
Re: [tlug] Reverse DNS Delegation



On Fri, Jul 19, 2013 at 1:03 PM, Curt Sampson <cjs@example.com> wrote:
> On 2013-07-18 12:56 -0300 (Thu), SCHWARTZ, Fernando G. wrote:
>
>> I agree with your comments except for the fact that there is little
>> workaround to a properly configured "rDNS" record. By properly I mean
>> one matching your domain.
>>
>> You can't expect your modern/secure mailserver to run smoothly without one.
>
> Well, I think I disagree, since I've been running for years what I
> believe is a "modern/secure mailserver" with an in-addr.arpa PTR record
> that is not pointing to a name in a domain I own.

I've been running email for an e-commerce business here in JP for a few
years now, and when it comes to it (especially when sending lots; we
push out roughly 1M messages per day) the whole thing is a bit of dark
magic.

For small domains/servers (I'd say a handful of thousands of messages
per day) things should be pretty easy, as the IP you're sending from
won't be flagged in any of the automated blacklist/rate limiting of
the various providers, and Curt is indeed correct: no need for a
domain-bound reverse IP DNS configuration.

The best practices I would follow are (see RFC-2119 for terminology):

* you MUST have a reverse IP DNS entry: it doesn't matter to whom, but
if you don't, some finicky sysadmin might consider your IP as being a
dynamic IP and immediately reject email.

* you MUST have the name resolved by the reverse IP DNS lookup point
back to the same name (if 1.2.3.4 resolves as customerX.providerY.dom
then customerX.providerY.dom MUST resolve to 1.2.3.4).

* you SHOULD use the reverse IP DNS entry as your EHLO hostname: if
your ISP lists 1.2.3.4 as customerX.providerY.dom, use that as your
EHLO string; if you don't, you MUST use a name that DNS resolves to
that IP.

* you MUST have an SPF record in your domain's DNS allowing the IP you're
sending from as a designated sender (just because it's 2013).

* you SHOULD sign your outgoing messages for your domain with DKIM
(again, be a kind and trusted internet citizen).

* you MUST have some MX records for the domain in question (it MAY be
better to have one pointing to the same IP address you're sending
from) and MUST make sure that "postmaster@domain" and "abuse@domain"
are valid mailboxes (per RFC-822 and RFC-2142).

* you SHOULD make sure that the host you're sending from accepts
connections on port 25 back and MAY accept messages for your domain
(see above), and if you do you MUST make sure that you're not an open
relay.

* you MUST make sure that your IP is never listed in any of the RBL
tables (check periodically) and MAY use https://www.senderscore.org/
(or similar) for guidance on deliverability.

If on the other hand (like us) you need to send millions of emails
per day, especially in short bursts (we send the bulk of it in 15
minutes right before 9 PM JST), everything matters, from your WHOIS
records to how many spam traps you hit per day, to reverse DNS, ...
everything contributes "a bit" to increase the IP's reputation...

We use different services to give us various stats and insight into
the various providers' reputation over our IPs and constantly optimise
our server send rates dynamically based on how the ISPs respond to us
(our mailers do dynamic throttling, trying to be kind with the other
servers out there, but again, it's a bit of dark magic that even I
don't fully grasp).

Hope this helps, happy emailing!

    Pier
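The DNS side of Pier's checklist (PTR present, forward-confirmed reverse DNS, EHLO name resolving to the sending IP, an SPF record that designates the IP, and MX records for the domain) can be verified mechanically before a host is put into production. The script below is an added example written for this archive page; it is not code from the thread. It evaluates the checks against a constructed in-memory DNS table (the 1.2.3.4 / customerX.providerY.dom names from the post, plus an invented example.com zone and an invented 6.7.8.9 host whose PTR does not confirm forward) so it runs offline; swapping `lookup` for a real resolver such as dnspython would turn it into a live pre-flight check. The SPF evaluation is deliberately simplified to the ip4/ip6/a/mx/all mechanisms and ignores include/redirect.

```python
import ipaddress

# Constructed sample DNS data standing in for live lookups. Keys are
# (owner name with trailing dot, record type); values are RDATA strings.
SAMPLE_DNS = {
    ("4.3.2.1.in-addr.arpa.", "PTR"): ["customerx.providery.dom."],
    ("customerx.providery.dom.", "A"): ["1.2.3.4"],
    ("example.com.", "MX"): ["10 mail.example.com."],
    ("example.com.", "TXT"): ['"v=spf1 ip4:1.2.3.4 -all"'],
    ("mail.example.com.", "A"): ["1.2.3.4"],
    # A host whose PTR exists but does not resolve back: fails FCrDNS.
    ("9.8.7.6.in-addr.arpa.", "PTR"): ["badhost.providery.dom."],
    ("badhost.providery.dom.", "A"): ["6.7.8.10"],
}


def lookup(name, rtype, dns=SAMPLE_DNS):
    """Return RDATA strings for (name, type); names are case-insensitive."""
    return dns.get((name.lower(), rtype), [])


def reverse_name(ip):
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa. (also handles IPv6 via ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_fcrdns(ip, dns=SAMPLE_DNS):
    """MUST: a PTR exists and at least one PTR target resolves back to ip."""
    ptrs = lookup(reverse_name(ip), "PTR", dns)
    if not ptrs:
        return (False, "no PTR record")
    for name in ptrs:
        if ip in lookup(name, "A", dns):
            return (True, name)
    return (False, "PTR %s does not resolve back to %s" % (ptrs[0], ip))


def check_ehlo(ehlo, ip, dns=SAMPLE_DNS):
    """SHOULD: EHLO equals the PTR name; otherwise MUST resolve to ip."""
    name = ehlo.rstrip(".").lower() + "."
    if name in [p.lower() for p in lookup(reverse_name(ip), "PTR", dns)]:
        return "matches PTR"
    if ip in lookup(name, "A", dns):
        return "resolves to sending IP"
    return "does not resolve to sending IP"


def spf_result(domain, ip, dns=SAMPLE_DNS):
    """Simplified SPF: ip4/ip6/a/mx/all only, first matching mechanism wins.
    Returns one of none/pass/fail/softfail/neutral."""
    records = [t.strip('"') for t in lookup(domain + ".", "TXT", dns)]
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    addr = ipaddress.ip_address(ip)
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        matched = False
        if mech in ("ip4", "ip6"):
            # A bare address is treated as a /32 (or /128) network.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup((arg or domain) + ".", "A", dns)
        elif mech == "mx":
            for mx in lookup((arg or domain) + ".", "MX", dns):
                if ip in lookup(mx.split()[1], "A", dns):
                    matched = True
        elif mech == "all":
            matched = True
        if matched:
            return verdict[qualifier]
    return "neutral"


def check_mx(domain, sending_ip, dns=SAMPLE_DNS):
    """MUST: at least one MX; MAY: one MX host is the sending IP itself."""
    hosts = [m.split()[1] for m in lookup(domain + ".", "MX", dns)]
    self_is_mx = any(sending_ip in lookup(h, "A", dns) for h in hosts)
    return (bool(hosts), self_is_mx)


def report(ip, domain, ehlo, dns=SAMPLE_DNS):
    """Collect the DNS-checkable items of the checklist for one sender."""
    return {
        "fcrdns": check_fcrdns(ip, dns),
        "ehlo": check_ehlo(ehlo, ip, dns),
        "spf": spf_result(domain, ip, dns),
        "mx": check_mx(domain, ip, dns),
    }


if __name__ == "__main__":
    for k, v in report("1.2.3.4", "example.com", "customerX.providerY.dom").items():
        print("%-7s %s" % (k, v))
```

The mailbox requirements (postmaster@ and abuse@ accepting mail) and the open-relay and RBL checks need a live SMTP session or external services and are out of scope for an offline checker.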

