I want to highlight a common misconfiguration in the DNS records for e-mail servers.
When a domain is configured to receive mails, usually a DNS record of the type MX is configured pointing to the host name of the mail server.
Notably, according to the respective RFC 1035, the MX record must contain a domain name and may not directly point to an IP address. However, some mail servers do configure an IP address. Many mail servers are lenient when it comes to this misconfiguration and will deliver mails nevertheless, so this may stay undetected.
I happen to use a mail server that is less forgiving (Courier), and every now and then I cannot send a mail due to this. It’s rare, but it does happen. If your mail server has such a configuration you may not receive some legitimate e-mails.
So I’m hoping to raise some awareness and get some of those servers fixed.
- Obviously, if you run a mail and DNS server, please don’t do this and correctly set your MX records.
- If you do any kind of IT service or consulting that is related to mail and DNS servers, this is a good thing to add to your list of things to check regularly (here's a very simple Python script you can use).
- If you run any form of service or tool that checks DNS and mail servers for misconfigurations, please add a check for IP addresses in MX records and warn your users. Unfortunately only few services do this currently (thanks to Hardenize and IntoDNS who will warn users about this), and some popular services don’t.
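One way to implement the check described in the list above, as an added example (not the script linked from the original post). It assumes the MX answers were already collected in `dig +noall +answer` format; the function names and the sample records are hypothetical and constructed for illustration.

```python
import ipaddress

# Constructed sample answers in `dig +noall +answer MX` layout, using
# documentation address ranges and example domains (not real scan results).
SAMPLE_ANSWERS = """\
good.example.      3600 IN MX 10 mail.good.example.
bad4.example.      3600 IN MX 10 192.0.2.25.
bad6.example.      3600 IN MX 5 2001:db8::25.
mixed.example.     3600 IN MX 10 mx1.mixed.example.
mixed.example.     3600 IN MX 20 198.51.100.7
numeric.example.   3600 IN MX 10 192.0.2.25.numeric.example.
nullmx.example.    3600 IN MX 0 .
"""


def is_ip_literal(exchange):
    """True if the MX target is an IPv4/IPv6 address instead of a host name."""
    # Resolvers print the target as a fully qualified name, so an IP address
    # placed in an MX record usually shows up with a trailing root dot.
    candidate = exchange.rstrip(".")
    if not candidate:
        return False  # "." alone is the null MX of RFC 7505, not an IP
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return False  # ordinary host name, even if its first labels are digits
    return True


def find_ip_mx(answers):
    """Return (domain, preference, target) for every MX that holds an IP."""
    findings = []
    for line in answers.splitlines():
        fields = line.split()
        # Expected layout: owner TTL class "MX" preference exchange
        if len(fields) != 6 or fields[3].upper() != "MX":
            continue
        owner, preference, exchange = fields[0], int(fields[4]), fields[5]
        if is_ip_literal(exchange):
            findings.append((owner.rstrip("."), preference, exchange))
    return findings


if __name__ == "__main__":
    for domain, preference, target in find_ip_mx(SAMPLE_ANSWERS):
        print(f"{domain}: MX {preference} {target} is an IP address, not a host name")
```

A domain with several MX records is reported once per offending record, so a correct primary with an IP address as backup still shows up.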
I did a quick scan of the Alexa Top 1 Million list. Currently around 0,06 % are affected (if you happen to know someone responsible for a host on this list, please consider pointing them to this blog post). I hope by writing this I can reduce that number. I may later try to contact them via their postmaster alias.
(Image source: nohat.cc / CC0)