MX Record Best Practices

Unanswered Question
Jun 15th, 2007

Greets. I have a question on MX Records. I'm 95% certain of the answer, I just want a sanity check.

Our email domain matches the hostname of our mail server. E.g., [email protected] is handled by our server

We have a C350 ( sitting in front of, and the MX Records for look like this:


A lot of spam is being delivered to the lowest priority MX Record, bypassing

Can I remove the "10" MX Record? I know a lot of MTAs will look for an A Record to deliver mail to if there are no MX Records for a domain.

But in this case, there are MX Records. If I remove the 10 priority, and for some reason the C350 is offline, will all mail to [email protected] bounce, or will MTAs try delivering to the A Record after the 0 priority MX Record?

Thanks for any help.

jpcarna_ironport Fri, 06/15/2007 - 22:44

If I understand what you are saying, both the Ironport and non-Ironport MTAs are listed in the MX record, 0 cost being the Ironport and 10 cost being the non-Ironport. Based on this, inbound connection attempts try the Ironport first and if they cannot connect then try the 10 cost "non-Ironport". Sounds like the spammers figured out they can't deliver to the Ironport because of Senderbase and are targeting the non-Ironport MTA.

Short answer is "Yes", you can remove the non-Ironport from the MX record. But I am not sure if I understand what you are trying to accomplish. If it is a 2-tier architecture (Ironport facing the internet, "in front of", e.g. using Ironport as your perimeter protection), I would remove from the MX record and lock the non-Ironport down so it only delivers to/from the Ironport and to your internal domain. You can always enable multiple listeners on the C350 if you'd like. Are you looking to use the non-Ironport only if the Ironport is down hard, for whatever reason? I am not sure any MTA will try an A record if an MX record exists. Usually that is when NO MX exists.

Donald Nash Sat, 06/16/2007 - 22:04

Spammers will try every MX record they see. They'll also remember old MX records after you've removed them, and they'll use port probing to discover SMTP listeners for dictionary attacks. They're relentless. What we do with our mail server is refuse all SMTP connections that don't come from our IronPorts, so there is no "back door" for the spammers to exploit.

As for being totally dependent on your C350, don't sweat it. We've been totally dependent on our IronPorts for a few years now. They're at least as reliable as the mail server they're protecting. And in your case, if your C350 does go down, your inbound mail won't bounce. It'll be held in the mail queues of the servers which are trying to send you mail. You'll only start losing mail if you're down for longer than their queue retention times (usually at least 24 hours).

You could increase your reliability by having two C350s, both taking traffic. That way, if one goes down then the other will handle the whole load. That takes more money, of course.
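The two answers above make three claims about MX handling: a sender uses the A record only when a domain has no MX at all, mail is queued (not bounced) while every MX host is down, and a lower-preference backup MX is reachable by anyone regardless of the preference order unless it is locked down to the gateway. The following added example (not from this thread or from Cisco/IronPort) models that behaviour in Python over constructed zone data with placeholder hostnames.

```python
# Constructed zone data standing in for real DNS answers; the hostnames are
# placeholders, not the poster's real servers.
ZONE = {
    "example.test": {
        "MX": [(10, "mail.example.test"), (0, "ironport.example.test")],
        "A": ["192.0.2.10"],
    },
    "nomx.example.test": {"A": ["192.0.2.20"]},  # a domain with no MX at all
}

def delivery_hosts(domain, zone=ZONE):
    """Hosts a conforming sender tries, in order (RFC 5321 section 5.1).

    If MX records exist they are used in ascending preference and the
    domain's own A record is NOT a fallback. Only when there is no MX
    record is the domain itself treated as an implicit MX of preference 0.
    """
    rrsets = zone.get(domain, {})
    mx = sorted(rrsets.get("MX", []))
    if mx:
        return [host for _pref, host in mx]
    return [domain] if rrsets.get("A") else []

def attempt_delivery(domain, reachable, zone=ZONE):
    """One delivery pass; `reachable` is the set of hosts answering on SMTP.

    Returns ("delivered", host) for the first target that answers,
    ("deferred", None) when every target is down (the sender queues and
    retries instead of bouncing), and ("bounced", None) only when the
    domain has neither MX nor A records.
    """
    hosts = delivery_hosts(domain, zone)
    if not hosts:
        return ("bounced", None)
    for host in hosts:
        if host in reachable:
            return ("delivered", host)
    return ("deferred", None)

def exposed_backdoors(domain, gateway, accepts_from, zone=ZONE):
    """MX hosts other than the gateway that accept SMTP from any peer.

    `accepts_from` maps host -> set of peers allowed to connect ("*" = any).
    Preference order is advisory only: a sender can connect to any listed
    host directly, so a backend accepting "*" is reachable regardless of
    its preference number. The fix from the thread is to allow only the gateway.
    """
    return [h for h in delivery_hosts(domain, zone)
            if h != gateway and "*" in accepts_from.get(h, set())]
```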

blopez_ironport Wed, 07/25/2007 - 18:36

I would never name one of my MX records as IronPort because it's a way of saying to spammers "you won't go through here, please try the other MX record". If you want to have 2 MX records, name one and the second one. Still, as mentioned before, spammers might send spam to any MX record they see.
