Keeping your MX records tidy

We often notice that, despite our advice, clients insist on leaving a ‘backup’ MX record in their DNS. This means that they a) don’t understand how spammers operate and b) don’t understand that we already provide primary, secondary and tertiary routes for their email.

So I thought it timely to explain how MX routing works and why it’s not a good idea to leave an ‘extra’ MX record in place that DOESN’T point to us. Let’s assume your company’s domain name is ‘your-company.com’ and you have such a backup record in place; let’s say its value is 100 and it’s named postoffice.your-isp.net.

Mail servers route inbound email for a domain to the MX record with the lowest value (preference) first, so looking at your MX records:

your-company.com.    3600 IN    MX 10 mx811.clearemail.net.
your-company.com.    3600 IN    MX 30 mx813.clearemail.net.
your-company.com.    3600 IN    MX 100 postoffice.your-isp.net.
your-company.com.    3600 IN    MX 20 mx812.clearemail.net.

Any mail server sending mail to anyone at ‘your-company.com’ will try to deliver to us at the MX 10 value above (mx811.clearemail.net), and if that fails then MX 20, then MX 30. If all three fail, the sending mail server will try MX 100, postoffice.your-isp.net.

Often clients initially set up a backup mail route like the MX 100 above because there’s a worry that the main routes will all be unavailable, which is very, very remote given that these (MX 10, 20, 30) all point to different parts of our infrastructure.

The reason we advise against this practice is that spammers have realised that some organisations do this, so they send their spam to the highest route first, which would be MX 100. This routes the email to your-isp.net, and that system will then deliver the email on to your mail server. This bypasses Cleartext (or any other managed email security platform), causing several things to happen:

1) Our multi-layered spam and virus filtering will not be applied.
2) Inbound email will not be archived and is therefore unavailable for e-discovery.
3) Any custom email rules, perhaps for HR reasons, will not be applied.
4) This inbound email will not be recorded anywhere in our logs because it has bypassed us.

Looking at the above, 1) isn’t too much of an issue because your ISP may be applying rudimentary filtering and therefore catching some of the spam, but they may let through phishing emails, trojans, etc. 2) could be an issue because this email won’t be archived, which means you may not be complying with e-discovery legislation, and 3) and 4) could also be an issue if you need to trace email that someone says they sent to you, or if HR needs to for some reason.

Now it’s arguable that 2) to 4) above won’t be too much of an issue, because legitimate mail servers will send to 10, 20 or 30 first; but even so there’s still a chance genuine mail will route this way, and do you want that if you end up in court with the other party doing email discovery on your organisation?

So, to summarise: if you use a managed email security service and have such a ‘backup’ MX record in place, you currently have a ‘backdoor’ into your email system which could let spam or malware in and which routes email without your corporate policy being applied.
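As an added worked example (not part of the original post, and not Cleartext’s own tooling), the script below parses the four MX records shown above, works out the order a sending mail server will try them, and flags any exchange host that is not on the managed platform. The managed platform is assumed, for this example, to be any host under ‘clearemail.net’; substitute your provider’s real MX hostnames. The zone lines are the constructed sample from this post; in practice you would feed it the output of a DNS query for your own domain.

```python
import re
from dataclasses import dataclass

# Constructed sample: the MX records from the post, deliberately listed out of
# preference order, as a zone file permits.
ZONE_TEXT = """\
your-company.com.    3600 IN    MX 10 mx811.clearemail.net.
your-company.com.    3600 IN    MX 30 mx813.clearemail.net.
your-company.com.    3600 IN    MX 100 postoffice.your-isp.net.
your-company.com.    3600 IN    MX 20 mx812.clearemail.net.
"""

# Assumed suffix for the managed email security platform's hosts (example value;
# replace with your provider's actual MX hostnames).
MANAGED_SUFFIX = ".clearemail.net."


@dataclass(frozen=True)
class MXRecord:
    owner: str
    ttl: int
    preference: int
    exchange: str


# owner  ttl  IN  MX  preference  exchange
MX_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_mx_records(zone_text):
    """Parse zone-file style MX lines into MXRecord objects."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = MX_LINE.match(line)
        if not match:
            raise ValueError(f"not an MX record: {line!r}")
        owner, ttl, preference, exchange = match.groups()
        records.append(MXRecord(owner, int(ttl), int(preference), exchange.lower()))
    return records


def delivery_order(records):
    """Exchange hosts in the order a sending MTA tries them: lowest preference
    first (RFC 5321, section 5.1). Equal preferences are ordered by name here
    so the result is deterministic; a real MTA picks among equals randomly."""
    return [r.exchange for r in sorted(records, key=lambda r: (r.preference, r.exchange))]


def find_bypass_records(records, managed_suffix=MANAGED_SUFFIX):
    """Every MX whose exchange is not on the managed platform. Any such host
    will accept mail that never passed the filtering layer, whatever its
    preference value, because a sender may choose to try it first."""
    suffix = managed_suffix.lower()
    return [r for r in records if not r.exchange.endswith(suffix)]


def audit(zone_text, managed_suffix=MANAGED_SUFFIX):
    """Summarise the delivery order and any bypass routes for a set of records."""
    records = parse_mx_records(zone_text)
    return {
        "order": delivery_order(records),
        "bypass": [(r.preference, r.exchange)
                   for r in find_bypass_records(records, managed_suffix)],
    }


if __name__ == "__main__":
    result = audit(ZONE_TEXT)
    print("Senders will try, in order:", ", ".join(result["order"]))
    for preference, host in result["bypass"]:
        print(f"WARNING: MX {preference} {host} routes around the managed platform")
```

Run against the sample, the script lists mx811, mx812, mx813 and then postoffice.your-isp.net as the order a well-behaved sender follows, and reports the MX 100 record as a bypass route. The point of checking by hostname rather than by preference value is that a spammer ignores the preference ordering entirely, so the only safe state is one where every MX host is on the platform.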

So make sure you don’t get caught out by having email routed around the very platform that’s supposed to be providing your email security and compliance requirements.
