I need some help on clarification of the reverse DNS and MX record setup. I wasn't able to find a definitive answer on Google. The case is as follows. Say I have the domain "mydomain.com" and an SMTP server named "mail.mydomain.com", which is hosted by myprovider.com. I want to send/receive mail from the domain mydomain.com.
So I add an MX record like this:
mydomain.com MX mail.mydomain.com
I also have an A record, pointing to the myprovider.com server IP (suppose it is 1.2.3.4):
mail.mydomain.com A 1.2.3.4
Now, I want to make sure my mails will be delivered, so I check reverse DNS for this. I got the following results:
mail.mydomain.com -> DNS check resolves to 1.2.3.4,
1.2.3.4 -> reverse DNS check resolves to s1.myprovider.com
Now – does it mean that the anti-spam reverse DNS check fails, because 1.2.3.4 doesn't resolve back to mail.mydomain.com? BUT: it's a shared server, so it will never resolve to mydomain.com – it will always resolve to myprovider.com – right? Does it mean the mail will potentially be marked as spam? OR: the anti-spam filter will do one more DNS check, checking the IP of s1.myprovider.com:
s1.myprovider.com -> DNS check resolves to 1.2.3.4
so it will decide that reverse DNS matches? Which one is true?
Perhaps I should do it a different way: I should point my MX record directly to s1.provider.com, this way:
mydomain.com MX s1.myprovider.com
Then s1.provider.com resolves to 1.2.3.4, and 1.2.3.4 resolves to s1.provider.com, so everything is ok, right? (The only problem is that I'm not sure how stable is this "s1.myprovider.com" domain name – maybe they change it from time to time, and sometimes it is "s2.myprovider.com", and such setup will fail?)
Best Answer
I think you are confusing incoming and outgoing mail exchangers. I'll try to answer your question by treating both separately:
Incoming mail
When another MTA has a message for $localpart@$yourdomain it does a DNS query (type MX, data $yourdomain). The answer it gets is mail.$yourdomain (and probably also its IP). It uses this to connect to your machine on port 25 and try to deliver the mail. Since the other machine is sending (not accepting), it will not do anti-spam checks based on your machine.
Outgoing mail
You want to send an e-mail from $localpart@$yourdomain to somebody else. Your machine (this does not have to be the same as the MX record) connects to the remote mail server and tries to deliver the mail. Now the remote machine will do anti-spam checks. It has two pieces of information from your machine: The 'HELO/EHLO name' and the IP address.
Nowadays most servers demand that the 'HELO name' is a fully qualified domain name and that it resolves to your IP address. Some demand that your IP address has reverse DNS that does not look dynamic (like dyn-127-0-0-1.example.com). I have encountered some servers that applied rate-limiting or greylisting when the 'HELO name' did not match the reverse DNS, but never full rejection.
My recommendations
mail.$yourdomain.
mail.$yourdomain.
A shared machine for outgoing mail is far from ideal; abuse from other users can easily get you on DNS-based blacklists.
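The checks described in the answer, run against the question's own names, as an added example that is not part of the original post. The DNS tables are constructed stand-ins for real lookups, and `looks_dynamic` and `verdict` are an assumed heuristic and an assumed policy, not any particular mail server's rules.

```python
import re

# Constructed DNS data using the names from the question (not real lookups).
A_RECORDS = {
    "mail.mydomain.com": {"1.2.3.4"},
    "s1.myprovider.com": {"1.2.3.4"},
    "dyn-5-6-7-8.example.com": {"5.6.7.8"},
}
PTR_RECORDS = {"1.2.3.4": "s1.myprovider.com", "5.6.7.8": "dyn-5-6-7-8.example.com"}

FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def looks_dynamic(ptr_name, ip):
    """Assumed heuristic: IP octets in the name, or dyn/dhcp/pool in the first label."""
    first_label = ptr_name.split(".")[0].lower()
    octets = r"[-.x]".join(re.escape(o) for o in ip.split("."))
    return bool(re.search(octets, ptr_name.lower()) or re.search(r"dyn|dhcp|pool", first_label))


def check_sender(helo, ip, a=A_RECORDS, ptr=PTR_RECORDS):
    """Return the checks a receiving MTA could run on the HELO name and client IP."""
    helo = helo.lower().rstrip(".")
    ptr_name = ptr.get(ip)
    return {
        "helo_is_fqdn": bool(FQDN_RE.match(helo)),
        "helo_resolves_to_ip": ip in a.get(helo, set()),
        "has_ptr": ptr_name is not None,
        # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
        "ptr_forward_confirmed": ptr_name is not None and ip in a.get(ptr_name, set()),
        "ptr_looks_dynamic": ptr_name is not None and looks_dynamic(ptr_name, ip),
        "helo_matches_ptr": ptr_name is not None and helo == ptr_name.lower(),
    }


def verdict(checks):
    """Assumed policy mirroring the answer: hard requirements, then a soft penalty."""
    if not (checks["helo_is_fqdn"] and checks["helo_resolves_to_ip"]):
        return "reject"
    if not checks["has_ptr"] or checks["ptr_looks_dynamic"]:
        return "reject"
    if not checks["helo_matches_ptr"]:
        return "greylist"
    return "accept"
```

With this data, a HELO of mail.mydomain.com from 1.2.3.4 passes the forward-confirmed reverse DNS check through s1.myprovider.com and only trips the HELO/PTR mismatch.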