Solved

FQDN and "A" Record

Posted on 2010-11-09
22
675 Views
Last Modified: 2012-06-27
I have a Windows 2003 Exchange Server with a fully qualified domain name of ServerName.domain1.com.  We use an external company that looks after our domains and firewall services.  

Should I have an “A” record set up against the fully qualified domain name of the server?  We have an “A” record for the domain and against the OWA address of mail.domain1.com but not the FQDN of the Exchange Server.  

I’m trying to understand best practice in terms of setting up DNS entries for Exchange Servers.    
0
Question by:DHPBilcare
22 Comments
 
LVL 7

Expert Comment

by:Anglo
You would normally only need an mx record for smtp traffic.
0
 
LVL 23

Expert Comment

by:jakethecatuk
Let's assume you have a domain called MYDOMAIN.COM

Typically, you would have the following DNS records: -

MYDOMAIN.COM - A RECORD - {IP address of your web server}
WWW.MYDOMAIN.COM - A RECORD or CNAME - {IP address of your web server or CNAME entry for the server providing service}
SMTP.MYDOMAIN.COM - A RECORD - {IP address of your inbound e-mail server}
MYDOMAIN.COM - MX RECORD - {MYDOMAIN.COM}
OWA.MYDOMAIN.COM - A RECORD or CNAME - {IP address of your OWA server or CNAME entry for the server providing service}

You can also have SPF records which are sometimes required for sending/receiving e-mail.
0
 
LVL 23

Expert Comment

by:jakethecatuk
typo...

MYDOMAIN.COM - MX RECORD - {SMTP.MYDOMAIN.COM}

sorry
0
 
LVL 16

Expert Comment

by:Carol Chisholm
An MX record (mail.domain.com) for mail is needed.
You might want to have owa.domain.com so you can use a different IP address for the users accessing OWA and route it differently.
You DO NOT want to put the internal name of the server in a public DNS - it might change and telling the world the name of your server is not a good idea.

You will need the name of the server in the certificate for encrypting your OWA.
0
 

Author Comment

by:DHPBilcare
We have an "MX" record against the FQDN of the server.

We have a requirement to email out from a secondary domain which is hosted in a sister company of ours.  

Am I correct in thinking that all we need to do is update the SPF record of the sister company with the FQDN of our server?  

I want to ensure that the DNS is correct.  The plan is that I add the second domain to our Exchange recipient policy and the SMTP address to the applicable user but want to double check the DNS to do this.
0
 
LVL 23

Expert Comment

by:jakethecatuk
This website will help you with understanding SPF records.

http://old.openspf.org/wizard.html

0
 

Author Comment

by:DHPBilcare
OK.

So we currently have listed with the company that provides our hosting services:

"A" of Mail
"A" of Domain.com
"MX" of ServerName.Domain.com (matching the FQDN of the Server)

To email outbound from our Exchange Server with an SMTP address hosted by our sister company, from a DNS point of view, I would only need to have their SPF record updated to include our Exchange Server?  I want to ensure I don't get spammed when running this.  

0
 
LVL 23

Expert Comment

by:jakethecatuk
Your last comment looks spot on - good luck :)
0
 

Author Comment

by:DHPBilcare
Just testing another point of logic.

I'm thinking that the company that provides our hosting services does not need to have any record of the sister company foreign SMTP address as the Exchange Server is in itself already known?
0
 
LVL 23

Expert Comment

by:jakethecatuk
only if the second company is going to relay through your server.
0
 

Author Comment

by:DHPBilcare
Thanks for that.

Does any recipient mailserver check incoming email and try to match the sender SMTP address against the Originating Exchange Server's FQDN?  

In my scenario they would be different.
0
 
LVL 23

Expert Comment

by:jakethecatuk
some receiving e-mail servers do checks.  the typical ones are: -

does the reverse DNS lookup for the IP address match the sending server's FQDN
is the sending server allowed to send for this domain

We've got SPF covered off and I'm sure that your reverse DNS entry is correct for your live e-mail server

so...you should be good to go.
0
 

Author Comment

by:DHPBilcare
Thanks for the comments.

Last questions.

I'm assuming that if an SPF record for the secondary domain had not been created my emails could not be bounced?

The IP to FQDN check in my case would check the MX record?  As I don't have an "A" record against the FQDN of the server.
0
 
LVL 23

Accepted Solution

by:
jakethecatuk earned 500 total points
let's assume that you have sent an e-mail to bill@yahoo.com from fred@company2.com and the sending server is smtp.company1.com.

when yahoo.com receives the message, it will check the MX record for company2.com and see that the receiving server is smtp.company2.com.  It will then look to see if the sending server is the same - if it isn't it will check the SPF record.  If smtp.company1.com doesn't exist in the SPF record, Yahoo COULD treat the message as SPAM and put it in a junk mail folder.

0
 
LVL 15

Expert Comment

by:Insoftservice
Hi
I agree with @jakethecatuk.
0
 

Author Comment

by:DHPBilcare
I guess what I'm asking is what if @company2.com does not yet have an SPF record?
0
 
LVL 23

Expert Comment

by:jakethecatuk
if company2.com doesn't have an SPF record for your e-mail server and you start sending on their behalf, there is a very big risk that messages could get treated as SPAM.

are you going to be receiving mail for them as well?
0
 

Author Comment

by:DHPBilcare
No.

Basically we have a team spread over two separate companies that is commercially going to use the same SMTP address for emails.  The new address is registered and hosted within the second company.  Emails sent to my users at the new SMTP address are simply being forwarded to us at our normal email address.  I then want to add the new SMTP address to my Exchange server so the selected users can "send as" the new identity.  

I just need to understand DNS/Spamming problems with this proposed set up.  Company 2 does not yet have an SPF record for their domain.
0
 
LVL 23

Expert Comment

by:jakethecatuk
ah......................now I've got you.

OK then - company2's DNS records must include the IP address/hostname of your sending server in their SPF records.  If they don't - any message sent by the team members that are based at your offices will probably get treated as SPAM.

what you are doing may introduce other problems at an exchange level which will manifest themselves as soon as you try it.
0
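The two receiver-side checks discussed in this thread (reverse DNS confirmation of the sending server, and SPF authorization for the sender's domain), as an added example that is not part of the original thread. The zone data, IP addresses and helper names are constructed for illustration, and the SPF evaluator handles only the `ip4`, `a`, `mx` and `all` mechanisms against the envelope sender's domain.

```python
import ipaddress

# Constructed DNS data (documentation IP ranges); company1 sends as @company2.com.
SENDER_IP, HELO = "203.0.113.10", "smtp.company1.com"
ZONE = {
    ("company2.com", "MX"): ["smtp.company2.com"],
    ("smtp.company2.com", "A"): ["198.51.100.20"],
    ("smtp.company1.com", "A"): ["203.0.113.10"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["smtp.company1.com"],
}

def lookup(zone, name, rtype):
    return zone.get((name.lower(), rtype), [])

def fcrdns(zone, ip, helo):
    """Forward-confirmed reverse DNS: PTR(ip) names the host and its A record maps back."""
    ptr = lookup(zone, ipaddress.ip_address(ip).reverse_pointer, "PTR")
    return helo.lower() in ptr and ip in lookup(zone, helo, "A")

def spf_check(zone, ip, domain):
    """Evaluate a subset of SPF (ip4, a, mx, all) for the envelope sender's domain."""
    records = [t for t in lookup(zone, domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"  # no policy published; the receiver falls back to its own heuristics
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            hit = True
        elif mech == "ip4":
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = ip in lookup(zone, arg or domain, "A")
        elif mech == "mx":
            hit = any(ip in lookup(zone, mx, "A") for mx in lookup(zone, arg or domain, "MX"))
        else:
            continue  # mechanism or modifier outside this subset
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"

def with_spf(record):
    """Copy of ZONE in which company2.com publishes the given SPF TXT record."""
    return {**ZONE, ("company2.com", "TXT"): [record]}

if __name__ == "__main__":
    print("no SPF record: ", spf_check(ZONE, SENDER_IP, "company2.com"))
    print("mx only:       ", spf_check(with_spf("v=spf1 mx -all"), SENDER_IP, "company2.com"))
    print("sender listed: ", spf_check(with_spf("v=spf1 mx ip4:203.0.113.10 -all"), SENDER_IP, "company2.com"))
    print("rDNS confirmed:", fcrdns(ZONE, SENDER_IP, HELO))
```

Removing the `("smtp.company1.com", "A")` entry from the zone makes `fcrdns` return `False`, because the forward half of the check resolves the server's own hostname.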
 

Author Comment

by:DHPBilcare
I will get them to set up an SPF record before we go with this.

what other problems do you see at the Exchange level?
0
 
LVL 23

Expert Comment

by:jakethecatuk
well, setting a 'reply to' address for a domain that isn't hosted locally MAY cause Exchange to get a bit twitchy.  

It's not something I've tried to be honest with you but I seem to recall reading about someone having a problem when they tried it.  Can't recall the details though as it was back in Exchange 2000 days.  I'm not saying you will have problems though - just making you aware that you may have problems.
0
 

Author Comment

by:DHPBilcare
I would add the Domain2 SMTP address as the primary address against the applicable local AD accounts.  

Each user would only ever email outbound as one domain (Either 1 or 2).  It should work as long as the DNS is correct.
0
