Has my ISP mangled my DNS reverse lookup record for a single static IP address?
I've taken on the task of running a small email server, and the world of spam makes it more challenging for an individual, as many MTAs are highly paranoid about accepting email.
I think I've configured nearly everything that could be a problem successfully: a commercial SSL certificate, DKIM, a proper domain, and a static IP address. My (piddly) email in fact goes out almost all of the time. But the most paranoid MTAs are still rejecting my email - Craigslist for example - and it appears to be my reverse lookup at fault.
I've recently changed my static IP address, and my service with my ISP. When they changed it, I tried to get this configured correctly, but I fear it is not. But I'm not 100% certain what is wrong, or what my reverse record should look like.
I especially don't want to approach my ISP with a "Look, I don't know what the problem is, but you need to fix it anyhow" attitude. If there's a problem I want to be able to describe exactly what it is before I get on the phone with the NOC. They don't offer a control panel for this as far as I can tell, so I don't want to try anyone's patience with a bunch of trial and error.
OK, the specifics, redacted & fictional, but consistent:
Domain: funkeedomain.org
Mailserver (DNS MX record): mx.funkeedomain.org
Static IP address: 111.222.333.444
Static IP address reversed: 444.333.222.111
FQDN originally requested of the ISP for reverse lookups: main.funkeedomain.org
Here's a typical rejection notice from my mail server (hMailServer):
Your message did not reach some or all of the intended recipients.
Sent: Thu, 12 Jan 2017 11:53:50 -0800 (PST)
Subject: Blah blah blah
The following recipient(s) could not be reached:
[email protected]
Error Type: SMTP
Remote server (64.235.154.109) issued an error.
hMailServer sent: .
Remote server replied: 550 permanent failure for one or more recipients ([email protected]:550 Sender IP reverse lookup rejected)
hMailServer
A commercial email-sending checker tells me:
main.funkeedomain.org.333.222.111.in-addr.arpa Failed - No A Record Found in DNS
So, fine. What do DNS tools tell me?
stew@griffin:~$ host 111.222.333.444
444.333.222.111.in-addr.arpa domain name pointer main.funkeedomain.org.333.222.111.in-addr.arpa.
stew@griffin:~$ dig -x 111.222.333.444
; <<>> DiG 9.10.3-P4-Ubuntu <<>> -x 111.222.333.444
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16150
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;444.333.222.111.in-addr.arpa. IN PTR
;; ANSWER SECTION:
444.333.222.111.in-addr.arpa. 86365 IN PTR main.funkeedomain.org.333.222.111.in-addr.arpa.
;; Query time: 0 msec
;; SERVER: 10.0.0.4#53(10.0.0.4)
;; WHEN: Thu Jan 12 19:09:11 PST 2017
;; MSG SIZE rcvd: 93
From reading examples (http://www.gettingemaildelivered.com/how-to-set-up-reverse-dns-rdns for instance), my strong impression is that this is wrong, and my reverse record set up by my ISP should be a PTR to "main.funkeedomain.org", NOT "main.funkeedomain.org.333.222.111.in-addr.arpa."
Am I right to think this? What should I be expecting in my reverse record if not what I'm finding?
Thanks all who responded, and my post-post grammar copy-editor.
Both HBruijn and Andrew B's answers were correct, but they appear to want me to select HBruijn's, which is also shorter, and so I have.
I had to call no less than five times to get this resolved. Having a 100% accurate diagnosis was surely key to me getting this passed blindly up 3 levels of escalation successfully - I was never allowed to talk to the DNS department directly.
Thank you all again.
444.333.222.111.in-addr.arpa. 86365 IN PTR main.funkeedomain.org.333.222.111.in-addr.arpa.
Seems that in the reverse DNS zone data somebody forgot to add a trailing period (.) to your hostname to indicate that it is a fully qualified hostname. In DNS shorthand any simple hostname gets appended with $ORIGIN.
The correct zone data would be
444.333.222.111.in-addr.arpa. 86365 IN PTR main.funkeedomain.org.
or, in DNS shorthand, you can optionally omit the $ORIGIN (i.e. 333.222.111.in-addr.arpa):
444 86365 IN PTR main.funkeedomain.org.
Look at the answer section a little more closely:
;; ANSWER SECTION:
444.333.222.111.in-addr.arpa. 86365 IN PTR main.funkeedomain.org.333.222.111.in-addr.arpa.
Specifically, the value of the PTR record:
main.funkeedomain.org.333.222.111.in-addr.arpa.
Your ISP forgot to add the trailing dot to your FQDN. This is causing the DNS software to helpfully append the name of the zone file to the end of the data.
Tell them to look at your reverse DNS record again, mention the trailing dot, and if they have any sense to them they'll know exactly what they did wrong.
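Both answers above (HBruijn's and Andrew B's) describe the same mechanism: a name without a trailing dot is relative, and the zone's $ORIGIN is appended when the file is loaded. The following Python is an added example, not code from either answer or from any DNS server, that implements that qualification rule for a minimal subset of master-file syntax and loads the question's PTR line with and without the trailing dot. All zone text is constructed from the fictional values in the question.

```python
"""Minimal zone-file name qualification (RFC 1035 section 5.1 rules):
a name ending in '.' is absolute, '@' is the origin, anything else has
the current $ORIGIN appended. Added example using the question's fictional
values; it is not HBruijn's or Andrew B's code."""

NAME_RDATA = {"PTR", "CNAME", "NS"}   # record types whose RDATA is a domain name


def qualify(name: str, origin: str) -> str:
    """Return the absolute form of a zone-file name under the given origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name                      # already fully qualified
    return f"{name}.{origin}"            # relative: append $ORIGIN


def parse_zone(text: str, default_origin: str) -> list[tuple[str, str, str]]:
    """Parse 'owner [ttl] [IN] TYPE rdata' lines into (owner, type, rdata).

    Handles $ORIGIN directives, ';' comments, and a blank owner field
    (leading whitespace) meaning 'same owner as the previous record'.
    Every name in the output is absolute, exactly as a server would load it.
    """
    origin = default_origin.rstrip(".") + "."
    last_owner = origin
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1], origin)
            continue
        if line[0].isspace():
            owner = last_owner           # blank owner: reuse the previous one
        else:
            owner = qualify(fields.pop(0), origin)
        last_owner = owner
        if fields and fields[0].isdigit():
            fields.pop(0)                # TTL is irrelevant to name handling
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        rtype = fields.pop(0).upper()
        if rtype in NAME_RDATA:
            rdata = qualify(fields[0], origin)
        elif rtype == "MX":
            rdata = f"{fields[0]} {qualify(fields[1], origin)}"
        else:
            rdata = " ".join(fields)     # A, TXT, ...: literal data, untouched
        records.append((owner, rtype, rdata))
    return records


# Constructed reverse-zone lines for the question's fictional 111.222.333.0/24 block.
REVERSE_ORIGIN = "333.222.111.in-addr.arpa."
BROKEN_PTR_LINE = "444 86365 IN PTR main.funkeedomain.org"    # no trailing dot
FIXED_PTR_LINE = "444 86365 IN PTR main.funkeedomain.org."    # absolute name


def ptr_target(record_line: str) -> str:
    """Load one PTR line under the reverse zone's origin and return its target."""
    (_owner, _rtype, rdata), = parse_zone(record_line, REVERSE_ORIGIN)
    return rdata


if __name__ == "__main__":
    for line in (BROKEN_PTR_LINE, FIXED_PTR_LINE):
        print(f"{line!r:50} -> {ptr_target(line)}")
```

The broken line yields main.funkeedomain.org.333.222.111.in-addr.arpa., exactly what dig -x returned in the question; the same line with the trailing dot yields main.funkeedomain.org. The parser also accepts the apex-shorthand forward records from the third answer ($ORIGIN funkeedomain.org. with @ and a bare main owner), which is a quick way to confirm what a given zone file will actually publish before handing it to the ISP.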
In addition to fixing the reverse entry (see Andrew B's and HBruijn's answers), it sounds like your forward entries may also be confused. If the server's hostname is main.funkeedomain.org, you shouldn't also have mx.funkeedomain.org involved; instead you should have a record of type "MX" pointing from funkeedomain.org to main.funkeedomain.org, and an "A" record pointing from main.funkeedomain.org to 111.222.333.444. Basically, you want the forward lookups to look like this:
$ host -t mx funkeedomain.org
funkeedomain.org mail is handled by 10 main.funkeedomain.org.
$ host main.funkeedomain.org
main.funkeedomain.org has address 111.222.333.444
The records in your zone file should look something like this:
funkeedomain.org. MX 10 main.funkeedomain.org.
main.funkeedomain.org. A 111.222.333.444
Or they might have the zone name (funkeedomain.org) be implicit, indicated by a missing final "." (as Andrew B suspects is the problem with the reverse record), like this:
MX 10 main.funkeedomain.org.
main A 111.222.333.444
...or any number of other variants.
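The reason the forward records matter, as this answer and the rejection in the question show, is that strict MTAs verify the connecting IP in both directions: the PTR target must itself have an A record that points back to the sending IP (forward-confirmed reverse DNS). The Python below is an added example, not code from any of the answers, that performs that check with injectable resolvers. The offline demo uses tables constructed from the question's fictional records; the live_ptr/live_a helpers use the system resolver if you want to run it against a real address. Because the fictional 111.222.333.444 has octets above 255, addresses are handled as plain strings rather than through the ipaddress module.

```python
"""Forward-confirmed reverse DNS (FCrDNS): the sending IP's PTR target must
have an A record that resolves back to the same IP. Added example with
injectable resolvers; the tables below are constructed from the question's
fictional values and are not real DNS data."""
import socket
from typing import Callable, Optional

PtrResolver = Callable[[str], Optional[str]]   # ip -> absolute PTR target, or None
AResolver = Callable[[str], list[str]]          # absolute name -> list of A addresses


def reverse_name(ip: str) -> str:
    """Owner name queried for an IPv4 PTR lookup (what dig -x builds)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def fcrdns(ip: str, resolve_ptr: PtrResolver, resolve_a: AResolver) -> tuple[bool, str]:
    """Return (ok, reason); ok only when ip -> PTR -> A leads back to ip."""
    target = resolve_ptr(ip)
    if target is None:
        return False, f"no PTR record at {reverse_name(ip)}"
    addresses = resolve_a(target)
    if not addresses:
        # The failure the question's checker reported: "No A Record Found in DNS".
        return False, f"PTR target {target} has no A record"
    if ip not in addresses:
        return False, f"PTR target {target} resolves to {addresses}, not {ip}"
    return True, f"{ip} -> {target} -> {ip}"


def live_ptr(ip: str) -> Optional[str]:
    """System-resolver PTR lookup; returns the name with a trailing dot."""
    try:
        return socket.gethostbyaddr(ip)[0] + "."
    except OSError:            # socket.herror / socket.gaierror subclass OSError
        return None


def live_a(name: str) -> list[str]:
    """System-resolver forward lookup; returns every IPv4 address for the name."""
    try:
        return socket.gethostbyname_ex(name.rstrip("."))[2]
    except OSError:
        return []


# Constructed tables: what the ISP published (broken), the intended PTR (fixed),
# and a PTR whose target exists but belongs to a different address (mismatch).
PTR_BROKEN = {"111.222.333.444": "main.funkeedomain.org.333.222.111.in-addr.arpa."}
PTR_FIXED = {"111.222.333.444": "main.funkeedomain.org."}
PTR_MISMATCH = {"111.222.333.445": "main.funkeedomain.org."}
FORWARD = {"main.funkeedomain.org.": ["111.222.333.444"]}


def check_with_tables(ip: str, ptr_table: dict, a_table: dict) -> tuple[bool, str]:
    """Run fcrdns() against in-memory tables instead of the network."""
    return fcrdns(ip, ptr_table.get, lambda name: a_table.get(name, []))


if __name__ == "__main__":
    for label, table, ip in (("broken", PTR_BROKEN, "111.222.333.444"),
                             ("fixed", PTR_FIXED, "111.222.333.444"),
                             ("mismatch", PTR_MISMATCH, "111.222.333.445")):
        print(f"{label:9}", *check_with_tables(ip, table, FORWARD))
```

To test a real host, call fcrdns(ip, live_ptr, live_a); the three distinct failure reasons (no PTR, PTR target without an A record, A record for a different address) are the three things worth stating precisely to the ISP's NOC, since each is fixed in a different zone.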