited “zombie” computers worldwide. The overwhelming majority of spam comes from residential home computers, with a sprinkling of exploited corporate systems and servers. And what do these systems have in common? Well, for one they aren’t real mail servers. Second, since they aren’t mail servers, they typically don’t have the DNS records that any well-respected mail server should: A, MX, and PTR, or what I like to call “the DNS ménage à trois”.
Unfortunately, some IT operations have failed to take DNS fully into consideration, and have not created all of the appropriate DNS records for their MTAs either. Let’s take a brief look at each of these at a high level:
- The A record – otherwise known as the host name record or host address record – translates the canonical (fully qualified) domain name into an IP address. If you want to communicate with a system on the Internet (or any IP-based network) by its host name, it has to have an A record in DNS.
- The MX record – otherwise known as the mail exchange record – indicates which server (by its host name) receives mail for a particular domain. Without an MX record, no one would be able to tell which server is designated to receive e-mail for your domain.
- The PTR record – otherwise known as the pointer record or reverse record – translates an IP address to its intended host name: in essence, the reverse of what an A record does.
Since many incarnations of spam attempt to be anonymous, they use bogus domain names in the e-mail, so the existence of an MX record is an obvious first thing for an anti-spam filter to check. But second – and this is what is typically overlooked by legitimate IT operations – is the PTR. The PTR is an increasingly important DNS record check because it lets the spam filter deduce whether the sending IP address has a host name within the same e-mail domain and/or matches a valid A record host name within that domain.
Initially confusing for people not experienced in administering DNS is that PTR records do not exist in the same DNS space as your A and MX records. Those fall under the DNS provider for your domain name. PTR records are keyed by IP address, so they instead have to be hosted by the DNS provider for the network range the IP address falls within – which is typically your ISP.
- Yes, your ISP will need to create these records for you. Sometimes this requires some managerial pressure, because the tech taking your call doesn’t realize the world has changed and that PTR records have become a requirement.
It’s simply a fact of dealing with spam that more and more anti-spam filters check for each of these records, and more recently apply particular scrutiny to the PTR. If you don’t have a PTR record for your sending mail server, get one in place as soon as possible. The chance that your mail will be blocked otherwise increases daily – and DNS records typically take time to get published!
If you employ different servers for sending and receiving e-mail, you don’t currently need a PTR for your receive-only MTAs. Only your sending servers are going to be scrutinized for their PTR record. But in any case – especially considering the future of spam and anti-spam filters – I recommend that you allow all your servers to do the DNS ménage à trois.
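To make the three checks concrete, here is an added example (not code from the post or from the PowerShell script it links) that verifies A, MX and PTR for a sending host and also performs the forward-confirmed reverse DNS test a filter applies: the PTR name must have an A record that resolves back to the connecting IP. The lookup functions are injected, so the block runs offline against constructed zone data for the documentation domain example.net; for real use you would pass functions that query DNS (for instance built on dnspython or socket.gethostbyaddr).

```python
"""Verify the three records the post calls the DNS menage a trois (A, MX, PTR)
for a sending mail host, plus forward-confirmed reverse DNS (FCrDNS):
PTR name -> A record -> back to the same IP.

Lookups are injected as plain functions so the logic runs offline against
the constructed zone data below (assumption of this example); for real use
pass functions that query DNS, e.g. built on dnspython or socket.gethostbyaddr.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample data (not real records): a forward zone for
# example.net and the reverse-zone fragment its ISP would host.
FORWARD_A: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.25"],
    "www.example.net": ["192.0.2.80"],
}
FORWARD_MX: Dict[str, List[str]] = {"example.net": ["mail.example.net"]}
REVERSE_PTR: Dict[str, List[str]] = {
    "192.0.2.25": ["mail.example.net"],
    # 192.0.2.80 deliberately has no PTR: the overlooked case from the post
}

Lookup = Callable[[str], List[str]]


def _norm(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


def stub_a(name: str) -> List[str]:
    return FORWARD_A.get(_norm(name), [])


def stub_mx(domain: str) -> List[str]:
    return FORWARD_MX.get(_norm(domain), [])


def stub_ptr(ip: str) -> List[str]:
    return REVERSE_PTR.get(ip, [])


@dataclass
class Findings:
    has_a: bool
    a_matches_ip: bool
    has_mx: bool
    host_is_mx: bool   # informational: a send-only host need not be the MX
    has_ptr: bool
    ptr_names: List[str]
    fcrdns: bool
    problems: List[str] = field(default_factory=list)


def check_sender(domain: str, host: str, ip: str,
                 lookup_a: Lookup = stub_a, lookup_mx: Lookup = stub_mx,
                 lookup_ptr: Lookup = stub_ptr) -> Findings:
    """Run the A/MX/PTR checks plus FCrDNS for one sending host."""
    host = _norm(host)
    a_ips = lookup_a(host)
    mx_hosts = [_norm(m) for m in lookup_mx(domain)]
    ptr_names = [_norm(p) for p in lookup_ptr(ip)]
    # FCrDNS: at least one PTR name must have an A record containing the
    # connecting IP; a PTR that exists but points elsewhere still fails.
    fcrdns = any(ip in lookup_a(name) for name in ptr_names)

    f = Findings(
        has_a=bool(a_ips), a_matches_ip=ip in a_ips,
        has_mx=bool(mx_hosts), host_is_mx=host in mx_hosts,
        has_ptr=bool(ptr_names), ptr_names=ptr_names, fcrdns=fcrdns,
    )
    if not f.has_a:
        f.problems.append(f"no A record for {host}")
    elif not f.a_matches_ip:
        f.problems.append(f"A record for {host} does not include {ip}")
    if not f.has_mx:
        f.problems.append(f"no MX record for {domain}")
    if not f.has_ptr:
        f.problems.append(f"no PTR record for {ip} (ask the ISP that owns the range)")
    elif not f.fcrdns:
        f.problems.append(f"PTR {ptr_names} does not resolve back to {ip}")
    return f


if __name__ == "__main__":
    for host, ip in (("mail.example.net", "192.0.2.25"),
                     ("www.example.net", "192.0.2.80")):
        result = check_sender("example.net", host, ip)
        status = "OK" if not result.problems else "; ".join(result.problems)
        print(f"{host} ({ip}): {status}")
```

Run against the constructed data, mail.example.net passes all checks while www.example.net (an A record but no PTR) is reported as missing its reverse record, which is exactly the gap the ISP has to close. The MX membership is reported but not counted as a problem, since the post notes that a sending-only server does not have to be the domain's MX.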
Addendum: To easily interrogate these records to verify your own DNS setup, you might want to check out this PowerShell script by Michael B. Smith, Exchange MVP.
How do you deal with PTR records if your Exchange server sends mail for multiple domains? Would your PTR records have to resolve to a host record for each domain, even if it is the same IP?
thanks, jb
Primarily, the anti-spam filter doing a PTR check should only be verifying that it exists. A secondary function though can be to check to see if it is named in a way that indicates that it is dynamically allocated. As an example, comcast.net has PTR records for all of its residential users in the form of something like: c-24-61-36-227.hsd1.ma.comcast.net.
This is a valid PTR, but being a residential host means that it probably shouldn’t be sending e-mail. If the spam filter didn’t use a DNSBL to check for this fact, the PTR could be compared with a regexp (regular expression) to see if it matches any known residential network hostnames. Many residential PTRs contain information about their IP address.
If your ISP has provided you with a PTR that reflects your IP address, it may be a good idea to proactively request that it be changed so as to not be classified as a residential host PTR accidentally in the future.
I should have also noted, more specifically to Jason’s question, that the only exact comparison that might occur in regard to the PTR is to see if it matches the HELO used by the outbound mail server. Some anti-spam filters will perform this check. By definition of the RFC specifications, these should be the same, as they are meant to identify the host specifically – regardless of the mail it is sending. I hope this answers your question!
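The two filter-side heuristics described in the replies above, a PTR that looks like a dynamically allocated residential host and a PTR that does not match the sender's HELO, are easy to express as string checks. The following is an added example, not code from the post or from any particular anti-spam product; the Comcast-style PTR is the one quoted in the reply, the example.net hosts are constructed, and the list of dynamic-pool keywords is an assumption of this example.

```python
"""Filter-side PTR heuristics: (1) does the PTR name look like a dynamically
allocated residential host (its name embeds the IP address, or carries a
dynamic-pool keyword), and (2) does the PTR match the HELO the sender gave?
Pure string logic, so it runs offline.  The keyword list is an assumption of
this example, not something the post specifies.
"""
import re
from typing import Dict, List

# Constructed sample input: the Comcast-style PTR quoted in the reply, a
# well-formed mail host, and a host whose HELO and PTR disagree
# (example.net and 192.0.2.0/24 are reserved documentation values).
SAMPLES = [
    {"ip": "24.61.36.227", "helo": "c-24-61-36-227.hsd1.ma.comcast.net",
     "ptrs": ["c-24-61-36-227.hsd1.ma.comcast.net"]},
    {"ip": "192.0.2.25", "helo": "mail.example.net", "ptrs": ["mail.example.net"]},
    {"ip": "192.0.2.26", "helo": "mail.example.net", "ptrs": ["host26.example.net"]},
]

# Assumed keyword list; a label must start a component and be followed by a
# separator or digit so that e.g. "liverpool.example" is not flagged.
DYNAMIC_TOKENS = re.compile(
    r"(^|[.-])(dyn|dynamic|dhcp|pool|dsl|cable|ppp)([.-]|\d)", re.IGNORECASE)


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def ptr_embeds_ip(ptr: str, ip: str) -> bool:
    """True if all four octets appear in the name, in forward or reversed
    order, separated by '-' or '.', e.g. c-24-61-36-227... for 24.61.36.227."""
    octets = ip.split(".")
    for order in (octets, list(reversed(octets))):
        pattern = r"(?<!\d)" + r"[-.]".join(map(re.escape, order)) + r"(?!\d)"
        if re.search(pattern, ptr):
            return True
    return False


def looks_residential(ptr: str, ip: str) -> bool:
    """The regexp-style check the reply suggests as an alternative to a DNSBL."""
    return ptr_embeds_ip(ptr, ip) or bool(DYNAMIC_TOKENS.search(ptr))


def helo_matches_ptr(helo: str, ptrs: List[str]) -> bool:
    """Exact, case-insensitive comparison of HELO name against the PTR names."""
    return _norm(helo) in {_norm(p) for p in ptrs}


def assess(ip: str, helo: str, ptrs: List[str]) -> Dict[str, object]:
    """Combine the checks into one verdict for a connecting sender."""
    residential = any(looks_residential(_norm(p), ip) for p in ptrs)
    helo_match = helo_matches_ptr(helo, ptrs)
    if not ptrs:
        verdict = "no-ptr"
    elif residential:
        verdict = "residential"
    elif not helo_match:
        verdict = "helo-mismatch"
    else:
        verdict = "pass"
    return {"has_ptr": bool(ptrs), "residential": residential,
            "helo_match": helo_match, "verdict": verdict}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["ip"], assess(**sample)["verdict"])
```

Note that the residential check fires on the quoted Comcast PTR even though its HELO matches exactly, while the third sample passes the residential test but fails the HELO comparison; a filter would typically treat these as scores to weigh rather than hard rejects, which is also why requesting a PTR that does not embed your IP address, as the reply recommends, is worthwhile.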