Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


PTR Issue

Posted on 2011-10-15
Medium Priority
Last Modified: 2012-05-12
We are have a problem with RDNS PTR for the following. We have a server in the DMZ on a firewall appliance that serves as both a web server and an email server. When a client on the LAN sends an email using SMTP port 25, the PTR resolves to the primary WAN address and fails. PTR passes when using the email client but we do have need to send direct also. Any suggestions on how to resolve this problem? Here are the hypotheticals:
Server (in DMZ translated): (cannot be same ip as WAN)
A Records: www.xxx.com A
A Records: mail.xxx.com A
MX record: mail.xxx.com
TXT record: @ (None).xxx.com  v=spf1 a mx ptr -all
TXT record: mail.xxx.com  v=spf1 a ptr ?all
Question by:bellelect
  • 3
LVL 21

Expert Comment

ID: 36974146
I don't see any PTR records listed.  Do you mean the forward lookup (A record) is showing mail.xxx.com at and not  What are you running for your DNS server?

On a related note, your SPF records need some work.

TXT record: @ (None).xxx.com  v=spf1 a mx ptr -all
For xxx.com, best practice is to format it like "v=spf1 ip4: -all", but preferably ~all + DKIM signing.

TXT record: mail.xxx.com  v=spf1 a ptr ?all
An SPF record for mail.xxx.com is only necessary if you send mail from @mail.xxx.com.  Aside from that, "?all" means that any IP is allowed to send mail from mail.xxx.com, and should not be used.


Author Comment

ID: 36974261
No place to list PTR records on Network Solutions that is why we referneced it in the SPF. The forward A recond for mail.xxx.com is as it points to the server in the DMZ. We do not run our own DNS server.
We cannot format an ip4: as my understanding is that is for a network ip or range such as 192.x.x.x or 10.x.x.x. The hypothetical ip's i have used are static ip's provided by our service provider.
We do send mail from mail.xxx.com as it is our primary mail server.

Expert Comment

ID: 36974292
PTR records are something to be set on your service provider and not on your registrar ( Network solutions )side.

Thank you
LVL 21

Accepted Solution

Papertrip earned 2000 total points
ID: 36974297
You will need to contact your ISP to get a PTR record setup for that points to mail.xxx.com.

The ip4: mechanism is not restricted to private IP ranges, and rarely, if ever, is used with those private ranges.  SPF tells the receiving server which IP's are allowed to send mail for that domain.  Your SPF record contents only need to be the IP's of your sending server(s), and ~all or -all.

If the envelope-from address of your mails is user@xxx.com, then you need an SPF record for xxx.com like I explained in my first answer.  You only need an SPF record for mail.xxx.com is you send mails with a from address of user@mail.xxx.com.
LVL 21

Expert Comment

ID: 36974299
"v=spf1 ip4: -all"

Open in new window


Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There have been a lot of times when we have seen the need to enter a large number of DNS entries in a forward lookup zone. The standard procedure would be to launch the DNS Manager console, create the Zone and start adding new hosts using the New…
SSL is a very common protocol used these days when browsing the web.  The purpose is to provide security to communication, but how does it do it?  There are several pieces at work that have to be setup before SSL will even work and it requires both …
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month12 days, 9 hours left to enroll

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question