Inbound Sender DNS Check Option

Created by Jason Carreiro, Modified on Thu, 15 Apr, 2021 at 12:07 PM by Jason Carreiro


Situation:


Spam domains will often not have a proper A/MX record configured on their DNS. Proofpoint performs additional checks to stop this type of email. If you are not receiving messages from a legitimate domain with incorrectly configured DNS records, this may be the reason. 


Solution:


This article provides an overview of what the Inbound Sender DNS check option will test for, as well as how to enable/disable the option from the Company Spam Settings.

 

What Is Inbound Sender DNS Check?

The Inbound sender DNS check option provides an additional layer of protection against spam and helps ensure that inbound messages that might not have a destination to bounce to are not allowed in. The proper step to address this is to get the sender to properly format their messages (i.e. fix the sender's domain to have a proper A/MX record), but the specific reason this feature was implemented was to allow a way to have such messages be delivered.

What Checks Does It Perform?


Specifically,  Inbound sender DNS check is a little used option that essentially turns on the sender domain validity DNS checks we perform on Inbound email. This involves two checks.

  1. Whether the sender domain has MX records. In other words, a check whether the email is "bounceable" and able to be returned to a sender should it be necessary later. Our MTA structure states that the request will get rejected if the MAIL FROM domain has:
    1. No DNS A or MX record, or
    2. A malformed MX record such as a record with a zero-length MX hostname. 
  2. All addresses used on an email should be valid in this sense, and if you turn this test off, suddenly you become an easier target for spam/etc. because spammers do not have to use real domains. If spammers are forced to use real domains, those domains can protect themselves using SPF and specify from where their email should originate.  Our spam engines efficiently detect spam based on the content, and we don't believe removing this check will measurably increase the amount of spam a customer receive.
  3. Whether the sender domain doesn't contain MX records pointing to private or reserved IP ranges like 10.0.0.0/8, 127.0.0.0/8 etc.  If the email creator designs a recipient address that will get bounced, and configures the sender domain MX possibly under his control with an IP address of an internal network resource, the email can be made to flow outside of its intended course (or sit stuck in an internal queue and not be able to go anywhere)

How To Enable/Disable:

  1. Go to Security Settings > Spam Settings. 
  2. Uncheck/Check the box labeled Inbound Sender DNS Check.
  3. Click Save at the bottom of the page.