Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

DNS role in email delivery

SMTP can be configured to operate without DNS, using IP addresses instead of domain names for SMTP clients, SMTP servers, and recipient email addresses. However, this configuration is rare.

SMTP as it is typically used relies upon DNS to determine the mail gateway server (MX) for a domain name, and to resolve domain names into IP addresses. As such, you usually must configure email servers and FortiMail units to be able to query a DNS server.

In addition, you may also be required to configure the DNS server with an MX record, an A record, and a reverse DNS record for protected domain names and for the domain name of the FortiMail unit itself.

MX record

Mail exchanger (MX) records are configured on a DNS server. MX records for a domain name indicate designated email servers or email gateways that deliver email to that domain, and their order of preference. In their most simple form, MX records use the following format:

example.com IN MX 10 mail.example.com

where:

  • example.com is the name of the domain
  • IN indicates the Internet protocol class
  • MX indicates that the DNS resource record is of the MX type
  • 10 indicates the order of preference (greater values indicate lower preference)
  • mail.example.com is the host name of an email server or gateway

When an email client sends an email, the sender’s MTA queries a DNS server for the MX record of the domain name in the recipient’s email address. To resolve the host name of the MTA referenced by the MX record, it then queries for the A record of the destination MTA. That A record provides the IP address of the email server or gateway. The sender’s MTA then attempts to deliver the email to that IP address.

For example, if the recipient email address is user1@example.com, in order to deliver the email, the sender’s MTA would query the MX and A records to determine the IP address of the email gateway of example.com.

Often, the domain name and/or IP address of the email domain is different from that of its email server or gateway. The fully qualified domain name (FQDN) of an email server or gateway may be a subdomain or another domain name entirely, such as that of the MTA of an Internet service provider (ISP). For example, the email gateways for the email domain example.com could be mail1.example.com and mail2.example.com, or mail.isp.example.net.

If your FortiMail unit will operate in transparent mode, and you will configure it be fully transparent at both the IP layer and in the SMTP envelope and message headers by enabling “Hide this box from the mail server” in the session profile, “Hide the transparent box” in the protected domain, and “Use client-specified SMTP server to send email” for the proxies, no MX record changes are required.

If your FortiMail unit will operate in gateway mode or server mode, or in transparent mode while not configured to be fully transparent, you must configure the public DNS server for your domain name with an MX record that refers to the FortiMail unit which will operate as the email gateway, such as:

example.com IN MX 10 fortimail.example.com

Note

If your FortiMail unit will operate in gateway mode or server mode, or in transparent mode while not fully transparent, configure the MX record to refer to the FortiMail unit, and remove other MX records. If you do not configure the MX record to refer to the FortiMail unit, or if other MX records exist that do not refer to the FortiMail unit, external MTAs may not be able to deliver email to or through the FortiMail unit, or may be able to bypass the FortiMail unit. If you have configured secondary MX records for failover reasons, consider configuring FortiMailhigh availability (HA) instead. For details, see FortiMail high availability modes.

Exceptions include if you are configuring a private DNS server for use with the Use MX Record option. In that case, rather than referencing the FortiMail unit as the mail gateway and being used by external SMTP servers to route mail, the MX record references the protected SMTP server and is used by the FortiMail unit to define the SMTP servers for the protected domain.

A record

Address records (A records) are configured on a DNS server. A records indicate the IP address to which a host name resolves. In their most simple form, A records use the following format:

mail IN A 192.168.1.10

where:

  • mail is the name of the host
  • IN indicates the Internet protocol class
  • A indicates that the DNS resource record is of the IPv4 address type
  • 192.168.1.10 indicates the IP address that hosts the domain name

When an email client sends an email, the sender’s MTA queries a DNS server for the MX record of the domain name in the recipient’s email address. To resolve the host name of the MTA referenced by the MX record, it then queries for the A record of the destination MTA. That A record provides the IP address of the email server or gateway. The sender’s MTA then attempts to deliver the email to that IP address.

You must configure the public DNS server for your host names with an A record to resolve the host names referenced in MX records, and the host name of the FortiMail unit, if any. For example, if an MX record is:

example.com IN MX 10 fortimail.example.com

the required A record in the example.com zone file might be:

fortimail IN A 192.168.1.15

Reverse DNS record

Because the SMTP protocol does not strictly require SMTP clients to use their own domain name during the SMTP greeting, it is possible to spoof the origin domain. In an attempt to bypass antispam measures against domain names known to be associated with spam, spammers often exploit that aspect of SMTP by pretending to send email from legitimate domains.

For example, the spammer spam.example.com might initiate an SMTP session with the command:

EHLO nonspam.example.edu

To prevent this form of attack, many SMTP servers query reverse DNS records to verify that the domain name provided in the SMTP greeting genuinely matches the IP address of the connecting SMTP client.

You should configure the public DNS server for your protected domain names with a reverse DNS record to resolve the IP addresses of your protected SMTP servers and/or FortiMail unit into domain names.

For example, if the outgoing MTA for example.com is the FortiMail unit, fortimail.example.com, and the public network IP address of the FortiMail unit is 10.10.10.1, a public DNS server’s reverse DNS zone file for the 10.10.10.0/24 subnet might contain:

1 IN PTR fortimail.example.com.

where fortimail.example.com is the FQDN of the FortiMail unit.

Note

Reverse DNS records are required for FortiMail units operating in gateway mode or server mode. However, they are also required for FortiMail units operating in transparent mode, unless they have been configured to be completely transparent.

DNS role in email delivery

SMTP can be configured to operate without DNS, using IP addresses instead of domain names for SMTP clients, SMTP servers, and recipient email addresses. However, this configuration is rare.

SMTP as it is typically used relies upon DNS to determine the mail gateway server (MX) for a domain name, and to resolve domain names into IP addresses. As such, you usually must configure email servers and FortiMail units to be able to query a DNS server.

In addition, you may also be required to configure the DNS server with an MX record, an A record, and a reverse DNS record for protected domain names and for the domain name of the FortiMail unit itself.

MX record

Mail exchanger (MX) records are configured on a DNS server. MX records for a domain name indicate designated email servers or email gateways that deliver email to that domain, and their order of preference. In their most simple form, MX records use the following format:

example.com IN MX 10 mail.example.com

where:

  • example.com is the name of the domain
  • IN indicates the Internet protocol class
  • MX indicates that the DNS resource record is of the MX type
  • 10 indicates the order of preference (greater values indicate lower preference)
  • mail.example.com is the host name of an email server or gateway

When an email client sends an email, the sender’s MTA queries a DNS server for the MX record of the domain name in the recipient’s email address. To resolve the host name of the MTA referenced by the MX record, it then queries for the A record of the destination MTA. That A record provides the IP address of the email server or gateway. The sender’s MTA then attempts to deliver the email to that IP address.

For example, if the recipient email address is user1@example.com, in order to deliver the email, the sender’s MTA would query the MX and A records to determine the IP address of the email gateway of example.com.

Often, the domain name and/or IP address of the email domain is different from that of its email server or gateway. The fully qualified domain name (FQDN) of an email server or gateway may be a subdomain or another domain name entirely, such as that of the MTA of an Internet service provider (ISP). For example, the email gateways for the email domain example.com could be mail1.example.com and mail2.example.com, or mail.isp.example.net.

If your FortiMail unit will operate in transparent mode, and you will configure it be fully transparent at both the IP layer and in the SMTP envelope and message headers by enabling “Hide this box from the mail server” in the session profile, “Hide the transparent box” in the protected domain, and “Use client-specified SMTP server to send email” for the proxies, no MX record changes are required.

If your FortiMail unit will operate in gateway mode or server mode, or in transparent mode while not configured to be fully transparent, you must configure the public DNS server for your domain name with an MX record that refers to the FortiMail unit which will operate as the email gateway, such as:

example.com IN MX 10 fortimail.example.com

Note

If your FortiMail unit will operate in gateway mode or server mode, or in transparent mode while not fully transparent, configure the MX record to refer to the FortiMail unit, and remove other MX records. If you do not configure the MX record to refer to the FortiMail unit, or if other MX records exist that do not refer to the FortiMail unit, external MTAs may not be able to deliver email to or through the FortiMail unit, or may be able to bypass the FortiMail unit. If you have configured secondary MX records for failover reasons, consider configuring FortiMailhigh availability (HA) instead. For details, see FortiMail high availability modes.

Exceptions include if you are configuring a private DNS server for use with the Use MX Record option. In that case, rather than referencing the FortiMail unit as the mail gateway and being used by external SMTP servers to route mail, the MX record references the protected SMTP server and is used by the FortiMail unit to define the SMTP servers for the protected domain.

A record

Address records (A records) are configured on a DNS server. A records indicate the IP address to which a host name resolves. In their most simple form, A records use the following format:

mail IN A 192.168.1.10

where:

  • mail is the name of the host
  • IN indicates the Internet protocol class
  • A indicates that the DNS resource record is of the IPv4 address type
  • 192.168.1.10 indicates the IP address that hosts the domain name

When an email client sends an email, the sender’s MTA queries a DNS server for the MX record of the domain name in the recipient’s email address. To resolve the host name of the MTA referenced by the MX record, it then queries for the A record of the destination MTA. That A record provides the IP address of the email server or gateway. The sender’s MTA then attempts to deliver the email to that IP address.

You must configure the public DNS server for your host names with an A record to resolve the host names referenced in MX records, and the host name of the FortiMail unit, if any. For example, if an MX record is:

example.com IN MX 10 fortimail.example.com

the required A record in the example.com zone file might be:

fortimail IN A 192.168.1.15

Reverse DNS record

Because the SMTP protocol does not strictly require SMTP clients to use their own domain name during the SMTP greeting, it is possible to spoof the origin domain. In an attempt to bypass antispam measures against domain names known to be associated with spam, spammers often exploit that aspect of SMTP by pretending to send email from legitimate domains.

For example, the spammer spam.example.com might initiate an SMTP session with the command:

EHLO nonspam.example.edu

To prevent this form of attack, many SMTP servers query reverse DNS records to verify that the domain name provided in the SMTP greeting genuinely matches the IP address of the connecting SMTP client.

You should configure the public DNS server for your protected domain names with a reverse DNS record to resolve the IP addresses of your protected SMTP servers and/or FortiMail unit into domain names.

For example, if the outgoing MTA for example.com is the FortiMail unit, fortimail.example.com, and the public network IP address of the FortiMail unit is 10.10.10.1, a public DNS server’s reverse DNS zone file for the 10.10.10.0/24 subnet might contain:

1 IN PTR fortimail.example.com.

where fortimail.example.com is the FQDN of the FortiMail unit.

Note

Reverse DNS records are required for FortiMail units operating in gateway mode or server mode. However, they are also required for FortiMail units operating in transparent mode, unless they have been configured to be completely transparent.