DNS Sanity Check option
The DNS Sanity Check option provides an additional layer of protection against spam and helps ensure that inbound messages that might not have a destination to bounce to are not allowed in. The proper fix is for the sender to correctly format their messages (i.e. fix the sender's domain so that it has a proper A/MX record), but this feature was implemented specifically to provide a way for such messages to be delivered.
Specifically, "Inbound sender DNS sanity checks" is a little-used option that turns off the sender domain validity DNS checks we perform on inbound email. We perform two checks:
- Whether the sender domain has MX records, in other words, whether the email is bounceable and can be returned to the sender should that be necessary later. (Our MTA is set up to reject the request if the MAIL FROM domain has 1) no DNS A or MX record, or 2) a malformed MX record, such as a record with a zero-length MX hostname.) All addresses used on an email should be valid in this sense, and if you turn this test off, you become an easier target for spam and the like, because spammers do not have to use real domains. If spammers are forced to use real domains, those domains can protect themselves using SPF and specify where their email should originate from. That said, our spam engines do a great job of detecting spam based on content, and we don't believe removing this check will measurably increase the amount of spam a customer receives.
- Whether the sender domain is free of MX records pointing to private or reserved IP ranges such as 10.0.0.0/8, 127.0.0.0/8, etc. If the email's "creator" crafts a recipient address that will get bounced, and configures the sender domain's MX (possibly under their control) with the IP address of an internal network resource, the email can be made to flow outside of its intended course (or sit stuck in an internal queue, unable to go anywhere).
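
The two checks above can be sketched as follows. This is an added example, not the product's own code: the function names are hypothetical, the DNS answers are passed in as constructed sample data rather than resolved live, and every range beyond 10.0.0.0/8 and 127.0.0.0/8 is an assumed expansion of the "etc." in the text.

```python
import ipaddress

# The page names 10.0.0.0/8 and 127.0.0.0/8; the other ranges are an
# assumed expansion of its "etc.", not the product's actual list.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8",
    "0.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def blocked_net(addr):
    """Return the blocked network that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((net for net in BLOCKED_NETS if ip in net), None)


def sender_dns_sanity(domain, a_records, mx_records):
    """Apply both checks to already-resolved DNS data for a MAIL FROM domain.

    a_records is a list of IP strings for the domain itself; mx_records is
    a list of (mx_hostname, [ip strings]) tuples. Returns (accepted, reason).
    """
    # Check 1: the domain must be bounceable (an A or MX record exists,
    # and no MX record has a zero-length hostname).
    if not a_records and not mx_records:
        return False, f"{domain}: no A or MX record"
    for host, _ in mx_records:
        if not host.rstrip("."):
            return False, f"{domain}: zero-length MX hostname"
    # Check 2: no MX host may resolve into a private or reserved range.
    for host, addrs in mx_records:
        for addr in addrs:
            net = blocked_net(addr)
            if net is not None:
                return False, f"{domain}: MX {host} -> {addr} is in {net}"
    return True, f"{domain}: ok"


# Constructed sample data (reserved example domains, documentation addresses).
SAMPLES = {
    "good.example": ([], [("mx1.good.example.", ["203.0.113.10"])]),
    "nodns.example": ([], []),
    "emptymx.example": (["203.0.113.20"], [(".", [])]),
    "internal.example": ([], [("mx.internal.example.", ["10.1.2.3"])]),
}
```

With the option enabled (checks turned off), all four sample domains would be accepted; with the checks on, only `good.example` passes.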