issues using nslookup to authenticate an e-mail address

Posted on 2003-04-01
Medium Priority
Last Modified: 2008-02-26
I have a number of mail forms on my site, with the user's e-mail address a required field.  For years I've used nslookup to authenticate the user's e-mail before I sent the comment off to my company.  I did this by running the following script (more or less):
"set type=mx"
And then searching the return string for the string "mail exchanger."  This has proved a reliable technique, until I found a valid domain that does not return "mail exchanger."  It does, however, return "responsible mail addr."  

Does the presence of "responsible mail addr" in the nslookup return string guarantee valid e-mail?  
If not, what does?

Question by:aschafer324
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2

Expert Comment

ID: 8346936
Could you give an example of a domain name that's returning 'responsible mail addr'?

Author Comment

ID: 8349115
I'd rather not, but this is exactly what the nslookup returns (I replaced the real serial with "########" and the real domain with "domain.com"):

primary name server = ns1.adgrafix.com
responsible mail addr = webmaster.domain.com
serial = ##########
refresh = 10800 <3 hours>
retry = 3600 <1 hour>
expire = 604800 <7 days>
default TTL = 86400 <1 day>

Expert Comment

ID: 8349267
Ah, in that case you're looking at the 'SOA' record

So, responsible mail addr has got nothing to do with mail delivery. It means that 'webmaster@domain.com' is the person who you should send email to if you want to contact someone about this domain.

The 'responsible mail addr' is the 'RNAME' field of the SOA response (see RFC1035 section 3.3.13) and is basically an email address in a 'domain name format'

"RNAME           A <domain-name> which specifies the mailbox of the person responsible for this zone."

ALL domains should have an SOA record, so they should ALL have a 'responsible mail addr' record in your NSLOOKUP results.

Hope this helps
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks


Expert Comment

ID: 8349286
Oh, if you don't normally see an SOA record like this, then it's because you're asking for a specific type of record (eg 'set type=mx'). In this case the target DNS server is deciding to give you back an SOA record as well.

Try looking at other domains but have 'set type=all' first and you'll see what I mean about all domains having an SOA.

(Note that hosts don't have SOAs, just domains - so 'microsoft.com' has one, but 'www.microsoft.com' doesn't)

Author Comment

ID: 8351426
So is there any fail safe way to authenticate an e-mail domain that doesn't return "mail exchanger" in its nslookup return string?

Accepted Solution

pscsuk earned 315 total points
ID: 8351634
Not really

If a domain doesn't have a 'mail exchanger' (MX record), then it will still accept mail if the 'A' record ('internet address') entries point to a valid SMTP server (on port 25)

Strictly speaking this isn't 'good practice', but lots of people do it, and it works.

You really need to decide where to draw the line, eg a reasonable approach may be:

- nslookup
- set type=all
- domain.com

- if any 'mail exchanger's - then it accepts mail
- if any 'internet address' values, then try to connect to one on port 25 and if you get a valid SMTP server response back (a line beginning with a '2') then it accepts mail

Alternatively, you may decide that this is too complex, so you might decide to make the assumption that all valid domains (as opposed to hosts) will accept mail - in this case look for either an MX record (mail exchanger) or an SOA record (eg look for "responsible mail addr"). This isn't going to be as reliable, but may be a reasonable compromise.

(To be really strict you should ALWAYS test for an SMTP server and even start sending a message to it (send HELO, MAIL FROM, RCPT TO, and see if you get any errors - this will often check the full address validity))

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Phishing attempts can come in all forms, shapes and sizes. No matter how familiar you think you are with them, always remember to take extra precaution when opening an email with attachments or links.
The purpose of this video is to demonstrate how to set up Lists in Mailchimp. This will be demonstrated using a Windows 8 PC. Mailchimp will be used. Log into your Mailchimp account. : Click on Lists. Click on Create List Button : Choose the desi…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question