SMTP client's hostname doesn't match PTR - email

I'm building an SMTP server and I'm struggling with an issue regarding hosts connecting to my SMTP server.
For instance, one client is connecting to my SMTP server with the given hostname: EUR02-AM5-obe.outbound.protection.outlook.com.
Unfortunately, the server's IP doesn't match that hostname (52.101.131.25).
Based on the SMTP rules, I should refuse this email, but when I do a reverse IP lookup for 52.101.131.25, I get mail-bgr052101131025.outbound.protection.outlook.com, which also comes from Outlook.com!
So, even if the hostname doesn't match the IP, the IP is originating from a valid source in that case (outbound.protection.outlook.com).
And Outlook is not the only one doing so, here's the case with Zoho:
HELO sender21-mail.zoho.eu coming from the IP 185.20.209.254.
But when you do a reverse lookup, you don't find sender21-mail.zoho.eu, but ... sender.zoho.eu
What can I do to ensure that both hostnames come from the same valid source, and that it is just the IP that is badly configured?

With content distribution networks & load balancing, the EHLO name and IP/reverse DNS often don't match. You could check the IP's validity against SPF records (not every domain has SPF records, but it is quite common). Taking zoho.eu as an example, the SPF record for the domain is
v=spf1 include:spf.zoho.eu -all
which is essentially a reference out to the record spf.zoho.eu:
v=spf1 ip4:185.20.209.0/24 ip4:31.186.226.0/24 ip4:87.252.213.0/24 ip4:84.207.209.0/24 ~all
185.20.209.254 falls within ip4:185.20.209.0/24 and is thus a reasonable source for messages from zoho.eu.
How to validate the source IP against SPF records depends on the SMTP server being used. There are milters for Sendmail and policy servers for Postfix that validate SPF.
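As an added illustration (not code from the answer above or from any of the milters or policy servers it mentions), here is a small SPF evaluator that walks the two zoho.eu records quoted in the answer and shows why 185.20.209.254 passes while an unrelated address fails. It also handles the a and mx mechanisms, so it goes a little beyond the include/ip4 case above; the DNS answers are a constructed in-memory table rather than live lookups, and the example.com A/MX entries are made up.

```python
import ipaddress

# Constructed DNS answers in place of live lookups: the two zoho.eu TXT records are
# the ones quoted in the answer; example.com, its A and MX data (RFC 5737 test
# addresses) are made up for the a/mx mechanisms.
TXT = {
    "zoho.eu": "v=spf1 include:spf.zoho.eu -all",
    "spf.zoho.eu": "v=spf1 ip4:185.20.209.0/24 ip4:31.186.226.0/24 "
                   "ip4:87.252.213.0/24 ip4:84.207.209.0/24 ~all",
    "example.com": "v=spf1 mx a -all",
}
A = {"example.com": ["192.0.2.80"], "mail.example.com": ["192.0.2.25"]}
MX = {"example.com": ["mail.example.com"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, depth=0):
    """Evaluate the SPF record of `domain` for sender `ip`.

    Supports the ip4, ip6, a, mx, include and all mechanisms and returns one of
    pass/fail/softfail/neutral/none/permerror, following RFC 7208 semantics."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = TXT.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return "none"                   # no SPF record published for the domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name in ("a", "mx"):
            target = value or domain    # bare "a"/"mx" refers to the domain itself
            hosts = MX.get(target, []) if name == "mx" else [target]
            if any(str(addr) in A.get(h, []) for h in hosts):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record yields "pass";
            # a softfail or fail inside it just falls through to the next term.
            if check_spf(value, ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"          # exists/ptr/redirect= not handled here
    return "neutral"                    # ran off the end without an "all" term
```

For 203.0.113.5 the include of spf.zoho.eu ends in ~all (softfail), which does not count as a match, so evaluation falls through to zoho.eu's own -all and the result is fail.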

Related

Setting up various DNS records for my mail server with external DNS

I have a domain name, mysite.com registered with a provider at ns1.dnsprovider.com and ns2.dnsprovider.com.
mysite.com is a Wordpress site on WHM/cPanel at IP: 111.222.333.444
I can set my DNS records at DNSProvider to point at 111.222.333.444 for the websites - no problem. I also need to set up email facilities.
This I'm struggling with. I'm simply running the standard Exim package in cPanel.
I figure I need to set up an A record mail.mysite.com for IP 111.222.333.444 but I also need to set up MX records. Would this be to mail.mysite.com with priority 0 and 10?
Also what about DKIM and SPF records? What would I need to enter?
First a quick note: If the mail server is on the same IP address you do not need the extra A record, since there is already an A record the MX record can use.
As for the MX record, it depends on what the mail addresses will be. For the one you mentioned the mail addresses will be user@mail.example.com; if you want them to be user@example.com, then the MX record must be for example.com, like this:
@ MX 10 mail.example.com.
Here mail.example.com is the extra A record you wanted to create. You can also point the record to example.com, since it has an A record pointing to the IP of the mail server.
Now for the SPF record, it depends on which servers will be sending mail on behalf of your domain. If it is only your server (this includes your web site, since they are on the same IP), the SPF record can be like this:
@ TXT "v=spf1 a -all"
This allows the IP of your A record to send mails and "forbids" everybody else.
The DKIM record is in the following format:
default._domainkey TXT "v=DKIM1; p=yourPublicKey"
You should generate yourPublicKey and also a private key, with which you will sign your mails (note that you can simply skip the whole DKIM part).

AWS EC2 Reverse DNS (PTR) Failing

Have searched everywhere, can't find answer.
I have the domain mydomain.com. The root and www records point to my main server, which runs my website.
I am now using a separate AWS ec2 instance to set up an email server for my domain. This is running on the subdomain mail.
My dns looks like this:
A @ webserverip
A www webserverip
A mail ec2ip
To prevent my server from getting flagged for spam, I submitted the amazon reverse dns form here: https://aws.amazon.com/forms/ec2-email-limit-rdns-request
I gave them the ip of my ec2 mail server, and put "mail.mydomain.com" in the "Reverse DNS Record for EIP 1" box.
However, I keep receiving emails back from them saying:
When attempting to map the reverse DNS entry, we notice that this is failing because the PTR record doesn't match the A record for that domain.
We currently require the forward A record to match the PTR record for all reverse DNS entries.
I really don't understand what I am doing wrong. The "mail" subdomain has an A record pointing to my ec2 server ip. Any assistance would be greatly appreciated!
(I am using cloudflare for my dns if this makes any difference)
You can follow these steps to configure the DNS for your EC2 dedicated mail server on AWS:
STEPS
Add two A host records for pop.mydomain.com and smtp.mydomain.com that point to your elastic IP and assign your MX record to the smtp.mydomain.com host.
Add a CNAME record (not A host record) for mail.mydomain.com that points to the DNS entry assigned by AWS (e.g., ec2-XXX-XXX-XXX-XXX.REGION.compute.amazonaws.com).
Submit your rDNS request for smtp.mydomain.com mapping to your EIP.
Don't forget to add the SPF TXT record for your mail server. For example, v=spf1 mx a
Once you're done with this setup, you should have a proper mail server configuration in terms of DNS that would pass SMTP tests and avoid being flagged as spam.

temperror when email is sent to hotmail & end up in junk/spam folder

When i send emails to hotmail main inboxes it ends up in spam/junk folder with the following in the header:
Authentication-Results: hotmail.com; spf=temperror (sender IP is X.X.X.X)
smtp.mailfrom=marieke@X.X; dkim=temperror header.d=X.com; x-hmca=none
However, both the DKIM and SPF have been good for at least a week, and they show "pass" when an email is sent to Gmail. In the past, the domain was hosted on a different server with a different SPF and DKIM record in the DNS.
Is it possible that microsoft servers don't do a DNS lookup or perhaps a DNS lookup from time to time?
There are several reasons why it happens:
First of all, the microsoft DNS lookup takes some time due to the TTL of DNS records, perhaps several weeks.
Then, my mistake was to set up two A records for my SMTP server hostname rather than one. Consequently, due to round robin, the forward-confirmed reverse DNS lookup failed from time to time, as the wrong IP address was returned. So if you have an SMTP mail server, you should only have one A record (and one AAAA record), meaning one IP address for it.
IPv4:
One server hostname = Only ONE IP address (A record)
One IPv4 address = Only ONE server hostname (Reverse DNS)
IPv6:
One server hostname = Only ONE IP address (AAAA record)
One IPv6 address = Only ONE server hostname (Reverse DNS)
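The check that both the AWS rDNS form above and the temperror answer are describing is forward-confirmed reverse DNS: the PTR name of the sending IP must resolve back to that same IP. The following added example (not code from either answer or from AWS) implements that check and also flags the two-A-record mistake; all DNS answers come from a constructed table using RFC 5737 test addresses, and the hostnames other than mail.mydomain.com/smtp.mydomain.com are made up.

```python
import ipaddress

# Constructed DNS answers (RFC 5737 test addresses) standing in for live lookups.
# 192.0.2.10 is a correctly set up mail host; .20 shows the two-A-record mistake
# from the temperror answer; .30 goes through a CNAME to an AWS-style name as the
# AWS answer suggests; .40 is the mismatch AWS complained about (PTR name whose A
# record points somewhere else).  Only A records are modelled, not AAAA.
FAKE_DNS = {
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["smtp.mydomain.com."],
    ("smtp.mydomain.com.", "A"): ["192.0.2.10"],
    ("20.2.0.192.in-addr.arpa.", "PTR"): ["mx.example.net."],
    ("mx.example.net.", "A"): ["192.0.2.20", "192.0.2.21"],
    ("30.2.0.192.in-addr.arpa.", "PTR"): ["mail.mydomain.com."],
    ("mail.mydomain.com.", "CNAME"): ["ec2-192-0-2-30.example.compute.amazonaws.com."],
    ("ec2-192-0-2-30.example.compute.amazonaws.com.", "A"): ["192.0.2.30"],
    ("40.2.0.192.in-addr.arpa.", "PTR"): ["www.mydomain.com."],
    ("www.mydomain.com.", "A"): ["192.0.2.1"],
}

def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])

def reverse_name(ip):
    # 192.0.2.10 -> 10.2.0.192.in-addr.arpa. (IPv6 yields an ip6.arpa. name)
    return ipaddress.ip_address(ip).reverse_pointer + "."

def forward_addresses(name, depth=0):
    """All A records behind `name`, following up to three CNAME hops."""
    if depth > 3:
        return []
    addrs = list(lookup(name, "A"))
    for target in lookup(name, "CNAME"):
        addrs += forward_addresses(target, depth + 1)
    return addrs

def fcrdns(ip):
    """Forward-confirmed reverse DNS check as AWS and most receivers apply it.

    Returns (status, hostname, warnings): 'pass' when some PTR name resolves back
    to ip, 'fail' when none does, 'none' when the IP has no PTR record at all."""
    ptrs = lookup(reverse_name(ip), "PTR")
    if not ptrs:
        return "none", None, []
    warnings = []
    for host in ptrs:
        addrs = forward_addresses(host)
        if ip in addrs:
            if len(addrs) > 1:   # passes, but round robin can still bite elsewhere
                warnings.append(f"{host} resolves to {len(addrs)} addresses; "
                                "a mail hostname should map to exactly one IP")
            return "pass", host, warnings
    return "fail", ptrs[0], warnings
```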

How to properly set up DNS SPF records for a .local server?

We send out mail via Microsoft Exchange 2010 running on a Windows Server set up as server.organization.local.
When error messages are generated it shows:
Generating server: server.organization.local
I am confused as to what our SPF records should look like based on this. Should it simply contain the external IP address that this server uses to send out mail, or both this .local address and external IP address?
Currently it is set as:
@ 10800 IN SPF "v=spf1 mx a:server.organization.local ip4:10.10.10.10 -all"
The mx is included to be safe, but I'm not sure if it needs to be? The MX records on the domain name are set to a third-party filtering service; no mail is sent via it.
You need to specify the public IPs if you want to send emails to the internet.
If you are sending emails to another mail server on the LAN then you might have to add the private IPs as well.
I suggest using a testing utility to check your SPF records.

SPF questions - how to set up

I would like to set up SPF for my domain example.com on my own server but I don't really understand how to do this, so here are my questions:
1) What does my SPF record(s) have to look like if I would like to allow my server IP x.x.x.x sending mail using mail@example.com (or better *@example.com)?
2) Where do I have to add the SPF record? To my DNS records? How do I store it there???
3) I would also like to send Mails from my laptop using myname@example.com, and I'm using my server IP x.x.x.x as SMTP server, I guess that's not a problem with the SPF record then?
Hope it doesn't sound too stupid, but I find this SPF thing a bit confusing ;)
Use a SPF generation wizard, like this one: http://spfwizard.com/
1) What does my SPF record(s) have to look like if I would like to allow my server IP x.x.x.x sending mail using mail@example.com (or better *@example.com)?
In BIND record format, it could be something like:
example.com. IN TXT "v=spf1 mx ip4:x.x.x.x ~all"
Basically, it allows emails to be sent from:
all the MX records for example.com
the ip x.x.x.x
the other cases are qualified as softfail.
2) Where do I have to add the SPF record? To my DNS records? How do I store it there???
You must be allowed to edit the DNS records for the domain example.com. Most likely it's a service provided by your registrar. You say you have 2 fields: you should add example.com (your domain) in the host field, and the "v=spf1.." string (without quotes) in the rule field.
3) I would also like to send Mails from my laptop using myname@example.com, and I'm using my server IP x.x.x.x as SMTP server, I guess that's not a problem with the SPF record then?
Well said, you got the point.