Two Tips For Making Sure Your Mail Gets Sent
Posted by
Brad Wood
Dec 08, 2009 06:31:00 UTC
A lot of you have web servers that double as mail servers to relay out mail from your ColdFusion applications. Even if you have a separate server that handles your mail relay, this post should still be helpful. The more spam proliferates on the Internet, the more antsy ISPs get about blocking mail. There is a litany of reasons an ISP might reject mail from your server. GoDaddy has been one of the most annoying companies to deal with. There are two things I had to fix on my mail server before they would accept mail from my server: reverse DNS and HELO host name.

I find both of these items a little annoying. Yes, technically both of them are required by RFCs, but they don't really tell you whether or not the owner of a server is legit or if the mail coming out of it is spam. All they tell you is that the server admin took the time to configure their server properly. There's absolutely nothing preventing a scum-of-the-earth spammer from setting up these configurations on his server so that his mail is accepted.
Reverse DNS
You are certainly aware of how forward DNS works. This is what turns your domain name into the IP address of your server. As the owner of your domain, you are responsible for configuring the name servers for your domain, which are the authoritative location for your domain's DNS. A domain name is associated with an IP address via a DNS "A" record. Forward DNS is seen in action from a command prompt like so:

[code]
C:\>ping bradwood.com
Pinging bradwood.com [69.60.116.244] with 32 bytes of data:
[/code]

Reverse DNS is the opposite. It is what turns an IP address back into a domain name. In theory it should resolve to a domain name that resolves back to the IP address you started with. To see reverse DNS in action we can use the ping command again with the "-a" option:
[code]
C:\>ping -a 69.60.116.244
Pinging bradwood.com [69.60.116.244] with 32 bytes of data:
[/code]

Reverse DNS is set up by the entity that owns the IP address. This is generally your hosting company or their bandwidth provider. All IP addresses are managed by 5 regional internet registries: ARIN (North America), RIPE (Europe), etc. An ISP purchases the rights to a block of IP addresses from the appropriate registry based on their geographic location. They then assign them out to their customers and optionally delegate whois responsibility. The ISP or entity delegated whois responsibility for the IP address sets up a PTR record in their DNS using a special zone named "in-addr.arpa". The easiest way to demonstrate who owns my IP address is to ask ARIN directly:
http://ws.arin.net/whois/?queryinput=69.60.116.244
[code]
Infolink INFOLINK-BLK-101 (NET-69-60-96-0-1) 69.60.96.0 - 69.60.127.255
Serverpronto INMM-69-60-114-0 (NET-69-60-114-0-1) 69.60.114.0 - 69.60.125.255
[/code]

Seeing the PTR record Server Pronto set up for me in action looks like this:
[code]
C:\>nslookup -type="PTR" 244.116.60.69.in-addr.arpa
Non-authoritative answer:
244.116.60.69.in-addr.arpa name = bradwood.com
[/code]

So, in short-- you don't have to get hung up on the details (even though I find them incredibly intriguing). When you do a "ping -a xxx.xxx.xxx.xxx" on the IP address that sends your mail, the domain name that is output should resolve back to the IP address you started with when you do a "ping your-reverse-DNS-domain.com" command.
Helo Host Name
The second item that needs to be configured on your server is the host name that your SMTP server responds with. The host name needs to be a fully qualified domain name which resolves back to the IP address of your server. One way to check this is to simply connect to your mail relay and ask it. In the example below I typed in the "HELO foo" text and hit enter after my server's banner displayed.

[code]
C:\>telnet 69.60.116.244 25
220 bradwood.com ESMTP Exim 4.67 Mon, 07 Dec 2009 23:37:04 -0600
HELO foo
250 bradwood.com Hello foo [72.135.9.201]
[/code]

As you can see, bradwood.com is my server's host name, which gets output in the welcome banner as well as in the response to my HELO command. SMTP is apparently a very polite protocol. :) Most SMTP servers allow you to customize the host name they supply without actually changing the computer name. And in case you're wondering-- yes, it is technically a bad thing from a server hardening perspective that I am using the default connection banner that announces the fact that I'm using Exim 4.67.
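Both checks described above, scripted as an added example (not code from the original post): the PTR name must resolve forward to the sending IP, and the HELO host name must be a fully qualified name that resolves to that same IP. The function names are this example's own, and the sample records and session replay what the post shows rather than doing live lookups.

```python
import ipaddress
import re
import socket

# Records and session copied from the post (2009); used as offline sample data.
SAMPLE_PTR = {"69.60.116.244": ["bradwood.com"]}
SAMPLE_A = {"bradwood.com": ["69.60.116.244"]}
SAMPLE_SESSION = """220 bradwood.com ESMTP Exim 4.67 Mon, 07 Dec 2009 23:37:04 -0600
HELO foo
250 bradwood.com Hello foo [72.135.9.201]"""

def system_reverse(ip):
    """PTR lookup through the OS resolver; [] when no PTR exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_forward(name):
    """A/AAAA lookup through the OS resolver; [] when the name does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def resolves_to(name, ip, forward):
    """True when one of the addresses for name equals ip."""
    want = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == want for a in forward(name))

def fcrdns(ip, reverse=system_reverse, forward=system_forward):
    """PTR names for ip that also resolve forward to ip (the post's first check)."""
    names = [n.rstrip(".").lower() for n in reverse(ip)]
    return [n for n in names if resolves_to(n, ip, forward)]

def helo_name(session):
    """Host name the server gives in its 250 reply to HELO, or None."""
    m = re.search(r"^250[ -](\S+)", session, re.MULTILINE)
    return m.group(1).lower() if m else None

def check_sender(ip, session, reverse=system_reverse, forward=system_forward):
    """Run both checks from the post for the IP address that sends the mail."""
    name = helo_name(session)
    return {
        "ptr_query": ipaddress.ip_address(ip).reverse_pointer,
        "ptr_confirmed": fcrdns(ip, reverse, forward),
        "helo_name": name,
        "helo_ok": bool(name) and "." in name and resolves_to(name, ip, forward),
    }
```

Called with only an IP address and a captured session, `check_sender` uses the operating system's resolver; an empty `ptr_confirmed` list or a false `helo_ok` points at the setting to fix.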
The Easy Way
So, now that I showed you the hard way to check your reverse DNS and host name, I guess I should be nice and let you know there are a number of sites out there that will do these checks and much more for you automatically. One site that I like to use is http://www.mxtoolbox.com/diagnostic.aspx. Hopefully this will get you started.
JD
What about cases where websites share IP addresses? Same IP Address...just different host headers. Any idea how it's handled?
Brad Wood
@JD: Good question. What I did was simply pick one. I picked the one primary domain to be the host name for my server and I set up reverse DNS to point back to it. The trick is, you need to be using whatever IP address gets used when mail is sent. i.e., the one that will show up in the E-mail headers when your server sends mail. That is the address the receiving server will "see" you as and it is the IP address it will attempt to do a reverse DNS lookup on, and it is also the IP address the reverse DNS lookup needs to complete a forward lookup back to. I think as long as you don't have more than one SMTP service running on multiple IP addresses on the same box (not even sure if that is possible) you shouldn't have any problems.
Brad Wood
@JD: One more quick thing-- don't confuse host name with host headers. The former is the name of the server that the SMTP server hands out to identify itself on port 25. (That needs to resolve back to the IP sending the mail.) The second is a setting in IIS or Apache that determines what web site or virtual host to serve up based on the HTTP GET or POST headers that came in on port 80. (These won't affect your mail going out. In fact, the remote mail server probably won't even know the server at that IP address is also hosting a web site.)
MxToolBox Support
Thanks so much for recommending our DNS tools! We are working hard on creating an all-in-one tool that does all the DNS tests and lookups you could ever need! If you have any other tool additions or feedback, please let us know.
Thanks, @MxToolBox