Correctly configure the reverse DNS and MX records of the Exchange email server

If DNS is configured incorrectly, over time your mail server's IP address will end up on blacklists. Most mail servers today run some form of spam protection, which means the mail you send will be rejected by recipients if your IP address appears on a spam blacklist.

In this article, I’ll describe how to set up the MX and reverse DNS records for your mail server correctly. The steps are based on an Exchange 2003/2007 server, but the same principles apply to any other messaging server.

Assigning an IP address

Starting from the bottom up, the first thing you need to do is map a static external IP address to your mail server’s internal private address. Create the firewall rules that forward the SMTP port (TCP 25) on that external address and NAT it to the internal address of the server.

Something that many administrators forget to do or check is to configure the outbound NAT rule so that the mail server’s outgoing connections use the same external IP address as the inbound rule. If this is not done, the reverse DNS lookup performed by the receiving server will not match the address your server connects from, and your mail server will be blacklisted. If the firewall rules are correct, the external address a remote host sees when the mail server makes an outbound connection (for example, a “what is my IP” site visited from the server itself) will be the same address you mapped to the mail server’s internal private IP.

Create MX records for your mail server

For the purposes of this example, all the details of my mail server are listed below to help you understand what to do.

External IP: 87.22.1.22

Email domain: domain.com

You will need to be an administrative contact for your domain at your external DNS provider to make these changes. In most cases this is done through the provider’s online control panel; failing that, by phone or e-mail.

1. The first thing we need to do is create an A record pointing to the external IP address assigned to the mail server in your firewall. The host A record can be called anything, but is commonly called “mail”. In our example we will create “mail.domain.com” pointing to the IP address “87.22.1.22”.

2. Next, we’ll create an MX record pointing to the newly created A record for our mail server.

Within your DNS control panel, select “add MX record”. Make sure the host name is the root domain name, in our case “domain.com”.

Set the mail exchanger (FQDN) to the A record we just created, which in our case is “mail.domain.com”. The MX target must be a host name with an A record, not a CNAME and not a bare IP address.

When there are several MX records, the one with the lowest priority value is tried first; in our example we will set the priority to 10.

Use nslookup to verify that the A and MX records have been applied

DNS changes can take up to 48 hours to propagate, but in most cases 12-24 hours. To verify that our DNS entries have propagated and are correct, we can use nslookup.

1. Open a CMD prompt and type nslookup

2. Type set type=mx

3. Type the domain name, which in our case is domain.com.

In our example, the output should look like the following if the records are configured correctly (the “Non-authoritative answer” line only means the reply came from a caching resolver rather than from the zone’s authoritative server):

> domain.com

Non-authoritative answer:

domain.com MX preference = 10, mail exchanger = mail.domain.com

mail.domain.com internet address = 87.22.1.22

Configure reverse DNS

Reverse DNS is used to verify that the mail server is who it claims to be. The recipient’s mail server performs a reverse (PTR) lookup on the IP address that connected to it and checks that the host name returned matches the name your server presents, and that this name resolves back to the same IP address. There can only be one reverse DNS (PTR) entry per IP address.

To do this, you will need to contact your ISP, because the reverse zone for your IP address belongs to them. You won’t be able to do this in your DNS control panel unless your ISP also hosts your DNS and gives you the ability to add your own reverse DNS records.

In our case, we would contact our ISP and ask them to create a reverse DNS entry for our IP address 87.22.1.22 that resolves to mail.domain.com.

Check reverse DNS

Again, DNS changes can take up to 48 hours to propagate, but in most cases 12-24 hours. To verify that the reverse DNS entry has been added and is correct, do the following:

1. Open a CMD prompt.

2. Type ping -a 87.22.1.22 (this is the external IP address of your mail server; in our case, the external address given above). The -a switch makes ping resolve the address to a name before sending, so the host name appears in the first line even if the echo requests themselves are blocked by a firewall. nslookup 87.22.1.22 performs the same reverse lookup without sending ICMP at all.

If reverse DNS is configured correctly, the following output will be shown:

C:\Users\User>ping -a 87.22.1.22

Pinging mail.domain.com [87.22.1.22] with 32 bytes of data:

SMTP banner

Every time a remote mail server connects to your mail server, yours replies with its SMTP banner (the 220 greeting). The host name in this banner should be resolvable on the Internet, and best practice is to make it the same as your mail host’s A record.

Configuring the Exchange 2003 SMTP banner

1. Open Exchange System Manager.

2. Expand your administrative group (“First Administrative Group” by default).

3. Expand Servers.

4. Expand YourServerName.

5. Expand the Protocols container.

6. Select the SMTP container.

7. In the right-hand pane, right-click Default SMTP Virtual Server (or the name you gave your SMTP virtual server) and select Properties.

8. Select the Delivery tab.

9. Click the Advanced button.

10. Under Fully-qualified domain name, type mail.domain.com (the A/host record you created in DNS for your mail server).

11. Click OK, and OK again to accept the changes.

Configuring the Exchange 2007/2010 SMTP banner

1. Open the Exchange Management Console.

2. Select the Organization Configuration container.

3. Select the Hub Transport container.

4. In the right-hand pane, select the Send Connectors tab.

5. Right-click your send connector and select Properties.

6. On the General tab, under “Specify the FQDN this connector will provide in response to HELO or EHLO”, type the name of the A record you created, which in our case is mail.domain.com. Click OK.

7. Under Server Configuration, click the Hub Transport container.

8. In the right-hand pane, on the Receive Connectors tab, open the properties of the receive connector that accepts mail from the Internet.

9. On the General tab, under the same “Specify the FQDN this connector will provide in response to HELO or EHLO” setting, type the name of the A record, which in our case is mail.domain.com. Click OK.

To verify these changes, we can use telnet to open a connection to port 25 on our mail server and read the greeting. On Windows Vista/Server 2008 and later the Telnet client is an optional feature that has to be installed first. Use the following steps:

1. Open a CMD prompt.

2. Type telnet mail.domain.com 25.

The output you see should look like this and contain the A record of your mail server:

220 mail.domain.com Microsoft ESMTP MAIL Service ready at Sun, 28 Feb 2010 17:51:20 +0000

If you use a perimeter server or a spam filter appliance such as Barracuda, the SMTP banner will need to be configured on that appliance/server instead, because it is the host that Internet mail servers actually talk to.
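The three manual checks above (nslookup for the MX and A records, ping -a for reverse DNS, telnet for the banner) can be run as one script, which is handy when you have several MX hosts or want to re-check after a firewall change. The following Python example is added here; it is not part of the original article and not Exchange code. It reuses the article’s example values (domain.com, mail.domain.com, 87.22.1.22); the failing case, the ISP-style PTR name 87-22-1-22.static.isp.example, the server name EXCHSRV01, the collect_live helper and the file name check_mail_dns.py are all constructed for the example.

```python
"""Forward DNS, reverse DNS and SMTP banner consistency check for a mail domain.

Added example, not from the original article. It automates the article's manual
checks: MX -> A -> PTR -> forward-confirmed reverse DNS -> host name in the 220 banner.
"""
import socket
import sys
from dataclasses import dataclass


@dataclass
class DnsView:
    """Lookup results supplied by the caller, either gathered live or constructed."""
    mx: dict      # domain -> list of (priority, exchanger host)
    a: dict       # host -> list of IPv4 addresses
    ptr: dict     # ip -> PTR host name
    banner: dict  # ip -> first line received on TCP/25


def check_mail_dns(domain, view):
    """Return a list of findings; a single 'OK ...' line means everything agrees."""
    findings = []
    exchangers = sorted(view.mx.get(domain, []))
    if not exchangers:
        return [f"FAIL no MX record for {domain}"]
    for prio, host in exchangers:
        host = host.rstrip(".").lower()
        ips = view.a.get(host, [])
        if not ips:
            findings.append(f"FAIL MX {host} (priority {prio}) has no A record")
            continue
        for ip in ips:
            ptr = view.ptr.get(ip)
            if ptr is None:
                findings.append(f"FAIL {ip}: no PTR record (the ISP must add one)")
            else:
                ptr = ptr.rstrip(".").lower()
                if ptr != host:
                    findings.append(f"WARN {ip}: PTR is {ptr}, MX host is {host}")
                # Forward-confirmed reverse DNS: the PTR name must resolve back to this IP.
                if ip not in view.a.get(ptr, []):
                    findings.append(f"FAIL {ip}: PTR {ptr} does not resolve back to {ip}")
            banner = view.banner.get(ip)
            if banner is None:
                findings.append(f"WARN {ip}: no SMTP banner captured on port 25")
            else:
                parts = banner.split()
                if len(parts) < 2 or parts[0] != "220":
                    findings.append(f"FAIL {ip}: unexpected SMTP greeting {banner!r}")
                elif parts[1].rstrip(".").lower() != host:
                    findings.append(f"WARN {ip}: banner announces {parts[1]}, expected {host}")
    return findings or ["OK MX, A, PTR and SMTP banner all agree"]


def collect_live(domain, mx_hosts, timeout=5.0):
    """Build a DnsView from the real network. MX hosts are passed in because the
    standard library has no MX lookup; A, PTR and banner come from live lookups."""
    view = DnsView(mx={domain: [(10, h) for h in mx_hosts]}, a={}, ptr={}, banner={})
    for host in mx_hosts:
        try:
            view.a[host] = socket.gethostbyname_ex(host)[2]
        except socket.gaierror:
            view.a[host] = []
        for ip in view.a[host]:
            try:
                name = socket.gethostbyaddr(ip)[0]
                view.ptr[ip] = name
                view.a.setdefault(name, socket.gethostbyname_ex(name)[2])
            except (socket.herror, socket.gaierror):
                pass
            try:  # read the 220 greeting; outbound TCP/25 is often blocked on client networks
                with socket.create_connection((ip, 25), timeout=timeout) as s:
                    view.banner[ip] = s.recv(512).decode("ascii", "replace").strip()
            except OSError:
                pass
    return view


# Constructed sample data mirroring the article's example (87.22.1.22, mail.domain.com).
GOOD = DnsView(
    mx={"domain.com": [(10, "mail.domain.com")]},
    a={"mail.domain.com": ["87.22.1.22"]},
    ptr={"87.22.1.22": "mail.domain.com"},
    banner={"87.22.1.22": "220 mail.domain.com Microsoft ESMTP MAIL Service ready"},
)
# Constructed failure case: the ISP's generic PTR was never replaced and the
# banner still carries the server's own name instead of the A record.
BAD = DnsView(
    mx={"domain.com": [(10, "mail.domain.com")]},
    a={"mail.domain.com": ["87.22.1.22"]},
    ptr={"87.22.1.22": "87-22-1-22.static.isp.example"},
    banner={"87.22.1.22": "220 EXCHSRV01 Microsoft ESMTP MAIL Service ready"},
)

if __name__ == "__main__":
    if len(sys.argv) >= 3:  # python check_mail_dns.py domain.com mail.domain.com [mail2...]
        domain, view = sys.argv[1], collect_live(sys.argv[1], sys.argv[2:])
    else:
        domain, view = "domain.com", BAD
    for line in check_mail_dns(domain, view):
        print(line)
```

Run it with no arguments to see the three findings the constructed bad case produces (PTR mismatch, PTR not resolving back, banner mismatch), or with your domain and MX host names once the records have propagated. A WARN about a missing banner when run from a residential or corporate client network usually means outbound port 25 is blocked on that network, not that the server is misconfigured; repeat the banner check from a host that is allowed to send SMTP.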

Check if your mail server is on spam lists and/or is an open relay

An excellent website to check your MX records and reverse DNS, test whether your mail server is an open relay, and see whether you are on spam lists is www.mxtoolbox.com. It is a great site and one to keep in your favorites.

By following these guidelines, you will have correctly configured mail routing to and from your mail server. The next step is to secure the server and make sure it is not an open relay. I will write a separate article dedicated to this in the near future.
