Home / server / Questions / 1168764
Accepted
Tom Griffith
Asked: 2024-12-12 01:38:09 +0800 CST

matching up DNS A and PTR records

  • 772

If you have a minute, I am a little confused about addressing rDNS warning for outbound emails. I have this setup...

http web server (ip 1.2.3.4, hostname apps.acme.com)
smtp mail server (ip 1.2.3.5, hostname mail.acme.com)

DNS A record (Domain name = acme.com, ip = 1.2.3.4) --> web server
PTR record (Domain name = acme.com, ip = 1.2.3.5) --> smtp server

The smtp server only sends mail, no inbounds, no MX record, etc.

However, when I check mail reputation score, I see rDNS warning and found that PTR records should have corresponding A record (forward-confirmed). However, if I create a second DNS A record for the smtp server...

DNS A record (Domain name = acme.com, ip = 1.2.3.5) --> smtp server

Won't this mean that the authoritative server will direct some acme.com DNS resolution traffic to the smtp server? thank you very much for reading this.

domain-name-system

1 Answers

  1. Best Answer

    Yes, it would, at least for traffic other than that destined for apps.acme.com. So rather than DNS A record (Domain name = acme.com, ip = 1.2.3.5), what you do is make DNS PTR record (ip = 1.2.3.5, domain = mail.acme.com). You may still want a PTR record for acme.com, of course, but you apply that to ip = 1.2.3.4 which is where you're sending all that traffic anyway.

    EDIT: Since the comments have gotten incredibly unwieldy, with information that should have properly gone in the initial question, I'll toss all of that in here as well.

    Given that the SMTP server mail.acme.com does in fact receive mail (destined for specific addresses, directed there by the principal mail server acme.mail.protection.outlook.com, and from certain web apps), we do need to have an active MTA on mail.acme.com which means that if there is an MX record, no matter what priority we set of the record, some mail will erroneously get sent to mail.acme.com. (This will happen when the primary is not responding, by design, and I'll note in passing that spammers pay no attention to MX priority, firing messages at any MX they find.) So the first step in the process is to add a firewall that is set to reject any connection to the MTA except from the primary and the hosts where the web apps run.

    Once that's done, we can create three records in DNS as follows:

    A mail.acme.com 1.2.3.5
PTR 1.2.3.5 mail.acme.com
MX acme.com mail.acme.com priority 50

    Traffic for acme.com still resolves to 1.2.3.4 as before; the only traffic that ends up going to mail.acme.com is mail, and that's blocked by the firewall unless it's from the primary or the web apps. As far as I can see there's no need for an A record for acme.com at 1.2.3.5, as that one is set to resolve both forward and back to mail.acme.com, and the MX record provides the link that shows this is an MX for the domain.

    • 0