SMTP Server Configuration: Is MX Record Required for Outbound-Only Email Delivery?



When configuring a dedicated SMTP server exclusively for outbound email delivery (like Postfix in your DMZ), whether that server needs an MX record is a common point of confusion. The usual mistake is to conflate MX (Mail Exchange) records with SMTP authentication and delivery mechanisms.

The sending process doesn't consult MX records of the origin server. Here's what actually happens during outbound delivery:

# Sample Postfix outbound email flow:
1. Your application -> Postfix (submission port 587)
2. Postfix performs DNS lookups:
   - MX lookup for recipient domain (e.g., gmail.com)
   - A/AAAA record for recipient's mail servers
3. Delivery via SMTP to recipient's MX hosts

MX records specifically declare where incoming mail should be delivered. They have no technical relationship with outbound mail authorization. For your scenario where Exchange handles incoming mail:

# Correct DNS configuration example:
example.com.    IN  MX  10 mail-exchange.example.com.
smtp-dmz.example.com.    IN  A    203.0.113.5  ; No MX needed here

Instead of MX records, implement proper SPF to authorize your DMZ server:

# Example SPF record (DNS TXT):
"v=spf1 ip4:203.0.113.5 include:_spf.example.com -all"

# Postfix main.cf configuration snippet:
smtpd_sender_restrictions = 
    permit_mynetworks
    reject_unauth_destination
    reject_unknown_sender_domain
    reject_unauth_pipelining

  • Some legacy systems may perform reverse MX lookups as part of spam scoring
  • Certain RBLs check sender domain consistency
  • DKIM signing should originate from the same domain as your Exchange server

Test your configuration with these tools:

# Command line verification:
dig MX example.com
dig TXT example.com
telnet smtp-dmz.example.com 25
swaks --to test@example.org --server smtp-dmz.example.com

When configuring an SMTP server like Postfix for outbound-only email, it's crucial to understand that MX (Mail Exchange) records primarily govern inbound email delivery. These DNS records specify which servers should receive emails for your domain. For outbound-only scenarios:


# Example DNS zone file snippet for reference
example.com.    IN  MX  10  mail-exchange.example.com.
smtp-dmz.example.com.    IN  A    203.0.113.45

Your DMZ Postfix server doesn't strictly need an MX record if it will never receive mail. However, these elements are essential:

  • Proper reverse DNS (PTR record) matching the forward A record
  • SPF record authorizing the server's IP
  • DKIM signing configuration (recommended)

The SPF record is more critical than MX records for sender reputation:


example.com.    IN  TXT  "v=spf1 ip4:203.0.113.45 include:_spf.google.com -all"

Your main.cf should include these key parameters for outbound-only operation:


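# Prevent Postfix from attempting to receive mail:
# accept SMTP connections on the loopback interface only
inet_interfaces = loopback-only
# no local delivery: this host is the final destination for no domain
mydestination =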

Even without MX records, implement full email authentication:

  • DMARC policy (recommended starting with p=none)
  • Consistent HELO/EHLO identifiers
  • Proper TLS configuration

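# Example Postfix TLS configuration
# Inbound (smtpd): offer STARTTLS to clients but do not require it
smtpd_tls_security_level = may
# Outbound (smtp): require TLS; mail to servers without STARTTLS is deferred
smtp_tls_security_level = encrypt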

Watch for these issues in outbound-only configurations:

  • Mismatched PTR and forward DNS records
  • Missing SPF authorization for the sending IP
  • Incorrect Postfix relay restrictions
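
The first two issues in this list can be checked before the server sends any mail. The Python below is an added example, not code from the original page or from Postfix: it evaluates the ip4, ip6, include and all mechanisms of an SPF record and runs a forward-confirmed reverse DNS check for the sending IP. It reads a constructed ZONE table instead of live DNS; the PTR entry and the contents of _spf.example.com are assumptions.

```python
import ipaddress

# Constructed records standing in for live DNS answers (assumption: they mirror
# the page's example zone; the PTR entry and the include target are made up).
ZONE = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.45 include:_spf.example.com -all"],
    ("_spf.example.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("smtp-dmz.example.com", "A"): ["203.0.113.45"],
    ("45.113.0.203.in-addr.arpa", "PTR"): ["smtp-dmz.example.com"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype, zone):
    return zone.get((name.rstrip(".").lower(), rtype), [])

def spf_result(domain, ip, zone=ZONE, depth=0):
    """Evaluate ip4, ip6, include and all; other mechanisms are ignored here."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    records = [t for t in lookup(domain, "TXT", zone) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:               # none published, or more than one (invalid)
        return "permerror" if records else "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name in ("ip4", "ip6"):
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":         # include matches only if the inner check passes
            hit = spf_result(arg, ip, zone, depth + 1) == "pass"
        else:
            hit = name == "all"
        if hit:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no "all" term

def fcrdns_ok(ip, zone=ZONE):
    """Forward-confirmed reverse DNS: a PTR name must resolve back to the IP."""
    addr = ipaddress.ip_address(ip)
    rtype = "A" if addr.version == 4 else "AAAA"
    return any(ip in lookup(host, rtype, zone)
               for host in lookup(addr.reverse_pointer, "PTR", zone))

def preflight(sender_domain, ip, zone=ZONE):
    """Return the problems a receiving server could hold against this IP."""
    result = spf_result(sender_domain, ip, zone)
    checks = [(fcrdns_ok(ip, zone), "PTR and forward DNS records do not match"),
              (result == "pass", f"SPF does not authorize {ip} (result: {result})")]
    return [msg for ok, msg in checks if not ok]
```

To run the same checks against a real domain, replace lookup() with a resolver call; preflight() then returns an empty list only when both the PTR round trip and the SPF evaluation succeed for the sending IP.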

Even without MX records, monitor these metrics:

  • SMTP error codes from receiving servers
  • Spam complaint rates
  • Authentication pass/fail rates in headers