Does a mail server on an IPv4 address need AAAA records?

1

I was very surprised to get an unexpected bounceback from Gmail to an email from my own domain's SMTP/IMAP server sent via Outlook (details anonymised):

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  some.email.address@gmail.com
    SMTP error from remote mail server after end of data:
    host gmail-smtp-in.l.google.com [1234:a1b2:4321:a12::1a]:
    550-5.7.1 [1234:1234:1234:a12::12a1] Our system has detected that this message
    550-5.7.1 does not meet IPv6 sending guidelines regarding PTR records and
    550-5.7.1 authentication. Please review
    550-5.7.1  https://support.google.com/mail/?p=IPv6AuthError for more information
    550 5.7.1 . 123ab123456abc.123 - gsmtp

I didn't understand why it was an IPv6AuthError but after checking that reverse IP lookups did work using my PTR and that my DKIM and SPF records were fine, I did a DNS IPv6 lookup test which threw a simple "not found" error:

aaaa:my-domain.com

Find Problems aaaa

Test: DNS Record Published Result: DNS Record not found

Which isn't surprising: my domain is on an IPv4 IP address so I've never set any AAAA records, thinking (perhaps naively?) that I didn't need them unless I was using an IPv6-only IP address.

Further emails from the same my-domain.com address to the same GMail address didn't give the same error, so it's an intermittent problem. I've added AAAA @, mail, and www records pointing to the auto-converted IPv6 version of my IPv4 IP address, and it seems fine so far but it's hard to say if it's fixed an intermittent problem.

My emails are sent using Exim with some dynamic configuration that assigns an IPv4 address to each domain on the mail server. There's nothing in my Exim configuration that I'm aware of that would assign an IPv6 address instead, but netstat -tulpn | grep :25 does show that Exim listens to IPv6 addresses:

netstat -tulpn | grep :25
tcp        0      0 0.0.0.0:2525           0.0.0.0:*             LISTEN      2788/exim   
tcp        0      0 0.0.0.0:25             0.0.0.0:*             LISTEN      2788/exim   
tcp        0      0 :::2525                :::*                  LISTEN      2788/exim   
tcp        0      0 :::25                  :::*                  LISTEN      2788/exim 

So my question is: under what circumstances would a mail server configured to use an IPv4 IP address need AAAA records to send and receive mail?

user56reinstatemonica8

Posted 2017-07-18T11:59:22.497

Reputation: 3 946

Your e-mail server is obviously not configured to only use IPv4 or it wouldn’t have connected to GMail using IPv6. – Daniel B – 2017-07-18T12:13:20.307

So you're saying: mail servers need AAAA records, unless they're explicitly configured to only use IPv4? – user56reinstatemonica8 – 2017-07-18T12:23:04.800

That’s what Google says, yes. If you want to connect to its SMTP server using IPv6, you need to follow their rules. – Daniel B – 2017-07-18T12:24:26.440

Answers

3

Apparently your email server connected to Google over IPv6. Which is great because this internet needs more people to support IPv6!

What you were looking at (A, AAAA records etc) is for inbound connections to you. What Google sees are your outbound connections. Even if you have no AAAA records in DNS your server might still be able to communicate over IPv6, and apparently it did.

First: do not put IPv4 addresses in AAAA records using some conversion trick! This will severely damage your reachability. Take a look at our presentation at RIPE 74 for horror stories. IPv4 and IPv6 are different protocols, and you can't just convert addresses. Use your real IPv6 addresses. Your server apparently has them, otherwise it couldn't have connected to Google over IPv6.

When Google receives an incoming connection over IPv6 it will do a reverse lookup (PTR records) on that address to see what the canonical hostname for that address is. Then it will do a lookup on that name to see if that name really has that address (AAAA records) to check that the reverse record was not lying. Then it will check the source IPv6 address against the SPF record to see if this address is supposed to send mail from that domain.

Basically these are the same checks Google (and many others) do for IPv4. Because IPv6 is a newer protocol Google did decide to be more strict with the checks though. They want people to get it right from the start, so we don't get a similar legacy mess as we have in IPv4. That might be why you notice it sooner when communicating over IPv6.

I hope this helps you. First thing to do is to find out the IPv6 address of your mail server. And if you didn't consciously configure them you might also want to check your IPv6 firewall settings and align them with your IPv4 settings. Supporting IPv6 is great, but do make sure you do it securely :)

Sander Steffann

Posted 2017-07-18T11:59:22.497

Reputation: 4 169
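The checks this answer describes (PTR on the source address, forward AAAA lookup to confirm the PTR is not lying, then SPF against the source IPv6 address), as an added Python example that is not part of the original answer. It runs offline against a constructed in-memory zone for example.com in the 2001:db8::/32 documentation prefix, so every name and address in it is an assumption and `lookup` stands in for a real resolver.

```python
import ipaddress

# Constructed zone data for illustration only: example.com and the 2001:db8::/32
# documentation prefix; nothing here refers to a real host.
MAIL_IP = "2001:db8:1::25"        # address with matching PTR and AAAA
LYING_IP = "2001:db8:1::bad"      # PTR claims mail.example.com, but AAAA disagrees
STRAY_IP = "2001:db8:1::ffff"     # extra address on the host with no DNS at all
ZONE = {
    (ipaddress.ip_address(MAIL_IP).reverse_pointer, "PTR"): ["mail.example.com"],
    (ipaddress.ip_address(LYING_IP).reverse_pointer, "PTR"): ["mail.example.com"],
    ("mail.example.com", "AAAA"): [MAIL_IP],
    ("example.com", "MX"): ["mail.example.com"],
    ("example.com", "TXT"): ["v=spf1 mx ip6:2001:db8:1::/64 -all"],
}

def lookup(name, rtype):
    # Stand-in for a DNS resolver: returns the record set or an empty list.
    return ZONE.get((name, rtype), [])

def fcrdns(ip):
    """Forward-confirmed reverse DNS: PTR name whose A/AAAA set contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    fwd = "AAAA" if addr.version == 6 else "A"
    for name in lookup(addr.reverse_pointer, "PTR"):   # e.g. ...8.b.d.0.1.0.0.2.ip6.arpa
        if any(ipaddress.ip_address(a) == addr for a in lookup(name, fwd)):
            return name
    return None

def spf_allows(domain, ip):
    """Minimal SPF: ip4/ip6/mx/all with +/-/~/? qualifiers; only '+' counts as pass."""
    addr = ipaddress.ip_address(ip)
    fwd = "AAAA" if addr.version == 6 else "A"
    for txt in (t for t in lookup(domain, "TXT") if t.startswith("v=spf1")):
        for term in txt.split()[1:]:
            qual, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
            mech, _, arg = term.partition(":")
            if mech == "all":
                hit = True
            elif mech in ("ip4", "ip6"):
                # ip_network membership is False across address families, so an
                # ip4: mechanism never matches an IPv6 sender.
                hit = addr in ipaddress.ip_network(arg, strict=False)
            elif mech == "mx":
                mxs = lookup(arg or domain, "MX")
                hit = any(ipaddress.ip_address(a) == addr for h in mxs for a in lookup(h, fwd))
            else:
                hit = False   # include/redirect/exists are out of scope here
            if hit:
                return qual == "+"
    return False   # no record, or no matching mechanism
```

Running `fcrdns` over each address that `ip -6 addr` reports on the server shows which ones would fail the first of these checks, independently of what SPF says.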

Interesting, thanks, I thought my server would not have an IPv6 address unless I had explicitly requested or bought one but it looks like I assumed wrongly. The second IPv6 address in the bounceback, the one I anonymised as 1234:1234:1234:a12::12a1, points a whois check to my hosting company but doesn't find anything with a PTR check. I think this means it must be my mystery IPv6 address, do you know any way I could confirm this?

– user56reinstatemonica8 – 2017-07-18T12:37:26.333

@user568458 Just run ip addr/ifconfig on your server? IPv6 addresses usually don’t have reverse DNS by default because there’s so many of them. – Daniel B – 2017-07-18T12:38:59.197

Ha, of course. ip -6 addr found two IPv6 addresses with nothing in my DNS tying them to the domain so I guess I need to set up the same PTR for them to point at my domain (as well as the AAAA and checking firewall etc) – user56reinstatemonica8 – 2017-07-18T12:46:10.763

@user568458 If you have two, make sure one of them isn't "temporary"; these are rotated every ~10 hours unless you turn off the "Privacy Addressing" feature. (You don't need it on a server, and it makes rDNS difficult.) – user1686 – 2017-07-18T14:37:42.593