Hi Markus, [TL;DR] ;-)
an MX record pointing to a CNAME is generally not supported and a bad idea. I am sure this is mentioned somewhere in one of the RFCs - but I currently have no time to look this up. An MX should always point to an A record.

kind regards
Ralph

----- On 19 Feb 2018 at 8:57, Markus Wild swinog-l...@dudes.ch wrote:

> Hi there,
>
> I've just come across a weird mail reception problem of some mails from
> Microsoft. Our servers insist that a specified MAIL FROM address can be
> resolved correctly, and this usually boils down to the following checks
> on the domain-part of the email-address specified:
> - is there an MX? Does the target resolve using an A record (not a CNAME), and
>   does it resolve to a publicly reachable address (not RFC1918 or localhost etc)
> - if there is no MX, is there an A record that fulfils the same criteria as the
>   MX target above?
> - if none of these are true, the address is considered to be invalid and mail
>   is rejected
>
> Since about Feb 15, I've now come across mails from
> account-security-nore...@accountprotection.microsoft.com that get rejected.
> When I manually perform the above steps, I can see why, and I also see a
> first: the domain part is actually a CNAME, something I've not encountered
> mentioned in standards as being a legal way to perform address resolution
> when delivering email. But, I also don't recall reading about rules that
> explicitly deny this, contrary to the very explicit rules that for example
> deny having MX point to CNAME. The domain setup here is borked in multiple
> ways however:
>
> $ host -t mx accountprotection.microsoft.com
> Host accountprotection.microsoft.com not found: 3(NXDOMAIN)
>
> $ host -t a accountprotection.microsoft.com
> Host accountprotection.microsoft.com not found: 3(NXDOMAIN)
>
> BUT:
>
> $ host -t cname accountprotection.microsoft.com
> accountprotection.microsoft.com is an alias for mail.msa.msidentity.com.
>
> and even if we should allow use of a CNAME here, we'd have to apply the same
> rules as stated initially on the CNAME target, and these fail as well:
>
> $ host -t mx mail.msa.msidentity.com.
> Host mail.msa.msidentity.com not found: 3(NXDOMAIN)
>
> $ host -t a mail.msa.msidentity.com.
> Host mail.msa.msidentity.com not found: 3(NXDOMAIN)
>
> So, what's your take on this? Does someone see a legal way to resolve this
> sender, that I've missed? Am I right in considering these addresses to be
> unresolvable and thus reject these mails? Who would I have to report this to
> at Microsoft to have any chance of a human person looking at the issue?
>
> Cheers,
> Markus
>
>
> _______________________________________________
> swinog mailing list
> swinog@lists.swinog.ch
> http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
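The sender-domain check Markus describes (MX target must be an A record, not a CNAME, and must resolve to a publicly reachable address; otherwise fall back to an A record on the domain itself) as a small, added example. This is not code from either poster or from any MTA; the DNS data is a constructed in-memory table modelled on the `host` output in the thread, so the script runs offline, and the `ZONE`, `table_lookup` and `NON_PUBLIC` names are assumptions of this example. It also assumes that one usable MX target is enough to accept a domain, which the post does not spell out.

```python
"""Sender-domain resolvability check modelled on the rules in the post.

Added example, not the posters' code. DNS answers come from a constructed
in-memory table so the example runs offline; in a real MTA hook you would
pass a function that queries a resolver in place of `table_lookup`.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]

# Constructed zone data (assumption), modelled on the records shown in the
# thread. A name with no entry behaves like NXDOMAIN for every record type.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "accountprotection.microsoft.com.": {"CNAME": ["mail.msa.msidentity.com."]},
    # mail.msa.msidentity.com. is deliberately absent: NXDOMAIN for MX and A
    "example.net.": {"MX": ["10 mx1.example.net.", "20 mx2.example.net."]},
    "mx1.example.net.": {"CNAME": ["mxhost.example.net."]},  # MX -> CNAME: not usable
    "mx2.example.net.": {"A": ["192.0.2.25"]},               # usable MX target
    "example.org.": {"A": ["10.0.0.5"]},        # no MX, A is RFC1918: rejected
    "example.com.": {"A": ["198.51.100.7"]},    # no MX, public A: accepted
}

# "not RFC1918 or localhost etc": the ranges treated as non-public here.
# RFC 5737 documentation ranges are intentionally left out so the constructed
# sample data above counts as public; a real deployment would add them.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    "::1/128", "::/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def table_lookup(name: str, rtype: str) -> List[str]:
    """Exact-owner lookup against ZONE, no CNAME chasing (like `host -t`)."""
    fqdn = name if name.endswith(".") else name + "."
    return ZONE.get(fqdn, {}).get(rtype, [])


def is_public(ip: str) -> bool:
    """True unless the address falls into one of the NON_PUBLIC ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def host_ok(name: str, lookup: Lookup) -> Tuple[bool, str]:
    """A host passes if it is not a CNAME and has at least one public A record."""
    if lookup(name, "CNAME"):
        return False, f"{name} is a CNAME"
    addrs = lookup(name, "A")
    if not addrs:
        return False, f"{name} has no A record"
    if not any(is_public(a) for a in addrs):
        return False, f"{name} resolves only to non-public addresses {addrs}"
    return True, f"{name} -> {addrs}"


def check_sender_domain(domain: str, lookup: Lookup = table_lookup) -> Tuple[bool, str]:
    """Apply the three rules from the post to the domain part of MAIL FROM."""
    mx = lookup(domain, "MX")
    if mx:
        # Assumption: one MX target that passes is enough to accept the domain.
        for rr in mx:
            target = rr.split()[1]          # "10 mx1.example.net." -> host
            ok, why = host_ok(target, lookup)
            if ok:
                return True, f"MX {why}"
        return False, "no MX target resolves to a public A record"
    # No MX: the domain itself must satisfy the same criteria.
    ok, why = host_ok(domain, lookup)
    return (True, f"no MX, implicit {why}") if ok else (False, f"no MX and {why}")


if __name__ == "__main__":
    for d in ("accountprotection.microsoft.com", "mail.msa.msidentity.com",
              "example.net", "example.org", "example.com"):
        verdict, reason = check_sender_domain(d)
        print(f"{'ACCEPT' if verdict else 'REJECT'} {d}: {reason}")
```

Run stand-alone it rejects `accountprotection.microsoft.com` because the domain part is a CNAME, and rejects the CNAME target `mail.msa.msidentity.com` because it has neither MX nor A, which is the outcome Markus observed. Note that the check queries the CNAME type explicitly rather than letting the resolver chase the alias on an A query, which is why a CNAME is caught before any address is examined.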