Setting Up Secure Mail Delivery
Some senders of viruses and spam do not follow the DNS standard for selecting MX records: they send to the highest-numbered (lowest-priority) server, or pick a server at random. Sometimes spammers specifically target mail servers that are listed in low-priority DNS MX records, or look up a server directly using a common naming scheme such as mail.yourdomain.com.
This diagram shows email flow through the message security service, and email flow circumvented by spammers.
Configuring for All Domains
If all of your domains are registered in and routing through the message security service, we strongly recommend the following: configure your email server or firewall to refuse port 25 traffic from every source except the IP ranges of the message security service and the portable address range. See IP Range for this information.
This configuration actively prevents traffic from bypassing the message security service, rather than simply making the mail server harder to find. In the unlikely event that the service's processing is impaired, sending email servers will queue their messages until processing resumes, so no email is lost. During this time you can either wait until the message security service is processing properly again, or temporarily reconfigure your mail server to accept email from any sending server. If you reconfigure your system, however, email that includes potential spam and viruses will be delivered to your users.
Configuring for Partial Domains
Configuring your email server or firewall to accept email traffic only from the IP ranges of the message security service is suitable only for environments where all domains are registered. If not all of your domains are registered in and routing through the message security service, this solution will not work.
For example, in the diagram below, the domain jc.com is not configured for email flow through the message security service. If you configure your email server or firewall to accept email traffic from only the appropriate IP ranges, all email for the domain jc.com, which is not routed through the message security service, would bounce.
In this case, the recommendation is:
- Remove the DNS MX records—only for the domains routing to the message security service—that point directly to your email server. In the event that servers are down, sending email servers will queue up messages for later delivery.
- Pick another name for your mail server besides mail.yourdomain.com, since spammers will sometimes guess that your mail server is named mail.yourdomain.com and use this to avoid filtering.
WARNING: These recommended steps only obfuscate your mail server. They do not fully protect it. To protect your mail server, add all domains to your hierarchy and then use the suggestions above in Configuring for All Domains.
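Before choosing between the two configurations above, it helps to know which of your domains are fully routed through the service, which still carry a direct low-priority MX that spammers can target, and which (like jc.com) are not routed at all. The following audit script is an added example, not part of the original documentation; the service MX hostnames and the sample MX records are constructed placeholders, and in practice you would pull the records from DNS and the service hostnames from the provider's documentation.

```python
"""Classify each domain's MX records against the message security service.

Added example (not from the original page). All hostnames and MX data
below are constructed placeholders.
"""

# Placeholder: MX hostnames that belong to the message security service.
SERVICE_MX = {"mx1.service-mx.example", "mx2.service-mx.example"}

# Constructed sample: domain -> list of (preference, exchange) MX records.
SAMPLE_MX = {
    "yourdomain.example": [(10, "mx1.service-mx.example"), (20, "mx2.service-mx.example")],
    "partial.example": [(10, "mx1.service-mx.example"), (100, "mail.partial.example")],
    "jc.com": [(10, "mail.jc.com")],
}


def classify(domain, records, service_mx=SERVICE_MX):
    """Return (status, direct_hosts) for one domain.

    routed  - every MX points at the service: safe to restrict port 25.
    partial - mixed: the direct (usually low-priority) MX lets senders
              bypass the service and should be removed.
    direct  - no service MX at all: restricting port 25 would bounce
              every message for this domain.
    """
    direct = [host for _, host in records if host.lower() not in service_mx]
    if not direct:
        return "routed", direct
    if len(direct) < len(records):
        return "partial", direct
    return "direct", direct


def guessable_names(domain, records):
    """MX hosts that match the mail.<domain> name spammers commonly guess."""
    guess = f"mail.{domain}".lower()
    return [host for _, host in records if host.lower() == guess]


def audit(mx_map, service_mx=SERVICE_MX):
    """Audit every domain: {domain: (status, direct_hosts, guessable_hosts)}."""
    return {d: (*classify(d, r, service_mx), guessable_names(d, r))
            for d, r in mx_map.items()}


if __name__ == "__main__":
    for domain, (status, direct, guess) in audit(SAMPLE_MX).items():
        print(f"{domain}: {status}; direct MX={direct}; guessable={guess}")
```

A domain reported as "routed" is a candidate for the port 25 restriction described under Configuring for All Domains; a "partial" or "direct" result means that restriction would bounce mail until the domain is added to the service.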