MX Record, Exchange 2007 Question

Tags: dns-hosting, exchange-2007, mx-record

If you have an Exchange 2007 server, you set up an MX record in DNS in the Forward Lookup Zone pointing to whatever prefix *.domain.com you configured in the Exchange Console, correct? Then you create an MX record in your Domain manager on your domain vendor's site? Or is that redundant?

I am getting SOME emails but not receiving MOST emails from external sources. I've checked certificates and they seem to be updated and pointing to the correct server.domain.com. However, I've checked some of the bounce-back error logs for other companies, and their email servers are connecting to my actual domain name "domain.com" and thus, it seems, the wrong IP address too. So they time out and bounce back. Hotmail seems to come in just fine, oddly enough. At first I thought it was a Certificate/TLS issue, but I'm beginning to think it is an MX issue. Any ideas?

Any suggestions would be appreciated.

My brain is fried, been at this since last night.


In Server 2008 in DNS the following is configured: MX [10] mail.mydomain.com; A mail ip.address.here (external Exchange IP); I also have a Zone separate from our root domain, that is named our mail.mydomain.com. In that Zone, there exists records for NS, SOA, MX, and A.

Now on our Domain Manager on our Domain Host vendor's site:
MX – mail.mydomain.com
A – our.exchange.server.external.ip


Do I have a needlessly redundant setup? I was just contacted by our Domain Host and they mentioned they were having DNS issues, which is most likely our problem. However I am still curious about our setup.

Thank you

Best Answer

There is more than one DNS step to ensure a mail server you have on a company network can send/receive email from the Internet.

  1. Your internal Active Directory DNS server is usually not related to incoming email. If you host your domainname.com on your internal DNS server as well as Internet DNS, that's known as "split brain DNS" and is the proper way for most people to do it. For now, ignore it for troubleshooting incoming mail.
  2. Your Internet DNS needs at least two records: one A record giving a name to your email server's public IP, and an MX record pointing your domainname.com to a specific A record. Together they would look something like this:

    mail.domainname.com A 3600 333.333.333.333
    domainname.com MX 3600 mail.domainname.com

  3. Like Hyppy says, get your ISP who gave you the public IP for your mail server to change your reverse DNS for that IP to the same name as the A record.
  4. Recommended but not required for outgoing email is to make an SPF record http://old.openspf.org/wizard.html which tells the world that email coming from your mail server IP is legit and should be trusted, while any email pretending to be you coming from unknown IPs is not to be trusted. This helps keep your email from ending up in other companies' spam folders.
  5. You should also ensure your Exchange 2007 server has a separate anonymous-only SMTP receive connector for incoming Internet mail, that has the EHLO response header the same as your Internet A record, i.e. mail.domainname.com

Internet SMTP servers don't generally use PKI Certificates for communications, although modern Exchange servers (and maybe others) are trying to change this.
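An offline consistency check for steps 2 and 3 of the answer above, added here as an example that is not from the thread. The zone data, IP addresses and PTR mapping are constructed; a second zone reproduces the question's symptom (no MX record, so senders fall back to the bare domain's A record).

```python
"""Check that a domain's public DNS has the records the answer lists (added example)."""

# Constructed data modelled on the answer's two-record example. In real use these
# would be looked up in the public DNS (e.g. with dig), never in the internal
# Active Directory zone, which the answer says to ignore for incoming mail.
GOOD_ZONE = {
    "domainname.com.": [("A", "203.0.113.80"),
                        ("MX", (10, "mail.domainname.com."))],
    "mail.domainname.com.": [("A", "203.0.113.25")],
}
# Constructed zone reproducing the question's symptom: the MX record is missing,
# so remote servers treat the bare domain's A record (the web host) as an
# implicit MX, connect to the wrong IP, and time out.
BROKEN_ZONE = {
    "domainname.com.": [("A", "203.0.113.80")],
    "mail.domainname.com.": [("A", "203.0.113.25")],
}
# Constructed reverse zone, IP -> PTR name (step 3: the ISP sets this for you).
PTR = {"203.0.113.25": "mail.domainname.com."}


def check_mail_dns(domain, zone, ptr):
    """Return a list of problems; an empty list means MX, A and PTR are consistent."""
    problems = []
    mx_records = [rdata for rtype, rdata in zone.get(domain, []) if rtype == "MX"]
    if not mx_records:
        a_records = [rdata for rtype, rdata in zone.get(domain, []) if rtype == "A"]
        problems.append(f"{domain} has no MX record; senders will use its A record "
                        f"{a_records} as an implicit MX")
        return problems
    for _pref, target in sorted(mx_records):
        rrs = zone.get(target, [])
        if any(rtype == "CNAME" for rtype, _ in rrs):
            problems.append(f"MX target {target} is a CNAME; it must be an A record")
        addrs = [rdata for rtype, rdata in rrs if rtype == "A"]
        if not addrs:
            problems.append(f"MX target {target} has no A record")
            continue
        for ip in addrs:  # step 3: reverse DNS must give back the A record's name
            if ptr.get(ip) != target:
                problems.append(f"reverse DNS for {ip} is {ptr.get(ip)!r}, expected {target}")
    return problems


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("broken", BROKEN_ZONE)):
        print(label, check_mail_dns("domainname.com.", zone, PTR) or "OK")
```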