Email Rejected: Invalid RDNS Entry

I am trying to send an email to someone and I keep getting an error message stating that it was rejected by their mail server with the reason of the RDNS entry being invalid for IP address xxx.xxx.xxx.13.

My MX record indicates xxx.xxx.xxx.10 for mail.mydomain.com.

The PTR record I have is xxx.xxx.xxx.13 for mail.mydomain.com.

I sent an email out to another email address and looked at the header. The header indicates that it was received from IP address xxx.xxx.xxx.13 and domain of mail.mydomain.com.

Why is my email continuing to be rejected when my PTR record matches the information found in the header?
Mike Jensen Asked:

Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
You need an A record that points mail.mydomain.com to x.x.x.13.
Mike Jensen (Author) Commented:
"You need an A record that points mail.mydomain.com to x.x.x.13."

If I understand correctly, I could change the PTR record to match the A record and get the same result.

Why would the header state that it is coming from x.x.x.13 and not x.x.x.10 if my A record is set to x.x.x.10?

I should've also mentioned that I own both of those IPs.

Could it be that since x.x.x.13 is the last IP in the stack, that it simply defaults to show that when it is really coming from x.x.x.10?
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
The IP is completely dependent on what your firewall is NATing it to. So your A record and PTR records need to match that.

Mike Jensen (Author) Commented:
"The IP is completely dependent on what your firewall is NATing it to. So your A record and PTR records need to match that."

Just last night, I matched my PTR record with my MX A record and I am still unable to send out an email to the recipient. I am getting the same error message as before.
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
So you now have:
- an A record for mail.mydomain.com that points to x.x.x.13
- A PTR for x.x.x.13 that points to mail.mydomain.com
Correct?
And the SMTP header shows that it is sending from x.x.x.13?

How long did you wait for DNS propagation before testing?
Mike Jensen (Author) Commented:
I have an IP block from .9 to .13 plus the static for my modem .14. The MX A record for mail.mydomain.com is pointing to .10. My PTR record is pointing to mail.mydomain.com and .10. My SPF record is set to "v=spf1 mx a ?all". Though the email header I saw states mail.mydomain.com with IP .13.
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
1. A records and MX records are different things. Your MX record points to an A, CNAME, or even an IP address. I assume it's pointing to mail.mydomain.com. This is fine. Don't change your MX record.

2. Since your email server is being NAT'd to x.x.x.13, the reverse lookup will fail and you'll still have an issue.

You can do one of two things:
Option 1 - Change your firewall to NAT your email server to x.x.x.10
Option 2 - Change your A record for mail.mydomain.com to point to x.x.x.13 and change your PTR record for x.x.x.13 to point to mail.mydomain.com.

Option 1 is generally easier.
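
The check behind the two options above, as an added example (not code from the thread): a forward-confirmed reverse DNS test on the connecting IP, assumed here to be what the recipient's server enforces. `203.0.113.x` and `mail.example.com` are constructed stand-ins for the masked addresses and mail.mydomain.com.

```python
import socket

MAIL = "mail.example.com"                     # constructed stand-in for mail.mydomain.com
IP10, IP13 = "203.0.113.10", "203.0.113.13"   # constructed stand-ins for .10 and .13

def system_ptr(ip):
    """PTR names for ip via the system resolver; [] when there is none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_a(name):
    """Addresses that name resolves to via the system resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def fcrdns(ip, ptr_lookup=system_ptr, a_lookup=system_a):
    """Judge the connecting IP: a PTR must exist and resolve back to it."""
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return "no-ptr", f"{ip} has no PTR record"
    for name in names:
        if ip in a_lookup(name):
            return "pass", f"{ip} -> {name} -> {ip}"
    return "mismatch", f"{ip} -> {names[0]}, which does not resolve back to {ip}"

def thread_scenarios():
    """Verdicts for the states described in the thread (constructed DNS data)."""
    cases = {  # label: (source IP after NAT, A records, PTR records)
        "A .10, PTR on .13, NAT .13": (IP13, {MAIL: [IP10]}, {IP13: [MAIL]}),
        "A .10, PTR on .10, NAT .13": (IP13, {MAIL: [IP10]}, {IP10: [MAIL]}),
        "option 1: NAT changed to .10": (IP10, {MAIL: [IP10]}, {IP10: [MAIL]}),
        "option 2: A and PTR on .13": (IP13, {MAIL: [IP13]}, {IP13: [MAIL]}),
    }
    return {
        label: fcrdns(src, lambda i, p=ptr: p.get(i, []), lambda n, z=a: z.get(n, []))[0]
        for label, (src, a, ptr) in cases.items()
    }

if __name__ == "__main__":
    for label, verdict in thread_scenarios().items():
        print(f"{verdict:9} {label}")
```

Calling `fcrdns()` with only the address your mail actually leaves from (the one shown in a received header) runs the same test against live DNS.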

Mike Jensen (Author) Commented:
I ended up changing the firewall NAT policy for .10. This fixed my issue. I was finally able to send that email. Thanks for your help!