Understanding How DNS Validation Works
Article ID: 178688

Products

Messaging Gateway

Issue/Introduction

This article explains how DNS validation works in Symantec Messaging Gateway (SMG).

Environment

This applies to all versions of SMG.

Resolution

To enable DNS validation, go to Protocols -> Settings -> SMTP.

Check any of the following options you wish to enable.

  • Option 1: Reject connections where no reverse DNS record exists for the connecting IP address

This option will perform reverse DNS validation and reject the connection if the connecting IP address has no reverse DNS record.

(Note: This feature does not reject connections from IP addresses listed as internal mail hosts.)

  • Option 2: Reject connections where the reverse DNS record exists for the connecting IP address, but the 'A' or 'AAAA' record of the resulting domain does not match the connecting IP address

This option will perform reverse DNS validation and reject the connection if both of the following statements are true:

  • A reverse DNS record exists for the connecting IP address.
  • The 'A' or 'AAAA' record of the domain found by the reverse DNS lookup does not match the connecting IP address.

(Note: This feature does not reject connections from IP addresses listed as internal mail hosts.)

  • Option 3: Reject connections where the domain provided at HELO and EHLO has neither an 'A', nor an 'AAAA', nor an 'MX' record in DNS

This option will perform DNS validation and reject the connection if the domain provided at HELO/EHLO has neither an 'A', an 'AAAA', nor an 'MX' record in DNS.

  • Option 4: Reject messages where the domain provided in the MAIL FROM address has neither an 'A', nor an 'AAAA', nor an 'MX' record in DNS

This option will perform DNS validation and reject the connection if the domain provided in the MAIL FROM address has neither an 'A', an 'AAAA', nor an 'MX' record in DNS.

(NOTE: Any of these options that fires on a message will reject the connection; there is no configuration available to change the action of this feature.)

You can customize the reject message that will appear in the NDR (dependent on the sender's MTA). We recommend that you configure each option with a unique reject message that identifies the type of DNS failure triggered, to facilitate troubleshooting.

Suggested message text:

  • Option 1: No reverse DNS record exists for the connecting IP
  • Option 2: Reverse DNS record exists, but the 'A' record does not match the connecting IP
  • Option 3: HELO or EHLO domain has neither an 'A', nor an 'AAAA', nor an 'MX'
  • Option 4: MAIL FROM address (domain) has neither an 'A', nor an 'AAAA', nor an 'MX' record
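As an added example (not SMG code), the following Python models the decision logic of the four options and the suggested reject texts against constructed in-memory DNS data, so it runs offline. The zone data, host names, the internal-mail-hosts entry and the handling of the null sender are hypothetical assumptions of this model.

```python
"""Model of SMG's four DNS validation options, run against constructed
in-memory DNS data (a stand-in for a resolver) so it works offline."""
import ipaddress

def canon(ip):
    """Normalise an IP so AAAA comparisons ignore formatting (2001:0db8:: vs 2001:db8::)."""
    return str(ipaddress.ip_address(ip))

# Constructed, hypothetical zone data: PTR (ip -> name), A/AAAA (name -> ips), MX (name -> hosts).
PTR = {"203.0.113.10": "mail.example.com",
       "203.0.113.20": "spoof.example.net",      # PTR exists but forward record disagrees
       "2001:db8::25": "mail6.example.com"}
FWD = {"mail.example.com": {"203.0.113.10"},
       "spoof.example.net": {"198.51.100.7"},
       "mail6.example.com": {"2001:db8::25"},
       "mx.example.org": {"203.0.113.30"}}
MX = {"example.com": {"mail.example.com"},
      "relay.example.org": {"mx.example.org"}}   # MX only, no A/AAAA of its own

INTERNAL_MAIL_HOSTS = {"10.0.0.5"}                # hypothetical internal mail host

def check_connection(ip, option1=True, option2=True):
    """Options 1 and 2, applied when the connection is made. Returns the
    reject text or None. Internal mail hosts are never rejected."""
    ip = canon(ip)
    if ip in INTERNAL_MAIL_HOSTS:
        return None
    name = PTR.get(ip)
    if option1 and name is None:
        return "No reverse DNS record exists for the connecting IP"
    if option2 and name is not None and ip not in FWD.get(name, set()):
        return "Reverse DNS record exists, but the 'A' record does not match the connecting IP"
    return None

def check_domain(domain, stage):
    """Options 3 (stage 'HELO or EHLO') and 4 (stage 'MAIL FROM address (domain)'):
    the domain passes if it has at least one A, AAAA or MX record."""
    if FWD.get(domain) or MX.get(domain):
        return None
    return f"{stage} has neither an 'A', nor an 'AAAA', nor an 'MX' record"

def mail_from_domain(mail_from):
    """Extract the domain from a MAIL FROM argument such as '<user@example.com>'.
    Assumption in this model: the null sender '<>' yields None and is not checked."""
    addr = mail_from.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None
```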