Is it acceptable for outbound email server IPs listed in MX records to lack port 25 connectivity?
Michael Ko
Co-founder & CEO, Suped
Published 21 Jun 2025
Updated 5 Nov 2025
A common point of confusion arises when setting up email infrastructure, especially concerning DNS records and connectivity. I often encounter questions about whether outbound email server IPs, those responsible for sending mail, should also be listed in MX records and, consequently, have port 25 connectivity open for incoming mail. It is a nuanced area that can significantly impact email deliverability.
Some DNS checking tools might flag a lack of port 25 connectivity on an IP address that is listed in an MX record. While these tools are designed to identify potential issues, their complaints in this specific scenario can be misleading if the IPs are primarily used for outbound sending. The key is understanding the distinct roles of MX records and the different ports used in email communication.
This topic often leads to questions about how different parts of the email system interact, from DNS to SMTP ports. It is important to clarify these interactions to ensure optimal email flow and maintain a strong sender reputation.
The purpose of MX records
MX records, or Mail Exchanger records, are a fundamental part of the Domain Name System (DNS) that directs incoming email for a domain. When someone sends an email to your domain, their mail server performs a DNS lookup to find the MX record associated with your domain. This record then tells the sending server which mail server, or servers, are configured to accept mail for your domain. This is primarily for receiving email.
The information in an MX record includes a preference number, which indicates priority, and the domain name of the mail server. This server's domain name then resolves to an IP address via an A record, which is the actual destination for incoming emails. For example, a domain might have multiple MX records, pointing to different mail servers for redundancy or load balancing.
It is crucial to understand that MX records govern incoming mail flow, not outgoing. When your server sends an email, it looks up the recipient's MX record to know where to send the mail, but your own MX records don't dictate how your server sends mail. A well-configured MX record set is vital for ensuring your organization can receive emails reliably.
For more information on how MX records function, you can refer to resources that explain the purpose of an MX record and how it works. If an MX record is missing or misconfigured, it can lead to email delivery failures. I have previously discussed whether a missing MX record indicates a bad email address, which highlights the importance of this record type.
The role of port 25 in email flow
Port 25 is the default port for SMTP (Simple Mail Transfer Protocol) relay, used by Mail Transfer Agents (MTAs) to send emails between servers. This means when one email server communicates with another to deliver a message, it typically uses port 25. It is, therefore, essential for the recipient's mail server to have port 25 open for incoming connections if it is listed in an MX record.
However, it is crucial to distinguish this from the ports used for email submission, which are typically ports 587 (with STARTTLS encryption) or 465 (SMTPS). These ports are used by email clients (like Outlook or Thunderbird) to send emails to an outbound mail server, which then relays them to the recipient's server via port 25.
Many Internet Service Providers (ISPs) and cloud providers block outbound port 25 traffic by default for residential and new business IP addresses to combat spam. If your email sending infrastructure is impacted by this, you would typically use an email relay service (often on port 587) to send your messages. This is a common setup, and it does not mean your outbound IPs need port 25 open for incoming connections.
Port 25 connectivity for sending
Your outbound email server needs to be able to connect out on port 25 to send mail to other MTAs. This is distinct from accepting inbound connections.
ISP port 25 blocks
Many ISPs block outbound port 25 by default to prevent spam. If this is the case, you'll need to use a dedicated SMTP relay service or an alternative port like 587 or 465 for submitting emails.
Why listing outbound IPs in MX records is problematic
If an IP address is listed in your domain's MX records, it means you are telling the entire internet that this IP address is configured to receive emails for your domain. If that IP address then does not accept incoming connections on port 25, it creates a discrepancy. Recipient mail servers might attempt to connect to that IP based on the MX record, fail, and then potentially treat your domain's email with suspicion.
This misconfiguration can negatively impact your sender reputation. When a receiving server performs a check and finds that an advertised MX server is unreachable or unresponsive on port 25, it can interpret this as a sign of an incorrectly configured or even malicious sender. Some anti-spam techniques specifically involve checking if the sending server's MX record (if it has one) will accept email. If it does not, the email you are trying to send might be permanently rejected.
Therefore, listing outbound-only IPs in your MX records without enabling inbound port 25 connectivity is not an acceptable practice. It contradicts the fundamental purpose of an MX record and can lead to deliverability issues, including your emails being routed to spam folders or outright rejected. This issue is often associated with policy blocklists (or blacklists) that include IPs that should not be sending email directly.
Correct MX configuration
Purpose: Directs incoming emails to designated mail servers.
Connectivity: IPs listed in MX records must accept incoming SMTP connections on port 25.
Deliverability impact: Essential for reliable inbound email delivery.
Outbound IPs in MX records
Purpose mismatch: Confuses receiving servers trying to deliver mail inbound.
Connectivity issue: If port 25 is not open, it indicates a misconfiguration.
Deliverability impact: Can harm sender reputation and lead to rejections.
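One way to audit your own MX set for the mismatch described in this section, as an added example that is not code from this article: it parses MX answers and flags any exchanger that does not return a 220 greeting on port 25. The domain example.com, the hostnames and the function names are assumptions made for illustration.

```python
import socket

# Constructed sample: MX answers for the placeholder domain example.com,
# in "preference exchange" form (the shape `dig +short MX` prints).
SAMPLE_MX = """\
10 mx1.example.com.
20 mx2.example.com.
30 out1.example.com.
"""

def parse_mx(text):
    """Return [(preference, host)] sorted by preference, lowest first."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blanks and anything that is not "pref host"
        host = parts[1].rstrip(".").lower()
        if host:  # "0 ." is a null MX (RFC 7505): nothing to probe
            records.append((int(parts[0]), host))
    return sorted(records)

def smtp_banner(host, port=25, timeout=10.0):
    """Connect to host:port and return the first reply text, or None on failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            return conn.recv(512).decode("ascii", "replace").strip()
    except OSError:  # refused, filtered, timed out or unresolvable
        return None

def audit_mx(mx_text, probe=smtp_banner):
    """Classify every MX host as 'ok', 'unreachable' or 'no-220'."""
    report = {}
    for _pref, host in parse_mx(mx_text):
        banner = probe(host)
        if banner is None:
            report[host] = "unreachable"  # advertised as MX, but port 25 is closed
        elif banner.startswith("220"):
            report[host] = "ok"           # RFC 5321 service-ready greeting
        else:
            report[host] = "no-220"       # something answered without accepting mail
    return report

if __name__ == "__main__":
    # Live run: replace SAMPLE_MX with your domain's real MX answers first.
    for host, status in audit_mx(SAMPLE_MX).items():
        print(f"{host}: {status}")
```

Any host reported as `unreachable` or `no-220` should either be removed from the MX set or opened for inbound SMTP.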
Best practices for outbound email DNS
For optimal email deliverability and to avoid confusion, it is best to maintain a clear separation between your inbound and outbound email infrastructure. Your MX records should point only to the servers that are actually intended to receive incoming mail for your domain. These servers must have port 25 open and be ready to accept SMTP connections.
Your outbound email sending IPs, on the other hand, should have proper A records (and AAAA records for IPv6) and corresponding PTR (reverse DNS) records. The PTR record should match the hostname your sending server announces when it initiates a connection. This consistency is a strong positive signal to receiving mail servers and helps establish trust.
The RFC standards, specifically RFC 5321 (Simple Mail Transfer Protocol), describe the behavior of SMTP. While they do not explicitly forbid an outbound IP from also being an MX, the expectation is that an MX record points to a server capable of receiving mail. Deviating from this expectation can lead to unnecessary deliverability hurdles.
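The PTR and HELO consistency described in this section can be checked per sending IP. The following is an added example, not code from this article: it confirms that the PTR name matches the announced HELO hostname and that the PTR name resolves back to the same IP. The function names, the 192.0.2.10 address and the hostname are placeholders chosen for illustration.

```python
import ipaddress
import socket

def ptr_names(ip):
    """Reverse-resolve ip; return its PTR hostnames (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [n.rstrip(".").lower() for n in [name, *aliases]]

def forward_ips(host):
    """Resolve host to its A/AAAA addresses (empty set if it does not resolve)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def check_sender(ip, helo, reverse=ptr_names, forward=forward_ips):
    """Return a list of findings for one sending IP; empty means consistent."""
    addr = ipaddress.ip_address(ip)  # normalise so IPv6 spellings compare equal
    helo = helo.rstrip(".").lower()
    names = reverse(ip)
    if not names:
        return ["no PTR record for " + ip]
    findings = []
    if helo not in names:
        findings.append(f"HELO {helo} does not match PTR {names[0]}")
    # Forward-confirm: at least one PTR name must resolve back to the same IP.
    confirmed = any(
        addr in {ipaddress.ip_address(a) for a in forward(n)} for n in names
    )
    if not confirmed:
        findings.append(f"PTR {names[0]} does not resolve back to {ip}")
    return findings

if __name__ == "__main__":
    # Live lookup via the system resolver; the IP and HELO name below are
    # placeholders, substitute your own sending IP and announced hostname.
    print(check_sender("192.0.2.10", "out1.example.com") or "consistent")
```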
Historical context and common misunderstandings
The notion that outbound IPs must be listed as MX entries is a misconception. Some older systems or specific certification programs (like what Return Path might have required historically) might have had peculiar DNS requirements, but generally, it is not a standard practice for maintaining good deliverability.
The consensus among deliverability professionals is that if an IP is published as an MX record, it should absolutely be accepting inbound connections on port 25. Failure to do so sends negative signals and can adversely affect your sending reputation, potentially leading to your emails being blocked or blacklisted by recipient mail servers.
Views from the trenches
Best practices
Ensure your MX records exclusively point to mail servers designed and configured to receive incoming email on port 25.
Verify that your outbound sending IPs have correct A/AAAA and PTR records that match their HELO/EHLO announcements.
Utilize SMTP submission ports (587 or 465) for sending mail from clients or applications, not port 25.
Common pitfalls
Listing IPs primarily used for outbound sending in your MX records, especially if they do not accept incoming connections on port 25.
Ignoring warnings from DNS checking tools about unresponsive MX entries, as this can negatively impact your sender reputation.
Attempting to send direct email from consumer IP ranges, as these are often blocked on port 25 by ISPs.
Expert tips
Separate inbound and outbound mail flows clearly in your DNS and server configurations.
An unresponsive MX record is a significant red flag for receiving servers.
Proper DNS setup, including MX and PTR records, is foundational to email deliverability.
Expert view
Expert from Email Geeks says that you do not need MX records for outgoing mail IPs, as MX records specify servers for accepting email messages on behalf of a domain name.
2019-07-12 - Email Geeks
Expert view
Expert from Email Geeks says if IPs are listed as MX records, they should absolutely be accepting inbound connections on port 25.
2019-07-12 - Email Geeks
Key takeaways for your email infrastructure
In summary, while your outbound email servers certainly need the ability to connect out on port 25 to send mail, they generally do not need to accept inbound connections on this port unless they are also designated MX servers. Placing outbound-only IPs in your MX records without inbound port 25 connectivity is a misconfiguration that can negatively affect your sender reputation and deliverability.
Proper DNS setup, including distinct MX records for inbound mail and A/AAAA records with matching PTRs for outbound IPs, is fundamental for email security and deliverability. Adhering to these best practices will help ensure your emails reach the inbox reliably and your domain maintains a positive standing with recipient mail servers.