Authors note: “Ménage à trios” literally translates to “household of three”.

It seems that something a number of IT operations fail to recognize is how tightly integrated e-mail is with DNS. To some that might sound incredibly obvious since DNS records are a requirement for connecting to anything on the Internet by its name, as well as contacting mail servers. But the daily onslaught of spam has brought DNS into the spotlight in terms of anti-spam filters. Because spam has become so prevalent and ingenious in the ways it is able to penetrate an anti-spam filter, increasing scrutiny is placed on the sending system itself as well as its accompanying DNS records.

The increased visibility and scrutiny of DNS is because of how spammer operations typically work – which is on the backs of exploited “zombie” computers world-wide. The overwhelming majority of spam comes from residential home computers, with a sprinkling of exploited corporate systems and servers. And what do these systems have in common? Well, for one they aren’t real mail servers. Second, since they aren’t mail servers, they typically don’t have the appropriate DNS records that any well-respected mail server should: A, MX, and PTR — or what I like to call “the DNS ménage à trios“.

Unfortunately, some IT operations have failed to take DNS fully into consideration, and have not created all of the appropriate DNS records for their MTAs either. Lets take a brief look at these at a high-level:

• The A record – otherwise known as the host name record or host address record is what translates the canonical (fully qualified domain name) into an IP address. If you want to communicate with a system on the Internet (or any IP based network) by its host name, it has to have an A record in DNS.
• The MX record – otherwise known as the mail exchange record is an indicator for which server (by its host name) receives mail for a particular domain. Without an MX record, no one would be able to tell which server is designated to receive e-mail for your domain.
• The PTR record – otherwise knows as the pointer record or reverse record is a means to translate an IP address to its intended host name — in essence, the reverse of what an A record does.

Since many incarnations of spam attempt to be anonymous, they use bogus domain names in the e-mail – so immediately the existence of an MX record is an excellent choice for an anti-spam filter to check for. But second – and this is what is typically overlooked by legitimate IT operations – is the PTR. The PTR is an ever increasingly important DNS record check because it allows the spam filter to deduce if the sending IP address has a host name within the same e-mail domain and/or matches a valid A record host name within that domain.

Initially confusing for people not experienced with administrating DNS, is that PTR records do not exist within the same DNS space as your A and MX records. Those fall under the DNS provider for your domain name. PTR records are based on the IP address, so they instead have to be hosted by the DNS provider of the network range the IP address falls within – which is typically your ISP.

• Yes, your ISP will need to create these records for you. Sometimes this requires some managerial pressure because the tech taking your call doesn’t realize the world has changed and that PTR records have become a requirement.

It’s simply an increasing fact of dealing with spam that more and more anti-spam filters are checking for each of these records, and more recently with applied scrutiny on the PTR. If you don’t have a PTR record for your sending mail server, you should get one in place as soon as possible. The chances that your mail will be blocked otherwise increases daily – and DNS records typically take time to get published!

If you employ different servers for sending and receiving email, you don’t currently need a PTR for your receive-only MTAs. Only your sending servers are going to be scrutinized for their PTR record. But I in any case – especially considering the future of spam and anti-spam filters – I recommend that you allow all your servers to do the DNS ménage à trois.

Share/Bookmark