About DNS Validation in Messaging Gateway

book

Article ID: 155770

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

You want to know how DNS Validation works in Symantec Messaging Gateway (SMG), for incoming SMTP connections.

Resolution

Reject connections where no reverse DNS record exists for the connecting IP address

Perform reverse DNS validation and reject the connection if the connecting IP address has no reverse DNS record. The reverse DNS record resolves an IP address to a domain name, whereas typical DNS resolves a domain name to an IP.

Reject connections where the reverse DNS record exists for the connecting IP address, but the 'A' or 'AAAA' record of the resulting domain does not match the connecting IP address

Perform reverse DNS validation and reject the connection if a reverse DNS record exists for the connecting IP address and the 'A' or 'AAAA' DNS record of the domain found by the reverse DNS lookup does not match the connecting IP address.

Reject connections where the domain provided at HELO and EHLO has neither an 'A', nor an 'AAAA', nor an 'MX' record in DNS

Perform DNS validation and reject the connection if the domain that is provided at HELO/EHLO has neither an 'A,' 'AAAA,' nor an 'MX' record in DNS. The connecting client uses the HELO or EHLO verb to state its identity.

If the connecting client does not have the specified records, then this would typically indicate that the connecting client is not a valid mail server.

Reject messages where the domain provided in the MAIL FROM address has neither an 'A', nor an 'AAAA', nor an 'MX' record in DNS

Perform DNS validation and reject the connection if the domain that is provided at MAIL FROM has neither an 'A,' 'AAAA,' nor an 'MX' record in DNS. The MAIL FROM verb indicates the sender's email identity.

If the sender's domain does not have the specified records, then this would typically indicate that the sender's domain does not have a valid mail server.

Note: If you use these options there is a risk that good intentioned senders may be blocked if they have not adhered to best practices for mail delivery. These features are solely related to the DNS query results referenced.