Pros / cons of smart host vs. DNS MX records?

Very rusty with this. Working on an SBS 2010 standard.  Mail is not going out.  It's the weekend.  I see 58 emails in the send connector queue.

The connector was set up years ago to use a web / email hosting company as smarthost. It's talking about authentication errors. If the hosting company stopped the account set up in the send connector, what other options do we have?

What companies are out there that would let us use them as a smart host? Why do we need a smart host? Why can't we just push the emails out onto the web? And how would we set that up?

http://www.mustbegeek.com/configure-send-connector-in-exchange-2010/

talks of choosing to use DNS and MX to route mail. Can we just use that? What are the pros / cons of doing that? And/or how do you set up a 2nd smart host entry, so that if it can't send mail with the first smarthost, it fails over to the 2nd?
INeedYourHelp00Asked:

yo_beeDirector of Information TechnologyCommented:
If you change the setting, your server leverages public DNS to validate the domain. If the server finds an MX record for the domain you are sending to, it attempts to send to that server. The issue you have with this method is if the recipient's server validates the sender's address by doing a reverse DNS check.

I use a smarthost, but it is a reputable service.  If this is not an option then you only have MX to route.
0
BeGentleWithMe-INeedHelpCommented:
Care to suggest a smart host company?
0
yo_beeDirector of Information TechnologyCommented:
Mimecast
0

Saif ShaikhServer engineer Commented:
DNS configuration VS Smarthost configuration:

DNS: If you route mail through DNS and your Exchange server is sending too many spam mails out, it is likely that your Exchange server's public IP will be blacklisted, and it stops sending emails out until you remove it from the RBLs' lists by contacting the ISP.

Smarthost: Smarthost is the safest and most robust method of sending emails out. All emails from your Exchange server will go out using the smarthost, i.e. all emails will accumulate on their servers; these emails will be scanned for any suspicious activities and then will be delivered to the recipients. Also, if your MX is pointed to the smarthost, the same applies to inbound emails: they will be scanned and then delivered to your Exchange server.

Examples of the best smarthosts are: Reflexion, Mimecast.

So now you may choose which option you would like to go with, DNS or smarthost.

Also, since you said there are 58 emails stuck: are these emails for different domains or a single domain? Please see the last error in the queue for these emails and send us the screenshot.
1
Sajid Shaik MSr. System AdminCommented:
DNS: is pointing your server DNS name to the public IP ... in this sense e-mail can route directly to your Exchange server ... here there is a high security risk.

Smart Host: A smart host is a type of email message transfer agent that allows a Simple Mail Transfer Protocol (SMTP) server to route email to an intermediate mail server rather than directly to the recipient's server ... here the smart host will take care of security, i.e. spam, viruses etc.
A smart host can be an appliance, software/hardware (an email security appliance, i.e. Sonicwall ESA, Barracuda, Ironport etc.), or it can be a hosting provider.

It depends upon your budget ... whether you want to publish outside ... or you want on-premise ...

MX = you can create multiple ...
A backup MX points to any other ISP/public IP for backup; in case one ISP's internet fails, e-mails will route through the backup MX ... which will automatically take care of it ...

all the best

it's de
1
BeGentleWithMe-INeedHelpCommented:
Funny in a sad way. I've used Reflexion for several years now as a spam filtering company. I don’t think I’ve ever heard them call themselves a smart host.

But I have no love for them. A couple of times in the last couple of years they’ve gotten their servers put on blacklists because while they offered outbound mail filtering service, it turns out it’s only for virus filtering, not spam filtering. So somebody was using them and sending out spam and they didn’t catch that till they got on blacklists, and it took them a week to get off of them. In the meantime my clients couldn’t send out mail reliably.

Reflexion charges $1.50 per mailbox that has filtering turned on. I can’t find Mimecast's pricing; would anyone know that?
0
BeGentleWithMe-INeedHelpCommented:
And as a sidenote does anyone use office 365 exchange? Do you have anything in front of it for spam filtering?
0
MichelangeloConsultantCommented:
Let's sum up:
SMARTHOST
- A smarthost is a host that is being used to SEND email. It performs MX lookups via DNS and delivers emails. It lets you send your email through its own SMTP service. It can do so via authentication. Authentication means you have a username/password OR your IP has been authorized for sending through them. Did you change your server's IP recently? If so, that could explain the error.
NOTE: the benefit is that you are not maintaining REPUTATION and reverse DNS (things your smarthost provider has to look after). Reputation means the chances your emails are delivered to recipients' inboxes without being filed as spam or rejected.
MX LOOKUP (not MX)
- Means your own server performs MX lookups via DNS and connects to recipient MX servers directly.
That means you manage your own email system and have to care about the reputation of your email server IP (see here for some info: https://sendgrid.com/blog/5-ways-check-sending-reputation/)
MX record
- An MX record is defined in DNS and represents the mail server IP (or IPs) to which emails directed to that domain need to be delivered.

So, switching from smarthost delivery to direct delivery means doing reputation checks:
for instance, you have to set up reverse DNS correctly, check your IP is not in some dialup residential class, that it is not shared among others (possibly behind NAT), and whatnot. It's not just a matter of switching mode. Also, it depends on your organization's needs in terms of email deliverability.
I would suggest solving the issue with your current smarthost provider or switching smarthost provider. If you mean to avoid smarthosts in the future, do so with some planning.
0
BeGentleWithMe-INeedHelpCommented:
OK, thanks for the distinction.    And a reminder why we did the smart host approach.  I think getting the reverse lookup entered with  the internet provider was a sticking point.

So now:

1) Exchange Office 365 eliminates needing to decide between smarthost / MX lookup, right?
2) I was disappointed that Saif mentioned Reflexion with high regard (nothing against you...). I thought me as a noob not liking them was the tip of the iceberg?
0
MichelangeloConsultantCommented:
O365 adoption means moving mailboxes there and paying per user.
Don’t have exact experience with Reflexion.
0
Saif ShaikhServer engineer Commented:
I thought you were on premise server and not on office 365.

If you are on office 365 there is no need for smarthost I mean you can point mx directly to office 365 or point mx through smarthost it's your choice.

If your MX is directly pointed to Office 365, then Microsoft has FOPI, where emails get scanned. You can also set an SPF record and also have DMARC and DKIM records set for your domain for additional protection.

So office 365 eliminates need for smarthost.
0
BeGentleWithMe-INeedHelpCommented:
Saif - sorry for not being clear. I was asking about IF we move to office 365, would that eliminate having to debate these choices.
0
AlanConsultantCommented:
Hi BeGentleWithMe-INeedHelp,

Yes - if you move to Office 365, you won't need a SmartHost, since your emails will be going out from MS servers.


Alan.
0
Saif ShaikhServer engineer Commented:
Yes, definitely Office 365 is more secure when it comes to spam. It has a good protection system. There is no need for a smarthost if you are on O365 since it has FOPI (forefront identity manager), which scans all emails and works like a charm. Additional protection is the SPF record, which you can add; DKIM and DMARC records for your domains can also be added for additional spam settings.

Even with the default i.e. without DKIM and DMARC it's more robust and will not allow anyone to spam from outside since SPF does a validation check on the sending exchange server from remote domain.
0
MichelangeloConsultantCommented:
Office 365 has got EOP (Exchange Online Protection). You would need to add an SPF record for your domain (which is used when you send emails to authorize which mail servers are authoritative for your domain name) in case you manage your own DNS, and you can quite easily add DKIM for your domain name. You would need to point the MX servers for your domain to EOP. So moving to Office 365 means you will have to do some initial DNS planning and some very light daily review of the EOP antispam (depending on how many users you have). Reputation will be maintained by Microsoft. Note that you may meet a higher rate of spam / spoofing coming from Microsoft's own email servers due to the way Office 365 works (shared IP / domain name between tenants: onmicrosoft.com).
0
BeGentleWithMe-INeedHelpCommented:
ah!!! I'm realizing that's my next question...  other than an MX record pointing to the mail server, what else do you need to do for outgoing mail to be accepted these days!?

SPF I've done.
There's a couple other things, right?
DKIM & DMARC - those are new to me... any others?

Reverse DNS - that's if you have the mail server at your location and not using a smart host?  Then you have to go to the internet provider to >try< to get them to add an entry?  Is reverse dns going away because of the difficulty with that?  DKIM & DMARC are easier to do?

And I posted another question elsewhere about imap/pop/web host provider recommendations.

If I say DNS hosting, what do you think of? Someone with redundant servers, etc.? Or the same company that's doing web and POP hosting? Or the registrar? GoDaddy for me. Do they give you full control of your zone or do they lock you to their products / can't send web & mail to other places?
0
AlanConsultantCommented:
Hi,

I would recommend you always set up SPF, DKIM, and DMARC - in that order of priority.

Reverse DNS - Yes, you only need to worry about this if you are hosting your own mail server.

IMAP/POP/web host provider recommendations - Best to leave that in your other question(s), else it will get confusing if you split the conversation(s).

DNS Hosting - Can be separate (or done yourself), but for most people, their registrar is fine.  Most give you fairly full control over your DNS settings, but if you are thinking of moving, ask those questions before you do so you know what you can and can't do with a new provider.



Alan.
0
MichelangeloConsultantCommented:
Is reverse dns going away because of the difficulty with that?  DKIM & DMARC are easier to do?

Reverse DNS correctly set up for your OUTGOING SMTP servers (which do not need to coincide with your INGOING SMTP servers, i.e. your MXes) is the basis of proving your system has not just popped up overnight to send out spam and then disappear. It basically means you have gone through a bit of configuration work, as you need to have your own zone properly configured on a DNS.
DKIM needs to be supported by your MTA and requires registering records in DNS. It allows you to digitally sign your outgoing emails and to verify incoming emails against the sender domain's signature.
DMARC has more or less the same prerequisites as DKIM; it is used mainly to validate the sender in the FROM: header (whereas SPF validates the envelope sender, i.e. the MAIL FROM: header). It is a more recent method to examine emails and builds upon both SPF and DKIM (you cannot implement standalone DMARC). It requires registering records in DNS.

I'm not able to tell you if they are easier to implement as they build upon the same basis and require you to have control of your DNS records, and of course your MTA software needs to support them.
0
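Added example, not part of any post in this thread: a simplified sketch of the DMARC identifier-alignment rule described in the answer above (SPF checks the envelope sender, DMARC ties the result back to the From: header). The domains, the relay name `relay.example.net` and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. .co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(identity: str, header_from: str, strict: bool = False) -> bool:
    # Strict alignment needs an exact match; relaxed alignment only needs
    # the same organizational domain.
    a, b = identity.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

@dataclass
class Message:
    header_from: str               # domain in the From: header
    mail_from: str                 # envelope sender domain (SMTP MAIL FROM)
    spf_pass: bool                 # SPF result for the envelope domain
    dkim_d: Optional[str] = None   # d= of a valid DKIM signature, if any

def dmarc_eval(m: Message, aspf_strict: bool = False,
               adkim_strict: bool = False) -> dict:
    # DMARC passes when SPF or DKIM passes AND the domain it authenticated
    # is aligned with the From: header domain.
    spf_ok = m.spf_pass and aligned(m.mail_from, m.header_from, aspf_strict)
    dkim_ok = (m.dkim_d is not None
               and aligned(m.dkim_d, m.header_from, adkim_strict))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample messages (example.com stands in for your own domain).
DIRECT = Message("example.com", "example.com", True)
# Relay that uses its own envelope domain: SPF passes, but for the relay.
RELAY_NO_DKIM = Message("example.com", "bounces.relay.example.net", True)
RELAY_DKIM = Message("example.com", "bounces.relay.example.net", True,
                     "example.com")
SUBDOMAIN = Message("example.com", "mail.example.com", True)

if __name__ == "__main__":
    for name, msg in [("direct", DIRECT), ("relay, no DKIM", RELAY_NO_DKIM),
                      ("relay + DKIM", RELAY_DKIM), ("subdomain", SUBDOMAIN)]:
        print(f"{name:15} {dmarc_eval(msg)}")
```

The `aspf_strict` and `adkim_strict` arguments correspond to `aspf=s` and `adkim=s` in a published DMARC record; the default is relaxed alignment.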
