Wednesday, August 18, 2010

Step 2 - Get your Public DNS in order


When one first tackles the project of getting Internet mail delivered to their mail system, you are very quickly pointed to the need for getting an MX record published within your domain's public DNS zone. It is this record that tells all of the other mail servers on the planet where to route email destined for your domain.
What most do not tell you is the importance of getting both the forward (A record) and reverse (PTR record) DNS entries right for the server that is the send connector. In some cases this is the same server as the receive connector, but it does not need to be. It is very important that any server that is configured as an Internet Send Connector have both a forward (A record) and reverse (PTR record) published in DNS, and that these records exactly match what you have entered in the FQDN field on the general tab of your Send Connector. If this one server is hosting both the send and receive connectors, the MX record should also point to this same name. If your organization accepts mail for more than one domain, simply point the MX record in each domain to the same FQDN. There is no requirement that an MX record point to a server in the same DNS domain as the MX record.
You may be thinking, "Why is it so important that all of these names match?"… The underlying reason is that mismatched entries and a lack of a reverse DNS entry are used by most Anti-Spam services as a signal that mail messages from this host should be treated as Spam. Some organizations, such as AOL and Comcast, go as far as to outright block mail from hosts that do not have a matching reverse DNS entry. If your organization's email is to get delivered, you need to do everything you can to lower the suspicions of the Anti-Spam services.
You can check your organization's DNS entries quickly and easily using the tools at mxtoolbox.com. To look for the forward or A record of your server, simply enter a:Servername in the command box, where Servername is the fully qualified domain name of your server as entered in the FQDN of your Send Connector within Exchange. To look for the reverse or PTR record, simply enter ptr:IPAddress in the command box, where IPAddress is your server's public IP address. If the results of these queries are consistent, you are all set. If not, don't fret; the fix is not difficult.
Getting the forward (A record) entry published in DNS is no different than publishing any other address. You simply work with your DNS hosting provider to publish the name you have setup for your send connector just like you did when you added your MX record or published the WWW address for your domain by providing them with the full name and apparent IP address. It is the reverse entry or PTR record that is a bit tricky. This is because you cannot directly publish your own PTR record as you are most likely not the owner of the IP block your organization is using; your ISP is. You simply need to work with your ISP to publish the reverse entry. This is a common request and many of the larger ISPs have even added this functionality to their customer self-help portals. This approach only works though if you have a static IP address/range from your ISP.
If your Internet service is being issued a dynamic address, this above approach will not work. Assuming that you need to make sure your mail is delivered; you will then have a choice to make. You can either change your ISP service to one with a Static IP range and follow the instructions above, or use a "Smarthost". A Smarthost is simply another server or servers on the Internet that "Trusts you". This is usually a paid service where they provide you with a username/password combination to authenticate your mail server regardless of the IP address it is using at the time. It is these servers that then deliver your mail messages to their ultimate destination. Your ISP will often provide this service, so start with them 1st. It is important that you make sure that they do not provide this service for their customers as many ISPs actively block SMTP (email) traffic from their entire dynamic IP service range to keep themselves on good standing.

No comments:

Post a Comment