Threat intelligence API Docs Pricing Blog Contact us

Threat intelligence analysis docs

Mail servers

Check DNS MX records' configuration and the corresponding mail servers.

Tests are based on the following standards:

Mail exchanger (MX) records

Type: Info

List domain's MX records.

Mail exchanger (MX) records of a domain name specify how emails should be routed with the Simple Mail Transfer Protocol (SMTP). It's a type of resource record in the Domain Name System which specifies the mail servers responsible for accepting email messages on behalf of the recipient's domain.

The purpose of multiple MX records:

  • Provide a backup MX that can be used if the primary one is unavailable
  • Provide some load balancing by using multiple MX records with the same preference
Field
Sample output
What it means?
Preference 20

Preference value is used to prioritize mail delivery if multiple mail servers are available. The lowest preference is the MX with the highest priority - the one that the sending mail server should try first.

Exchange ALT1.ASPMX.L.GOOGLE.com Mail server domain.
IPv4 74.125.23.26 Mail server IPv4 address.
IPv6 2404:6800:4008:c02:0:0:0:1b Mail server IPv6 address.
TTL 1800

Time to Live (TTL) indicates how long DNS servers should use the record before checking for updates.

It's measured in seconds, e.g. a TTL of 3600 means records will take an hour to update.

Higher TTL values lead to less traffic load for the DNS server, but changing the MX records will take longer.

By reducing TTL in advance, you ensure servers aren't using invalid records for too long when it's time to switch the MX records.

Configuration check

Type: Analysis

Check MX records and the corresponding Mail Server's configurations.

A records configured

Check if A records are configured for all the mail servers. This is required to be reachable via IPv4.

Tag
What it means?
OK All the mail servers have A records configured.
Failed

A records are not configured for the listed mail servers.

AAAA records configured

Check if AAAA records are configured for all the mail servers. This is required to be reachable via IPv6.

Tag
What it means?
OK All the mail servers have AAAA records configured.
Warning

AAAA records are not configured for the listed mail servers.

Mail servers are not present in CNAME records

Retrieve CNAME records and check if they don't contain mail servers.

RFC 2181, section 10.3: host name should be mapped directly to one or more address records (A or AAAA) and should not point to any CNAME records.

RFC 1034, section 3.6.2: if a name appears in the right-hand side of RR (Resource Record) it should not appear in the left-hand name of CNAME RR, thus CNAME records should not be used with NS and MX records.

Tag
What it means?
OK No mail servers present in CNAME records.
Failed

The listed mail servers are present in CNAME records.

Exchange fields contain valid domain names

Syntax check Exchange fields: should contain valid domain names. Mail servers with bad Exchange fields are unreachable.

Tag
Sample output
What it means?
OK - All MX record's Exchange fields contain valid domain names.
Failed m!<>>#ail.example.com

The listed MX record's Exchange fields contain invalid domain names.

IPs are public

Mail servers should have public IPs to be reachable over the Internet. If a mail server has a private IP address, it can't be reached outside it's subnet.

Tag
Sample output
What it means?
OK - All the mail servers have public IP addresses.
Failed mail.example.com: 10.0.10.10

The listed mail servers have private IP addresses.

Exchange fields don't contain IPs

MX records's Exchange fields should contain valid domain names, IP addresses are not allowed.

An IP address could not be used as it would be interpreted as an unqualified domain name, which cannot be resolved (RFC 1035).

Tag
Sample output
What it means?
OK - All the Exchange fields contain domain names only.
Failed 12.13.14.15 - ?

The following IP addresses found in the Exchange fields.

Name servers return identical MX records

Request all the domain's Name Servers in order to compare the MX records returned. All the name servers should return identical MX records.

Tag
What it means?
OK All the name servers return identical MX records.
Failed

Some Name Servers returned different MX records.

No duplicate MX records

All the mail servers should be defined only once.

It's recommended that mail servers point to different IPs. When an unreachable IP hosts multiple mail servers, multiple mail servers will be down. This rule is not applicable to Google's mail servers.

Tag
Sample output
OK -
Warning The following mail servers are defined more than once: <List of domain names>
Warning The following mail servers use the same IPv4 address: <IPv4>: <List of domain names>
Warning The following mail servers use the same IPv6 address: <IPv6>: <List of domain names>

SPF

Compare domain's TXT records against the SPF record pattern and check if SPF is configured.

Sender Policy Framework (SPF) is a simple email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques.

RFC 7208 defines Sender Policy Framework as a "proposed standard".

DMARC

Compare domain's TXT records against the DMARC record pattern and check if DMARC is configured.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email validation system designed to detect and prevent email spoofing. It's intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender address. Specified in RFC 7489, DMARC counters the illegitimate usage of the exact domain name in the From: field of email message headers.

DMARC is built on top of two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy on which mechanism (DKIM, SPF or both) is employed when sending email from that domain and how the receiver should deal with failures.

Identical SPF and DMARC records

Check that SPF and DMARC TXT records are identical on all the name servers.

Google Apps settings

If Google mail servers are used, check that settings meet the recommendations:

  • ASPMX.L.GOOGLE.COM is the top priority mail server
  • Any Time to Live values should be set to 24 hours (TLL = 86400)
Tag
Sample output
OK Google apps are configured correctly.
Warning The top priority mail server is ASPMX.L.GOOGLE.com, but TTL is not equal to the recommended value (86400).
Warning The top priority mail server is not ASPMX.L.GOOGLE.com.

Reverse IP addresses match

Type: Analysis

Compare mail server's IPs received though reverse DNS and the ones provided in the initial A records:

  • Mail server: get the mail server's domain name from the Exchange field
  • IP resolution: get mail server's IP from the corresponding DNS A record
  • Reverse DNS domain: run reverse DNS query for IP resolution
  • Reverse IP resolution: get reverse DNS domain's IP from the corresponding DNS A record
  • Check if IP resolution and Reverse IP resolution match
Tag
What it means?
OK Reverse DNS entries are configured correctly.
Warning

Some mail servers' domain names received through Reverse DNS are resolving to different IP addresses than the ones provided in the initial A records. Emails sent from the servers configured this way may be rejected.

Real-time blackhole check

Type: Analysis

Check all the mail servers against RBLs.

When a mail server is blacklisted, the list of those who returned positive answer is provided. Please refer to the RBL's websites for more information.

Our full database includes 106 RBLs. Basic subscription plans are limited to validation in 10 RBLs only:

  • b.barracudacentral.org
  • cbl.abuseat.org
  • http.dnsbl.sorbs.net
  • misc.dnsbl.sorbs.net
  • socks.dnsbl.sorbs.net
  • web.dnsbl.sorbs.net
  • dnsbl-1.uceprotect.net
  • dnsbl-3.uceprotect.net
  • sbl.spamhaus.org
  • zen.spamhaus.org
Tag
Sample output
OK Mail servers checked in 10 blacklists. No occurrences found.
Failed Mail servers checked in 10 blacklists. Some of the mail servers are blacklisted.

Mail servers response

Type: Analysis

Check mail server's SMTP connection response.

Connection check

Check if SMTP connection could be established to all the mail servers.

Tag
Sample output
What it means?
OK 220 <Mail server> ESMTP. SMTP connections were successfully established to all the mail servers.
Failed

Can't connect to the following mail servers: <List of mail servers>

Can't establish SMTP connection to the listed mail servers.

Mail greeting

Check if the mail server's domain name is present in the mail greeting.

After SMTP client establishes connection to SMTP server, the session is opened with a greeting by the server, usually containing it's Fully qualified domain name (FQDN).

Tag
Sample output
OK Greeting response contains the mail server's domain name.
Warning

Greeting response doesn't contain the mail server's domain name.

Accept Postmaster address

SMTP server should accept postmaster@<domain_name> address as a recipient (RFC 5321).

Tag
Sample output
OK <Mail server> allows to set postmaster@<domain_name> as a recipient.
Warning

<Mail server> doesn't allow to set postmaster@<domain_name> as a recipient.

Accept Abuse address

SMTP server should accept abuse@<domain_name> address as a recipient (RFC 2142).

Tag
Sample output
OK <Mail server> allows to set abuse@<domain_name> as a recipient.
Warning

<Mail server> doesn't allow to set abuse@<domain_name> as a recipient.

Have questions?
support@threatintelligenceplatform.com
We will get back to you within a day.
Threat Intelligence Platform, LLC

California
USA

Contact us