Understanding PTR DNS Resource Records

What is a PTR Record?

A PTR (Pointer) record, also known as a Reverse DNS record, maps an IP address to a domain name; essentially, it’s the opposite of what an A record does in DNS. While A records are used to translate domain names to IP addresses, PTR records are used to verify that an IP address indeed corresponds to a domain name. This is a common verification step for receivers and part of many checks to determine the legitimacy of a connection’s origin, such as an email server.

Why Does it Matter?

PTR records hold significance for a myriad of reasons across various aspects of internet communication and network management. They facilitate smoother network operations, aid in troubleshooting, and enhance the trustworthiness of servers. However, for the purpose of this article, we will focus on their role in email security and delivery where their impact can be profound.

Focusing on Email Security
In the realm of email communications, PTR records are used to establish a more secure and reliable email delivery system that helps identify what infrastructure is truly sending emails.

  1. Anti-spam Measures: Many email servers and spam filtering systems perform reverse DNS lookups as part of their vetting process for incoming emails. A PTR record that successfully maps an IP address to a legitimate domain name is one of many indicators that the email is not spam. In the absence of a valid PTR record, emails are at a higher risk of being flagged as spam or even rejected outright.

  2. Reputation Building: The presence of a PTR record is considered a requirement of a well-configured email server. ISPs and email services assess the reputations of sending servers as part of their filtering criteria. A PTR record contributes positively to this reputation, signaling that the sender is operating within best practices for email delivery.

  3. Authentication and Verification: In the broader scope of email authentication mechanisms like SPF, DKIM, and DMARC, PTR records add an additional layer of verification. While not directly part of these protocols, the verification of the sending server’s IP through PTR records complements these authentication methods, creating a more secure email ecosystem.

In the Context of Email Security
The deployment of PTR records plays a strategic role in fortifying email security. It serves as a preliminary checkpoint for receiving mail servers to authenticate the source of incoming emails. This initial layer of scrutiny helps to preemptively filter out emails from dubious or unverified sources, thus reducing the incidences of phishing attacks, email spoofing, and malware distribution that plague the email ecosystem.

In an era where email threats are increasingly sophisticated, maintaining high standards for email delivery and security by following established best practices is paramount. One such best practice is ensuring the verifiability of the sender’s domain; proper PTR configuration will ensure that a Forward-Confirmed reverse DNS lookup (FCrDNS) check passes.

How does a Forward-Confirmed reverse DNS lookup work?

FCrDNS is a process that verifies an IP address against a domain name and vice versa. It involves the following two steps:

  1. A reverse DNS lookup is performed to find the domain name associated with an IP address using the PTR record.

  2. A forward DNS lookup is then conducted on the resulting domain name to see if it resolves back to the original IP address.

If both lookups match, the FCrDNS verification is successful, indicating that the IP address and domain name are legitimately associated. This process is used to authenticate connections, particularly in email communications.
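The two steps above, written out as an added example (not dmarcian's code). The resolver functions are injectable so the check can be run against constructed sample data; the sample names and documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
import socket

def reverse_names(ip):
    """Step 1: PTR lookup. Returns the names published for ip, or []."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:                      # no PTR record or lookup failure
        return []
    return [name, *aliases]

def forward_addresses(name):
    """Step 2: A/AAAA lookup. Returns the addresses name resolves to, or []."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def fcrdns(ip, reverse=reverse_names, forward=forward_addresses):
    """Return (passed, confirmed_name, reason) for a connecting IP address."""
    target = ipaddress.ip_address(ip)    # ValueError on malformed input
    names = reverse(str(target))
    if not names:
        return (False, None, "no PTR record at " + target.reverse_pointer)
    for name in names:                   # an IP may publish several PTR names
        for addr in forward(name):
            # Compare parsed addresses so IPv6 spelling differences don't matter.
            if ipaddress.ip_address(addr.split("%")[0]) == target:
                return (True, name.rstrip(".").lower(), "forward lookup confirms PTR")
    return (False, None, "PTR name does not resolve back: " + ", ".join(names))

# Constructed sample data (documentation address ranges) standing in for DNS.
SAMPLE_PTR = {"192.0.2.25": ["mail.example.com."],
              "198.51.100.7": ["host.example.net."],
              "2001:db8::25": ["mx6.example.com."]}
SAMPLE_FWD = {"mail.example.com.": ["192.0.2.25"],
              "host.example.net.": ["203.0.113.9"],   # points elsewhere
              "mx6.example.com.": ["2001:0db8:0:0:0:0:0:0025"]}

def demo():
    rev = lambda ip: SAMPLE_PTR.get(ip, [])
    fwd = lambda name: SAMPLE_FWD.get(name, [])
    ips = ("192.0.2.25", "198.51.100.7", "203.0.113.50", "2001:db8::25")
    return {ip: fcrdns(ip, rev, fwd) for ip in ips}

if __name__ == "__main__":
    for ip, result in demo().items():
        print(ip, result)
```

Calling `fcrdns("<sending IP>")` with no other arguments uses the system resolver; the second sample address shows the case where a PTR record exists but the check still fails because the name resolves elsewhere.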

[Image: Forward-Confirmed reverse DNS lookup]

When do I need to configure my own PTR record?

The necessity of configuring PTR records depends on the nature of an organization’s IP allocation and the services they use. For organizations with a simple email ecosystem consisting of a hosted email service provider such as Microsoft 365 and Google Workspace, this is a step they will likely never have to take. As the complexity of an email ecosystem increases, more considerations need to be made regarding how PTR records are supported.

Directly Allocated IP to an Organization
When an organization possesses its own IP range, typically allocated by their internet service provider (ISP), it holds the autonomy and responsibility to manage DNS records, including PTR records. This control is pivotal for entities that manage their email servers, as a correctly configured PTR record is a signal of legitimacy to other mail servers and can significantly impact email deliverability.

In such scenarios, the organization’s IT department or a designated managed service provider (MSP) must ensure that each outbound mail server has a corresponding PTR record. This record should resolve to a verifiable domain name, closely associated with the sending entity, to facilitate trust during email exchanges. The process involves coordinating with the ISP that routes the organization’s internet traffic, as they often control the reverse DNS zone where PTR records are set.

Hosted Services Allowing Custom PTR Labeling
Many cloud and hosting services recognize the importance of PTR records for their clients’ email deliverability and offer the capability to customize these records. This flexibility allows organizations to maintain consistency between their domain names and the IP addresses used by the hosted services, which helps with maintaining a healthy deliverability rate. However, the process to set up custom PTR records varies by provider and may require navigating the hosting service’s management console or submitting a support request.

To take full advantage of this feature, it’s essential for organizations to understand their provider’s procedure for PTR record customization. This feature may not be discussed during the onboarding process of such services, and it should be part of a checklist when setting up services that will send emails on behalf of the organization’s domains.

Hosted Services with Preconfigured, Non-Customizable PTRs
Services like Microsoft 365 operate on a massive scale to manage email infrastructure for countless organizations. Due to this scale and the managed nature of these services, customers are typically not permitted to customize PTR records. Instead, these services ensure that their IP ranges have appropriately configured PTR records that reflect their managed domains.

While the lack of customization may seem like a limitation, it reflects the service provider’s commitment to managing a secure and reputable email environment for all its users. These preconfigured PTR records are part of the provider’s broader strategy to maintain high deliverability rates and protect against spam and phishing. For organizations using such services, it’s important to understand that their email deliverability and reputation are, in part, in the hands of their provider. Therefore, selecting a reputable and reliable email service provider becomes an important step.

How PTR Records Relate to Google and Yahoo Sender Requirements

Starting February 1, 2024, Google and Yahoo began enforcing requirements that emphasize the importance of email authentication practices, including the proper use of PTR records. Ensuring your PTR records are correctly configured is clearly outlined as a requirement when sending to Google and Yahoo inboxes. All email-sending infrastructures are expected to pass an FCrDNS check. This means it becomes crucial for an email administrator to have a comprehensive list of all sending email systems and whether or not they have properly configured PTR records that meet the above requirements.

This guide will provide you with guidance on sender requirements regardless of the size or complexity of your email infrastructure.

Using DMARC data to investigate PTR records

A DMARC aggregate report contains data about who is sending emails on behalf of your domain. These reports organize such senders by the IP addresses that sent the emails. Depending on your XML processor of choice, you may be able to quickly obtain information on whether or not a server has a properly configured PTR record. The dmarcian Detail Viewer helps in making this determination by performing the lookup for you and sorting senders by server names obtained from the PTR record published in DNS. Below is an example of a Google IP and its associated PTR record.

[Image: Detail Viewer showing a PTR record]

Should a PTR record not exist, it would appear as shown in the image below.

[Image: Detail Viewer showing nxdomain]

With the Detail Viewer’s comprehensive filters, it becomes easy to search for any sending servers that have a missing PTR record. Simply enter the value “nxdomain” in the PTR/Server Name search filter field to produce a list of such senders.

[Image: Detail Viewer PTR/Server Name filter]
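For readers processing the raw XML themselves, the following added example (not dmarcian's code and not how the Detail Viewer is implemented) sums message counts per source IP from an aggregate report and lists senders whose PTR lookup fails. The report fragment and PTR data are constructed, and the parser assumes un-namespaced RFC 7489 element names.

```python
import socket
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report fragment (RFC 7489 element names, documentation IPs).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain></policy_published>
  <record><row><source_ip>192.0.2.25</source_ip><count>120</count></row></record>
  <record><row><source_ip>192.0.2.25</source_ip><count>30</count></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>4</count></row></record>
  <record><row><source_ip>203.0.113.50</source_ip><count>9</count></row></record>
</feedback>"""
# Constructed PTR data for the sample; 203.0.113.50 deliberately has none.
SAMPLE_PTR = {"192.0.2.25": "mail.example.com", "198.51.100.7": "host.example.net"}

def sample_lookup(ip):
    return SAMPLE_PTR.get(ip, "nxdomain")

def ptr_name(ip):
    """Live PTR lookup; any failure is reported as 'nxdomain' (a simplification)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return "nxdomain"

def senders_by_ptr(report_xml, lookup=ptr_name):
    """Return (server_name, source_ip, message_count) tuples sorted by server name."""
    # Reports come from third parties: in production parse them with a hardened
    # XML parser (for example defusedxml) rather than plain ElementTree.
    volume = Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        volume[row.findtext("source_ip").strip()] += int(row.findtext("count"))
    return sorted((lookup(ip), ip, count) for ip, count in volume.items())

def missing_ptr(report_xml, lookup=ptr_name):
    """Senders with no PTR record, highest volume first."""
    rows = [(ip, n) for name, ip, n in senders_by_ptr(report_xml, lookup)
            if name == "nxdomain"]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for row in senders_by_ptr(SAMPLE_REPORT, sample_lookup):
        print(*row)
```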

PTR records play a critical role in internet communications, especially in validating email servers and enhancing email deliverability. Proper configuration and management of PTR records, in accordance with your hosting situation and in alignment with major email service providers’ requirements, are essential steps in securing your email communications and protecting your domain’s reputation. As email security standards evolve, staying informed and compliant with these practices is crucial for any organization’s success in the digital space.

We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
