This article defines MX records and provides information about effectively using MX records in conjunction with Email Security Gateways.
MX records are DNS entries that sending mail servers use to locate destination mail servers. A mail server sending an email to a particular domain looks up the MX record for that destination domain. The MX record provides a machine name or an IP address for the destination domain. For example, if a mail server wants to send an email to email@example.com, it performs an MX record lookup on example.com to determine the destination IP address. Once the sending mail server has the destination IP address, it can contact the destination machine to deliver the email.
Figure 1: Basic MX record setup.
Multiple MX Records
Some domains have several MX records associated with them. Each MX record has a different priority and points to a different server, as illustrated in Figure 2:
Figure 2: Domain with multiple MX records.
When a sending mail server performs an MX record lookup on a destination domain, it obtains the complete list of MX records and their associated priorities. Under normal circumstances, the sending mail server will attempt to send the email to the highest priority destination first and only proceed down the list if the higher priority machine is down, overloaded or cannot take the email for some reason. This is particularly useful when building robust and high availability systems. The email is delivered according to the highest priority MX record. If the mail server specified in that record is down, then the email is routed according to the next highest priority MX record.
Using an Email Security Gateway
To help block spam and viruses, some organizations may have their mail server’s highest priority MX record point to an Email Security Gateway rather than the mail server itself. This way the first machine to receive the email is the Email Security Gateway. The Email Security Gateway then processes the email and determines whether it is legitimate. If it is, the gateway forwards the email to the destination mail server.
Figure 3: MX Record and the Barracuda Email Security Gateway.
To protect against the case of the Email Security Gateway going down, some organizations have a lower priority or backup MX record that points directly to the mail server.
Figure 4: Wrong method for obtaining high availability.
This, however, is not a recommended way to protect against an Email Security Gateway failing. Why? Spammers know about this method and will take advantage of the lower priority MX record that bypasses the Email Security Gateway. Spammers will send spam directly to the lower priority MX record so that it always bypasses the Email Security Gateway and gets through to the mail server.
For organizations that wish to protect against an Email Security Gateway failing, Barracuda Networks recommends having both the first and second priority MX records point to an Email Security Gateway and the Email Security Gateway pointing to a mail server. This way all email, regardless of which MX record is being used, is always processed by an Email Security Gateway first.
Figure 5: Correct method for obtaining high availability.
To effectively use MX records with Email Security Gateways, Barracuda Networks recommends having the highest priority MX record point to the Email Security Gateway and the Email Security Gateway point to the mail server.
To have a high availability environment, Barracuda Networks recommends having a lower priority MX record point to another Email Security Gateway and that Email Security Gateway point to a mail server. It is not effective to have the lower priority MX record point directly to a mail server, since senders of spam and viruses will simply bypass the higher priority MX record and use the lower priority MX record to deliver directly to the mail server.
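One way to check a domain against this recommendation, as an added example that is not part of the original article or Barracuda's own tooling: the script below reads MX answers in the format printed by `dig +short MX <domain>` and flags every record whose target is not an approved gateway. The hostnames, the sample answers and the function names are constructed for illustration.

```python
# Added example: audit MX answers for records that bypass the gateway.
# Input lines look like `dig +short MX <domain>` output: "<preference> <host>."
# In DNS the LOWEST preference number is the HIGHEST priority record.
# All hostnames and sample answers below are constructed.

def parse_mx(text):
    """Return [(preference, host)] in delivery order (lowest number first)."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # allow comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"not an MX answer line: {line!r}")
        # Hostnames are case-insensitive; drop the trailing root dot.
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)

def audit_mx(text, gateways):
    """Return one finding per MX target that is not an approved gateway."""
    allowed = {g.rstrip(".").lower() for g in gateways}
    records = parse_mx(text)
    findings = [
        f"MX {pref} {host}: not a gateway, mail sent here skips filtering"
        for pref, host in records
        if host not in allowed
    ]
    if not records:
        # With no MX record, senders fall back to the domain's address record.
        findings.append("no MX records: delivery falls back to the domain's address record")
    return findings

GATEWAYS = ["gateway1.example.com", "gateway2.example.com"]

# Figure 4 layout: the backup record points straight at the mail server.
WRONG = "10 gateway1.example.com.\n20 mail.example.com.\n"
# Figure 5 layout: every record points at a gateway.
RIGHT = "10 gateway1.example.com.\n20 gateway2.example.com.\n"

if __name__ == "__main__":
    for name, answer in (("Figure 4 layout", WRONG), ("Figure 5 layout", RIGHT)):
        print(name, "->", audit_mx(answer, GATEWAYS) or "OK")
```

Running the check on a schedule against the live DNS answer catches a bypass record that is reintroduced later, for example during a mail server migration.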
To use MX records with the Barracuda Email Security Gateway when configuring the destination mail server, set the Use MX Records option on the BASIC > IP Configuration page in the web interface. This setting is available globally (applied for all domains) and also can be specified at the domain level.