Email Fundamentals: What is an MX Record?

Paul Cunningham — Sat, 06 Aug 2011 13:12:43 +0000

One of the less well understood components of a working email system is the MX record. I do find a lot of IT administrators looking after Exchange servers who don’t really understand what an MX record is and how they work.

DNS Fundamentals

MX stands for “mail exchanger”. An MX record is a type of DNS record, so any understanding of MX records has to begin with an understanding of the fundamentals of the Domain Name System (DNS).

The most important role of DNS for the majority of us is translating names into IP addresses so that network communications can occur.

For example, when you type www.microsoft.com into your web browser, DNS is used to look up that name to determine the IP address of the server to connect to. The domain name in this example is microsoft.com.

So if that is how a simple web browser connection is made, what about when somebody sends email to an @microsoft.com address?

Again DNS comes into play, but this time the look up is slightly different. The sending mail server will look up the MX record in DNS by following a sequence along these lines:

Look up the authoritative name servers for microsoft.com
Query the microsoft.com name servers for the MX records
Look up the names of the MX records in DNS to get their IP addresses

If you were to run your own manual DNS lookup of the MX records for microsoft.com it would look something like this:

C:\>nslookup
Default Server:  UnKnown
Address:  10.0.1.9

> set type=mx
> microsoft.com
Server:  UnKnown
Address:  10.0.1.9

Non-authoritative answer:
microsoft.com   MX preference = 10, mail exchanger = mail.messaging.microsoft.com

mail.messaging.microsoft.com    internet address = 94.245.120.86

So the IP address of the “mail exchanger” for microsoft.com is 94.245.120.86.

MX Preferences

You may notice the “MX preference” in the output above and wonder what that is referring to. To better explain it here is another DNS lookup for the google.com domain.

> google.com
Server:  UnKnown
Address:  10.0.1.9

Non-authoritative answer:
google.com      MX preference = 30, mail exchanger = alt2.aspmx.l.google.com
google.com      MX preference = 50, mail exchanger = alt4.aspmx.l.google.com
google.com      MX preference = 40, mail exchanger = alt3.aspmx.l.google.com
google.com      MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
google.com      MX preference = 10, mail exchanger = aspmx.l.google.com

alt2.aspmx.l.google.com internet address = 74.125.115.27
alt1.aspmx.l.google.com internet address = 74.125.91.27
aspmx.l.google.com      internet address = 74.125.157.27

Notice that there are multiple MX records each with a different preference value. The preference is basically a way of setting the priority of each MX record. The lowest preference is the MX with the highest priority, ie the one that a sending mail server should try first.

The purpose of multiple MX records is to either:

Provide some load balancing by using multiple MX records with the same preference set
Provide a backup MX that can be used if the primary one is unavailable

The backup MX may be another mail server in your organization at a secondary site that has less bandwidth available to it. Or it could be a server hosted by a third party that provides backup MX services. Either way the purpose is to give sending email systems somewhere to send messages rather than have to store them and retry later.

Where Should Your MX Records Point?

Once you understand what an MX record does you then need to consider where your MX record should actually be pointing. Here are a few real world examples of where to point your MX records.

If your organization receives email directly then your MX record would point to a public IP address for your firewall or internet-facing email server (eg Edge Transport server).

If your organization uses a hosted cloud service for email filtering, then your MX record would point to their IP address (or an array of IP addresses depending on which service you are using).

Those are just two examples. There are numerous different scenarios that exist such as hybrid cloud/direct combinations, ge0-distributed networks, and so on. However in my experience with customers these are the two most common scenarios.

By now you should have a basic understanding of what an MX record is and how they work. If you have any questions please feel free to ask them in the comments below.

MS08-037 causes port conflicts with DNS and IAS services

Get more Exchange Server tips at ExchangeServerPro.com

MS08-037 causes port conflicts with DNS and IAS services

Paul Cunningham — Wed, 28 Jan 2009 01:32:52 +0000

You may encounter an issue with servers running both the DNS and IAS services that have installed update MS08-037 (Vulnerabilities in DNS could allow spoofing – 953230). The IAS services will fail to start and any authentication that relies on IAS (such as VPNs) will fail.

When connecting to the IAS server with the IAS management console the following errors may appear:

Event ID 7023 will appear in the System event log of the IAS server.

Event Type:    Error
Event Source:    Service Control Manager
Event Category:    None
Event ID:    7023
Date:        28/01/2009
Time:        9:15:17 AM
User:        N/A
Computer:    SERVER
Description:

The Internet Authentication Service service terminated with the following error:

Only one usage of each sock address (protocol/network address/port) is normally permitted.

The cause of the issue is explained in KB956188:

You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)

This issue occurs because the service cannot obtain the port that it requires to function correctly. This issue occurs because of changes to the port allocation in the DNS Service after security update 953230 is installed.

Read full article

The solution is to reserve the IAS ports from the ephemeral port range to ensure that the DNS Server service does not dynamically allocate those ports to itself. To determine which ports are being used by IAS open the IAS management console, right-click the server name and select Properties.

Navigate to the Ports tab and note the port numbers in use.

Follow the instructions in KB812873 (How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003) and enter the correct ports in the registry key like this.

The server must be restarted for the change to take effect. After the restart the DNS Server will no longer allocate the IAS ports to itself, which will allow IAS to start properly.