Skip to main content
AT&T Community Forums
Announcements
Protect your device against loss, theft, damage and get expert technical support. Open Enrollment Ends 3/31/21.
lem3's profile
lem3
Crowd Pleaser 2
Rising Star
Helpful 2

Guru

 • 

469 Messages

Fri, Jul 10, 2020 12:24 AM

Prodigy.net Reverse DNS Lookup is Broken

Every day one or two (usually important!) emails sent to me are bounced by a prodigy.net server claiming the sending server fails reverse DNS lookup.  Investigations show the servers all have valid MX and PTR records.  In fact, if the same message is resent through the same server it is accepted and delivered to me.

This is the relevant portion of a bounce back message:

host al-ip4-mx-vip1.prodigy.net[144.160.235.143] said: 550 5.7.1 Connections not
    accepted from servers without a valid sender domain.alph755 Fix reverse DNS
    for 69.58.186.171 (in reply to MAIL FROM command)

 

This is the relevant header from a message that was accepted, probably because it hit a different system in prodigy.net.  Note the (same) IP address of the server and the correct rDNS hostname:

Received: from mx04.nic.name (mx04.nic.name [69.58.186.171])
	by alph754.prodigy.net (Inbound 8.15.2/8.15.2) with ESMTPS id 069FRYZN098085
	(version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=FAIL)
	for <[email scrubbed]>

Please forward to the DNS network team. Do not send me to abuse_rbl.  This is not a blocked address or blacklist issue. 

 

Network Solutions has a page online documenting a similar problem from 2018.  It took them a week to find the correct person in AT&T and get the situation corrected.  I'm hoping to resolve it in less time.

https://www.netsolinc.com/prodigy-email-issues/

 

Responses

New Member

 • 

7 Messages

8 months ago

This has been happening to our mailserver also.

 

Mail only bounces from when the prodigy.net reverse DNS issue is involved.

 

Our reverse DNS has been set up correctly from the beginning. No other mailservers complain.

 

New Member

 • 

7 Messages

8 months ago

So I should have realized this sooner, but I have one extra avenue to try to pursue a solution:

 

We are AT&T Dedicated Internet customers (our office has a 1 Gbps circuit with AT&T).

 

So I have opened a trouble ticket with AT&T regarding this problem.

They have already escalated it to Tier 3 (whatever that means).

 

I'm crossing my fingers that we get some movement on this.

 

lem3

Guru

 • 

469 Messages

8 months ago

I can provide additional bounce messages if they need more data.

New Member

 • 

7 Messages

8 months ago

This is one of mine:

Failed to deliver to '(snip)@att.net'
SMTP module(domain att.net) reports:
return-path address <(snip)> rejected by al-ip4-mx-vip1.prodigy.net:
550 5.7.1 Connections not accepted from servers without a valid sender domain.alph772 Fix reverse DNS for 12.11.82.14

 

If you post yours, I can provide it to them if they ask.

 

(edited)

lem3

Guru

 • 

469 Messages

8 months ago

This is typical:

**********************************************
Arrival-Date: Thu, 16 Jul 2020 13:38:26 +0000 (UTC)

Final-Recipient: rfc822; [email]
Original-Recipient: rfc822;[email]
Action: failed
Status: 5.7.1
Remote-MTA: dns; ff-ip4-mx-vip1.prodigy.net
Diagnostic-Code: smtp; 550 5.7.1 Connections not accepted from servers without
    a valid sender domain.flph837 Fix reverse DNS for 72.13.32.171

**********************************************

IP 72.13.32.171 of course has, and always has had correct MX and PTR records.

(edited)

New Member

 • 

7 Messages

7 months ago

Here is something interesting:

Even though our reverse DNS is properly configured on our DNS servers, as I was testing the reverse DNS lookup using various outside services, one DNS Checking service actually reported our reverse DNS as being down.

 

A nice person at that DNS checking service forwarded me some detailed diagnostic information. He said one of the chain of servers that needs to respond to allow our reverse DNS lookup to succeed was not responding.

That server: one of the DNS servers run by AT&T. (Which makes sense, as our IP addresses are from AT&T).

 

So AT&T escalated it and has decided to solve the problem... by manually whitelisting my 2 mail servers. (And NOT solving the reverse DNS problem.)

 

I am working on getting them to fix the reverse DNS issue...

lem3

Guru

 • 

469 Messages

7 months ago

That is... discouraging.  Thanks for keeping on top of this.

 

"We [AT&T] understand that accurate reverse DNS is essential to the functioning of the internet.

 

"We acknowledge that our reverse DNS system is broken.

 

"We have no intent of fixing the problem."

 

rant:: There are complaints in the Community forums about this issue dating back to at least 2018.  What about those of us without the juice of a business account needed to get attention to the problem?

endrant::

 

Again, thanks for uncovering the root cause.

(edited)

New Member

 • 

7 Messages

7 months ago

My plan is to refuse to close the ticket until they fix the reverse DNS problem.

 

Hopefully it spurs the right people into action.

 

At least I am in direct communication with the AT&T DNS team separately from the team working on the SMTP problem.

 

I will let you know if there is any progress.

New Member

 • 

7 Messages

7 months ago

Ok, so we have reached a positive resolution... although I am not sure the fix is going to apply to other people's situation.

 

So, several times AT&T tried to explain the problem as simply "intermittent DNS response failure", meaning "hey, sometimes it just doesn't work. Nothing needs to be done."

 

We refused to accept that this was the problem, as the DNS failures were 100% reproducible (and therefore, NOT intermittent).

 

What was true was this:

1. For some clients/situations, reverse DNS was 100% successful.

2. For some clients/situations, reverse DNS was 100% failure.

3. We did not now what the difference was.

 

Certain online Reverse DNS checkers would succeed every time, others would fail every time. Most would succeed, but not all.

 

So, after a certain amount of back-and-forth, AT&T actually presented the problem to a DNS admin.

(I have no idea why it was not presented to them earlier.)

 

The DNS admin noticed that two things:

1. Not all our reverse DNS secondary servers were responding.

   (This was true, but not causing the problem.)

2. We have some CNAME records for our DNS servers, which is not supposed to happen.

They explained that the CNAME records were making it appear as if the responding DNS servers were NOT the authoritative DNS servers, and so the AT&T DNS servers were not accepting their non-authoritative responses.

 

Hence, the lack of response to the reverse DNS query by the AT&T DNS servers.

 

Hence the failure of the Prodigy.net SMTP server.

 

We reconfigured our DNS servers so there were no CNAME records.

 

This fixed the AT&T reverse DNS problems.

 

Reverse DNS now appears to work properly even for the clients which previously failed 100% of the time.

 

So I do not know if this information will help your situation.

The upshot is that the AT&T DNS servers in question are being stricter about your configuration than other DNS servers.

 

The AT&T DNS servers are probably being more correct;

perhaps most DNS servers are just being overly accepting of lightly mis-configured DNS.

 

I hope this helps some people with this issue.

 

lem3

Guru

 • 

469 Messages

7 months ago

That's useful information although my situation is the opposite: failures appear to be random even though there is probably an underlying cause.  Twenty messages from smtpserver.com might be accepted before one is rejected.  Which means I don't expect to get far with the "sometimes it just doesn't work" bunch at AT&T networking.

 

I've been checking rDNS mostly with nslookup and MXToolbox, which never fail.  Which tool(s) failed in your lookup tests?

New Member

 • 

7 Messages

7 months ago

Hm. That is interesting... and different.

 

I hope this list of reverse-DNS checking sites helps.

 

The ones that failed 100% of the time:

 

https://tools.dnsstuff.com

 

https://www.dnscheck.co

 

Note that you need to make an account to use dnscheck.co, but the account is free for low usage.

 

Both of these sites succeeded after my issue was addressed.

 

 

The others, that succeeded 100% of the time:

https://mxtoolbox.com/SuperTool.aspx?action=ptr

 

https://www.debouncer.com/reverse-dns-check

 

https://www.whatismyip.com/reverse-dns-lookup/

 

https://hackertarget.com/reverse-dns-lookup/

 

lem3

Guru

 • 

469 Messages

7 months ago

I ran one of the problem servers through the dnsstuff rDNS search 25-30 times without a single failure.  I also verified that none of the DNS servers associated with the sending domain has a CNAME record. So the good news is I know where the problem doesn't lie.  The bad news is I'm still not getting all my mail.

 

Back into the fray.  Thanks for your help.

Get started...

Ask a new question