We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Using MX Records

  • Last updated on

This article defines MX records and provides information about effectively using MX records in conjunction with Email Security Gateways.

MX Records

MX records are DNS entries that are used by sending mail servers to locate destination mail servers. An mail server sending an email to a particular domain will look up the MX record for that destination domain. The MX record provides a machine name or an IP address for the destination domain. For example, if an mail server wants to send an email to bob@mydomain.com, it would perform an MX record look up on mydomain.com to determine the destination IP address. Once the sending mail server has the destination IP address, it would then be able to contact the destination machine to deliver the email.

Figure 1: Basic MX record setup.

MXRecords1.jpg

Multiple MX Records

Some domains have several MX records associated with it. Each MX record has a different priority associated with it and each one points to a different server as illustrated in Figure 2:

Figure 2: Domain with multiple MX records.

  MXRecords2BESG.jpg

When a sending mail server performs an MX record lookup on a destination domain, it obtains the complete list of MX records and their associated priorities. Under normal circumstances, the sending mail server will attempt to send the email to the highest priority destination first and only proceed down the list if the higher priority machine is down, overloaded or cannot take the email for some reason. This is particularly useful when building robust and high availability systems. The email is delivered according to the highest priority MX record. If the mail server specified in that record is down, then the email is routed according to the next highest priority MX record.

Using a Email Security Gateway

To help block spam and viruses, some organizations may have their mail server’s highest priority MX record point to a Email Security Gateway rather than the mail server itself. This way the first machine to receive the email would be the Email Security Gateway. The Email Security Gateway would then process the email and determine if the email is legitimate. If it is, then it would forward the email to the destination mail server.

Figure 3: MX Record and the Barracuda Email Security Gateway.

MXRecords4BESG.jpg

To protect against the case of the Email Security Gateway going down, some organizations have a lower priority or backup MX record that points directly to the mail server.

Figure 4: Wrong method for obtaining high availability.

MXRecords5BESG.jpg

This, however, is not a recommended way to protect against a Email Security Gateway failing. Why? Spammers know about this method and will take advantage of the lower priority MX record that bypasses the Email Security Gateway. Spammers will send Spames directly to the lower priority MX record so that they will always bypass the Email Security Gateway and get through to the mail server.

For organizations who wish to protect against a Email Security Gateway failing, Barracuda Networks recommends having both the first and second priority MX records point to a Email Security Gateway and the Email Security Gateway pointing to an mail server. This way all email, regardless of which MX record is being used, is always processed by a Email Security Gateway first.

Figure 5: Correct method for obtaining high availability.

  MXRecords3BESG.jpg

Summary

To effectively use MX records with Email Security Gateways, Barracuda Networks recommends having the highest priority MX record point to the Email Security Gateway and the Email Security Gateway point to the mail server.

To have a high availability environment, Barracuda Networks recommends having a lower priority MX record point to another Email Security Gateway and the Email Security Gateway point to an mail server. It is not effective to have the lower priority MX record point directly to an mail server since spam and viruses will simply bypass the higher priority MX record and use the lower priority MX record to send spam and viruses directly to the mail server.

To use MX records with the Barracuda Email Security Gateway when configuring the destination mail server, set the Use MX Records option on the BASIC > IP Configuration page in the web interface. This setting is available globally (applied for all domains) and also can be specified at the domain level. 

Last updated on