
Question About MX registry check

Hello dear community,

 

We would like to check if it is possible to check the MX registry for the senders. I know that the ESAs have an option to check the sender IP, but as far as I know that verification only validates whether the sender IP has a domain associated with it; it doesn't check whether that IP appears in the MX registry.

 

Is it possible to check the MX registry for senders on IronPort?

 

Regards,

Aitor

2 Replies

charella
Cisco Employee
Hello aito.domingo2190

Does the term MX registry mean the same as MX record?
I wanted to confirm.

The MX record lists the names of the servers that are designated to receive email for a domain.

* A domain may send their email from a different source than what is listed in their MX record.
* That is especially true with larger corporations as well as companies which may use a hybrid setup.
* An example would be: inbound email arrives at ESA1, which has an MX record. Outbound mail is sent from ESA2, which is dedicated to outbound mail only (not listed in the MX record).

No, the MX registry is not directly checked for inbound email for verification.

There are multiple checks that can be configured to assist in determining the validity of the sending source.

* SPF Verification
* DMARC Verification
* DKIM Verification
* Sender Verification
* SBRS
* TLS preferred|required Verify

12.0 and newer:
SDR (Sender Domain Reputation)

Thank you,
Chris

dmccabej
Cisco Employee

Hello,

 

You can enable sender verification on the mail flow policy for the envelope sender, which is perhaps something similar to what you're looking for. 

 

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_0110.html#con_1106897

 

In more detail: AsyncOS performs an MX record query for the domain of the sender address. AsyncOS then performs an A record lookup based on the result of the MX record lookup.

 

As Chris mentioned, there are many other preferred methods of verification for senders, as these types of DNS checks can be hit or miss depending on the domain and may cause some false positives due to administrators not setting up DNS properly.

 

Thanks!

-Dennis M.
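
The lookup sequence described in the reply above (an MX query for the envelope sender's domain, then an A lookup on the result), set beside the connecting-IP-in-MX comparison the question asks about. This is an added example, not part of the original thread and not AsyncOS code; the zone data, host names, addresses and function names are constructed for illustration, and the ESA1/ESA2 split mirrors the hybrid setup mentioned in the first reply.

```python
# Constructed zone data (documentation-range names and addresses) standing in
# for live DNS so the example runs offline.
ZONE = {
    ("example.com", "MX"): ["esa1.example.com"],        # inbound only
    ("esa1.example.com", "A"): ["192.0.2.10"],
    ("esa2.example.com", "A"): ["192.0.2.20"],          # outbound only, not in MX
    ("broken.example", "MX"): ["mail.broken.example"],  # MX target has no A record
}

def lookup(name, rtype):
    """Return the constructed records for (name, rtype), or an empty list."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])

def mx_addresses(domain):
    """MX query for the domain, then an A lookup for each MX host."""
    return {ip for host in lookup(domain, "MX") for ip in lookup(host, "A")}

def verify_envelope_sender(mail_from):
    """True when the sender's domain has an MX whose host resolves to an address."""
    _, sep, domain = mail_from.rpartition("@")
    if not sep or not domain:
        return False  # null or malformed envelope sender
    return bool(mx_addresses(domain))

def ip_listed_in_mx(mail_from, connecting_ip):
    """The check asked about: is the connecting IP one of the domain's MX hosts?"""
    domain = mail_from.rpartition("@")[2]
    return connecting_ip in mx_addresses(domain)

def evaluate(mail_from, connecting_ip):
    """Run both checks for one (envelope sender, connecting IP) pair."""
    return {
        "sender_domain_resolves": verify_envelope_sender(mail_from),
        "ip_listed_in_mx": ip_listed_in_mx(mail_from, connecting_ip),
    }

if __name__ == "__main__":
    cases = [
        ("user@example.com", "192.0.2.10"),      # sent via the inbound MX host
        ("user@example.com", "192.0.2.20"),      # legitimate outbound-only host
        ("user@broken.example", "198.51.100.7"), # MX exists but does not resolve
    ]
    for mail_from, ip in cases:
        print(mail_from, ip, evaluate(mail_from, ip))
```

The second case is the one to note: the domain passes the MX-then-A verification, yet the legitimate outbound host would be rejected by a strict IP-in-MX comparison.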
