Avatar of Jim Wobig
Jim Wobig
Flag for United States of America asked on

DNS issues and email problems

I just started working for a company that the old admin had placed their own external DNS server on the internet and it has died.  He didn't document the server or the setting so I cant recreate.  I decided the easiest way to get their web, email, and VPN solution back up was to register with Network Solutions.  All is working properly but email which I can send/receive to most companies we work with but there are several domain that I cant send to.  It doesn't give me a non-delivery error but Exchange will say after several day that it given up on trying to deliver the message. If I do a DNS report it says the following:

"One or more addresses referenced by MX records do not have a matching reverse DNS entry" and this is what I have registered:
206.188.198.41 has mx.mycompany.com. | 70.xx.xx.10 listed.
205.178.190.41 has mx.mycompany.com. | 70.xx.xx.10 listed.

We had our ISP do a reverse lookup entry which took them four weeks but I still can send email to some domains.  Here is the revers DNS lookup;

Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
10.xx.xx.70.in-addr.arpa canonical name = mx.mycompany.com.

Authoritative answers can be found from:
mycompany.com
      origin = NS81.WORLDNIC.com
      mail addr = namehost.WORLDNIC.com
      serial = 114041815
      refresh = 10800
      retry = 3600
      expire = 604800
      minimum = 3600

I really need to get this fixed and appreciate any input to get this resolved.
DNSEmail Protocols

Avatar of undefined
Last Comment
Jim Wobig

8/22/2022 - Mon
Jan Bacher

I know EE says don't publish the IPs but this is on the public internet and there is no security issue with identifying both the domain name and MX records.

That would help a lot.
Jim Wobig

ASKER
mx.domain.com
Alan Hardisty

There is absolutely no need to publish IP's or domain names - it just makes you a bigger target, so please don't publish them.

If you are having problems sending emails to certain domains, you can use telnet to manually test mail-flow from your server to their server and see if you get any obvious errors.

http://support.microsoft.com/kb/153119

Alan
(EE Zone Advisor)
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
Jan Bacher

This is a DNS problem related to matching forward and inverse records.

Security by obscurity is not security.
Alan Hardisty

Having seen the domain and having checked that myself, I can confirm that that isn't the problem.

Alan
Jan Bacher

This is a DNS error:

"One or more addresses referenced by MX records do not have a matching reverse DNS entry"
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Jim Wobig

ASKER
It is a problem because we cant send email to certain domain.  Jesper, how would I fix this problem?
Alan Hardisty

I take that back - I ran a lookup on the domain posted and then a reverse lookup on my Mac and got the same result, but running the same check on www.blacklistalert.org shows a problem with no Reverse DNS.

So you need to call your ISP and ask them to add Reverse DNS to your fixed IP address as mx.yourdomain.com and that should help.

If that doesn't completely resolve the issue, please have a read of my article:

https://www.experts-exchange.com/Software/Server_Software/Email_Servers/A_2427-Problems-sending-mail-to-one-or-more-external-domains.html

Alan
Jim Wobig

ASKER
I have called them and it took me 4 weeks to have them make add the reverse entry.  Up until today if I did a reverse lookup I would get nothing but now I get this;


Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
Name: mx.mycompany.com
Address: 70.xx.xx.10

And thank you Alan for the advice, I was hesitant to publish but am desperate to get answers.
Your help has saved me hundreds of hours of internet surfing.
fblack61
Alan Hardisty

Just visit www.blacklistalert.org and put in your IP Address - it will be obvious that there still isn't Reverse DNS set properly or there is a DNS problem because they don't see Reverse DNS, yet I do see it on my Mac!

Alan
Alan Hardisty

You can also run a command prompt nslookup on your IP Address and you should get mx.yourdomain.com returned as the result.

e.g., nslookup 70.xx.xx.10
ASKER CERTIFIED SOLUTION
Jan Bacher

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Alan Hardisty

No-one has said it violates any security - it is just preferred by EE not to disclose such details and it isn't necessary to know such details to be able to resolve a problem like this.  If the problem is Reverse DNS, then we can advise the person asking the question to go to somewhere like www.blacklistalert.org where they can put their own IP Address into the website and find out for themselves if it is set or not.  Then if it isn't and they don't know how to set it, they can ask for advise and we can offer it.

I'm totally for you getting the points for this question because you pointed out about Reverse DNS 1st, and can make sure that happens if it doesn't, assuming that lack of Reverse DNS resolves the problem, despite it supposedly having been added by the ISP, which it doesn't appear they have done properly.

Alan
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Jim Wobig

ASKER
Per Alan's response I tried to telnet to the mail server (mx.mycompany.com).  I get e response but it is from our Symantec Messaging Gateway server and not the mail server.  I also ran Dig and got the following results;


C:\>dig mycomany.com

; <<>> DiG 9.9.5-W1 <<>> mycompany.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6854
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mycompany.com.                        IN      A

;; ANSWER SECTION:
mycompany.com.         11936   IN      A       70.xxx.xxx.13

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon May 12 10:17:46 Pacific Daylight Time 2014
;; MSG SIZE  rcvd: 48


C:\>dig mycompany.com MX

; <<>> DiG 9.9.5-W1 <<>> mycompany.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48911
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mycompany.com.                        IN      MX

;; ANSWER SECTION:
mycompany.com.         13142   IN      MX      10 mx.mycompany.com.

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon May 12 10:18:16 Pacific Daylight Time 2014
;; MSG SIZE  rcvd: 51
c:\

I'm not sure if this matters or not but could the problem be that some external email servers get a response from the Symantec gateway and not the email server?