NO MORE CAREER
POLITICIANS!
Get Out Of Our House: Replacing congress with TRUE citizens!
Contact Doug!
Email Doug!
Learn About Doug!
View Doug Boude's online resume
updated 11/18/2009

View Doug Boude's profile on LinkedIn
Link to me!

Follow Doug Boude on Twitter
Follow me!

Be Doug's friend on Facebook
Befriend me!
(I promise not to follow you home)
OO Lexicon
Doug Boude's OO Lexicon
Chat with Doug!
Recent Entries
THE DAY CFUNITED DIED

PHP vs COLDFUSION

D2W Conference Review

D2W Session Review - The Art and Science of RIAs

D2W Session Review - Using Facebook and Twitter to Market Your Creative Services by Lisa Heselton

D2W Session Review - Prototyping by Chris Griffith

D2W Conference: My Speaker Highlights

Designer Developer Workflow Conference!

CONDITIONAL INSERT IN A SINGLE QUERY

My Top 20 Life Lessons for Boys and Young Men

You may also be interested in...
Web Hosting

best web hosting - top web hosting sites, thetop10bestwebhosting.com

Czech your Page Rank!
Check Page Rank of any web site pages instantly:
This free page rank checking tool is powered by Page Rank Checker service
Surf's Up!
Visit Egosurf.org and massage YOUR web ego!
My Score: 9,001
Doug's Books

Read (and recommend)

  • Men are from Mars, Women are from Venus
  • The Wisdom of Crowds: Why the Many Are Smarter Than the Few and How Collective Wisdom Shapes Business, Economies, Societies and Nations
  • Blink: The Power of Thinking Without Thinking
  • Head First Design Patterns
  • Transact-SQL Programming
  • What's So Amazing About Grace?
  • Just So Stories (Rudyard Kipling collection)

Reading

  • Prayer: Does it Make Any Difference?
  • Data Mining (Practical Machine Learning Tools and Techniques)
<< June, 2009 >>
SMTWTFS
123456
78910111213
14151617181920
21222324252627
282930
Search Blog

Recent Comments
Re: Railo 3.1 on Windows Server 2008 and IIS7 - Part 3 of 3 (by Jon at 8/27 2:04 PM)
Re: Hosts File Changes Not Acknowledged on Vista 64 (by Spacy at 8/24 3:46 PM)
Re: THE DAY CFUNITED DIED (by ComboFusion at 8/23 10:50 AM)
Re: My Grandpa (by Tasha at 8/10 4:29 PM)
Re: Just What IS a 'Service Layer', Anyway? (by dougboude at 8/02 10:10 AM)
Re: Just What IS a 'Service Layer', Anyway? (by Isaac at 8/02 2:25 AM)
Re: PayPal IPN Coldfusion CFC (by Soyestudiambre at 7/25 6:12 PM)
Re: PHP vs COLDFUSION (by Tony Garcia at 7/17 11:24 AM)
Re: PHP vs COLDFUSION (by dougboude at 7/14 8:45 AM)
Re: PHP vs COLDFUSION (by Lola LB at 7/14 5:51 AM)
Categories
Ajax (4) RSS
code snippets (43) RSS
ORACLE (1) RSS
bill's browser (3) RSS
CFUNITED (7) RSS
Coldbox (10) RSS
ColdFusion (74) RSS
coldspring (5) RSS
D2W (4) RSS
Eclipse (3) RSS
family (30) RSS
firefox (1) RSS
FLEX (1) RSS
Frameworks (20) RSS
Fusebox (2) RSS
FusionCharts (2) RSS
goog (162) RSS
hydrogen power (1) RSS
i18n (1) RSS
idea (7) RSS
ie (4) RSS
Java (2) RSS
javascript (14) RSS
JSON (4) RSS
Model-Glue (30) RSS
movie review (2) RSS
mysql (2) RSS
observations (29) RSS
OOP (24) RSS
Personal (61) RSS
PHP (6) RSS
placeblogger (31) RSS
Railo (6) RSS
rant (23) RSS
S.E.E. (4) RSS
scripts (2) RSS
SQL (8) RSS
Story (6) RSS
xclaim (1) RSS
Archives
July 2010 (2)
June 2010 (6)
May 2010 (2)
April 2010 (2)
March 2010 (3)
February 2010 (3)
January 2010 (1)
December 2009 (3)
November 2009 (4)
October 2009 (3)
September 2009 (11)
August 2009 (4)
July 2009 (4)
June 2009 (5)
May 2009 (2)
April 2009 (2)
March 2009 (5)
February 2009 (1)
January 2009 (3)
December 2008 (7)
November 2008 (10)
October 2008 (5)
September 2008 (2)
August 2008 (2)
July 2008 (4)
June 2008 (2)
May 2008 (6)
April 2008 (1)
March 2008 (6)
February 2008 (6)
January 2008 (5)
December 2007 (1)
October 2007 (5)
September 2007 (14)
August 2007 (11)
July 2007 (9)
June 2007 (6)
May 2007 (2)
April 2007 (1)
March 2007 (7)
February 2007 (3)
September 2006 (7)
August 2006 (8)
July 2006 (7)
June 2006 (16)
May 2006 (3)
Photo Albums
Funnies (5)
Family (3)
RSS
RSS 1.0 (all)
More RSS feeds...

Powered by
BlogCFM v1.11

14 June 2008
Email Non-Delivery Due To No Reverse DNS Record
Cause and Solution
Categories:   goog

Here's the scenario...

You're managing several domains on one IP address (beevis.com, butthead.com, and LakersSuck.com), using host headers with your web server in order to do so successfully. If you're unfamiliar with what "using host headers" means, it's a cryptic way of saying that "whenever a user arrives at your web server, check to see what the URL is and redirect them to the appropriate subdirectory based on that value". In our scenario, you're also managing your own email server, perhaps using something like Smartermail, so each of your domains can have their own email addresses (info@beevis.com, info@butthead.com, info@LakersSuck.com).

The Challenge...

Everything's working great for you. User's are being redirected to the appropriate subdirectories on your web server, and you're sending and receiving emails via each of those email addresses just fine. Oh, wait...SOMETIMES the email you send out doesn't arrive at its destination! A glitch in the system? A random gremlin in the processor? A rogue process? After many hours of re-doing settings, checking settings, system restarts, and hunting for common denominators with your clients, you finally stumble upon the fact that it's mostly only emails going to people who use AOL that are not making it to their destination, along with a few other friends who are using their local cable company for email. You turn on logging and watch for any clues, googling what you find until at last you have distilled things down to their cause: Your domains do not have a reverse DNS record in place. What this means is that an outside system cannot take your IP address and look it up to make sure it's associated with the actual domain that is sending the email.


Here's the clue from the mail server's log file:


"Failed Recipient: blabla@aol.com
Reason: Remote host said: 450 #4.1.3 Relaying temporarily denied. Cannot
resolve PTR record for 208.112.55.164"

Further substantiation from AOL's own site  (http://postmaster.aol.com/guidelines/standards.html) solidifies that this is indeed the issue:
 "AOL's mail servers will reject connections from any IP address that does not have reverse DNS (a PTR record). "

 Whew! At least now you know what's causing this faux random issue! Okay then, let's just add a reverse DNS record for each of our domains so that when a receiving system does their look up, they can see that you really are who you say you are.

The Additional Challenge...

After many MORE hours of attempting to create reverse DNS records (PTR records), you figure out that any given IP address is only allowed to resolve back to a single domain name. So your whole configuration of sharing one IP with several domains has now suddenly become a very bad idea, and it's time to give each its own address.

The Solution...

Tech support provides you with two new IP addresses, which you can see and verify on your Windows system by going to your Control Panel --> Network Connections --> [your connection name] --> Properties -->TCP/IP --> Properties.

Assign each of your domains a new IP address in your web server, then edit your DNS entries for each of those domains to reflect the new IP address. It is quite likely that, if you're using hosting, you will not be able to create your own PTR record and will have to contact your host to do this for you (that is the case with Host My Site), so just make sure you have them do that. After the reverse lookup records are in place, you can verify them by visiting http://remote.12dt.com/lookup.php and typing in the IP address. It should come back with the domain name you assigned to it.

Let everything simmer for 24 hours, just to account for whatever propogation delays and caching are floating around, and give things another whirl. You should be good to go at this point.

Doug out.




Posted by dougboude at 5:58 PM | PRINT THIS POST! |Link | 5 comments
Subscription Options

You are not logged in, so your subscription status for this entry is unknown. You can login or register here.

Comments
Re: Email Non-Delivery Due To No Reverse DNS Record
As long as you are on the subject of mail and DNS, be sure to review Sender Policy Framework (SPF) too. If this is not configured or configured improperly, it can negatively effect your ability to send email.
http://www.openspf.org/

Also ensure that you are properly using SENDER and/or FAIL-TO headers so that your outbound mesages don't look like forgeries.
http://www.openspf.org/Best_Practices/Webgenerated
Posted by James Moberg on June 14, 2008 at 11:57 PM

Re: Email Non-Delivery Due To No Reverse DNS Record
I don't think AOL explicitly says they use FCrDNS, I think they only check if a PTR is defined for the IP address. (which is a minimum effort at good policy)
"AOL's mail servers will reject connections from any IP address that does not have reverse DNS (a PTR record)."


A slightly stricter process it to make sure reverse matches forward with FCrDNS.
Name based Virtual Hosts can typically still be used with FCrDNS, the system doing the checking does a look up on the reverse DNS and then does a look up on the returned hostname to verify that it resolves back to the original IP address. So it is possible to have:
vhost1.com ----> IP_ADDRESS ----> mainhost.com ----> IP_ADDRESS
As long as IP_ADDRESS = IP_ADDRESS it will be accepted.

There seems to be a myriad of reasons why email is blocked, and there are a myriad of good ways to resolve the problem. It is a disservice to suggest that every HTTP based website have a unique IP address to send email reliably.
Posted by blech on June 16, 2008 at 4:42 PM

Re: Email Non-Delivery Due To No Reverse DNS Record
@blech, Thanks for the comment. Though I'm not sure how very useful it is since it's somewhat cryptic to "the rest of us" (those of us who don't harbor a special passion for the minute details of the internet's physiology and terminology). As a developer who also has the occasional task of performing some server maintenance type work, all I (and I'm sure a lot of others) really am interested in is the summarized, layman's termed explanation of how to make our frickin email arrive at its destination. I certainly was not purposefully performing a disservice in the information I shared; I was simply sharing it in the hope that someone else down the road who has a similar situation might not have to wade as deep or long through the mire of techno babble muck in order to find what it is they truly need. That having been said, if you can distill your comment down into something a bit more palatable and meaningful for "the rest of us", it would be greatly appreciated! I for one would LOVE to not have to visit this subject again, so doing it completely right the first time is the desired outcome. Anybody out there got a pretty good handle on the whole spam policy inner workings that are being instituted all over the place who wouldn't mind doing a "Email Server Management for Dummies" type post? Something like a checklist of settings to look at and things to do so that one's email server is all set to play properly with the rest of the email servers out there?
Posted by dougboude on June 17, 2008 at 5:16 AM

Re: Email Non-Delivery Due To No Reverse DNS Record
Hi Doug,

I think what blech is saying (and I agree) is that your solution of having a dedicated IP for each domain is overkill. Public IP4 addresses are a scarce resource (which is why we use host-headers and Network Address Translation to share them) and responsible ISPs will normally ask you to justify their use. Needing to use SSL on the domain (because Host Headers won't work over SSL) is a valid reason, but I don't think wanting domain specific ReverseDNS is.

As blech says it should normally be enough that the IP address being used to send mail *has* a reverseDNS/PTR record, not that it necessarily matches the domain. That should satisfy the receiving mail server that the IP address has at least been set up properly on an identifiable network. It's not reasonable to expect every domain to be resolvable back to a unique IP address: there simply aren't enough addresses to go round under IP4.

As James says, having proper a correctly configured SPF record in your domain's DNS and using headers properly are a better way of adding credibility your outgoing mail.

Cheers
Posted by Julian Halliwell on June 18, 2008 at 4:27 AM

Re: Email Non-Delivery Due To No Reverse DNS Record
Wow! I'm excited for you just because I know the pain this was to you and the benefit it is to me! Good job!
Posted by Joe on July 1, 2008 at 2:56 PM

Post a Comment
Name:   Required
Email:   Required your email address will not be publicly displayed.

Want to receive notifications when new comments are added? Login/Register for an account.

Time to take the Turing Test!!!

10 plus 1 equals
Type in the answer to the question you see above:

Your comment:

Sorry, no HTML allowed!