Cisco Support Community
New Member

Looking for best practices regarding junk destination domains

Hello,

By doing regular tophosts on our outgoing appliances, I usually find many junk destination domains: these can be internal non-routable domains (typically mail sent from applications), misspelled domains, external non-routable domains, ...

I was thinking of adding a specific mail policy for such domains, but before doing that I wondered if you guys have something more clever to advise!

Thanks in advance for any idea

Philippe

1 REPLY
Cisco Employee

Most junk domains are related to mail from hosts that have Relay access or bounces generated on-box for domains that do not exist.  We can prevent some of these by changing what is accepted into the ESA in the first place via Sender Verification.

Sender Verification rejects mail from any Envelope Sender address which does not exist in DNS based on an MX and A record lookup.  This is applied on each Mail Flow Policy.  You can do all Policies to affect mail in both directions, or take the more cautious approach of only enforcing this on non-Relay and less trusted Sender Groups.  Mail Flow Policies are accessed from the Mail Policies tab.

Relay to invalid Recipients is a bit trickier.  Since these tend to be less common, I'd suggest allowing Sender Verification to be enabled for some time (at least 4-7 days) so those situations are cleared from the system's Delivery Status output.  This should shorten the list of domains that cannot be delivered to considerably - and most remaining will relate to Relayed mail.

You would then use Tracking or the mail_logs to get details about specific messages to specific domains.  Based on your findings, you can take corrective actions.  Some possible situations:

- If an internal host is sending automated emails to or from a non-existent domain: I'd recommend approaching the admin of the tool that creates that email so they can correct the tool.

- If inbound mail is accepted for an invalid domain: You will want to check the RAT to make sure only valid domains are listed.  Any entry in the format of .domain.com is a wildcard that allows mail to be accepted for anyuser@anyhost.domain.com - you may want to replace wildcard entries with exact domains that are verified to exist internally.

- If a specific domain is often typoed by users: You can use Destination Controls to refer to a Bounce Profile with a shorter Max Queue Age.  This lets the mail bounce much earlier than normal emails so the user becomes aware in a timely manner and the Delivery Status stays cleaner.

I hope this helps!

- Jackie
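
The triage the reply describes can be scripted before opening Tracking for each domain. The following is an added example, not part of either post and not Cisco code: it sorts a list of destination domains into the situations above (internal non-routable, likely typo of a known domain, or needing a lookup). The suffix list, the known-good list, the distance threshold and the sample domains are all assumptions constructed for illustration.

```python
# Added example; every domain, suffix and threshold below is constructed.
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp")  # assumed site naming
KNOWN_GOOD = ["gmail.com", "outlook.com", "yahoo.com", "example.com"]  # assumed list
MAX_TYPO_DISTANCE = 1  # one insert, delete, substitute or adjacent swap


def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain):
    """Return (category, suggested_domain) for one destination domain."""
    d = domain.strip().lower().rstrip(".")
    if "." not in d or d.endswith(INTERNAL_SUFFIXES):
        return ("internal-nonroutable", None)   # follow up with the sending tool's admin
    if d in KNOWN_GOOD:
        return ("known-good", None)
    for good in KNOWN_GOOD:
        if osa_distance(d, good) <= MAX_TYPO_DISTANCE:
            return ("likely-typo", good)        # candidate for a shorter Max Queue Age
    return ("needs-lookup", None)               # check Tracking / mail_logs and DNS


def triage(domains):
    """Group destination domains by category, keeping input order."""
    groups = {}
    for dom in domains:
        category, suggestion = classify(dom)
        groups.setdefault(category, []).append((dom, suggestion))
    return groups


# Constructed sample of destination domains, as might be copied from tophosts.
SAMPLE = ["gmial.com", "appserver01", "billing.corp", "yaho.com",
          "outlook.com", "no-such-partner.example"]

if __name__ == "__main__":
    for category, items in triage(SAMPLE).items():
        print(category, items)
```

A `likely-typo` result is only a candidate: a domain one edit away from a well-known one can be a real, deliverable domain, so confirm it in DNS before pointing a shorter bounce profile at it.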
