Hi Markus,

[TL;DR]  ;-)

An MX record pointing to a CNAME is generally not supported and a bad idea.
I am sure this is mentioned somewhere in one of the RFCs - but I currently have
no time to look this up.

An MX should always point to an A record.

kind regards

Ralph

----- On 19 Feb 2018 at 8:57, Markus Wild swinog-l...@dudes.ch wrote:

> Hi there,
> 
> I've just come across a weird mail reception problem of some mails from
> Microsoft. Our servers insist that a specified MAIL FROM address can be
> resolved correctly, and this usually boils down to the following checks
> on the domain-part of the email-address specified:
> - is there an MX? Does the target resolve using an A record (not a CNAME),
>   and does it resolve to a publicly reachable address (not RFC1918 or
>   localhost etc)
> - if there is no MX, is there an A record that fulfils the same criteria as
>   the MX target above?
> - if none of these are true, the address is considered to be invalid and
>   mail is rejected
> 
> Since about Feb 15, I've now come across mails from
> account-security-nore...@accountprotection.microsoft.com that get rejected.
> When I manually perform the above steps, I can see why, and I also see a
> first: the domain part is actually a CNAME, something I've not encountered
> mentioned in standards as being a legal way to perform address resolution
> when delivering email. But, I also don't recall reading about rules that
> explicitly deny this, contrary to the very explicit rules that for example
> deny having MX point to CNAME. The domain setup here is borked in multiple
> ways however:
> 
> $ host -t mx accountprotection.microsoft.com
> Host accountprotection.microsoft.com not found: 3(NXDOMAIN)
> 
> $ host -t a accountprotection.microsoft.com
> Host accountprotection.microsoft.com not found: 3(NXDOMAIN)
> 
> BUT:
> 
> $ host -t cname accountprotection.microsoft.com
> accountprotection.microsoft.com is an alias for mail.msa.msidentity.com.
> 
> and even if we should allow use of a CNAME here, we'd have to apply the same
> rules as stated initially on the CNAME target, and these fail as well:
> 
> $ host -t mx mail.msa.msidentity.com.
> Host mail.msa.msidentity.com not found: 3(NXDOMAIN)
> 
> $ host -t a mail.msa.msidentity.com.
> Host mail.msa.msidentity.com not found: 3(NXDOMAIN)
> 
> So, what's your take on this? Does someone see a legal way to resolve this
> sender, that I've missed? Am I right in considering these addresses to be
> unresolvable and thus reject these mails? Who would I have to report this
> to at Microsoft to have any chance of a human person looking at the issue?
> 
> Cheers,
> Markus
> 
> 
> _______________________________________________
> swinog mailing list
> swinog@lists.swinog.ch
> http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
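The sender-domain checks Markus lists above, written out as an added example that is not part of this thread nor of either poster's mail software. It runs against a constructed in-memory stand-in for DNS: the entry for accountprotection.microsoft.com reproduces the CNAME-only state shown in the `host` output above, and the other domains (good.example, alias-mx.example, private.example, nomx.example) and their addresses are invented to exercise the remaining branches. The function names (`lookup`, `host_query`, `host_is_usable_target`, `check_mail_from_domain`) are this example's own.

```python
"""MAIL FROM domain resolvability check (example; constructed fake zone)."""
import ipaddress
from typing import Dict, List, Tuple


class NXDOMAIN(Exception):
    """The queried name (or the end of its CNAME chain) does not exist."""


# name -> {rtype: [rdata, ...]}; MX rdata is "preference target".
Zone = Dict[str, Dict[str, List[str]]]

FAKE_ZONE: Zone = {
    # As observed in the post: a CNAME only, whose target does not exist.
    "accountprotection.microsoft.com": {"CNAME": ["mail.msa.msidentity.com"]},
    # Constructed: well-formed domain, MX -> A on a routable address.
    "good.example": {"MX": ["10 mx1.good.example"]},
    "mx1.good.example": {"A": ["93.184.216.34"]},
    # Constructed: MX whose target is a CNAME (what Ralph warns against).
    "alias-mx.example": {"MX": ["10 mail.alias-mx.example"]},
    "mail.alias-mx.example": {"CNAME": ["mx1.good.example"]},
    # Constructed: no MX, A record only, but RFC1918.
    "private.example": {"A": ["10.1.2.3"]},
    # Constructed: no MX, public A record (implicit MX rule).
    "nomx.example": {"A": ["93.184.216.35"]},
}


def lookup(zone: Zone, name: str, rtype: str, depth: int = 0) -> List[str]:
    """Return rdata for (name, rtype), chasing CNAMEs like a resolver does.
    [] means the name exists but has no such record; NXDOMAIN is raised when
    the name, or the end of its CNAME chain, does not exist."""
    name = name.rstrip(".").lower()
    if name not in zone:
        raise NXDOMAIN(name)
    rrsets = zone[name]
    if rtype != "CNAME" and "CNAME" in rrsets:
        if depth > 8:  # loop or absurd chain: treat as unresolvable
            raise NXDOMAIN(name)
        return lookup(zone, rrsets["CNAME"][0], rtype, depth + 1)
    return list(rrsets.get(rtype, []))


def host_query(zone: Zone, name: str, rtype: str) -> str:
    """Render a query roughly the way `host -t <rtype> <name>` prints it."""
    try:
        rdata = lookup(zone, name, rtype)
    except NXDOMAIN:
        return f"Host {name} not found: 3(NXDOMAIN)"
    if not rdata:
        return f"{name} has no {rtype} record"
    return f"{name} {rtype} {', '.join(rdata)}"


def host_is_usable_target(zone: Zone, host: str) -> Tuple[bool, str]:
    """Per-target rule from the post: the host must not be a CNAME and must
    have an A record on a globally routable address (is_global drops
    RFC1918, loopback, link-local and other special-use ranges)."""
    try:
        if lookup(zone, host, "CNAME"):
            return False, f"{host} is a CNAME (MX/A target must not be an alias)"
        addrs = [a for a in lookup(zone, host, "A")
                 if ipaddress.ip_address(a).is_global]
    except NXDOMAIN:
        return False, f"{host}: NXDOMAIN"
    if not addrs:
        return False, f"{host}: no publicly reachable A record"
    return True, f"{host} -> {', '.join(addrs)}"


def check_mail_from_domain(zone: Zone, domain: str,
                           allow_cname_domain: bool = False) -> Tuple[bool, str]:
    """Is the domain part of a MAIL FROM address acceptable under the rules
    in the post?  With allow_cname_domain=True a CNAME at the domain itself
    is followed one level and the same rules applied to its target (the
    'even if we should allow use of a CNAME here' variant)."""
    try:
        cname = lookup(zone, domain, "CNAME")
        mx = [] if cname else lookup(zone, domain, "MX")
    except NXDOMAIN:
        return False, f"{domain}: NXDOMAIN"
    if cname:
        if not allow_cname_domain:
            return False, f"{domain} is a CNAME for {cname[0]}; not accepted"
        return check_mail_from_domain(zone, cname[0], allow_cname_domain=False)
    if mx:
        # Try MX targets in preference order; one usable target suffices.
        reasons = []
        for rdata in sorted(mx, key=lambda r: int(r.split()[0])):
            ok, why = host_is_usable_target(zone, rdata.split()[1])
            if ok:
                return True, f"MX {why}"
            reasons.append(why)
        return False, "no usable MX target: " + "; ".join(reasons)
    # No MX at all: implicit MX, the domain's own A record must qualify.
    ok, why = host_is_usable_target(zone, domain)
    return ok, f"implicit MX: {why}"


if __name__ == "__main__":
    print(host_query(FAKE_ZONE, "accountprotection.microsoft.com", "MX"))
    print(host_query(FAKE_ZONE, "accountprotection.microsoft.com", "CNAME"))
    for d in FAKE_ZONE:
        for allow in (False, True):
            print(d, allow, check_mail_from_domain(FAKE_ZONE, d, allow))
```

To run this against live DNS, replace `lookup` with a thin wrapper around a real resolver (with dnspython, `dns.resolver.resolve(name, rtype)`, mapping `dns.resolver.NXDOMAIN` to the exception above and `dns.resolver.NoAnswer` to an empty list). Two design points a production check should add that the thread does not discuss: treat SERVFAIL and timeouts as temporary failures (a 4xx reply) rather than a permanent rejection, and accept AAAA records alongside A, since the post's rule as written only considers IPv4.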

