Need to know how to configure Reverse DNS on a Windows 2000 to stop Reverse DNS mail rejection

Posted on 2005-05-12
Last Modified: 2008-02-01
I just had a client send me a rejected email message that read as follows....

            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            < #5.7.1 smtp;554 5.7.1 The server sending your mail [] does not have a reverse DNS entry. Connection Rejected. Please contact your Dial-Up/DSL/Network ISP Provider. Default Reject!>

I have read many posts about what to do and most of them say "ask your ISP to configure the reverse DNS" which I'm sure that I'm the one that needs to correctly enter this into my server.  I have a Windows 2000 server running DNS and points the Host and MX records to the correct IP addresses for both the websites and the email.  I read the following post.....

<<<<<<<<<<<<<<  You cannot resolve this by going to your server. You will need to contact your ISP and have them set up a reverse DNS entry for
your mail server. If your server is '', then you need to have them set the reverse IP for 123.45.678.90 to>>>>>>>>>>>>

Where in the DNS does this get set?  I have tried a couple of entries and haven't set it up correctly yet.

I tried to put some entries in the Reverse Lookup Zones but without any luck.  Is this where this would go?

Question by:Zantis
    Accepted Solution

    You have the right information. These changes should be made by your ISP and not you, unless you are hosting a public DNS server.

    "which I'm sure that I'm the one that needs to correctly enter this into my server" - are you hosting your own DNS server?

    REASON: your mail server will have an MX record registered at the Public DNS server (generally the ISP). This ISP also holds the A record for your MX record in their DNS server. The same A record should have a reverse-DNS entry in the same DNS server.

    In short, your ISP should configure the Reverse-DNS entry for your A record in their DNS server.

    Ask for more information if required

    Author Comment

    Yes, I'm hosting my own DNS server.... as explained above.  I have been doing all the DNS entries.  I just need to know how to correctly enter the Reverse DNS entry on my DNS server as it looks like  I haven't done it yet.

    I have the MX records pointing to the email server for each hosted domain also including my own domain.  

    In the above comment I should make an A record for my MX record?  I do have A records that point to the mail server's IP address:

    ex-srv1                    A
    (same as parent folder)    MX

    Under the Reverse Lookup Zones it reads

    I tried putting my IP address for the email server in the "Network ID" when creating a Reverse Lookup Zone and without any luck.  And it seems there isn't much to the reverse lookup zones either.  Not too many options there.

    Expert Comment

    What is your subnet mask? Reverse-DNS works at IP level. Did your ISP delegate your DNS server to be responsible for the range of IP addresses?

    Read this!

    Reverse-lookup uses the same principle as regular DNS but has a couple of special attributes.
    1.      All IP addresses are part of one domain called "".
    2.      Reverse-Lookup is delegated like regular DNS but it must be delegated all the way down to your DNS server and this is more complicated because the delegation design uses the octet level of the IP address. The reason this is more difficult is that many domains with controlling DNS servers do not have a full octet of IP addresses as they are sub-netted to a smaller number, such as 128, 64, 32, 16, or 8.
    ARIN is the (American Registry for Internet Numbers) registry for DNS numbers in the U.S. and some other continents.
    How it actually works:
    1.      Some client or server on the Internet wants to know who (random address) is. They want to know the name this translates to. Some mail services do a reverse lookup on the email domain to be sure it really exists before they will accept the email.
    2.      That client or server asks the question, "Who is" This goes to their DNS server. Their DNS server will act as the "agent" that resolves this thing and only sends back the finished query.
    3.      Or, if they are a DNS server, it goes to the root server and the root server replies with an NS record of the server who has been delegated the reverse lookup for that subnet. And, since it is acting as the "agent", it does all of the work.
    4.      Let's say that the Root server sends back a reply that says, "Well, I know that is delegated to Great Big ISP and his DNS server's IP address is ....."
    5.      So now the querying DNS server sends a query to Great Big ISP's DNS server, of record, and says the same thing again, "Who is"
    6.      Great Big ISP's DNS server replies, "Well, I don't know that one, but I do know that I own and I have delegated to Regular Big ISP and here's their DNS server's IP address....."
    7.      So now your DNS server sends a request to Regular Big ISP and asks the same question yet again, "Who is".
    8.      Regular Big ISP says, "I don't know who that is but I do know that I delegated to Little ISP so ask him. Here's his DNS server's IP address...."
    9.      Now your DNS server asks Little ISP's DNS server the same question, "Who is"
    10.      Little ISP's DNS server replies, "HEY, I KNOW THAT! That's!"
    11.      Your DNS server now has the name for that IP address and uses it, or returns it to the client who requested it.
        This becomes somewhat more complicated when it is done on a non-octet boundary since you have to create several zones for one Class C subnet, but this representation is accurate down to a Class C (256 addresses) subnet.
        ARIN was formed as a result of discussions between the large Internet registration entities such as IANA, RIPE, IETF, APNIC, NSF, and FNC. You can learn more about these organizations by using the links of the names above.
        You can do your own lookup at the ARIN Whois page. This page shows the delegation to the big providers and does not necessarily go all the way down to the IP address in question since it actually gives names and contacts for the subnets and no actual host names for an IP address. Usually you will only get down to the Class C subnet that the IP address  you are looking for is part of. NSLookup will have to be used if you want to go farther down.
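
Added example, not part of the original thread: a simplified Python model of the referral walk described in the comment above, showing why a PTR record in your own Reverse Lookup Zone is never consulted unless the ISP delegates to your server. The 203.0.113.0/24 range, the example.com name and the server labels are constructed assumptions, and real resolution has more delegation levels than this model.

```python
import copy
import ipaddress

# Constructed data: documentation range 203.0.113.0/24 and hypothetical server names.
# "refer" = zones a server delegates onward (NS referral); "ptr" = PTR records it holds.
SERVERS = {
    "root":          {"refer": {"203.in-addr.arpa": "great-big-isp"}, "ptr": {}},
    "great-big-isp": {"refer": {"113.0.203.in-addr.arpa": "little-isp"}, "ptr": {}},
    "little-isp":    {"refer": {}, "ptr": {}},
    # The customer's own server has a reverse zone, but no one delegates to it.
    "customer-dns":  {"refer": {},
                      "ptr": {"25.113.0.203.in-addr.arpa": "ex-srv1.example.com."}},
}

def resolve_ptr(ip, servers):
    """Follow referrals from the root; return (ptr_name_or_None, servers_asked)."""
    # 203.0.113.25 -> 25.113.0.203.in-addr.arpa
    qname = ipaddress.ip_address(ip).reverse_pointer
    server, asked = "root", []
    while server is not None and server not in asked:
        asked.append(server)
        data = servers[server]
        if qname in data["ptr"]:
            return data["ptr"][qname], asked
        # Pick the most specific delegated zone that contains the query name.
        zones = [z for z in data["refer"] if qname == z or qname.endswith("." + z)]
        server = data["refer"][max(zones, key=len)] if zones else None
    return None, asked

def isp_adds_ptr(servers):
    """Fix 1: the ISP publishes the PTR record in its own zone."""
    fixed = copy.deepcopy(servers)
    fixed["little-isp"]["ptr"]["25.113.0.203.in-addr.arpa"] = "ex-srv1.example.com."
    return fixed

def isp_delegates(servers):
    """Fix 2: the ISP delegates the name to the customer's DNS server."""
    fixed = copy.deepcopy(servers)
    fixed["little-isp"]["refer"]["25.113.0.203.in-addr.arpa"] = "customer-dns"
    return fixed

if __name__ == "__main__":
    for label, s in [("as configured", SERVERS),
                     ("ISP adds PTR", isp_adds_ptr(SERVERS)),
                     ("ISP delegates", isp_delegates(SERVERS))]:
        print(label, resolve_ptr("203.0.113.25", s))
```
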

    Author Comment


    My subnet mask is  I have IP address - with a gateway at

    I have a better understanding from the list above but this is what my server has listed under reverse DNS on the DNS server...

    This is the list that the server created when it was installed.  Nothing has been changed in the Reverse DNS area.  I just need to make whatever entry for IP address to point to and whatever record that would be.

    Author Comment

    I did end up having Qwest add a Reverse-DNS entry to route my IP address and all is good.
