John Water
Reverse DNS lookup and Authoritative vs non-Authoritative responses
We have a frequent business partner that uses Cisco IronPort for email scanning/filtering. We use Zscaler for incoming and outgoing email delivery.
The Cisco IronPort product gives a high SBRS score if the sending server does not provide an Authoritative response to Reverse DNS lookup.
Zscaler says "There is nothing wrong with non-authoritative answers. You get authoritative answers if the responding DNS is responsible for that zone".
I use mstoolbox.com and never get an Authoritative response when I am checking Zscaler's servers.
I am looking for any information you can provide me with the differences with Authoritative vs non-Authoritative responses to DNS reverse lookup.
Is Zscaler's response (in quotes above) correct?
Is it appropriate or common for an incoming email to receive a higher SPAM (SBRS) score because its sending server does not provide an Authoritative reverse DNS response?
Authoritative:
A DNS server that holds and is authority of those HOST A records within DNS.
Authoritative:
computera.my.domain.com
computerb.my.domain.com
printera.my.domain.com
servera.my.domain.com
Non-Authoritative:
An outside server or another server that owns those same records (other than your server).
computera.their.domain.com
computerb.their.domain.com
printera.their.domain.com
servera.their.domain.com.
This might help, to study the path of where a DNS query goes:
https://www.experts-exchange.com/Networking/Protocols/DNS/A_323-DNS-Troubleshooting-made-easy.html
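An added example, not part of the original thread: in the DNS wire format, "authoritative" is the AA bit in the response header (RFC 1035), which the answering server sets only when it is an authority for the queried name. The Python code below parses two constructed PTR responses for the same address and shows an identical PTR answer arriving once with AA set and once with AA clear, as it would from a caching resolver; the address 192.0.2.10 and the name mail.example.test are made-up sample values.

```python
import struct

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(part)]) + part.encode("ascii") for part in name.split(".")) + b"\x00"

def build_ptr_response(ip, target, aa, ra):
    """Constructed sample input: the bytes of a PTR response with chosen AA/RA bits."""
    qname = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    flags = 0x8000 | (0x0400 if aa else 0) | 0x0100 | (0x0080 if ra else 0)  # QR, AA, RD, RA
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!2H", 12, 1)  # QTYPE=PTR, QCLASS=IN
    rdata = encode_name(target)
    answer = b"\xc0\x0c" + struct.pack("!2HIH", 12, 1, 3600, len(rdata)) + rdata
    return header + question + answer

def read_name(msg, pos, hops=0):
    """Decode the name at pos, following compression pointers; return (name, next_pos)."""
    labels = []
    while msg[pos]:
        if msg[pos] & 0xC0 == 0xC0:  # pointer to an earlier name in the message
            if hops > 16:
                raise ValueError("compression pointer loop")
            target = ((msg[pos] & 0x3F) << 8) | msg[pos + 1]
            tail, _ = read_name(msg, target, hops + 1)
            return ".".join(labels + [tail]), pos + 2
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    return ".".join(labels), pos + 1

def inspect_ptr_response(msg):
    """Return the AA and RA header bits, the RCODE and the first PTR target."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    pos, ptr = 12, None
    for _ in range(qd):  # skip the question section
        pos = read_name(msg, pos)[1] + 4
    if an:
        pos = read_name(msg, pos)[1]
        rtype = struct.unpack("!H", msg[pos:pos + 2])[0]
        if rtype == 12:  # PTR; RDATA starts after 10 fixed bytes
            ptr = read_name(msg, pos + 10)[0]
    return {"aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "ptr": ptr}

# Same PTR record, once as the zone's own server would send it, once as a resolver would.
from_auth = inspect_ptr_response(build_ptr_response("192.0.2.10", "mail.example.test", True, False))
from_resolver = inspect_ptr_response(build_ptr_response("192.0.2.10", "mail.example.test", False, True))
```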
One solution might be to have your mail server use a Smart Host - in other words, have it bounce your outbound mail off your ISP's mail server. They'll typically allow you to do that, and that often fixes problems where the receiving mail server is trying to authenticate the sending host.
What I think they're looking for is for your domain to "own" your public IP address. Do you? Do you have a static IP address? If so, you should probably ask your provider to provide that reverse-lookup for you. If not, you should consider using a smart-host (like your ISP, or Public DNS host, or something) and then set up SPF to explicitly allow their host to send mail out from your domain. Something like that would probably help.