26

I've taken on the task of running a small email server, and the world of spam makes it more challenging for an individual, as many MTAs are highly paranoid about accepting email.

I think I've configured nearly everything that could be a problem successfully: a commercial SSL certificate, DKIM, a proper domain, and a static IP address. My (piddly) email in fact goes out almost all of the time. But the most paranoid MTAs are still rejecting my email - Craigslist for example - and it appears to be my reverse lookup at fault.

I've recently changed my static IP address, and my service with my ISP. When they changed it, I tried to get this configured correctly, but I fear it is not. But I'm not 100% certain what is wrong, or what my reverse record should look like.

I especially don't want to approach my ISP with a "Look, I don't know what the problem is, but you need to fix it anyhow" attitude. If there's a problem I want to be able to describe exactly what it is before I get on the phone with the NOC. They don't offer a control panel for this as far as I can tell, so I don't want to try anyone's patience with a bunch of trial and error.

OK, the specifics, redacted & fictional, but consistent:

Domain:                      funkeedomain.org
Mailserver (DNS MX record):  mx.funkeedomain.org
Static IP address:           111.222.333.444
Static IP address reversed:  444.333.222.111
FQDN originally requested of the ISP for reverse lookups: main.funkeedomain.org

Here's a typical rejection notice from my mail server (hMailServer):

Your message did not reach some or all of the intended recipients.

   Sent: Thu, 12 Jan 2017 11:53:50 -0800 (PST)
   Subject: Blah blah blah

The following recipient(s) could not be reached:

2125551111@tmomail.net
   Error Type: SMTP
   Remote server (64.235.154.109) issued an error.
   hMailServer sent: .
   Remote server replied: 550 permanent failure for one or more recipients (2125551111@tmomail.net:550 Sender IP reverse lookup rejected)

hMailServer

A commercial email-sending checker tells me:

main.funkeedomain.org.333.222.111.in-addr.arpa          Failed - No A Record Found in DNS

So, fine. What do DNS tools tell me?

stew@griffin:~$ host 111.222.333.444
444.333.222.111.in-addr.arpa domain name pointer main.funkeedomain.org.333.222.111.in-addr.arpa.

stew@griffin:~$ dig -x 111.222.333.444
; <<>> DiG 9.10.3-P4-Ubuntu <<>> -x 111.222.333.444
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16150
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;444.333.222.111.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
444.333.222.111.in-addr.arpa. 86365 IN   PTR     main.funkeedomain.org.333.222.111.in-addr.arpa.

;; Query time: 0 msec
;; SERVER: 10.0.0.4#53(10.0.0.4)
;; WHEN: Thu Jan 12 19:09:11 PST 2017
;; MSG SIZE  rcvd: 93

From reading examples (http://www.gettingemaildelivered.com/how-to-set-up-reverse-dns-rdns for instance), my strong impression is that this is wrong, and my reverse record set up by my ISP should be a PTR to "main.funkeedomain.org", NOT "main.funkeedomain.org.333.222.111.in-addr.arpa."

Am I right to think this? What should I be expecting in my reverse record if not what I'm finding?


Thanks all who responded, and my post-post grammar copy-editor.

Both HBruijn and Andrew B's answers were correct, but they appear to want me to select HBruijn's, which is also shorter, and so I have.

I had to call no fewer than five times to get this resolved. Having a 100% accurate diagnosis was surely key to getting this passed blindly up 3 levels of escalation successfully - I was never allowed to talk to the DNS department directly.

Thank you all again.

StewLG
    In general with DNS issues using the actual domain helps the community to resolve issues much more easily. – HBruijn Jan 13 '17 at 06:42
  • 1
    Google also verify the PTR record. Not sure why you call this paranoid; it stops a very large quantity of spam. – Michael Hampton Jan 13 '17 at 17:45
  • 1
    There’s been a lot of discussion about using the official example domains, not a random name. Since you hide the IP address, I’m guessing the name you use is not your actual domain, either? – JDługosz Jan 14 '17 at 09:32
  • xxxxxxxxxxxxxxx – StewLG Jan 20 '17 at 03:51

3 Answers

49

Look at the answer section a little more closely:

;; ANSWER SECTION:
444.333.222.111.in-addr.arpa. 86365 IN   PTR     main.funkeedomain.org.333.222.111.in-addr.arpa.

Specifically, the value of the PTR record:

main.funkeedomain.org.333.222.111.in-addr.arpa.

Your ISP forgot to add the trailing dot to your FQDN. This is causing the DNS software to helpfully append the name of the zone file to the end of the data.

Tell them to look at your reverse DNS record again, mention the trailing dot, and if they have any sense to them they'll know exactly what they did wrong.

Andrew B
  • If you're coming in from Hot Network Questions, please upvote HBruijn instead. This answer is already in my top 5 of all time and it's getting a little silly. (@HBruijn your psychological warfare campaign to make me regret answering this one 60 seconds before you is working) – Andrew B Jan 16 '17 at 03:27
  • If you think that's bad, take a look at my top 5 answers in StackOverflow. Only #2 is fairly interesting IMHO. – Barmar Jan 17 '17 at 22:14
  • @AndrewB I already have moderator privileges, you might as well take the points so you can get your own [next level superpowers](http://serverfault.com/help/privileges) at 20k – HBruijn Jan 18 '17 at 21:59
33

444.333.222.111.in-addr.arpa. 86365 IN PTR main.funkeedomain.org.333.222.111.in-addr.arpa.

Seems that in the reverse DNS zone data somebody forgot to add a trailing period (.) to your hostname to indicate that it is a fully qualified hostname. In DNS shorthand any simple hostname gets appended with $ORIGIN.

The correct zone data would be

444.333.222.111.in-addr.arpa. 86365 IN   PTR     main.funkeedomain.org.

or in DNS short-hand you can optionally omit the $ORIGIN i.e. 333.222.111.in-addr.arpa:

444                           86365 IN   PTR     main.funkeedomain.org.
HBruijn
1

In addition to fixing the reverse entry (see Andrew B and HBruijn's answers), it sounds like your forward entries may also be confused. If the server's hostname is main.funkeedomain.org, you shouldn't also have mx.funkeedomain.org involved; instead you should have a record of type "MX" pointing from funkeedomain.org to main.funkeedomain.org, and an "A" record pointing from main.funkeedomain.org to 111.222.333.444. Basically, you want the forward lookups to look like this:

$ host -t mx funkeedomain.org
funkeedomain.org mail is handled by 10 main.funkeedomain.org.
$ host main.funkeedomain.org
main.funkeedomain.org has address 111.222.333.444

The records in your zone file should look something like this:

funkeedomain.org.       MX 10 main.funkeedomain.org.
main.funkeedomain.org.  A 111.222.333.444

Or they might have the zone name (funkeedomain.org) be implicit, indicated by a missing final "." (as Andrew B suspects is the problem with the reverse record), like this:

     MX 10 main.funkeedomain.org.
main A 111.222.333.444

...or any number of other variants.

Gordon Davisson
  • MX is irrelevant here as it is only about inbound mail. To be accepted as a source of outbound mail, the OP should check that there is a match between (1) the fqdn his MTA emits as EHLO greeting, (2) the fqdn obtained from looking up the reverse DNS of the IP his MTA uses, and (3) the IP this fqdn resolves to in forward DNS. In order to avoid confusion, it is additionally better to avoid multiple PTR and/or multiple A records for the ip/fqdn involved ... – Hagen von Eitzen Jan 14 '17 at 13:10
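As an added example (not code from this thread), the three-way consistency test Hagen von Eitzen's comment describes, run offline against constructed lookup tables in place of real forward and reverse DNS. The tables use the question's fictional names and address; `FORWARD_A` and `REVERSE_PTR` are stand-ins for what a receiving MTA would resolve, and the function reports every mismatch a receiver could reject on (missing PTR, PTR with the reverse zone appended, PTR not resolving back, EHLO name disagreeing, multiple PTRs).

```python
"""Constructed example: forward-confirmed reverse DNS (FCrDNS) check for a
sending MTA, using in-memory tables instead of live DNS."""
from typing import Dict, List

# Constructed forward records (name -> A addresses), fully qualified.
FORWARD_A: Dict[str, List[str]] = {
    "main.funkeedomain.org.": ["111.222.333.444"],
    "mx.funkeedomain.org.": ["111.222.333.444"],
}
# Constructed reverse records after the ISP fixes the trailing dot.
REVERSE_PTR: Dict[str, List[str]] = {
    "111.222.333.444": ["main.funkeedomain.org."],
}
# The reverse table as it stood in the question (zone name appended).
REVERSE_PTR_BROKEN: Dict[str, List[str]] = {
    "111.222.333.444": ["main.funkeedomain.org.333.222.111.in-addr.arpa."],
}


def reverse_name(ip: str) -> str:
    """111.222.333.444 -> 444.333.222.111.in-addr.arpa. (IPv4 only)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def fcrdns_report(helo_name: str, ip: str,
                  forward: Dict[str, List[str]] = FORWARD_A,
                  reverse: Dict[str, List[str]] = REVERSE_PTR) -> List[str]:
    """Check that (1) the EHLO name, (2) the PTR of the sending IP and
    (3) the A record of that PTR name all agree. Returns a list of
    findings; an empty list means the source passes."""
    findings: List[str] = []
    helo = helo_name if helo_name.endswith(".") else helo_name + "."
    ptrs = reverse.get(ip, [])
    if not ptrs:
        findings.append(f"no PTR record for {ip} ({reverse_name(ip)})")
        return findings
    if len(ptrs) > 1:
        findings.append(f"{ip} has {len(ptrs)} PTR records; a receiver may pick any of them")
    for ptr in ptrs:
        if ptr.endswith(".in-addr.arpa."):
            findings.append(f"PTR {ptr} ends in in-addr.arpa: reverse zone was appended (missing trailing dot)")
            continue
        addrs = forward.get(ptr, [])
        if ip not in addrs:
            findings.append(f"PTR {ptr} does not resolve back to {ip} (A: {addrs or 'none'})")
    if helo not in ptrs:
        findings.append(f"EHLO name {helo} does not match PTR {', '.join(ptrs)}")
    return findings


if __name__ == "__main__":
    print("fixed  :", fcrdns_report("main.funkeedomain.org", "111.222.333.444"))
    print("broken :", fcrdns_report("main.funkeedomain.org", "111.222.333.444",
                                    reverse=REVERSE_PTR_BROKEN))
    print("wrong EHLO:", fcrdns_report("mx.funkeedomain.org", "111.222.333.444"))
```

The third call shows the point of the comment: even with the PTR repaired, greeting as mx.funkeedomain.org while the PTR says main.funkeedomain.org is still a mismatch a strict receiver can reject.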