Symantec Messaging Gateway (SMG) - Best Practices: New Deployments.

Article:TECH122730  |  Created: 2010-01-26  |  Updated: 2012-08-15
Article Type
Technical Solution


You are planning to deploy a new architecture with Symantec Messaging Gateway (SMG) appliances and want to know the best practices.

Before deploying new mail gateways, some steps are required to make the new environment a trusted source of mail.

Today, due to the high volume of spam, ISPs and companies have become very strict about accepting mail from new sources.

In this document we outline some steps that are necessary to make sure you meet the standards required by some ISPs and by companies in general.


Physical Location

If you are going to deploy multiple SMG hosts, Symantec suggests that all of them be placed within the same geographical location.

If SMG hosts must be deployed in different remote locations and communication issues occur between hosts (outdated statistics, timeouts, host status not available in the GUI), it is suggested to have one Control Center at each location.

DNS Records

Make sure you have DNS records for the Symantec Messaging Gateway scanners. Most ISPs and companies rely on accurate DNS information, so make sure the hostnames in your DNS match the MTA hostname on the Symantec Messaging Gateway scanners.
Keep in mind that the hostname and the MTA hostname of a Symantec Messaging Gateway appliance can differ. The MTA hostname is the one used to validate the MX record, and it can be easily changed.

You must have at least two MX records, plus a proper A and PTR record for each host that will handle email.

For more information about where to configure the MTA hostname (per SMG scanner host), please check this article:

Some outbound messages are not delivered to certain domains due to mismatched host name

To find out your domain's MX record you can run nslookup:
> nslookup -type=mx
Address: MX preference = 10, mail exchanger =

DNS records for each host
Each hostname must have a proper A and PTR record in your DNS. To make sure you have proper entries, you can use nslookup.

The following commands must return the same results for each host that you query:

> nslookup (this command asks whether there is an A record for the hostname)


> nslookup (this command asks whether there is a PTR record for the IP address)


NOTE: This means that host resolves to IP and the opposite is also true, the IP resolves back to
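
The rules above (at least two MX records, each MX host matching an MTA hostname, and A and PTR records that agree in both directions) can be checked in one pass. The following Python is an added example, not Symantec code: the function names, the example.com hostnames and the 192.0.2.x addresses are constructed, and live lookups default to the operating system resolver.

```python
import socket

def _live_a(host):
    """A lookup through the OS resolver; an empty list means no record."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def _live_ptr(ip):
    """PTR lookup through the OS resolver; an empty list means no record."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def _norm(name):
    return name.rstrip(".").lower()   # DNS names are case-insensitive

def audit_mail_dns(mx_hosts, mta_hostnames, lookup_a=_live_a, lookup_ptr=_live_ptr):
    """Return a list of findings; an empty list means the records are consistent."""
    findings = []
    mx = [_norm(h) for h in mx_hosts]
    mta = {_norm(h) for h in mta_hostnames}
    if len(set(mx)) < 2:
        findings.append("fewer than two MX records")
    for host in mx:
        if host not in mta:
            findings.append(f"{host}: MX host is not an MTA hostname on any scanner")
        ips = lookup_a(host)
        if not ips:
            findings.append(f"{host}: no A record")
        for ip in ips:
            names = [_norm(n) for n in lookup_ptr(ip)]
            if not names:
                findings.append(f"{host}: {ip} has no PTR record")
            elif host not in names:   # forward and reverse lookups disagree
                findings.append(f"{host}: PTR for {ip} is {names[0]}, not {host}")
    return findings

# Constructed sample zone: mx2's PTR still points at an internal appliance name.
SAMPLE_A = {"mx1.example.com": ["192.0.2.10"], "mx2.example.com": ["192.0.2.11"]}
SAMPLE_PTR = {"192.0.2.10": ["mx1.example.com."],
              "192.0.2.11": ["smg02.internal.example.com."]}

def sample_findings():
    hosts = ["mx1.example.com", "mx2.example.com"]
    return audit_mail_dns(hosts, hosts, lookup_a=lambda h: SAMPLE_A.get(h, []),
                          lookup_ptr=lambda ip: SAMPLE_PTR.get(ip, []))
```

For a live check, call `audit_mail_dns` with the MX hosts returned by `nslookup -type=mx` and the MTA hostnames configured on the scanners, leaving the lookup arguments at their defaults.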

SPF records

Sender Policy Framework helps protect against email forgery, and it is highly recommended to have DNS records for it.
For more information and details about how to set these records up, please check the following links:

Sender Policy Framework (SPF) Introduction

SPF - Record Syntax

SPF - Setup Wizard

Sender ID records

Sender ID Overview Page

Sender ID Framework SPF Record Wizard

NOTE: This technology is DNS-based and helps maintain your sender reputation. Symantec Messaging Gateway also supports it: the Sender Authentication tab under Spam -> Settings performs the same check against other external domains.

Enable outbound spam scanning on Symantec Messaging Gateway

By default, Symantec Messaging Gateway does not enable antispam scanning for outbound traffic. However, there are some cases where enabling it might help mitigate previously unknown threats coming from your internal network out to the Internet.

To enable outbound spam scanning, please follow these steps:

  1. Log in to the Control Center
  2. Navigate to Administration -> Users -> Groups
  3. On the right-hand side click on "Default"
  4. Navigate to the Spam TAB
  5. Check the box "Enable outbound email spam scanning for this group"
  6. Using the dropdown lists available, select the appropriate policies for Spam and Suspected Spam
    NOTE: These policies can be customized under the "Spam" tab of the product later if needed.
  7. Click Save

This setting can be enabled per group, so it is possible to enable it only for a set of addresses/users. For an example, please check this article to see how you would whitelist users if needed:
How to whitelist outbound traffic when you have email spam scanning enabled for outbound messages

Other Symantec Messaging Gateway (SMG) Best practice articles

Symantec Brightmail Gateway/Symantec Messaging Gateway and Cisco PIX firewalls

Symantec Messaging Gateway (SMG) - Best Practices: Spam Control

Symantec - IP Reputation Investigation

Technical References

Here you can find tools and guidelines that will help you solve issues around deployments.

Postmaster & SMTP Error Code Resources

Yahoo Mail SMTP Error Codes

AOL SMTP Error Messages

Windows Live & Hotmail Mail Troubleshooting (includes SMTP Error Codes)

Delivery status notifications in Exchange Server and in Small Business Server

DNS and Open Relay testing tools



Mail relay testing

Blacklist removal and bulk senders guidelines

Gmail - Bulk Senders Guidelines

AOL - Sender Best Practices and Whitelist guides

Yahoo - Mail Bulk Sender Form

NOTE: All the links provided here are for reference only. They might be changed or removed without warning, and Symantec is not responsible for that.


