Home / Blogs

Fight Spam With the DNS, Not the CIA

It seems like spam is in the news every day lately, and frankly, some of the proposed solutions seem either completely hare-brained or worse than the problem itself. I’d like to reiterate a relatively modest proposal I first made over a year ago: Require legitimate DNS MX records for all outbound email servers.

MX records are one component of a domain’s Domain Name System (DNS) information. They identify IP addresses that accept inbound email for a particular domain name. To get mail to, say, linux.com, a mail server picks an MX record from linux.com’s DNS information and attempts to deliver the mail to that IP address. If the delivery fails because a server is out of action, the delivering server may work through the domain’s MX records until it finds a server that can accept the mail. Without at least one MX record, mail cannot be delivered to a domain.

However, when the DNS was first put in place there was no requirement to be able to trace the identity of a sending mail server. This means that, as things stand, any IP address on the Internet can act as a mail server, even though it may be virtually anonymous and extremely difficult to trace. My proposal aims to close this loophole, so that only registered mail servers can send email.

Since this proposal depends on the existing DNS structure, it could be enacted (presumably with a grace period for organizations to get their mail servers registered) without requiring any initial technological changes whatsoever.

Over time, mail servers could be configured to reject mail that comes from other mail servers that have no MX record. Furthermore, since the MX record would be tied to the legal owner of the domain in question, additional filtering could be done to reject mail from servers that are owned by known spammers. In the longer term, this would decrease the complexity and increase the accuracy of mail filtering software. It also gives spammers fewer places to hide.

Of course this solution is useful only if the contact information for the domain in question is reliable, but this is an area that has been tackled already to some degree. ICANN-accredited domain registrars are required to include a contractual provision that contact information for a registered domain must be valid and up-to-date.

A downside to requiring MX records is that a mail server with an MX record is presumed to be capable of receiving mail. This would create headaches for organizations that currently depend on a division between outbound and inbound mail servers. This “headache,” however, is more palatable than the current “life-threatening illness” that spam has become. In addition, one of the root causes of much of the spam we receive is the fact that mail servers can so easily be configured to send millions of messages without any legitimate mechanism for returning those same messages to the original sending IP address.

There are a number of steps organizations could take to mitigate the initial effects of having to register outbound mail servers, if they currently don’t accept inbound mail on those servers:

Give the MX record of an outbound mail server a very low priority. A sending mail server is less likely to pick a receiving mail server that has an MX record with a low priority.
Register a separate domain for “outbound-only” MX records. If inbound mail is typically addressed to “[email protected]” and you have outbound servers registered under “someplace_outbound_mail.com”, then your outbound servers will never be selected for normal inbound mail.
With these mitigating measures in place, it would be safe to keep outbound mail servers closed to inbound mail. Current mail server technology is reliable enough to deal with the situation where one (or more) of many listed mail servers is found to be unavailable.
In the longer term though, it would be better to discontinue the practice of separating outbound and inbound mail server IP addresses. That was a legitimate technique when there was no other practical way to handle load-balancing and security, but today multi-homing and firewalling products can handle the load and security issues without requiring a specific division of mail server IP addresses. Discontinuing this practice would leave spammers sticking out like a sore thumb.

One final attraction of mail server registration: Enforcement is simple. No army of “men in black” is needed to chase down the lawbreakers—if you choose not to register your mail servers, or repeatedly send spam from those you do, then nobody will accept your mail.

Simple as that.

By John Fitzgibbon, Software Engineer

Filed Under


Mark Jeftovic  –  Jul 9, 2003 2:57 PM

There is a recent proposal around this idea called Reverse MX or RMX. An internet draft exists at http://www.ietf.org/internet-drafts/draft-danisch-dns-rr-smtp-02.txt
and the author maintains a site at http://www.danisch.de/work/security/antispam.html

I think its an idea whose time cannot come fast enough.

Joe S Alagna  –  Sep 8, 2003 7:12 PM

This sounds like a great idea.  I have regularly been a victim of those that use my family web site address as the return address when they send out email.

This is very aggravating.  I would definitely switch to an ISP or host that could help me to prevent this from happening by using some type of reverse MX (RMX) check to disallow someone else from using my domain. I know it is more complicated than what I just described, but I certainly would support efforts to prevent this.  I think any legitimate email user or provider should support it.

Neil Schwartzman  –  Sep 15, 2003 1:55 PM

“Require legitimate DNS MX records for all outbound email servers”
One wonders how to “require” anything on the net these days, given that even a multi-partite letter from the FTC, Industry Canada and a ton of other International signatories was sent out in the vain hopes of getting installations to close open relays they have in place. Which, as far as I can tell, has failed as badly as the multitudinous anti-relay blacklists in use today.

The fight against spam is a multi-faceted one, requiring technical, legal and educational solutions to be put in place. Placing our eggs in one basket, the technical approach has brought about a crisis after ten years of trying. Time to give the other two the credence, time and effort the first one has been given.

Not to mean that approaches be developed at the expense of the tech solutions, but alongside them. Anything else is just waiting for people on the “other side” to find yet another way to send their wares.

Dananwi  –  Sep 22, 2003 2:35 PM

Sounds good to me John! I agree that your proposal is far better than the current dilemma and certainly more feasible than a “W3 Swat Team”.

Matthew Elvey  –  Sep 28, 2003 6:16 AM

Some of the more advanced RMX-style systems should have legs.  Please acknowledge that there are some that are better than yours, and endorse the best one, so we can get to a consensus and get it broadly implemented.  The system shoudn’t be mandatory; it should simply be optional.  If a domain MAY designate a list of servers can send email ‘from’ it, then there are three categories: black (not on the list), white (on the list) and grey (there is no list).

Henrique Moreira  –  May 7, 2006 11:55 AM

There is an excelent draft on : http://www.danisch.de/software/rmx/
(updated the link referred above)

Some big email providers like google, hotmail and yahoo have separate inbound and outbound email servers.

If you “dig wr-out-0506.google.com a”, for instance (see legitimate message below), you will get an impressive list of IPs (those take care of some google outbound mail).

But without the proposed DNS RMX RR, there would be no way to find out whether wr-out-0506.google.com would be potentially legitimate or not.

2006-05-03 03:22:36 1Fb70Y-0007ce-OB <= .(JavaScript must be enabled to view this email address) H=wr-out-0506.google.com [] P=esmtp S=1736 [email protected]
2006-05-03 03:22:36 1Fb70Y-0007ce-OB SA: Action: scanned but message isn't spam: score=-1.6 required=5.0 (scanned in 6/6 secs | Message-Id: 44580391.13f2
.(JavaScript must be enabled to view this email address)). From (host=wr-out-0506.google.com []) for .(JavaScript must be enabled to view this email address)

In short, in my opinion, I think John Fitzgibbon touched the right direction: providers that use different inbound & outbound mail servers, should register not only MX servers (for the inbound messages), but also RMX for the outbound servers.

We will have to wait meanwhile… IETF first, then IANA, to authorize such added (DNS RMX RR) schemes.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byVerisign

Domain Names

Sponsored byVerisign