We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Configuring DNS ROUTING so your mail server works better with BESS

  • Type: Knowledgebase
  • Date changed: one year ago
Solution #00006828

Barracuda Email Security Service


If you want or need to filter your outbound mail thriough the Barracuda Email Security Service (BESS) we recommend setting up your outbound mail server to use the outbound smarthost that is shown on your BESS domains settings page.

There are a couple of problems that can occur when pointing all your outbound mail to our service.

First. If you send to a large group of users it may take longer for us to verify all the users then your mail servers timeout (default timeout is 5 minutes) this will result in a sender timeout and the mail will not be delivered. One way to resolve this is to increase your outbound connector timeout.

Second is that some mail servers (Exchange in particular) when sending mass mailings (one email to multiple addresses in multiple domains) will see a failure to one address as a failure to all addresses. Exchange incorrectly reports the failure to one recipient as a failure of the entire message.

You can force your mail server to break this outbound mail into per domain packets which will limit the delays/failures in mail delivery. This is called DNS routing and you can either do it with a DNS server on your network (delivers mail directly to the domains mail server) or by using the Barracuda DNS server (delivers mail for all domains to BESS).

As noted when using DNS routing your mail server will break the mass mailing into per domain groups but still deliver the mail to BESS. The BESS DNS routing servers are configured to return the Barracuda Inbound hostname for your region as the MX record for all domains. If you use your own local DNS routing server please configure it to return this same hostname (see below) as the MX record for all domains.

If you want to use the BESS DNS routing server please configure your mail server to use the BESS DNS server based on your location (region). This is for your DNS routing ONLY and not for other DNS requests.

US IP Addresses - and <<<<<< NEW ADDRESSES 1/28/2019
UK IP Addresses - and
DE IP Addresses - and

(enter both IP addresses into your DNS configuration to provide better redundancy)

This DNS server is for MX lookups only and returns for all MX queries:

US - dout.ess.barracudanetworks.com
UK - dout.ess.uk.barracudanetworks.com
DE - dout.ess.de.barracudanetworks.com

This allows your mail server to break up outbound mail into "per domain" packets but still send all the mail through the ESS service.

NOTE: If you use DNS routing for your outbound mail you will lose the redundancy the normal smarthost provides. We do not foresee any outage with these servers but it is something anyone using DNS routing needs to be aware of.

Another solution would be to NOT filter your mail through the Barracuda Email Security Service when your mail server is Exchange. This will allow you to deliver mail normally using DNS routing directly to the destination mail servers.

Note: that if you are only seeing connection timeouts due to too many recipients then the sending server needs to dramatically increase their SMTP timeout. The default is 5 minutes which is often just not long enough when using the Barracuda Email Security service as your relay.

Microsoft technet documents that might be of assistance with this


Link to this page: