Google's incorrect DNS check

Yesterday I spent some time answering questions on the Google Apps forum. I really love this forum, as I used to post a lot there. These days I don’t get much time for forum involvement.

Anyways, yesterday I came across a very interesting post from a user named Sandip. He got an error from Google’s DNS check in the Google Apps Toolbox.


Error:

Presence of mail server on A record of your domain can lead to subtle and hard-to-debug problems with mails ‘accidentally’ missing in case of DNS problems. You can check this problem yourself by typing

telnet your.domain.com 25

Normally this SHOULD result in ‘Connection refused’ message.

I did reply to Sandeep’s post, but here’s an explanation again. What’s happening is that Google is checking the A record of the domain name and trying to see whether it accepts email on the default SMTP port 25. This is completely wrong, because if an MX record is present, the A record will be and SHOULD BE ignored. It is true that if MX is absent, the A record is taken as the apex A record and emails are delivered to it, but in the presence of MX, the A record should simply be ignored.

As per RFC 2821, I quote the relevant lines:

The lookup first attempts to locate an MX record associated with the name. If a CNAME record is found instead, the resulting name is processed as if it were the initial name. If no MX records are found, but an A RR is found, the A RR is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.
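
The lookup order in the RFC text quoted above, as an added Python example (not from the original post or from Google's tool). It resolves mail targets against a small constructed in-memory zone; the names, addresses and the helper names `mail_targets` and `a_record_smtp_matters` are assumptions for illustration.

```python
# Added illustration; the zone data below is constructed, not real DNS.
# Maps name -> {record type -> values}. MX values are (preference, host).
ZONE = {
    "example.com": {"A": ["203.0.113.10"],            # shared web host
                    "MX": [(10, "alt1.mail.example.net"),
                           (1, "mail.example.net")]},
    "www.example.org": {"CNAME": ["example.org"]},
    "example.org": {"A": ["203.0.113.20"]},           # no MX at all
    "nomail.example": {},
}


def mail_targets(domain, zone=ZONE, max_cname_hops=8):
    """Return [(preference, host, implicit)] in delivery order.

    Follows the quoted RFC 2821 text: MX first; a CNAME restarts the
    lookup with the resulting name; an A record is used only when no
    MX exists, as an implicit MX with preference 0.
    """
    name = domain.lower().rstrip(".")
    for _ in range(max_cname_hops):
        records = zone.get(name, {})
        if records.get("MX"):
            # Lowest preference value is tried first.
            return [(pref, host, False) for pref, host in sorted(records["MX"])]
        if records.get("CNAME"):
            name = records["CNAME"][0].lower().rstrip(".")
            continue
        if records.get("A"):
            return [(0, name, True)]
        return []
    raise ValueError("CNAME chain too long for " + domain)


def a_record_smtp_matters(domain, zone=ZONE):
    """True only if senders would actually deliver to the domain's A record."""
    return any(implicit for _, _, implicit in mail_targets(domain, zone))


if __name__ == "__main__":
    for d in ZONE:
        print(d, mail_targets(d), a_record_smtp_matters(d))
```

For `example.com`, which has MX records, the A record never appears among the delivery targets, so whatever listens on port 25 at that address has no bearing on where mail goes.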


Shared hosting limitations:

Also, another funny part here is that a lot of small businesses use Google Apps for email hosting and other cPanel-based web hosting providers for website hosting. In WHM/cPanel-based hosting, email comes bundled with the package, so whether one uses it or not, email is there and available. Hence, unless one has a dedicated server, a shared host won’t really turn off SMTP for that specific domain name, since the IP is shared. Even if one has a dedicated IP, the shared hosting provider would have to mess with firewall rules to disable port 25 specifically for that dedicated IP, which is hard at the management level since one has to keep track of such custom rules somewhere. And all this should not really be required.

I replied to Sandeep’s question within the forum and also informed the Google Apps guides (one of the perks of being a Google Apps forum top contributor). Seems like that profile is all outdated. Will update it in a while!

Let’s see how Google works on improving that tool.

With the hope that your domain’s MX records are preferred over A records for email, have a good week ahead! :)