
I have a website, example.com, running on a Windows 2008 server with IIS 7 and the "IIS 6" SMTP service. The website regularly sends out emails to info@example.com.

In rare instances, the MX record lookup for example.com fails, and so the SMTP service falls back to the A record, which I understand is expected behavior. However, this is not desired behavior, since the mail server for example.com is on a different machine, so the occasional email bounces.

What's the best way to prevent this?


EDIT: My DNS setup looks like this:

A - example.com -> 11.22.33.44
A - mail.example.com -> 55.66.77.88
CNAME - www.example.com -> example.com
MX - example.com -> server-a.outside-spam-filter-service.com
MX - example.com -> server-b.outside-spam-filter-service.com
MX - example.com -> server-c.outside-spam-filter-service.com
MX - example.com -> server-d.outside-spam-filter-service.com

I am not running a DNS server on the local machine. The machine is set to use the DNS servers of our hosting provider (PEER1).


EDIT 2, answers to troubleshooting questions:

1. Is the web server part of an AD domain?

The server is not a part of a domain.

2. Is the smtp service on the web server configured to accept email for example.com? If it is, and is not configured to relay email, it will try to deliver the message locally, as opposed to looking for the MX records, which could be confused with falling back to the 'A'.

The SMTP service is configured to accept all local SMTP connections, and is configured to relay all emails. (Plus, if it wasn't configured to relay, wouldn't it bounce all emails as opposed to just some?)

3. ... Check the DNS servers that the web server is using, and from the web server run the queries to check the MX records for example.com, and make sure it is returning the correct info ....

I did a command-line nslookup using both servers listed as the DNS servers for the primary NIC. The MX records came back as expected.

anon
    Your MX lookup shouldn't be failing in a way that makes the client think that there's no MX records - How's your DNS set up? – Shane Madden Sep 13 '11 at 14:32
  • @Shane - I've added my DNS setup to my question. – anon Sep 13 '11 at 14:47
  • I mean more along the lines of: what servers does your public DNS reside on, how many are there, and what are they running? – Shane Madden Sep 13 '11 at 14:48
  • You said primary nic? does it have more than 1 nic are there NS servers on that nic? IF the primary nic fails can the server fail over to the other nic. Just trying to figure out why you will fail to get an MX record sometimes, yet still get an A. – Doon Sep 13 '11 at 18:24
  • @Doon - There are two NIC's, but one is disabled. – anon Sep 14 '11 at 13:56
  • @anon. Sorry, I am at a loss. The only way it should attempt to deliver to the 'A' is it doesn't receive any MX records from its DNS server. So I am out of ideas as to how that can happen.. – Doon Sep 14 '11 at 15:10
  • @Doon - No problem. I'll leave this question open for a bit to see if anyone else has any suggestions. Meanwhile, I've set up a scheduled task to run log nslookup results every 5 minutes to see if there's some sort of pattern and to see how often it happens. – anon Sep 14 '11 at 15:58
  • the scheduled task sounds like a good idea. – Doon Sep 14 '11 at 16:06

4 Answers

5

The A record should only be delivered to if no mx records exist. If they exist but the server doesn't answer or 4xx the mail, the sending server should queue the message and try again. If the MX fails to answer and the sending server then tries the A record it sounds to me like that server is broken.

Edit: Troubleshooting steps

As it only happens on the web server itself, here are things to look at.

  1. Is the web server part of an AD domain? Is the AD domain the same as the outside domain name? If they are using the same Domain name (example.com) then the internal AD will override the external DNS servers, and you will need to make sure that your internal AD DNS has the correct MX records.
  2. Is the SMTP service on the web server configured to accept email for example.com? If it is, and is not configured to relay email, it will try to deliver the message locally, as opposed to looking for the MX records, which could be confused with falling back to the 'A'.
  3. What DNS servers is the web server configured to use? Check the DNS servers that the web server is using, and from the web server run the queries to check the MX records for example.com, and make sure it is returning the correct info. Do the following from the web server. Also look at the configuration from the web server and try against every server listed as its local DNS server, not the external servers at your hosting company.

    nslookup
    > set type="mx"
    > example.com

Mircea Vutcovici
Doon
  • Okay. So what do you suggest as initial troubleshooting steps? – anon Sep 13 '11 at 15:26
  • if you could provide your real domain name, we can look at see what the zone looks like from the outside world.. does this happen from world in general or only from your website? Is your website running an SMTP server on it, Does the smtp server have a configuration for your domain in it? Does your web server have more than 1 Name Server configured, have you tried querying each of the ones specified to make sure they all answer correctly? – Doon Sep 13 '11 at 15:56
  • Unfortunately, I don't feel comfortable giving out the real domain name. The web server is running the Microsoft SMTP service. I'm not sure what you mean by "Does the smtp server have a configuration for your domain in it?" -- Outgoing connections are configured to have an FQDN, if that's what you mean. There are two DNS servers that PEER1 configured for us. I did an MX record lookup from the nslookup command line using the IPs of both of these DNS servers, and the records for example.com came up fine. – anon Sep 13 '11 at 16:17
  • Does the problem happen from the outside world? Or only from your webserver? – Doon Sep 13 '11 at 16:19
  • The problem only happens from the web server, so far as I know. – anon Sep 13 '11 at 16:23
  • I'll edit my answer with steps to try. – Doon Sep 13 '11 at 16:37
  • Is the domain name a secret? Why do you have a domain in the first place if you don't want people to know what it is? Not to be sarcastic, but there's a crazy idea that if you divulge information about your domain then you've somehow opened yourself up to some security risk. Listen, you're on the internet, you have some number of servers on the internet (by virtue of having a web site and an email server), you have a registered domain name, there isn't anything you can tell us about your domain that isn't already known so how about helping us help you by telling us what your domain name is? – joeqwerty Sep 13 '11 at 17:48
  • I've updated my question with answers to your troubleshooting steps. Thanks for all your help so far! @joeqwerty - Sorry, professional paranoia. I'm not concerned about security here, just information leakage. I know I'm handcuffing you here, but just don't feel comfortable with it. – anon Sep 13 '11 at 18:20
  • Understood, we'll do our best. Is example.com configured as an Alias domain or a Remote domain in IIS? I'm a little confused. – joeqwerty Sep 13 '11 at 18:23
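The answer above hinges on one distinction: an authoritative "no MX records" answer is the only case in which a sending MTA may fall back to the A record, whereas a failed or timed-out MX lookup must lead to queueing and a retry. The following is an added example illustrating that decision logic (RFC 5321 section 5.1, plus the null-MX rule of RFC 7505); it is not code from the question, from any answer, or from the Microsoft SMTP service. The resolver functions `lookup_mx` / `lookup_a` are injected stand-ins so the block runs offline, and the zone data is constructed to mirror the DNS layout in the question (the MX preferences are assumed; the question does not give them).

```python
# Added example (not code from the question or any answer): the delivery
# decision an SMTP client is supposed to make after an MX lookup, per
# RFC 5321 section 5.1 and the null-MX rule of RFC 7505. lookup_mx/lookup_a
# are assumed stand-ins for the real DNS client; the zone data is constructed.
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, Dict, List, Tuple


class NxDomain(Exception):
    """RCODE NXDOMAIN: the name does not exist (permanent failure)."""


class ServFail(Exception):
    """SERVFAIL, REFUSED or timeout: temporary resolver failure."""


class Decision(Enum):
    DELIVER_TO_MX = auto()  # one or more usable MX hosts
    DELIVER_TO_A = auto()   # NOERROR with no MX records: implicit MX on the A record
    QUEUE_RETRY = auto()    # temporary DNS failure: keep the message, try later
    BOUNCE = auto()         # NXDOMAIN, null MX, or no address at all: permanent


@dataclass
class Plan:
    decision: Decision
    targets: List[str] = field(default_factory=list)
    reason: str = ""


MxLookup = Callable[[str], List[Tuple[int, str]]]  # (preference, host)
ALookup = Callable[[str], List[str]]                # IPv4 addresses


def plan_delivery(domain: str, lookup_mx: MxLookup, lookup_a: ALookup) -> Plan:
    """Decide where mail for `domain` goes, distinguishing 'no MX records'
    (fall back to A) from 'the MX lookup failed' (queue, never fall back)."""
    try:
        mx = lookup_mx(domain)
    except NxDomain:
        return Plan(Decision.BOUNCE, reason="NXDOMAIN for %s" % domain)
    except ServFail:
        # The A fallback is NOT allowed here: a failed lookup is not an
        # authoritative answer saying the domain has no MX records.
        return Plan(Decision.QUEUE_RETRY, reason="temporary DNS failure for %s" % domain)

    if mx:
        # RFC 7505 null MX: a record with host "." means the domain takes no mail.
        if any(host == "." for _, host in mx):
            return Plan(Decision.BOUNCE, reason="null MX: %s does not accept mail" % domain)
        hosts = [host for _, host in sorted(mx, key=lambda rec: rec[0])]
        return Plan(Decision.DELIVER_TO_MX, hosts, "%d MX record(s)" % len(mx))

    # NOERROR with an empty MX answer: implicit MX (preference 0) on the domain itself.
    try:
        addrs = lookup_a(domain)
    except NxDomain:
        return Plan(Decision.BOUNCE, reason="no MX and no address for %s" % domain)
    except ServFail:
        return Plan(Decision.QUEUE_RETRY, reason="temporary DNS failure resolving A for %s" % domain)
    if not addrs:
        return Plan(Decision.BOUNCE, reason="no MX and no address for %s" % domain)
    return Plan(Decision.DELIVER_TO_A, addrs, "no MX records; implicit MX on the A record")


# Constructed zone mirroring the question's layout (MX preferences assumed).
SAMPLE_MX: Dict[str, List[Tuple[int, str]]] = {
    "example.com": [
        (10, "server-a.outside-spam-filter-service.com"),
        (20, "server-b.outside-spam-filter-service.com"),
        (30, "server-c.outside-spam-filter-service.com"),
        (40, "server-d.outside-spam-filter-service.com"),
    ],
    "nomx.example": [],            # constructed: a domain with an A record but no MX
    "nomail.example": [(0, ".")],  # constructed: RFC 7505 null MX
}
SAMPLE_A: Dict[str, List[str]] = {
    "example.com": ["11.22.33.44"],
    "mail.example.com": ["55.66.77.88"],
    "nomx.example": ["192.0.2.10"],  # constructed TEST-NET address
}


def healthy_mx(domain: str) -> List[Tuple[int, str]]:
    """Resolver that answers from the constructed zone."""
    if domain not in SAMPLE_MX and domain not in SAMPLE_A:
        raise NxDomain(domain)
    return list(SAMPLE_MX.get(domain, []))


def healthy_a(domain: str) -> List[str]:
    if domain not in SAMPLE_MX and domain not in SAMPLE_A:
        raise NxDomain(domain)
    return list(SAMPLE_A.get(domain, []))


def flaky_mx(domain: str) -> List[Tuple[int, str]]:
    """Models the question's 'rare instance': the MX query itself fails."""
    raise ServFail(domain)


if __name__ == "__main__":
    cases = (("example.com", healthy_mx), ("example.com", flaky_mx),
             ("nomx.example", healthy_mx), ("nomail.example", healthy_mx),
             ("missing.example", healthy_mx))
    for dom, mx_fn in cases:
        p = plan_delivery(dom, mx_fn, healthy_a)
        print("%-16s %-14s %s %s" % (dom, p.decision.name, p.targets, p.reason))
```

Run against the flaky resolver, `plan_delivery` queues the message instead of handing it to 11.22.33.44, which is the behaviour the answer says a correct sender should show; a sender that lands on `DELIVER_TO_A` in that case is what produces the occasional bounce described in the question. Logging which branch is taken each time (or, as the asker did, logging periodic `nslookup` results) is the cheapest way to tell a resolver returning an empty answer apart from one that times out.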
0

Since you mean that you only want your messages to a specific email address on a specific server to go straight through, you could send to info@55.66.77.88 and configure the mailserver to accept mail sent to its IP address and deliver to the correct mailbox. That would cut out the DNS lookup altogether.

dunxd
0

You have to fix your DNS resolver on the box. Even with two or more MX records, you would still receive the bounces as your box can not resolve any of them in your rare instances.

A dirty workaround would be to install the Windows DNS services; best if you can make it a DNS-Slave to get all updates automatically. For that you are likely to add some rules at the master dns-server, depending on the type of OS and dns daemon.

CyberOptic
    That is an *exceptionally* dirty workaround: The leap from "My DNS is broken" to "Run a local slave for every zone that misbehaves" is the antithesis of scalability. – voretaq7 Sep 13 '11 at 14:47
  • That's right ;-) You could also just use another DNS server if your ISP can't provide working stuff ;-) – CyberOptic Sep 13 '11 at 15:04
  • @CyberOptic - Well, it's dirty, but awfully tempting. I even entertained the thought of editing the HOSTS file on the local machine. – anon Sep 13 '11 at 15:50
0

The problem as I see it is that you don't have an A record for the host spam-filter.example.com to which the MX refers.

I could be wrong but I believe fallback to the domain A record should only occur in the absence of an MX record... not in the absence of the A record to which the MX refers, and not due to an empty MX, and not due to an nxdomain.

joeqwerty
  • Argh. My example was a little misleading. The spam filter is an outside service. Corrected. – anon Sep 13 '11 at 15:35