Messaging Gateway deployment best practices


Article ID: 152087


Products

Messaging Gateway

Issue/Introduction

Configure Symantec Messaging Gateway (SMG) appliances using industry-standard deployment methods to ensure optimal performance, mail routing reliability, and security.

This guide covers physical placement, DNS requirements, and comprehensive sender authentication (SPF, DKIM, and DMARC) to meet the evolving requirements of global mail providers. Proper implementation prevents communication issues between Control Centers and Scanners while maintaining a strong sender reputation.

Environment

  • Product: Symantec Messaging Gateway (All versions)
  • Components: Control Center, Scanner
  • Deployment: SaaS, On-Premise, Virtual Appliance
  • External Dependencies: DNS (A and PTR records), Firewall (SMTP port 25)

Resolution

Physical location

Place multiple SMG hosts in the same physical location whenever possible.

If Messaging Gateway hosts must be deployed in different remote locations and communication issues occur (such as outdated statistics, timeouts, or host status unavailability in the GUI), deploy one Messaging Gateway Control Center at each location.

DNS Configuration

Every hostname must have a valid A record and a matching PTR record in DNS. Verify entries using the nslookup command. The following commands must return identical results for each host queried.


Command:

nslookup mx.example.com

Note: This command confirms the existence of an A record for the hostname.

Example results:

Server: dnsserver.example.com
Address: 192.0.2.1
Name: mx.example.com
Address: 192.0.2.2


Command:

nslookup 192.0.2.2

Note: The command confirms the existence of a PTR record for the IP address.

Example results:

Server: dnsserver.example.com
Address: 192.0.2.1
Name: mx.example.com
Address: 192.0.2.2

Verification Requirements:

  • The hostname mx.example.com must resolve to IP address 192.0.2.2.
  • The IP address 192.0.2.2 must resolve back to mx.example.com.

Sender Authentication (SPF, DKIM, DMARC)

Implement multi-layered DNS-based authentication to protect against forgery and ensure deliverability to major providers. Major providers now require SPF, DKIM, and DMARC for organizations sending high volumes of email.

  • SPF (Sender Policy Framework): Establish TXT records to identify authorized mail servers for your domain. Ensure you do not exceed the 10 DNS lookup limit defined in RFC 7208.
  • DKIM (DomainKeys Identified Mail): Sign outbound messages to verify they haven't been altered.
    • Configuration: Navigate to Protocols > Domains, select your domain, and provide the required selector and key data to enable signing.
    • Verification: Use nslookup -type=TXT [Selector]._domainkey.[domain] to confirm the record is public.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Tie SPF and DKIM together with a policy that tells receivers how to handle failures (p=none, quarantine, or reject).
    • Best Practice: Start with a p=none policy and review aggregate reports (RUA) before moving to a restrictive policy like p=quarantine or p=reject.
    • SMG Integration: Enable sender authentication in the SMG Control Center by navigating to Spam > Settings > Sender Authentication.
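
The following added example (not Broadcom or SMG code) statically counts the DNS-querying terms an SPF policy can trigger, following include and redirect chains, and compares the total with the 10-lookup limit from RFC 7208 mentioned above. The ZONE records and every domain name in them are constructed sample data standing in for live TXT lookups; the count is a worst case, since a real evaluation stops at the first matching mechanism.

```python
import re

# Constructed sample TXT records (hypothetical domains), replacing live DNS queries.
ZONE = {
    "example.com": "v=spf1 mx a:mx.example.com include:_spf.mailvendor.example include:_spf.crm.example -all",
    "_spf.mailvendor.example": "v=spf1 include:_a.mailvendor.example include:_b.mailvendor.example ~all",
    "_a.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailvendor.example": "v=spf1 a mx exists:%{i}.bl.mailvendor.example ~all",
    "_spf.crm.example": "v=spf1 ptr include:_spf.relay.example redirect=_fallback.crm.example",
    "_spf.relay.example": "v=spf1 ip6:2001:db8::/32 ?all",
    "_fallback.crm.example": "v=spf1 a ip4:203.0.113.7 -all",
}

# RFC 7208 section 4.6.4: these mechanisms, plus the redirect modifier, each cost one lookup.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from domain's SPF record."""
    if domain in path:
        raise ValueError(f"SPF include/redirect loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record here; the term that pointed at it was already counted
    terms = record.split()[1:]
    has_all = any(t.lstrip("+-~?").lower() == "all" for t in terms)
    total = 0
    for term in terms:
        modifier = re.fullmatch(r"(?i)redirect=(\S+)", term)
        if modifier:
            if not has_all:  # redirect is ignored when the record contains "all"
                total += 1 + count_lookups(modifier.group(1).lower(), zone, path + (domain,))
            continue
        # Strip the qualifier, then split off the domain-spec and any CIDR suffix.
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(arg.lower(), zone, path + (domain,))
    return total

def within_limit(domain, zone):
    """True when the policy cannot exceed the 10-lookup limit."""
    return count_lookups(domain, zone) <= LIMIT

if __name__ == "__main__":
    n = count_lookups("example.com", ZONE)
    print(f"example.com: {n} DNS-querying terms (limit {LIMIT}) ->",
          "OK" if n <= LIMIT else "exceeds limit, receivers return permerror")
```
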