An MX (Mail eXchange) record is a type of DNS record that gives one or more host names of the email servers that are responsible for and authorized to receive email for a given domain. If the MX record has more than one host name, each name has a number that tells which is the most preferred host and which hosts to try next if the most preferred host is not available.
When an email server sends email, it first does a DNS query for the MX record of the recipient’s domain. When it gets the response, the sending email server knows the host names of authorized mail exchangers for the recipient’s domain. To get the IP addresses associated with the MX host names, a mail server does a second DNS lookup for the A record of the host name. The response gives the IP address associated with the host name. This lets the sending server know what IP address to connect to for message delivery.
Reverse MX Lookup
Many anti-spam solutions, including those used by most major ISP networks and web mail providers such as AOL, MSN, and Yahoo!, use a reverse MX lookup procedure. Different variations of the reverse lookup are used, but the goals are the same: the receiving server wants to verify that the email it receives does not come from a spoofed or forged sending address, and that the sending server is an authorized mail exchanger for that domain.
To verify that the sending server is an authorized email server, the receiving email server tries to find an MX record that correlates to the sender’s domain. If it cannot find one, it assumes that the email is spam and rejects it.
The domain name that the receiving server looks up can be:
- Domain name in the email message’s From: header
- Domain name in the email message’s Reply-To: header
- Domain name the sending server uses as the FROM parameter of the MAIL command. (An SMTP command is different from an email header. The sending server sends the MAIL FROM: command to tell the receiving server who the message is from.)
- Domain name returned from a DNS query of the connection’s source IP address. The receiving server sometimes does a lookup for a PTR record associated with the IP address. A PTR DNS record maps an IP address to a domain name (the reverse of a normal A record, which maps a domain name to an IP address).
Before the receiving server continues the transaction, it makes a DNS query to see whether a valid MX record for the sender’s domain exists. If the domain has no valid DNS MX record, then the sender is not valid and the receiving server rejects it as a spam source.
MX Records and Multi-WAN
Because outgoing connections from behind your Firebox can show different source IP addresses when your Firebox uses multi-WAN, you must make sure that your DNS records include MX records for each external IP address that can show as the source when you send email. If the list of host names in your domain’s MX record does not include one for each external Firebox interface, it is possible that some remote email servers could drop your email messages.
For example, Company XYZ has a Firebox configured with multiple external interfaces. The Firebox uses the Failover multi-WAN method. Company XYZ’s MX record includes only one host name. This host name has a DNS A record that resolves to the IP address of the Firebox primary external interface.
When Company XYZ sends an email to [email protected], the email goes out through the primary external interface. The email request is received by one of Yahoo’s many email servers. That email server does a reverse MX lookup to verify the identity of Company XYZ. The reverse MX lookup is successful, and the email is sent.
If a WAN failover event occurs at the Firebox, all outgoing connections from Company XYZ start to go out the secondary, backup external interface. In this case, when the Yahoo email server does a reverse MX lookup, it does not find an IP address in Company XYZ’s MX and A records that matches, and it rejects the email. To solve this problem, make sure that:
- The MX record has multiple host names, at least one for each external Firebox interface.
- At least one host name in the MX record has a DNS A record that maps to the IP address assigned to each Firebox interface.
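The following added example (not part of this documentation or of any WatchGuard product) models the reverse MX lookup described above and the multi-WAN failover case: it resolves a sender domain's MX host names in preference order, collects their A record addresses, and compares them against the connection's source IP. The DNS records, domain names and IP addresses are constructed for illustration; no network lookups are made.

```python
from ipaddress import ip_address

# Constructed records for the Company XYZ scenario (not real DNS data).
# MX: domain -> list of (preference, host name); lower preference is tried first.
# A:  host name -> list of IPv4 addresses.
MX = {
    "xyz.example": [(10, "mail1.xyz.example")],
}
A = {
    "mail1.xyz.example": ["203.0.113.10"],   # primary external interface
    "mail2.xyz.example": ["198.51.100.10"],  # secondary (backup) external interface
}


def mx_hosts(domain, mx=MX):
    """Return the MX host names for a domain, most preferred first."""
    return [host for _, host in sorted(mx.get(domain, []))]


def authorized_ips(domain, mx=MX, a=A):
    """Second lookup: A records of every MX host, i.e. the IPs allowed to send for domain."""
    ips = set()
    for host in mx_hosts(domain, mx):
        ips.update(ip_address(addr) for addr in a.get(host, []))
    return ips


def reverse_mx_check(sender_domain, source_ip, mx=MX, a=A):
    """Receiving-side check: (accepted, reason) for a connection from source_ip."""
    if not mx_hosts(sender_domain, mx):
        return False, "no MX record for " + sender_domain
    if ip_address(source_ip) in authorized_ips(sender_domain, mx, a):
        return True, "source IP matches an A record of an MX host"
    return False, "source IP is not an MX host for " + sender_domain


def add_mx_host(mx, domain, preference, host):
    """Return a copy of the MX table with one more host name for domain (the fix above)."""
    fixed = {d: list(records) for d, records in mx.items()}
    fixed.setdefault(domain, []).append((preference, host))
    return fixed


if __name__ == "__main__":
    print(reverse_mx_check("xyz.example", "203.0.113.10"))   # primary: accepted
    print(reverse_mx_check("xyz.example", "198.51.100.10"))  # after failover: rejected
    fixed = add_mx_host(MX, "xyz.example", 20, "mail2.xyz.example")
    print(reverse_mx_check("xyz.example", "198.51.100.10", mx=fixed))  # accepted
```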
Add Another Host Name to an MX Record
MX records are stored as part of your domain’s DNS records. For more information on how to set up your MX records, contact your DNS host provider (if someone else hosts your domain’s DNS service) or consult the documentation from the vendor of your DNS server software.