Basic DNS: PTR records and why you care

Learn why you need a PTR record if you run an internal mail server.




You may have come to this because you've been told that you need a PTR record to avoid rejections from sites like AOL and others.

You may have thought that you can add your own PTR record. You usually cannot.

A PTR record (sometimes called a "host PTR record") is what lets someone do a "reverse" DNS lookup - that is, they have your IP address and want to know what your host/domain is. At any Unix/Linux command line, you can use "dig -x" to do a reverse lookup:

bash-2.05a$ dig -x 64.226.42.29

; <<>> DiG 9.2.1 <<>> -x 64.226.42.29
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38101
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;29.42.226.64.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
29.42.226.64.in-addr.arpa. 1762 IN      PTR     pcunix.com.

;; Query time: 49 msec
;; SERVER: 10.1.36.238#53(10.1.36.238)
;; WHEN: Fri Jul  2 11:03:29 2004
;; MSG SIZE  rcvd: 67

If you are totally confused by DNS, I recommend Take Control of Your Domain Names, a $10.00 PDF E-Book that demystifies all of this.

Not every IP address has a corresponding PTR record. In fact, if you took a random sampling of addresses your firewall blocked because they were up to no good, you'd probably find most have no PTR record at all: a dig -x gets you no information. That's also apt to be true for mail spammers, or their PTR doesn't match up: a dig -x on their IP returns a name, but a forward lookup of that name might not give you the IP you started with.

That's why PTR records have become important. Originally, PTR records were just intended as a convenience, and perhaps as a way to be neat and complete. There still are no requirements that you have a PTR record or that it be accurate, but because of the abuse of the internet by spammers, certain conventions have grown up. For example, you may not be able to send email to some sites if you don't have a valid PTR record, or if your pointer is "generic":

dig -x 65.96.9.234

; <<>> DiG 9.2.1 <<>> -x 65.96.9.234
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55565
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;234.9.96.65.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
234.9.96.65.in-addr.arpa. 3570  IN      PTR     h00c0f06bacf1.ne.client2.attbi.com.

;; Query time: 2 msec
;; SERVER: 10.1.36.238#53(10.1.36.238)
;; WHEN: Fri Jul  2 11:12:45 2004
;; MSG SIZE  rcvd: 90
 

Typically, the reason you get refused is because the "generic" pointer doesn't have an MX (mail exchange) record:

This is technically inaccurate if your inbound and outbound servers are different. It's the outbound server (the one that connects to other machines) that needs the reverse lookup. For most small businesses, these are the same machine. It's perhaps more accurate to say (as a commenter did below) that the PTR record should match the SMTP response on port 25 when the receiving server sends back a verification check. However, it is usually only necessary that the record exist and not contain "in-addr.arpa". See the comments below.

dig h00c0f06bacf1.ne.client2.attbi.com MX

; <<>> DiG 9.2.1 <<>> h00c0f06bacf1.ne.client2.attbi.com MX
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32826
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;h00c0f06bacf1.ne.client2.attbi.com. IN MX

;; Query time: 292 msec
;; SERVER: 10.1.36.238#53(10.1.36.238)
;; WHEN: Fri Jul  2 11:14:01 2004
;; MSG SIZE  rcvd: 52
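An added self-check for an outbound mail server (example code written for this page, not from the article): it builds the in-addr.arpa query name that dig -x uses, looks up the PTR, confirms that the name resolves forward to the same address, and flags "generic" names along the lines of the AOL guidance quoted in the comments. The sample records are constructed (the first two reuse the addresses and answers from the dig output above), and the hex-label and dynamic-word heuristics are assumptions, not a rule any receiving site is known to apply.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name 'dig -x' queries, e.g. 29.42.226.64.in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

# Dynamic-pool words are the ones listed in the AOL guidance quoted in the comments.
DYNAMIC_WORDS = re.compile(r"(^|[.-])(pool|dhcp|dyn|dynamic)([.-]|\d)")
def looks_generic(ptr: str, ip: str) -> bool:
    """Generic-pointer tests: in-addr.arpa placeholder, dynamic-pool words, the IP spelled
    into the name, or a leading hex/MAC-style label (constructed heuristic for attbi-style names)."""
    name = ptr.rstrip(".").lower()
    if "in-addr.arpa" in name or DYNAMIC_WORDS.search(name):
        return True
    if ip in name or ip.replace(".", "-") in name:
        return True
    return re.fullmatch(r"[a-z]{0,2}[0-9a-f]{8,}", name.split(".")[0]) is not None

def check_outbound_ip(ip: str, ptr_lookup: Callable[[str], Optional[str]],
                      a_lookup: Callable[[str], List[str]]) -> Dict[str, object]:
    """Reverse lookup, forward confirmation of the answer, then the generic-name test."""
    problems: List[str] = []
    ptr = ptr_lookup(ip)
    if ptr is None:
        problems.append("no PTR record")
    else:
        if ip not in a_lookup(ptr):
            problems.append("PTR name does not resolve back to this IP")
        if looks_generic(ptr, ip):
            problems.append("generic or dynamic-looking PTR name")
    return {"ip": ip, "query": reverse_name(ip), "ptr": ptr, "problems": problems}

# Live lookups through the system resolver, for checking your own outbound server.
def system_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".") + "."
    except (socket.herror, socket.gaierror):
        return None
def system_a(name: str) -> List[str]:
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

# Constructed sample zone: the first two entries reuse the addresses and PTR answers from the
# dig output above; the 192.0.2.x (TEST-NET-1) entries are made up to show the failure modes.
SAMPLE_PTR = {"64.226.42.29": "pcunix.com.", "65.96.9.234": "h00c0f06bacf1.ne.client2.attbi.com.",
              "192.0.2.20": "mail.example.net.", "192.0.2.30": "30.2.0.192.in-addr.arpa.",
              "192.0.2.40": "dyn-40.pool.example.net."}
SAMPLE_A = {"pcunix.com.": ["64.226.42.29"], "h00c0f06bacf1.ne.client2.attbi.com.": ["65.96.9.234"],
            "mail.example.net.": ["198.51.100.5"],  # forward answer never comes back to 192.0.2.20
            "30.2.0.192.in-addr.arpa.": ["192.0.2.30"], "dyn-40.pool.example.net.": ["192.0.2.40"]}

def audit(ips: List[str], live: bool = False) -> Dict[str, List[str]]:
    """Map each address to its problem list; an empty list means it should get through."""
    ptr_fn = system_ptr if live else SAMPLE_PTR.get
    a_fn = system_a if live else (lambda n: SAMPLE_A.get(n, []))
    return {ip: check_outbound_ip(ip, ptr_fn, a_fn)["problems"] for ip in ips}
```

Call audit([your_server_ip], live=True) to run the same checks through the system resolver instead of the sample records.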
 

How do you get a PTR record? You might think that this is done by your domain registrar; after all, they point your domain to an IP address. Or you might think whoever handles your DNS would do this. But the PTR record isn't up to them: it's up to the ISP that "owns" the IP block your address came from. They are the ones who need to create the PTR record. In some cases, that may be the same people who handle your DNS, but it is not necessarily so: you may have no control over this whatsoever. See RFC 2317 and Avoid RFC 2317 style delegation of 'in-addr.arpa.' also.

If you don't have a PTR record, and can't get one (for example because you have a dynamic address), you will want to send outgoing email through a server that does. Your INCOMING server doesn't need a PTR record; you can use a dynamically assigned IP address for a mail server as long as you have some way of updating your MX record when your IP changes. And it isn't that you can't send SMTP mail out from such a server (although some ISPs do block outgoing SMTP to any but their own server); it's just that some recipients may block you because you don't have that PTR record or because it doesn't match up with an MX record for you.

Usually, you'll use your ISP's SMTP server as your "delegate" server - that can be done at your internal mail server or at the client machines ("Outgoing SMTP Server"). However, assuming that you aren't blocked for outgoing SMTP, you can use any server that "likes" you - that is, any server that will allow your IP address to relay mail through it. That's probably going to be another server under your control, or someone who knows you - there are few servers left that will let just anyone use them as a mail relay.

There are two other DNS records that can be helpful in getting your mail through: Caller-ID and SPF. These are records you can add to your own DNS, and they help prevent people masquerading as your mail server. Servers that check these records (not all do) know when it really is your server that sent the mail, so it is less likely to be refused. See Kerio Spam Control: Caller-ID and SPF for more details.

Thu Sep 8 15:28:47 2005: 1067   TonyLawrence

Thanks for the correction on the link; I wish people were smart enough to add redirects when they decide they need to shuffle things around, but it seems like nobody cares.





Thu Oct 9 03:55:54 2008: 4632   anonymous


"Typically, the reason you get refused is because the "generic" pointer doesn't have an MX (mail exchange record):"

This statement is incorrect. It's a very common practice to use separate inbound and outbound servers in an email environment. Verifying a PTR record against an MX record would result in a large amount of false positives. Whether this was a common practice or not in 2004 is questionable; however, having been in the spam filtering industry for the past 3 years, I have NEVER come across a case where the MX record was in fact being compared to the PTR record. This is a very common misconception (hence, the reason for my comment today).

AOL's website states the following:

* AOL does require that all connecting Mail Transfer Agents have established reverse DNS, regardless of whether it matches the domain.
* Reverse DNS must be in the form of a fully-qualified domain name. Reverse DNS containing in-addr.arpa are not acceptable, as these are merely placeholders for a valid PTR record. Reverse DNS consisting of IP addresses are also not acceptable, as they do not correctly establish the relationship between domain and IP address.
* Reverse DNS that may be similar to dynamic IP space (containing pool, dhcp, dyn, etc.) may be treated as suspect. Therefore should be changed to reflect a fully-qualified domain name with standard MTA reverse DNS.

Source: http://postmaster.info.aol.com/info/rdns.html


Hope this helps someone in the future. :)



Thu Oct 9 11:47:33 2008: 4634   TonyLawrence

OK, I see your point. Most of the people that have this problem are small, and run ONE server, so for them it's simpler to explain it this way. Your comment will serve to correct for the few cases where separate servers are used.



Fri Feb 13 16:51:36 2009: 5407   TonyLawrence

Testing converting this to static page for better performance. Just about ready..



Tue Jun 16 10:11:07 2009: 6505   anonymous
http://ideasplantation.co.uk
The problem is more common than people realise because they dismiss emails not getting through as "email problems" not as an issue to be fixed.
Our client had this problem and it was easily resolved.
http://ideasplantation.co.uk



Sun Oct 4 14:52:44 2009: 7061   anonymous



You can use this site to find PTR or any other records http://www.magic-net.nl/dns-and-ip-tools.php(link dead, sorry)



Sun Oct 4 14:55:43 2009: 7062   TonyLawrence

Um, ok, but why on earth would I use a web browser when I can do a "dig -x" ??






Sun Oct 4 16:40:02 2009: 7066   BigDumbDInosaur
http://bcstechnology.net
Um, ok, but why on earth would I use a web browser when I can do a "dig -x" ??

Because you are a clueless Windows user who knows nothing about dig and all those other fine *Nix commands that help with network troubleshooting, and thinks that everything in the computing universe revolves around Internet Exploder.



Fri Nov 13 12:33:43 2009: 7542   anonymous

Um, ok, but why on earth would I use a web browser when I can do a "dig -x" ??

I just accepted a new position and needed to check some records immediately. As there were no linux boxes around from my predecessor, it can be handy to have web sites to do quick lookups.



Fri Nov 13 12:44:57 2009: 7543   TonyLawrence

You'll need to fix that problem :-)



Sun Nov 22 04:31:26 2009: 7599   anonymous

If there are no Linux boxes lying around, I would highly suggest setting up a VirtualBox on your laptop with your favorite Linux distro. Very handy.



Sun Nov 22 08:08:54 2009: 7600   Miraenda

Actually, from my understanding (and the AOL guidelines do not conflict with this) and based on my own experience from years of dealing with providers like hotmail and yahoo for a webhost, the PTR record should match the SMTP response on port 25 when the receiving server sends back a verification check. The MX record match doesn't happen, but a verification response does happen (called sender verify) by most email servers.

You can see a server's SMTP response by doing:

telnet IP# 25

Where IP# is the IP for the server in question. Basically, you will get a response that tells the server's hostname, which is what the PTR record should match. I really believe that this explains the situation far more clearly than what was stated, and it is the actual case of how it works.



Sun Nov 22 12:46:59 2009: 7601   TonyLawrence

I shouldn't have implied that this has to match what a "dig whatever.com mx" returns. For most small systems, that IS the same host, but of course it doesn't have to be.

Your "the PTR record should match the SMTP response on port 25 when the receiving server sends back a verification check." is a better way to put it, thanks.



Tue Jan 11 01:21:00 2011: 9224   Andy



I need expert help regarding SMTP...anyone, please!

I'm trying to understand the safest way to use SMTP. I am about to purchase a virtual server package, on which I will set up PHPlist (free open source mailing program), so we have the freedom to send unlimited newsletters (...10,000 per day at least, which requires a VPS).

Here's my current setup with YMLP's software. I have a website - let's call it, MyHostedDomain.com. I send newsletters with the From / Reply To address as [email protected], which isn't being hosted by me but I have access to the email account.

Can I do this with PHPList? i.e. send messages using [email protected] as the visible address, but having it all go through my VPS SMTP? I cannot authenticate it, right? Is this a bad practice? Is my only hope to use an address with a domain on the VPS, i.e. [email protected]?



Tue Jan 11 02:17:18 2011: 9225   TonyLawrence



I know nothing about PhpList. Never heard of it, sorry.



Tue Jan 11 16:38:02 2011: 9226   BigDumbDinosaur
http://bcstechnology.net


I'm trying to understand the safest way to use SMTP. I am about to purchase a virtual server package, on which I will set up PHPlist (free open source mailing program), so we have the freedom to send unlimited newsletters (...10,000 per day at least, which requires a VPS).

Sounds like the ultimate spammer setup. <Grin> Please advise the DNS of this server so I can immediately add it to the anti-spam table on my server.



Tue Jan 11 18:06:58 2011: 9227   Andy



"BigDumbDinosaur", are you just being sarcastic? This emailing is nothing suspicious at all. It's for non-profit newsletters, with confirm opt-in subscribing. It's the furthest thing possible from spam. We have a long-standing good reputation and I want to make sure it stays this way, that's all. I see nobody has an answer here, though.



Tue Jan 11 18:23:33 2011: 9228   TonyLawrence



There is no absolute answer. You can't control other folks' mail servers and the folks getting your mail mostly cannot either. You will get blocked now and then even if you do everything right.



Mon Jan 24 18:48:28 2011: 9251   Vince



Andy,

I would think that it is not recommended to send email from a server that does not host the email address that the mail is claiming to come from. I would set up an email address on a domain that the server hosts, but set the Reply-To to the address of where it's supposed to go.

I would also see about the mailings going out on a staggered schedule. Sending 10,000 messages a day means at least 420 messages per hour, and depending on the size of the message and responses from various mail servers, could extend those messages sitting in a queue for well over an hour. I've seen AOL and Yahoo throttle messages to so many per day from a single source.

I would contact various large email account holders like MSN, AOL and Yahoo and let them know that you are a source of bulk mail, as well as sign up for any alert programs they may offer.



Fri Apr 8 11:40:48 2011: 9438   dan
http://freenameservers.blogspot.com/


It would probably be worth mentioning that windows users can use NSLookup from the command line rather than dig -x



Fri Apr 8 11:47:02 2011: 9439   TonyLawrence



It would probably be worth mentioning that windows users can use NSLookup from the command line rather than dig -x


I'd rather put it that the poor Windows users often HAVE to use the crappy tools Microsoft provides.



Mon May 2 18:10:36 2011: 9475   ba72jfd



I have an issue and am seeking some advice.

Our company moved our email to Google Apps just over a year ago. Our ERP system has an outbound email feature that will not do any authentication. I set up an SMTP server for outbound email only but now am getting rejections from AOL mostly but others too. Since I don't have a PTR record do you think that is the issue? Does AOL require the SMTP port to be open because I do not allow any inbound emails only outbound.

Thanks in advance.



Mon May 2 18:57:46 2011: 9476   TonyLawrence



In a word, yes. You need this for AOL.



Mon May 2 18:59:42 2011: 9477   TonyLawrence



And no, AOL isn't coming back to you for anything. They look that up in DNS.



Mon May 2 20:15:58 2011: 9478   BigDumbDinosaur
http://bcstechnology.net


I set up an SMTP server for outbound email only but now am getting rejections from AOL mostly but others too. Since I don't have a PTR record do you think that is the issue? Does AOL require the SMTP port to be open because I do not allow any inbound emails only outbound.

As Tony explained, this is now a hard and fast AOL requirement, and undoubtedly will become standard for most public E-mail sites. Many other mail servers (including mine) enforce this requirement in an effort to stop spammers from hiding behind anonymous IP addresses.

Ideally, your server's PTR record should exactly map back to the FQDN of the server. However, most servers relax this requirement, since the IP addresses of hosting sites' servers won't necessarily map back to the FQDN, which would prevent a lot of outbound mail from being sent.

Speaking of things that block mail, some sites will bounce messages that don't have a valid subject, and in some cases (mine being one of them), will expurgate messages with certain types of attachments, such as Microsoft Office files, the latter of which have been known to transport viruses. On my server, the attachment is stripped and tossed into a junk subdirectory, and replaced with a warning message that the attachment has been stripped. As we don't use any Microsoft "productivity" software here, we have no reason to accept MS Office attachments. We encourage others to use plain text or PDF if the document contains graphics, different fonts, etc.
