Error: "DNS TXT query for [hostname] failed unexpectedly"


Article ID: 171164


Products

Messaging Gateway

Issue/Introduction

Symantec Messaging Gateway (SMG) IP reputation does not appear to block connections as expected, resulting in an increase in missed spam messages. The Brightmail Engine logs show multiple errors indicating that DNS TXT queries are failing.
 

DNS TXT query for "20.145.12.216.zodiac.brightmail.com" failed unexpectedly.

Cause

This error results from a failure in looking up the IP of a mail sender on the Symantec Global Reputation Service.

Note: This error does not appear if there is no record associated with the sender in the reputation service. This error appears only if there is a failure in the lookup process.

Resolution

  1. Ensure that you have a correctly configured DNS server for the appliance on which this error occurred. You can find the DNS server configuration for the appliance in question by accessing the Control Center's Administration > Hosts > Configurations screen. Select the checkbox next to the appliance with the error and click Edit. In the page that appears, click the DNS/Time tab and confirm that you have only valid entries for your DNS server.

  2. Execute a DNS query using either the Admin CLI's nslookup command, or the Control Center's Administration > Hosts > Utilities > Nslookup tool. Extract the domain from the error in question. The domain looks similar to: 20.145.12.216.zodiac.brightmail.com.

    Execute a TXT record query for that domain. Following is a sample record query:

    > nslookup -type=TXT 20.145.12.216.zodiac.brightmail.com
    

    You must receive a response that includes:

    Non-authoritative answer:
    20.145.12.216.zodiac.brightmail.com     text = "H=1"
    

If the nslookup utility fails:

  • Check if you can execute the same query off the appliance, preferably from another network segment.

If you cannot execute this query from another network segment:

  • Contact your network administrator to ensure that there are no firewall rules that prevent communication between your appliance and the configured DNS server. Check your configured DNS server for errors and ensure that the forwarders are configured correctly on that DNS server.

Additional Information

Broadcom does not have a reputation record for every IP on the internet, so it is expected that looking up some records may return an NXDOMAIN response. Effectively these messages are informational and can be considered benign.
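
The Resolution steps and the NXDOMAIN note above can be combined into one triage script, shown here as an added example that is not Broadcom's code. It assumes BIND-style nslookup output as printed on Linux, a log file exported from the appliance, and resolver addresses that you supply; the function names and the sample line's timestamp prefix are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage "DNS TXT query ... failed unexpectedly" log errors.
# Assumption: nslookup prints BIND-style output (Linux); other builds differ.

# Constructed sample line: the prefix is made up, the message is from the article.
SAMPLE_LOG='Jan 01 00:00:00 (ERROR) DNS TXT query for "20.145.12.216.zodiac.brightmail.com" failed unexpectedly.'

# Read log text on stdin and print each distinct queried hostname once.
# Only names made of letters, digits, dots and hyphens that start with a
# letter or digit are accepted, so log content cannot inject nslookup options.
extract_hosts() {
    sed -n 's/.*DNS TXT query for "\([0-9A-Za-z][0-9A-Za-z.-]*\)" failed unexpectedly.*/\1/p' | sort -u
}

# Classify the text nslookup printed for one TXT query.
classify_output() {
    case "$1" in
        *'text = "'*) echo answer ;;         # a TXT record came back
        *NXDOMAIN*)   echo no-record ;;      # no reputation record: benign
        *)            echo lookup-failed ;;  # SERVFAIL, timeout, refused, ...
    esac
}

# Query one hostname against one resolver and print a tab-separated row.
check_host() {  # $1 = hostname, $2 = DNS server IP
    out=$(nslookup -type=TXT "$1" "$2" 2>&1) || true
    printf '%s\t%s\t%s\n' "$2" "$1" "$(classify_output "$out")"
}

# Usage: sh triage.sh LOGFILE DNS_SERVER [DNS_SERVER...]
if [ "$#" -ge 2 ]; then
    log=$1; shift
    for host in $(extract_hosts < "$log"); do
        for server in "$@"; do
            check_host "$host" "$server"
        done
    done
else
    # No arguments: show what would be queried for the constructed sample.
    printf '%s\n' "$SAMPLE_LOG" | extract_hosts
fi
```

Run it with the appliance's configured DNS servers and, from another network segment, a second resolver: rows marked `lookup-failed` on only one resolver point at that server or the path to it, while `no-record` rows need no action.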