Reverse DNS lookup and Authoritative vs non-Authoritative responses

We have a frequent business partner that uses Cisco IronPort for email scanning/filtering. We use Zscaler for incoming and outgoing email delivery.
The Cisco IronPort product gives a high SBRS score if the sending server does not provide an Authoritative response to Reverse DNS lookup.
Zscaler says "There is nothing wrong with non-authoritative answers. You get authoritative answers if the responding DNS is responsible for that zone".

I use mstoolbox.com and never get an Authoritative response when I am checking Zscaler's servers.

I am looking for any information you can provide me on the differences between Authoritative and non-Authoritative responses to a DNS reverse lookup.

Is Zscaler's response (in quotes above) correct?

Is it appropriate or common for an incoming email to receive a higher SPAM (SBRS) score because its sending server does not provide an Authoritative reverse DNS response?
swfwmd2 asked:
David Spigelman (President / CEO) commented:
An authoritative lookup is a response from the DNS server hosting the zone. That's correct. A non-authoritative response is from a different DNS server, that may be completely correct, but isn't responsible for that reverse lookup zone.

What I think they're looking for is for your domain to "own" your public IP address. Do you? Do you have a static IP address? If so, you should probably ask your provider to provide that reverse-lookup for you. If not, you should consider using a smart-host (like your ISP, or Public DNS host, or something) and then set up SPF to explicitly allow their host to send mail out from your domain. Something like that would probably help.
ChiefIT commented:
Authoritative:
A DNS server that holds, and is the authority for, those HOST A records within DNS.

Authoritative:
computera.my.domain.com
computerb.my.domain.com
printera.my.domain.com
servera.my.domain.com

Non-Authoritative:
An outside server or another server that owns those same records (other than your server).
computera.their.domain.com
computerb.their.domain.com
printera.their.domain.com
servera.their.domain.com.

This might help, to study the path of where a DNS query goes:
http://www.experts-exchange.com/Networking/Protocols/DNS/A_323-DNS-Troubleshooting-made-easy.html
b_levitt commented:
A non-authoritative response is simply a cached response.  99% of all dns resolutions by clients would be non-authoritative since authoritative responses would be given to other dns servers that do not have a fresh resolution in their cache.  But I don't think they're talking about an authoritative response for your forward lookup (ie, mail.yourdomain.com), I think they're talking about an authoritative response for the ptr record.

"The Cisco IronPort product gives a high SBRS score if the sending server does not provide an Authoritative response to Reverse DNS lookup."

I'd guess they're complaining about one of three things:

One, does your mail server have a ptr record for its IP(s)?  It doesn't necessarily need to resolve back to a particular host name but it should at least exist.  This is a simple mechanism to make sure your email server is hosted by a commercial ISP and not in a basement with a home cable or dsl service.  A ptr record is a standard request of a business to its commercial ISP, where somebody with a home internet provider is not going to get a ptr record.

Two, your ISP is delegating responsibility for reverse lookup of your IP block back to your DNS server, and either you've not configured your dns server to answer or you're answering incorrectly.

Finally, they may be comparing your mail server's ehlo reply to your ptr record.  For example:
Your server, mail.abc.com, connects to their SMTP service and says "ehlo mail.abc.com".  That server then does a ptr lookup of your server's IP to see if it matches mail.abc.com.  I believe it is against RFCs to reject email based on this alone, but there's nothing in RFCs about the various scoring systems that a spam solution might use.
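The three checks b_levitt lists (a PTR exists, the PTR name resolves back to the sending IP, the EHLO name matches) and the "authoritative" distinction David Spigelman describes can be made concrete. The Python below is an added example written for this page, not code from the thread, from Cisco or from Zscaler. It uses only the standard library and constructed sample records (the example.net/example.org names and 203.0.113.x addresses are RFC documentation values, not real hosts), so it runs offline; in a real check the two `sample_*_lookup` functions would be replaced with actual queries, and the AA bit is only ever set when you ask the zone's own name server rather than a recursive resolver, which is why a lookup tool that goes through a resolver will always report a non-authoritative answer.

```python
import ipaddress
import struct

# Constructed sample records (hypothetical; RFC 5737 / RFC 2606 documentation
# values, not real servers). Keys are fully qualified, lower-case names.
SAMPLE_PTR = {
    "203.0.113.25": ["mail.example.net."],    # PTR that forward-confirms
    "203.0.113.30": ["host30.example.org."],  # PTR whose A record points elsewhere
}
SAMPLE_A = {
    "mail.example.net.": ["203.0.113.25"],
    "host30.example.org.": ["203.0.113.31"],
}


def reverse_name(ip: str) -> str:
    """Owner name a PTR query asks for (in-addr.arpa for v4, ip6.arpa for v6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def build_response_header(msg_id: int, authoritative: bool, ancount: int = 1) -> bytes:
    """Build a constructed 12-byte DNS response header (sections omitted)."""
    flags = 0x8000 | 0x0100 | 0x0080  # QR=1 (response), RD, RA
    if authoritative:
        flags |= 0x0400               # AA: answer came from the zone's own server
    return struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)


def parse_header_flags(message: bytes) -> dict:
    """Decode the header flags of a DNS message (RFC 1035 section 4.1.1).

    "Authoritative" on the wire is just the AA bit: set by a server that is
    authoritative for the zone, cleared by a recursive resolver answering
    from its cache. The answer data itself can be identical either way.
    """
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _msg_id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def describe_answer(message: bytes) -> str:
    """Label a response the way a lookup tool reports it."""
    flags = parse_header_flags(message)
    if not flags["qr"]:
        return "not a response"
    return "authoritative" if flags["aa"] else "non-authoritative (recursive/cached)"


def _canon(name: str) -> str:
    """Normalise a host name for comparison: lower-case, single trailing dot."""
    return name.rstrip(".").lower() + "."


def sample_ptr_lookup(ip: str) -> list:
    """Stand-in for a PTR query against the constructed records."""
    return SAMPLE_PTR.get(ip, [])


def sample_a_lookup(name: str) -> list:
    """Stand-in for an A query against the constructed records."""
    return SAMPLE_A.get(_canon(name), [])


def fcrdns_check(ip: str, ehlo_name: str, ptr_lookup, a_lookup) -> str:
    """Forward-confirmed reverse DNS, in the order a receiving MTA evaluates it.

    Returns one of 'no_ptr', 'ptr_not_confirmed', 'ptr_confirmed' or
    'ptr_confirmed_ehlo_match'. How each outcome maps to a spam score is a
    choice of the filtering product, not something the RFCs fix.
    """
    ptr_names = ptr_lookup(ip)
    if not ptr_names:
        return "no_ptr"                    # no reverse record at all
    confirmed = {_canon(n) for n in ptr_names if ip in a_lookup(n)}
    if not confirmed:
        return "ptr_not_confirmed"         # PTR exists but does not point back
    if _canon(ehlo_name) in confirmed:
        return "ptr_confirmed_ehlo_match"  # EHLO name agrees with the PTR
    return "ptr_confirmed"


if __name__ == "__main__":
    print(reverse_name("203.0.113.25"))
    for aa in (True, False):
        print(describe_answer(build_response_header(0x1234, aa)))
    print(fcrdns_check("203.0.113.25", "mail.example.net", sample_ptr_lookup, sample_a_lookup))
```

The split between `fcrdns_check` and the two lookup functions is deliberate: the decision logic is what a filter scores, while whether the PTR answer arrived with the AA bit depends entirely on which server you asked, which is why the two questions in the thread (is the PTR in place, and is the answer authoritative) are best verified separately.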

David Spigelman (President / CEO) commented:
One solution might be to have your mail server use a Smart Host - in other words, have it bounce your outbound mail off your ISP's mail server. They'll typically allow you to do that, and that often fixes problems where the receiving mail server is trying to authenticate the sending host.