PTR Issue

We are having a problem with RDNS PTR for the following. We have a server in the DMZ on a firewall appliance that serves as both a web server and an email server. When a client on the LAN sends an email using SMTP port 25, the PTR resolves to the primary WAN address and fails. PTR passes when using the email client, but we do have a need to send direct also. Any suggestions on how to resolve this problem? Here are the hypotheticals:
WAN IP: 1.2.3.4
Server (in DMZ translated): 1.2.3.5 (cannot be same ip as WAN)
A Records: www.xxx.com A 1.2.3.5
A Records: mail.xxx.com A 1.2.3.5
MX record: mail.xxx.com
TXT record: @ (None).xxx.com  v=spf1 a mx ptr -all
TXT record: mail.xxx.com  v=spf1 a ptr ?all
bellelect Asked:
Papertrip Commented:
You will need to contact your ISP to get a PTR record setup for 1.2.3.5 that points to mail.xxx.com.

The ip4: mechanism is not restricted to private IP ranges, and rarely, if ever, is used with those private ranges. SPF tells the receiving server which IPs are allowed to send mail for that domain. Your SPF record contents only need to be the IPs of your sending server(s), and ~all or -all.

If the envelope-from address of your mails is user@xxx.com, then you need an SPF record for xxx.com like I explained in my first answer. You only need an SPF record for mail.xxx.com if you send mails with a from address of user@mail.xxx.com.
0
 
Papertrip Commented:
I don't see any PTR records listed.  Do you mean the forward lookup (A record) is showing mail.xxx.com at 1.2.3.4 and not 1.2.3.5?  What are you running for your DNS server?

On a related note, your SPF records need some work.

TXT record: @ (None).xxx.com  v=spf1 a mx ptr -all
For xxx.com, best practice is to format it like "v=spf1 ip4:1.2.3.5 -all", but preferably ~all + DKIM signing.

TXT record: mail.xxx.com  v=spf1 a ptr ?all
An SPF record for mail.xxx.com is only necessary if you send mail from @mail.xxx.com.  Aside from that, "?all" means that any IP is allowed to send mail from mail.xxx.com, and should not be used.

0
 
bellelect (Author) Commented:
No place to list PTR records on Network Solutions, that is why we referenced it in the SPF. The forward A record for mail.xxx.com is 1.2.3.5 as it points to the server in the DMZ. We do not run our own DNS server.
We cannot format an ip4: as my understanding is that is for a network IP or range such as 192.x.x.x or 10.x.x.x. The hypothetical IPs I have used are static IPs provided by our service provider.
We do send mail from mail.xxx.com as it is our primary mail server.
0
 
amitnepal Commented:
PTR records are something to be set on your service provider's side and not on your registrar's (Network Solutions) side.

Thank you
0
 
Papertrip Commented:
"v=spf1 ip4:1.2.3.5 -all"

0
Question has a verified solution.
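
The SPF records discussed in this thread, evaluated for mail leaving from the DMZ address (1.2.3.5) and from the primary WAN address (1.2.3.4). This is an added example, not code from any poster: it implements a simplified subset of RFC 7208 (ip4, a, mx, ptr, all; no include, redirect, macros or lookup limits) over constructed lookup tables. The PTR entries are assumptions: 1.2.3.5 as it would look once the ISP adds the record, and a made-up ISP default name for 1.2.3.4.

```python
import ipaddress

# Constructed lookup tables mirroring the thread's hypothetical records.
A = {"www.xxx.com": ["1.2.3.5"], "mail.xxx.com": ["1.2.3.5"]}
MX = {"xxx.com": ["mail.xxx.com"]}
# Assumed PTR data (not on the page): see the lead-in.
PTR = {"1.2.3.5": ["mail.xxx.com"], "1.2.3.4": ["static-1-2-3-4.isp.example"]}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fcrdns_names(ip):
    """Forward-confirmed reverse DNS: PTR names whose A records point back at ip."""
    return [n for n in PTR.get(ip, []) if ip in A.get(n, [])]


def matches(mech, ip, domain):
    """True if a single SPF mechanism (qualifier already stripped) matches ip."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    target = arg or domain  # a, mx and ptr default to the domain being checked
    if name == "a":
        return ip in A.get(target, [])
    if name == "mx":
        return any(ip in A.get(host, []) for host in MX.get(target, []))
    if name == "ptr":
        return any(n == target or n.endswith("." + target) for n in fcrdns_names(ip))
    raise ValueError("unsupported mechanism: " + mech)


def check_spf(record, ip, domain):
    """Evaluate terms left to right; the first matching mechanism decides."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        if matches(term.lstrip("+-~?"), ip, domain):
            return RESULT[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for rec, dom in [("v=spf1 a mx ptr -all", "xxx.com"),
                     ("v=spf1 ip4:1.2.3.5 -all", "xxx.com"),
                     ("v=spf1 a ptr ?all", "mail.xxx.com")]:
        for ip in ("1.2.3.5", "1.2.3.4"):
            print(f"{dom:13} {rec:26} from {ip}: {check_spf(rec, ip, dom)}")
```

Mail that leaves through 1.2.3.4 matches no mechanism in any of the three records, so the result comes from the trailing `all` term; fixing that path means making the direct-send traffic leave from 1.2.3.5 or authorizing the address it actually uses.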
