Dns mx record vs reverse dns


I need some help on clarification of the reverse DNS and MX record setup. I wasn't able to find a definitive answer on Google. The case is the following. Say I have domain "mydomain.com", I have a SMTP server named "mail.mydomain.com", which is hosted by myprovider.com. I want to send/receive mails from domain mydomain.com.
So I add MX record like this:

mydomain.com MX mail.mydomain.com

I also have A record, pointing to the myprovider.com server IP (suppose it is 1.2.3.4):

mail.mydomain.com A 1.2.3.4

Now, I want to make sure my mails will be delivered, so I check reverse DNS for this. I got the following results:

mail.mydomain.com -> DNS check resolves to 1.2.3.4,

1.2.3.4 -> reverse DNS check resolves to s1.myprovider.com

Now – does it mean that the anti-spam reverse DNS check fails, because 1.2.3.4 doesn't resolve back to mail.mydomain.com? BUT: it's a shared server, so it will never resolve to my domain.com – it will always resolve to myprovider.com – right? Does it mean the mail will be potentially marked as spam? OR: the anti-spam filter will do one more DNS check, checking the IP of s1.myprovider.com:

s1.myprovider.com -> DNS check resolves to 1.2.3.4

so it will decide that reverse DNS matches? Which one is true?

Perhaps I should do it a different way: I should point my MX record directly to s1.provider.com, this way:

mydomain.com MX s1.myprovider.com

Then s1.provider.com resolves to 1.2.3.4, and 1.2.3.4 resolves to s1.provider.com, so everything is ok, right? (The only problem is that I'm not sure how stable is this "s1.myprovider.com" domain name – maybe they change it from time to time, and sometimes it is "s2.myprovider.com", and such setup will fail?)

Best Answer

I think you are confusing incoming and outgoing mail exchangers. I'll try to answer your question by treating both separately:

Incoming mail

When another MTA has a message for $localpart@$yourdomain it does a DNS query (type MX, data $yourdomain). The answer it gets is mail.$yourdomain (and probably also its IP). It uses this to connect to your machine on port 25 and try to deliver the mail. Since the other machine is sending (not accepting), it will not do anti-spam checks based on your machine.

Outgoing mail

You want to send an e-mail from $localpart@$yourdomain to somebody else. Your machine (this does not have to be the same as the MX record) connects to the remote mail server and tries to deliver the mail. Now the remote machine will do anti-spam checks. It has two pieces of information from your machine: The 'HELO/EHLO name' and the IP address.

Nowadays most servers demand that the 'HELO name' is a fully qualified domain name and that it resolves to your IP address. Some demand that your IP address has reverse DNS that does not look dynamic (like dyn-127-0-0-1.example.com). I have encountered some servers that applied rate-limiting or greylisting when the 'HELO name' did not match the reverse DNS, but never full rejection.

My recommendations

  • Keep your MX record as mail.$yourdomain.
  • If you also use this machine for outgoing mail, set the 'HELO name' to mail.$yourdomain.

A shared machine for outgoing mail is far from ideal; abuse from other users can easily get you on DNS-based blacklists.
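To make the receiver-side checks from the answer concrete, here is an added example (not from the original post or any real MTA) that runs them against a constructed DNS map reproducing the question's records: it distinguishes "HELO resolves to the IP", "PTR resolves back to the IP" (forward-confirmed rDNS) and the stricter "HELO equals PTR" match; the dynamic-name pattern is an assumed heuristic.

```python
import re
from dataclasses import dataclass, field

# Constructed DNS data reproducing the question's situation (not real records).
FORWARD = {  # name -> A records
    "mail.mydomain.com": ["1.2.3.4"],
    "s1.myprovider.com": ["1.2.3.4"],
}
REVERSE = {  # ip -> PTR names
    "1.2.3.4": ["s1.myprovider.com"],
}

# Assumed heuristic for "dynamic-looking" PTR names such as dyn-127-0-0-1.example.com.
DYNAMIC_PTR = re.compile(r"(dyn|dhcp|pool|ppp)|\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}", re.I)

@dataclass
class Verdict:
    helo_resolves_to_ip: bool   # HELO name has an A record equal to the connecting IP
    ptr_names: list             # PTR names found for the IP
    fcrdns_ok: bool             # some PTR name resolves back to the IP
    helo_matches_ptr: bool      # strict check: HELO name equals a PTR name
    dynamic_looking: bool       # a PTR name matches the dynamic-address pattern
    notes: list = field(default_factory=list)

def check_sender(helo, ip, forward=FORWARD, reverse=REVERSE):
    """Run the receiver-side checks described in the answer for one connecting client."""
    name = helo.rstrip(".").lower()
    helo_ok = ip in forward.get(name, [])
    ptrs = [p.rstrip(".").lower() for p in reverse.get(ip, [])]
    fcrdns = any(ip in forward.get(p, []) for p in ptrs)
    matches = name in ptrs
    dynamic = any(DYNAMIC_PTR.search(p) for p in ptrs)
    v = Verdict(helo_ok, ptrs, fcrdns, matches, dynamic)
    if not helo_ok:
        v.notes.append("HELO name does not resolve to the connecting IP: expect rejection")
    if not ptrs:
        v.notes.append("no PTR record: many receivers reject")
    elif not fcrdns:
        v.notes.append("PTR does not resolve back to the IP: treated like missing rDNS")
    if dynamic:
        v.notes.append("PTR looks dynamic: likely rejection")
    if helo_ok and fcrdns and not matches:
        v.notes.append("HELO differs from PTR: usually accepted, possibly greylisted or rate-limited")
    return v
```

With the question's records, `check_sender("mail.mydomain.com", "1.2.3.4")` passes the HELO and forward-confirmed rDNS checks and only fails the strict HELO-equals-PTR match, which is the case the answer describes as greylisting at worst.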
