Hi Markus,
[TL;DR] ;-)
a MX record pointing to a CNAME is generally not supported and a bad idea. I am sure this is mentioned somewhere in one of the RFCs - but I currently have no time to look this up.
A MX should always point to a A record.
kind regards
Ralph
----- Am 19. Feb 2018 um 8:57 schrieb Markus Wild swinog-list@dudes.ch:
Hi there,
I've just come across a weird mail reception problem of some mails from Microsoft. Our servers insist that a specified MAIL FROM address can be resolved correctly, and this usually boils down to the following checks on the domain-part of the email-address specified:
- is there an MX? Does the target resolve using an A record (not a CNAME), and
does it resolve to a publically reachable address (not RFC1918 or localhost etc)
- if there is no MX, is there an A record that fulfils the same criteria as the
MX target above?
- if none of these are true, the address is considered to be invalid and mail is
rejected
Since about Feb 15, I've now come across mails from account-security-noreply@accountprotection.microsoft.com that get rejected. When I manually perform the above steps, I can see why, and I also see a first: the domain part is actually a CNAME, something I've not encountered mentioned in standards as being a legal way to perform address resolution when delivering email. But, I also don't recall reading about rules that explicitly deny this, contrary to the very explicit rules that for example deny having MX point to CNAME. The domain setup here is borked in multiple ways however:
$ host -t mx accountprotection.microsoft.com Host accountprotection.microsoft.com not found: 3(NXDOMAIN)
$ host -t a accountprotection.microsoft.com Host accountprotection.microsoft.com not found: 3(NXDOMAIN)
BUT:
$ host -t cname accountprotection.microsoft.com accountprotection.microsoft.com is an alias for mail.msa.msidentity.com.
and even if we should allow use of a CNAME here, we'd have to apply the same rules as stated initially on the CNAME target, and these fail as well:
$ host -t mx mail.msa.msidentity.com. Host mail.msa.msidentity.com not found: 3(NXDOMAIN)
$ host -t a mail.msa.msidentity.com. Host mail.msa.msidentity.com not found: 3(NXDOMAIN)
So, what's your take on this? Does someone see a legal way to resolv this sender, that I've missed? Am I right in considering these addresses to be unresolvable and thus reject these mails? Who would I have to report this to at Microsoft to have any chance of a human person looking at the issue?
Cheers, Markus
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog