If DNS is misconfigured, over time the IP address of your mail server will be added to blacklists. Nowadays most mail servers run some form of spam protection, which means that mail from your server will be blocked as incoming spam if you are on a spam blacklist.
In this article I describe how to correctly configure the MX and reverse DNS records for your mail server. The article is based on an Exchange 2003/2007 server, but all other mail servers follow the same principle.
Assigning an IP Address
From the ground up, the first thing to do is to map an external static IP address to the internal private address of your mail server. On your firewall you will need rules that forward the SMTP port (TCP port 25) and NAT the external IP address to the server's internal address.
Something that many administrators forget to do or check is to set the outgoing NAT rule to use the same external IP address as the incoming rule for the mail server. If this is not the case, reverse DNS will not match and your mail server will end up on blacklists. If your firewall rules are correctly configured, the public IP address shown by an external "what is my IP" lookup made from the mail server must match the IP address that you mapped to the internal private IP address of the mail server.
Creating MX Records for Your Mail Server
For the purpose of this example, the details of my mail server are listed below to help you understand what you need to do.
External IP: 220.127.116.11
Email domain: domain.com
You will need to be an administrative contact for your domain with your external DNS provider in order to make these changes. In most cases this can be done via an online control panel at your DNS provider; otherwise by phone or email.
1. The first thing we need to do is create an A record pointing to the external IP address that your firewall maps to the mail server. The host A record can be called anything but is commonly called "mail". In our example we will create "mail.domain.com" pointing to the IP address "18.104.22.168".
2. Then we will create an MX record pointing to the newly created A record of our mail server.
In your DNS control panel, select "Add MX record". Make sure that the host address is the root domain name, in our case "domain.com".
Set the FQDN to the A record we just created, in our case "mail.domain.com".
The lowest priority value is the most preferred; in our example we will set the priority to 10.
Using nslookup to Check DNS and MX Records
DNS propagation can take up to 48 hours, but in most cases 12-24 hours. To verify that our DNS entries are in place and correct, we can use nslookup.
1. Open a CMD prompt and type nslookup
2. Type set type=mx
3. Type the domain name, in our case domain.com
In our example, the output should be the following if everything is properly configured:
domain.com MX preference = 10, mail exchanger = mail.domain.com
mail.domain.com internet address = 22.214.171.124
Setting Up the Reverse DNS
Reverse DNS is used to verify that the mail server is the one it claims to be. The recipient mail server performs a reverse lookup to ensure that the IP address of the mail host's A record in DNS is the same as the IP address it is communicating with. Only one RDNS (PTR) entry should be present per IP address.
To do this you will need to contact your ISP to have this entry created. You cannot do it in your DNS control panel unless your ISP also hosts your DNS and gives you the option to add your own RDNS records.
In our case we would contact our ISP and tell them that we would like an RDNS entry for our IP address 126.96.36.199 that resolves to mail.domain.com.
Checking the Reverse DNS
It may take up to 48 hours for DNS to propagate, but in most cases 12-24 hours. To verify that the RDNS entry has been added and is correct, proceed as follows:
1. Open a CMD prompt.
2. Type ping -a 188.8.131.52 (this is the external IP address of your mail server; in our case we use the external IP address shown above).
If RDNS is configured correctly, the following output will be shown:
C:\Users\User>ping -a 184.108.40.206
Pinging mail.domain.com [220.127.116.11] with 32 bytes of data:
Whenever another mail server establishes a connection with your mail server, your server presents its SMTP banner. The host name in this banner must be resolvable on the Internet, and best practice is to use the A / host record of your mail server.
Configure the Exchange 2003 SMTP Banner
1. Open Exchange System Manager .
2. Expand your administrative group ("First administrative group" by default).
3. Expand Servers.
4. Expand YourServerName.
5. Expand the Protocols container.
6. Select the SMTP container.
7. In the right pane, right-click Default SMTP Virtual Server (or the name you gave your SMTP server) and select Properties.
8. Select the Delivery tab.
9. Click the Advanced button.
10. Under the FQDN, type mail.domain.com (the A / host record that you created in DNS for your mail server).
11. Click OK and OK to accept the changes.
Configure the Exchange 2007/2010 SMTP Banner
1. Open the Exchange Management Console.
2. Select the Organization Configuration container.
3. Select the Hub Transport container.
4. In the right pane, select the Send Connectors tab.
5. Right-click your send connector and select Properties.
6. On the General tab, under "Set the FQDN this connector …", enter the A record name that you created, which in our case is mail.domain.com. Click OK.
7. Under Server Configuration, click the Hub Transport container. In the right pane, on the Receive Connectors tab, open the properties of your receive connector.
8. On the General tab, under "Set the FQDN this connector …", enter the A record name that you created, which in our case is mail.domain.com. Click OK.
To verify these changes, we can use telnet to display the output when establishing a connection to port 25 of our mail server. Use the following steps:
1. Open a CMD prompt.
2. Type telnet mail.domain.com 25
The output you see should look like this and contain the A record of your mail server:
220 mail.domain.com Microsoft ESMTP MAIL Service Ready at Sun, 28 Feb 2010 17:51:20 +0000
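The whole chain this article walks through (MX to A to PTR and back to the same host, the outbound NAT address, and the host name in the telnet banner) can be verified in one place. The script below is an added example, not part of the original article; instead of live lookups it runs on constructed nslookup / ping -a / telnet results for the article's domain.com and 220.127.116.11, and the record layout and function names are assumptions.

```python
import re

# Constructed sample of what nslookup / ping -a / telnet return for the
# article's example; not live lookups. The dict layout is an assumption.
SAMPLE_RECORDS = {
    "MX": {"domain.com": [(10, "mail.domain.com")]},
    "A": {"mail.domain.com": ["220.127.116.11"]},
    "PTR": {"220.127.116.11": ["mail.domain.com"]},
}
SAMPLE_BANNER = ("220 mail.domain.com Microsoft ESMTP MAIL Service Ready "
                 "at Sun, 28 Feb 2010 17:51:20 +0000")


def banner_host(banner):
    """Host name announced in an SMTP 220 greeting, or None if malformed."""
    m = re.match(r"220[ -](\S+)", banner.strip())
    return m.group(1) if m else None


def check_mail_dns(domain, records, banner, outbound_ip):
    """Verify that MX -> A -> PTR line up and that the SMTP banner matches.

    Returns a list of problems; an empty list means the setup is consistent.
    """
    problems = []
    mx = sorted(records["MX"].get(domain, []))  # lowest preference first
    if not mx:
        return [f"no MX record for {domain}"]
    mx_host = mx[0][1]
    ips = records["A"].get(mx_host, [])
    if not ips:
        return [f"MX target {mx_host} has no A record"]
    for ip in ips:
        ptrs = records["PTR"].get(ip, [])
        if not ptrs:
            problems.append(f"{ip} has no PTR (reverse DNS) record")
        elif len(ptrs) > 1:  # the article: only one RDNS entry per IP
            problems.append(f"{ip} has more than one PTR record")
        elif ptrs[0] != mx_host:
            problems.append(f"PTR for {ip} is {ptrs[0]}, expected {mx_host}")
    # Outgoing NAT must use the same address as the incoming rule.
    if outbound_ip not in ips:
        problems.append(f"outbound address {outbound_ip} is not the A record of {mx_host}")
    host = banner_host(banner)
    if host != mx_host:
        problems.append(f"SMTP banner announces {host!r}, expected {mx_host}")
    return problems


if __name__ == "__main__":
    for p in check_mail_dns("domain.com", SAMPLE_RECORDS, SAMPLE_BANNER, "220.127.116.11"):
        print("PROBLEM:", p)
```

Replace the constructed dictionaries with the values you get from nslookup, ping -a and telnet to check a real server; no output means every record agrees.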
If you use an Edge server or a spam-filtering device such as a Barracuda, the SMTP banner must be set on that device / server.
Check Whether Your Mail Server Is on Spam Lists and / or an Open Relay
A great website for checking your MX and RDNS records, whether your mail server is an open relay, and whether you are listed on spam lists is www.mxtoolbox.com. It is an excellent site to keep in your favorites.
Following these guidelines will help you properly configure mail routing to and from your mail server. The next step is to secure your mail server and make sure it is not an open relay. I will write a separate article devoted to this in the near future.