Mailing List Archive
Re: [tlug] Reverse DNS Delegatation
- Date: Fri, 19 Jul 2013 19:12:23 +0900
- From: "Stephen J. Turnbull" <stephen@example.com>
- Subject: Re: [tlug] Reverse DNS Delegatation
- References: <20130718050249.GD4297@skeptic.cynic.net> <51E81045.2080807@fgs.eti.br> <20130719040353.GA26790@skeptic.cynic.net> <CAPx5V520y0djd0yOkwe8ZBQ-kpsjBaCgs8yYzWUeAu4RG9szdw@mail.gmail.com>

Pier Fumagalli writes:

> For small domains/servers (I'd say handful of thousands of messages
> per day) things should be pretty easy as the IP you're sending from
> won't be flagged in any of the automated blacklist/rate limiting of

Not something to bet your life on. In general, it's common for shady ISPs to sell on IPs that have been blacklisted.

> The best practices I would follow are (see RFC-2119 for terminology):
>
> * you MUST have a reverse IP DNS entry: it doesn't matter to who, but
> if you don't, some finicky sysadmin might consider your IP as being a
> dynamic IP and immediately reject email.
>
> * you MUST have the name resolved by the reverse IP DNS lookup point
> back to the same name (if 1.2.3.4 resolves as customerX.providerY.dom
> then customerX.providerY.dom MUST resolve to 1.2.3.4).

OK so far.

> * you SHOULD use the reverse IP DNS entry as your EHLO hostname: if
> your ISP lists 1.2.3.4 as customerX.providerY.dom, use that as your
> EHLO string,

This simply isn't true, not by RFC and not in practice. There are far too many reasons why an outgoing MX may be an alias. See below for the most important one.

> if you don't you MUST use a name that DNS resolves to that IP.

Yes.

> * you MUST an SPF record in your domain's DNS allowing the IP you're
> sending from as a designated sender (just because it's 2013).

Not by RFC and not in practice. It does help you get past some spam and phishing filters. I would say this is a SHOULD, for that reason, but I don't think there's any authoritative RFC that says so.

> * you SHOULD sign your outgoing messages for your domain with DKIM
> (again, be a kind and trusted internet citizen).

Nope. DKIM is too fscked to be a SHOULD. For example, DKIM makes no sense for discussion-style mailing lists, eg, TLUG. A certain class of mail will get better treatment if you DKIM sign.

> * you MUST have some MX records for the domain in questions (it MAY be
> better to have one pointing to the same IP address you're sending
> from) and MUST make sure the "postmaster@domain" and "abuse@domain"
> are valid mailboxes (per RFC-822 and RFC-2142).

Nope. You MUST have an A (or AAAA) record for any domain (host) that acts as an incoming MX. (This is why an *outgoing* MX may not have a PTR that points to itself.) If you wish to accept mail for domains that are different from that of the incoming MX, you MUST have MX records for those (but they don't need to be a domain you own and they may not be in your DNS).

> * you SHOULD make sure that the host you're sending from accepts
> connections on port 25 back

Huh? Not at all. You just need to make sure that there is somebody accepting connections and mail to the HELO domain on port 25.

> and MAY accept messages for your domain (see above), and if you do
> you MUST make sure that you're not an open relay.

Indeed.

> * you MUST make sure that your IP is never listed into any of the RBL
> tables (check periodically)

Not at all -- anybody who uses an RBL doesn't deserve to receive my mail anyway.<0.5 wink/> YMMV of course.
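
Added example, not part of the original message or thread: a Python sketch of the DNS checks discussed above (PTR present, PTR name resolving back to the sending IP, EHLO name resolving to the sending IP). It reports "EHLO equals the PTR name" separately, since the message disputes that as a requirement. The function names, the injectable `ptr`/`addrs` resolvers and the sample zone data are assumptions constructed for illustration.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def system_addrs(name):
    """A/AAAA addresses for name from the system resolver."""
    try:
        # Strip any IPv6 scope id ("%eth0") so ipaddress can parse it.
        return sorted({ai[4][0].split("%")[0]
                       for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def _norm(name):
    return name.rstrip(".").lower()

def check_sender(ip, ehlo, ptr=system_ptr, addrs=system_addrs):
    """DNS checks a receiving MTA commonly applies to a sending host."""
    target = ipaddress.ip_address(ip)

    def points_back(name):
        return any(ipaddress.ip_address(a) == target for a in addrs(name))

    names = [_norm(n) for n in ptr(ip)]
    confirmed = [n for n in names if points_back(n)]  # forward-confirmed PTRs
    return {
        "has_ptr": bool(names),
        "fcrdns": bool(confirmed),
        "ehlo_resolves_to_ip": points_back(_norm(ehlo)),
        "ehlo_matches_ptr": _norm(ehlo) in confirmed,  # informational only
    }

# Constructed sample data (documentation address range, made-up names).
PTR = {"192.0.2.10": ["customerX.providerY.example."],
       "192.0.2.20": ["host.other.example."]}
A = {"customerx.providery.example": ["192.0.2.10"],
     "mail.example.org": ["192.0.2.10"],
     "host.other.example": ["192.0.2.99"]}

def sample_ptr(ip):
    return PTR.get(ip, [])

def sample_addrs(name):
    return A.get(_norm(name), [])

if __name__ == "__main__":
    for ip, ehlo in [("192.0.2.10", "mail.example.org"),
                     ("192.0.2.20", "host.other.example"),
                     ("192.0.2.30", "mail.example.org")]:
        print(ip, ehlo, check_sender(ip, ehlo, sample_ptr, sample_addrs))
```

Calling `check_sender(ip, ehlo)` without the last two arguments uses the system resolver instead of the sample data.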