Symantec Messaging Gateway offers the option to check the chain of Reverse DNS -> Forward DNS entries for the connecting IP address.
Unfortunately SMG is not able to handle PTR queries where more than one record is returned. It randomly picks one entry and does the corresponding forward check, so there is a good chance that connections are blocked where there is more than one entry in the PTR record set.
This should be corrected; alternatively, there should be an option setting the maximum number of PTR entries SMG should consider.
Example:
connecting IP: 1.2.3.4
PTR query returns: a.mydomain.test AND b.mydomain.test
On Monday SMG does an A query for "a.mydomain.test", which returns 1.2.3.4 -> mail is accepted (subject to further inspections)
On Tuesday SMG does an A query for "b.mydomain.test", which returns 1.2.3.5 -> mail is rejected.
There is not even an option to put affected IPs on a whitelist (the whitelist only applies to the further inspections; it is not queried at this stage of the connection).
I'm speaking of the option:
Reject connections where the reverse DNS record exists for the connecting IP address, but the 'A' record of the resulting domain does not match the connecting IP address
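The following is an added example, not SMG code and not part of the original post. It models the forward-confirmed reverse DNS check described above against constructed DNS data (the names, the 1.2.3.x addresses and the second host 5.6.7.8 / c.other.test are made up for the illustration, as is the max_ptr limit), and contrasts the "pick one PTR at random" behaviour the post reports with a check that accepts the connection if any of the PTR targets resolves back to the connecting address. It handles IPv4 only; a real implementation would also need ip6.arpa lookups and a real resolver.

```python
import random
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed zone data standing in for real DNS answers (not real hosts).
# 1.2.3.4 has two PTR targets; only one of them resolves back to 1.2.3.4.
# 5.6.7.8 has a single PTR target whose A record does not match at all.
CONSTRUCTED_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("4.3.2.1.in-addr.arpa", "PTR"): ["a.mydomain.test", "b.mydomain.test"],
    ("a.mydomain.test", "A"): ["1.2.3.4"],
    ("b.mydomain.test", "A"): ["1.2.3.5"],
    ("8.7.6.5.in-addr.arpa", "PTR"): ["c.other.test"],
    ("c.other.test", "A"): ["9.9.9.9"],
}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa owner name for an IPv4 address (1.2.3.4 -> 4.3.2.1.in-addr.arpa)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def lookup(name: str, rtype: str, records=CONSTRUCTED_RECORDS) -> List[str]:
    """Stand-in resolver: returns the constructed RRset, or [] for NXDOMAIN/NODATA."""
    return list(records.get((name, rtype), []))


def fcrdns_pick_one(ip: str, rng=random) -> Optional[bool]:
    """Behaviour the post describes: one PTR target is chosen and only its A record is compared.
    Returns None when there is no PTR record (the reject option then does not apply)."""
    ptrs = lookup(reverse_name(ip), "PTR")
    if not ptrs:
        return None
    chosen = rng.choice(ptrs)
    return ip in lookup(chosen, "A")


def fcrdns_any(ip: str, max_ptr: int = 10) -> Optional[bool]:
    """Forward-confirmed reverse DNS: pass if ANY of the first max_ptr PTR targets
    has an A record equal to the connecting IP. max_ptr is the cap the post asks for
    (hypothetical value) so a hostile zone cannot force unbounded forward lookups."""
    ptrs = lookup(reverse_name(ip), "PTR")
    if not ptrs:
        return None
    return any(ip in lookup(name, "A") for name in ptrs[:max_ptr])


def pick_one_outcomes(ip: str, trials: int = 200, seed: int = 1234) -> Set[bool]:
    """Run the pick-one check repeatedly with a seeded RNG and collect the distinct
    verdicts. For 1.2.3.4 both True and False appear: the Monday/Tuesday effect."""
    rng = random.Random(seed)
    return {fcrdns_pick_one(ip, rng) for _ in range(trials)}


def decide(ip: str, checker: Callable[[str], Optional[bool]]) -> str:
    """Apply the 'reject when a PTR exists but its A record does not match' rule.
    No PTR at all -> the option is not triggered and the connection proceeds."""
    verdict = checker(ip)
    if verdict is False:
        return "reject"
    return "accept"


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "10.0.0.1"):
        print(ip, "pick-one verdicts:", pick_one_outcomes(ip),
              "| any-match:", fcrdns_any(ip), "->", decide(ip, fcrdns_any))
```

The any-match variant is the usual definition of forward-confirmed reverse DNS: a host with several PTR targets is legitimate as long as one of them points back at the connecting address, so a random choice among them turns a deterministic policy into a coin toss. The cap on forward lookups is the practical safeguard against a zone that publishes a very long PTR list.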