issues using nslookup to authenticate an e-mail address

Posted on 2003-04-01
Medium Priority
Last Modified: 2008-02-26
I have a number of mail forms on my site, with the user's e-mail address a required field.  For years I've used nslookup to authenticate the user's e-mail before I sent the comment off to my company.  I did this by running the following script (more or less):
"set type=mx"
And then searching the return string for the string "mail exchanger."  This has proved a reliable technique, until I found a valid domain that does not return "mail exchanger."  It does, however, return "responsible mail addr."  

Does the presence of "responsible mail addr" in the nslookup return string guarantee valid e-mail?  
If not, what does?

Question by:aschafer324
  • 4
  • 2

Expert Comment

ID: 8346936
Could you give an example of a domain name that's returning 'responsible mail addr'?

Author Comment

ID: 8349115
I'd rather not, but this is exactly what the nslookup returns (I replaced the real serial with "########" and the real domain with "domain.com"):

primary name server = ns1.adgrafix.com
responsible mail addr = webmaster.domain.com
serial = ##########
refresh = 10800 <3 hours>
retry = 3600 <1 hour>
expire = 604800 <7 days>
default TTL = 86400 <1 day>

Expert Comment

ID: 8349267
Ah, in that case you're looking at the 'SOA' record

So, responsible mail addr has got nothing to do with mail delivery. It means that 'webmaster@domain.com' is the person who you should send email to if you want to contact someone about this domain.

The 'responsible mail addr' is the 'RNAME' field of the SOA response (see RFC1035 section 3.3.13) and is basically an email address in a 'domain name format'

"RNAME           A <domain-name> which specifies the mailbox of the person responsible for this zone."

ALL domains should have an SOA record, so they should ALL have a 'responsible mail addr' record in your NSLOOKUP results.

Hope this helps
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.


Expert Comment

ID: 8349286
Oh, if you don't normally see an SOA record like this, then it's because you're asking for a specific type of record (eg 'set type=mx'). In this case the target DNS server is deciding to give you back an SOA record as well.

Try looking at other domains but have 'set type=all' first and you'll see what I mean about all domains having an SOA.

(Note that hosts don't have SOAs, just domains - so 'microsoft.com' has one, but 'www.microsoft.com' doesn't)

Author Comment

ID: 8351426
So is there any fail safe way to authenticate an e-mail domain that doesn't return "mail exchanger" in its nslookup return string?

Accepted Solution

pscsuk earned 315 total points
ID: 8351634
Not really

If a domain doesn't have a 'mail exchanger' (MX record), then it will still accept mail if the 'A' record ('internet address') entries point to a valid SMTP server (on port 25)

Strictly speaking this isn't 'good practice', but lots of people do it, and it works.

You really need to decide where to draw the line, eg a reasonable approach may be:

- nslookup
- set type=all
- domain.com

- if any 'mail exchanger's - then it accepts mail
- if any 'internet address' values, then try to connect to one on port 25 and if you get a valid SMTP server response back (a line beginning with a '2') then it accepts mail

Alternatively, you may decide that this is too complex, so you might decide to make the assumption that all valid domains (as opposed to hosts) will accept mail - in this case look for either an MX record (mail exchanger) or an SOA record (eg look for "responsible mail addr"). This isn't going to be as reliable, but may be a reasonable compromise.

(To be really strict you should ALWAYS test for an SMTP server and even start sending a message to it (send HELO, MAIL FROM, RCPT TO, and see if you get any errors - this will often check the full address validity))

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
Take a look at these 6 Outlook Email management tools which can augment the working and performance of Microsoft Outlook to give you a more rewarding emailing experience.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses
Course of the Month3 days, 11 hours left to enroll

601 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question