(Provided as extra info on dlnash:)

Most likely your own downstream mail servers can not be (reversed DNS) resolved by the Ironports. This is expected when you use the default Ironport DNS configuration (used root servers). I assume your downstream systems use a private range IP and those can never be resolved by the public DNS system.

It might be a solution to use your local DNS server for your Ironport….. but be very careful, Ironport generates a massive load on your DNS system.

Steven

One way to deal with the load that IronPort appliances place on DNS servers is to have a dedicated set of DNS servers specifically and exclusively for them, with a little hot-wiring so they know how to find the in-addr.arpa zones for your RFC 1918 space.

You may even be able to prevent these servers from caching anything. The IronPorts do their own DNS caching, so these external servers don't need to do so as well. They just need to be a conduit that can send queries to the right places. Eliminating caching on these servers means they won't consume very much memory (and also eliminates one avenue of cache poisoning attacks). They'll just need enough CPU and network bandwidth to handle the query rate that the IronPorts will generate. And let's face it, DNS processing isn't very hard. IronPort units generate a flood of DNS while still managing to do all the really heavy lifting they do, and all on reasonably inexpensive (for enterprise-grade, anyway) commodity hardware.