Problem with MX records as CNAME and email delivery

petersphilo

Hello,

This is just to inform you that 1&1 now refuses to interact with mail servers using the following DNS configuration:
say the MX record points to mail.domain.tld
if the record for mail.domain.tld is a CNAME record rather than an A record, 1&1 will refuse to accept mail from or deliver to your server!!

i discovered this because a client of mine receives the following error messages when communicating with a domain hosted on 1&1:
550-Requested action not taken: mailbox unavailable
550 invalid DNS MX or A/AAAA resource record


see this post, which seems to confirm:
- Removed -

Has anyone else seen this behavior?

if this is going to be a new trend, please note that cPanel, by default, has the MX record point to a CNAME record rather than an A record..
 

petersphilo

ok, thank you for the information, but i checked and every domain that i created using cPanel made the mail.domain.tld record a CNAME record rather than an A record...
Maybe it was just the version i was using when i created the domains....

EDIT:
i figured out what's going on...
i just checked my zone templates:
Code:
%domain%. IN A %ip%
%domain%. IN AAAA %ipv6%

%domain%. IN MX 0 %domain%.

mail IN CNAME %domain%.
www IN CNAME %domain%.
ftp IN CNAME %domain%.
since they are set to use domain.tld as the MX entry, they just CNAME the mail.domain.tld entry...

is there a reason to favor domain.tld over mail.domain.tld as your MX entry? (other than cheaper SSL certificates, if you're not using LetsEncrypt)
 

sparek-3

Certificates have nothing to do with mail exchanges.

The MX records just need to point to a hostname that resolves to an IP address that is where you want mail for that domain name to go.
 

petersphilo

> Certificates have nothing to do with mail exchanges.
>
> The MX records just need to point to a hostname that resolves to an IP address that is where you want mail for that domain name to go.

i'm aware that certificates have nothing to do with mail exchanges...
what i meant was that SSL certificates that include subdomains (like www or mail) are usually more expensive, so i can imagine wanting to run everything off of one domain...

i also imagine that the traditional mail.domain being used for MX is to allow for separate servers...

i guess what i was asking is this:
is there any reason, on a small server with under 30 mail accounts, a low-frequentation website, and basically no other services, to use mail.domain.tld rather than just domain.tld as the MX ?
 

mtindor

> i'm aware that certificates have nothing to do with mail exchanges...
> what i meant was that SSL certificates that include subdomains (like www or mail) are usually more expensive, so i can imagine wanting to run everything off of one domain...
>
> i also imagine that the traditional mail.domain being used for MX is to allow for separate servers...
>
> i guess what i was asking is this:
> is there any reason, on a small server with under 30 mail accounts, a low-frequentation website, and basically no other services, to use mail.domain.tld rather than just domain.tld as the MX ?

I'm guessing cPanel by default creates an MX that points to domain.ext rather than mail.domain.ext, and that mail.domain.ext is a CNAME pointing to domain.ext simply for the purpose of having fewer records requiring editing when you migrate accounts. Just a guess. I don't think you asked that, but I'm just thinking out loud.

Anytime a hostname is entered as an A-record versus a CNAME, that requires one less DNS lookup to resolve it. So in my mind, it's preferable to have A-records rather than CNAMEs, except in instances where using CNAMEs makes things clearer or more efficient from an administrative standpoint. Again, I realize you didn't ask that.

I don't think there is really any preference for using domain.ext or mail.domain.ext as your MX. Just be aware that if your MX record points to domain.ext and you do something like move your website elsewhere but keep your mail on the cPanel box, you will want to make sure that you change mail.domain.ext to an A-record pointing to the local cPanel IP and then change your MX record to point to mail.domain.ext rather than domain.ext.

Mike
 

cPanelMichael

Technical Support Community Manager
Staff member
> if the record for mail.domain.tld is a CNAME record rather than an A record, 1&1 will refuse to accept mail from or deliver to your server!!
> i discovered this because a client of mine receives the following error messages when communicating with a domain hosted on 1&1:
> 550-Requested action not taken: mailbox unavailable
> 550 invalid DNS MX or A/AAAA resource record

Hello,

Did you reach out to 1&1 and confirm that to be the case? Generally, the error message you referenced stems from an invalid or non-working resolver in the cPanel server's /etc/resolv.conf file. Fixing the /etc/resolv.conf file solves the issue. To test this, try updating the /etc/resolv.conf file on your cPanel server to a public resolver (e.g. Google provides 8.8.8.8, 8.8.4.4) to see if the issue persists.

Thank you.
 

mtindor

> Hello,
>
> Did you reach out to 1&1 and confirm that to be the case? Generally, the error message you referenced stems from an invalid or non-working resolver in the cPanel server's /etc/resolv.conf file. Fixing the /etc/resolv.conf file solves the issue. To test this, try updating the /etc/resolv.conf file on your cPanel server to a public resolver (e.g. Google provides 8.8.8.8, 8.8.4.4) to see if the issue persists.
>
> Thank you.

Michael,

What the OP referenced has nothing to do with the local cPanel server's resolver.

> i discovered this because a client of mine receives the following error messages when communicating with a domain hosted on 1&1:
> 550-Requested action not taken: mailbox unavailable
> 550 invalid DNS MX or A/AAAA resource record

1and1 has been doing this for a long time actually. I'm fairly certain of that.

From RFC1912:

Don't use CNAMEs in combination with RRs which point to other names
like MX, CNAME, PTR and NS. (PTR is an exception if you want to
implement classless in-addr delegation.) For example, this is
strongly discouraged:

    podunk.xx.   IN   MX      mailhost
    mailhost     IN   CNAME   mary
    mary         IN   A       1.2.3.4

[RFC 1034] in section 3.6.2 says this should not be done, and [RFC
974] explicitly states that MX records shall not point to an alias
defined by a CNAME. This results in unnecessary indirection in
accessing the data, and DNS resolvers and servers need to work more
to get the answer. If you really want to do this, you can accomplish
the same thing by using a preprocessor such as m4 on your host files.

Also, having chained records such as CNAMEs pointing to CNAMEs may
make administration issues easier, but is known to tickle bugs in
some resolvers that fail to check loops correctly. As a result some
hosts may not be able to resolve such names.

Having NS records pointing to a CNAME is bad and may conflict badly
with current BIND servers. In fact, current BIND implementations
will ignore such records, possibly leading to a lame delegation.
There is a certain amount of security checking done in BIND to
prevent spoofing DNS NS records. Also, older BIND servers reportedly
will get caught in an infinite query loop trying to figure out the
address for the aliased nameserver, causing a continuous stream of
DNS requests to be sent.


The simple answer is to not reference a hostname in an MX record if that hostname is a CNAME. Only reference a hostname in an MX record if that hostname has one or more associated A-records.

Mike
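
Added example, not part of the thread and not cPanel's own code: a small zone linter that flags every MX record whose target is a CNAME, the pattern the quoted RFC 1912 passage discourages, and follows alias chains without hanging on loops. The domain example.test, the address 192.0.2.10 and the function names are assumptions; the parser is deliberately simplified (one record per line, no TTL column, no $ORIGIN or $TTL directives).

```python
# Added example: lint zone text for MX targets that are CNAME aliases.

def parse_zone(text, origin):
    """Map each owner FQDN to its list of (type, rdata_fields)."""
    origin = origin.rstrip(".").lower() + "."
    def fqdn(name):
        name = name.lower()
        return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()    # drop ';' comments
        if len(fields) > 1 and fields[1].upper() == "IN":
            del fields[1]                          # the class column is optional
        if len(fields) < 3:
            continue
        owner, rtype, rdata = fqdn(fields[0]), fields[1].upper(), fields[2:]
        if rtype in ("MX", "CNAME"):
            rdata[-1] = fqdn(rdata[-1])            # last field is the target name
        records.setdefault(owner, []).append((rtype, rdata))
    return records

def mx_alias_findings(text, origin):
    """Return [(mx_owner, mx_target, cname_chain)] for every MX aimed at an alias."""
    records = parse_zone(text, origin)
    findings = []
    for owner, rrs in records.items():
        for rtype, rdata in rrs:
            if rtype != "MX":
                continue
            name, chain, seen = rdata[-1], [], set()
            while name not in seen:                # 'seen' stops CNAME loops
                seen.add(name)
                alias = next((d[-1] for t, d in records.get(name, []) if t == "CNAME"), None)
                if alias is None:
                    break
                chain.append(f"{name} CNAME {alias}")
                name = alias
            if chain:
                findings.append((owner, rdata[-1], chain))
    return findings

# Constructed zones: the posted template expanded with placeholder values,
# a variant whose MX points at the 'mail' alias, and the RFC 1912 example.
TEMPLATE_AS_POSTED = ("example.test. IN A 192.0.2.10\nexample.test. IN MX 0 example.test.\n"
                      "mail IN CNAME example.test.\nwww IN CNAME example.test.")
MX_AT_MAIL = TEMPLATE_AS_POSTED.replace("MX 0 example.test.", "MX 0 mail.example.test.")
RFC1912_EXAMPLE = "podunk.xx. IN MX mailhost\nmailhost IN CNAME mary\nmary IN A 1.2.3.4"

if __name__ == "__main__":
    print(mx_alias_findings(MX_AT_MAIL, "example.test"))
```

The template exactly as posted produces no findings, because its MX points at the name that carries the A record; the finding appears only once the MX is aimed at the mail alias.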