Understanding Pointer (PTR) DNS Records and Reverse DNS (rDNS) Lookups
What is a PTR Record and how does it improve Email Security?
We’re all pretty familiar with the basic concept of the Domain Name System and Domain Name Servers (DNS), which is to translate human-memorable words into the long sequences of numbers that computer networks use. The standard “A” record that designates a fully qualified domain name (FQDN) is the most common one we see every day, such as the “www” in “www.upstreamsecurity.net,” but did you know there is an opposite form of it?
A PTR (Pointer) record is a type of DNS entry for Reverse DNS lookups.
Unlike the standard A record, which maps a fully qualified domain name to an IP address, a PTR record does the reverse - it links an IP address back to a fully qualified domain name. This process is known as a Reverse DNS lookup and is essential for verifying the ownership or legitimacy of an IP address, especially in the context of email and network security.
A record: Domain name → IP address
PTR record: IP address → Domain name
Okay, so these PTR records exist. But why do they exist? What makes them so important?
PTR records play a critical role in several areas, including:
Email Security and Reputation Management
Many email servers and email filters use reverse DNS lookups to check if the sending IP address maps to a legitimate domain. If a PTR record is missing or misconfigured, emails from that server are more likely to be flagged as spam or rejected. Having a valid PTR record is considered a best practice for email servers and email filters for this reason. It signals that the sender follows industry standards, improving deliverability and trust with ISPs and other mail providers. Consistent and correctly configured PTR records help build a positive reputation for a mail server, improving the chances of sent emails reaching inboxes.
Network Troubleshooting
PTR records help administrators track the origin of network traffic, as logs often contain only IP addresses. Reverse lookups make these logs more human-readable. Ever had to read through those Wireshark logs and run subsequent WHOIS lookups to figure out the source of those packets? Reverse DNS is there to help resolve things for us!
Web of Trust Validation
PTR records for public IP addresses are special in that the Internet Service Providers (ISPs) generally maintain them, because the ISP is most commonly the owner of the IP address block being used. (Exceptions exist for companies that outright own their IP addresses rather than lease them, but the same precept holds: access to the reverse DNS zone is still required.) This means that anyone with a PTR record has contacted their ISP to have that record deployed, unlike a fly-by-night spammer who rapidly changes the hostname of their server to engineer new attacks, particularly impersonation attacks. When the ISP has validated that the server at each IP address carries a hostname matching its PTR record, the “known” validity of that sender is greatly improved, adding an extra layer of security to mail source verification checks.
Understanding Forward-Confirmed Reverse DNS
What is Forward-Confirmed Reverse DNS (FCrDNS)?
Forward-Confirmed Reverse DNS is a two-step verification process in which a Reverse DNS lookup is first performed on an IP address to obtain its associated domain name, followed by a Forward DNS lookup on that domain name to confirm it resolves back to the original IP address. Having these aligned is considered a basic means of preventing spam from malicious senders who are trying to impersonate a different domain. Essentially all email servers and filters will perform this as part of their fundamental identity checks.
Step 1: Reverse Lookup
The receiving mail server uses the PTR record to translate the sender’s IP address into a fully qualified domain name.
Step 2: Forward Lookup
The receiving mail server then checks whether that fully qualified domain name resolves back to the original IP address using its A record.
If both steps match, the association is confirmed, providing fair evidence that the IP and domain are legitimately linked and that the sender is most likely who they say they are. Follow-on email security checks come after this process, such as Sender Policy Framework (SPF) verification, but the basic FCrDNS checks are among the most immediate ones upon receiving a message.
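The two-step check described above, implemented in Python as an added example (not code from the original post). It resolves against constructed sample records through a stand-in `sample_lookup` function so it runs offline; the hostnames are assumptions and the addresses come from the reserved documentation ranges. It also goes slightly beyond the text by handling several PTR records for one IP and an IPv6 sender.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed sample zone data standing in for live DNS answers, keyed by
# (query name, record type). Addresses are from the documentation ranges
# (203.0.113.0/24 and 2001:db8::/32); the hostnames are made up for this example.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    # Reverse zone: PTR records
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("11.113.0.203.in-addr.arpa", "PTR"): ["smtp.example.org"],  # forward lookup will not match
    ("12.113.0.203.in-addr.arpa", "PTR"): ["old.example.net", "mx.example.net"],  # two PTRs
    (ipaddress.ip_address("2001:db8::25").reverse_pointer, "PTR"): ["mx6.example.net"],
    # Forward zone: A / AAAA records
    ("mail.example.net", "A"): ["203.0.113.10"],
    ("smtp.example.org", "A"): ["203.0.113.99"],
    ("mx.example.net", "A"): ["203.0.113.12"],
    ("mx6.example.net", "AAAA"): ["2001:db8:0:0:0:0:0:25"],  # non-canonical spelling on purpose
}


def sample_lookup(name: str, rrtype: str) -> List[str]:
    """Resolver stand-in: answer from SAMPLE_ZONE; an unknown name yields [] (like NXDOMAIN)."""
    return SAMPLE_ZONE.get((name, rrtype), [])


def fcrdns_check(ip: str, lookup: Callable[[str, str], List[str]] = sample_lookup) -> Dict[str, object]:
    """Forward-Confirmed Reverse DNS for one sending IP.

    Step 1: PTR lookup on the in-addr.arpa / ip6.arpa name derived from the IP.
    Step 2: A (IPv4) or AAAA (IPv6) lookup on each returned hostname; the check
            passes when at least one hostname resolves back to the original IP.
    """
    addr = ipaddress.ip_address(ip)
    ptr_names = lookup(addr.reverse_pointer, "PTR")  # step 1: reverse lookup
    if not ptr_names:
        return {"ip": ip, "status": "no_ptr", "ptr": [], "confirmed": []}
    rrtype = "A" if addr.version == 4 else "AAAA"
    confirmed = []
    for name in ptr_names:  # step 2: forward lookup on every PTR target
        forward = {ipaddress.ip_address(a) for a in lookup(name, rrtype)}
        if addr in forward:  # compare parsed addresses, never raw strings
            confirmed.append(name)
    status = "pass" if confirmed else "mismatch"
    return {"ip": ip, "status": status, "ptr": ptr_names, "confirmed": confirmed}


if __name__ == "__main__":
    for ip in ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13", "2001:db8::25"]:
        print(fcrdns_check(ip))
```

Swapping `sample_lookup` for a function that queries a real resolver is all that is needed to run the same logic against live records.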
Recent policy changes by major email providers like Google and Yahoo have made correct PTR record configuration even more critical. As of February 2024, these companies require all email-sending systems to pass FCrDNS checks. It is now a baseline requirement to ensure all sending IPs have valid PTR records in order to deliver to Gmail and Yahoo inboxes.
When Should a PTR Record be Configured?
The need to configure PTR records depends largely on how email infrastructure is managed and the type of services in use. Different scenarios require different approaches to PTR record management.
Self-Managed Mail Servers: Organizations that control their own IP range, typically allocated by an internet service provider, are responsible for setting up PTR records. These can be done via public DNS servers or by contacting the ISP and having them list the PTR records on the organization’s behalf (most commonly when the IP addresses are leased). Proper configuration in this context is essential for reliable email delivery and maintaining a positive sender reputation.
Cloud or Hosting Providers: Many hosting platforms offer the ability to customize PTR records. This feature allows organizations to align their domain names with the IP addresses used for sending mail, supporting consistent branding and improved deliverability. The process for configuring these records varies by provider and may involve using a management console or submitting a support request.
Managed Email Services (Microsoft 365, Google Workspace, etc.): Large-scale email service providers handle PTR records on behalf of organizations. While customization is unavailable, these email service providers ensure proper configuration to support high deliverability rates.
DNS records can be complex; the fine support folks here at UpStream Security know this and ensure all of our servers have appropriate and matching PTR records to validate our deliverability.
If you have questions about what your records need to be set to in order to work with UpStream, or want to use advanced filtering options like SPF, let us know and we can help guide you through it.