Multiple A records and reverse DNS

Thomas Schulz schulz at adi.com
Tue Mar 22 15:28:03 UTC 2016


> Tom, when your mail server establishes a connection to another host, the 
> receiving host will likely automatically check the PTR record of the IP 
> address your server used as its source address. This PTR record should 
> have a corresponding A record that points to the same IP address that 
> was looked up in the PTR record. This is sometimes referred to as a 
> "verified" hostname. Without this, receiving mail servers may sometimes 
> log your rDNS as unknown, which can look spammy to subsequent spam 
> filters. You can have any number of other A records that point to your 
> server, they are irrelevant to PTR verification.
> 
> Example:
> 
> Your reverse zone:
> 1.1.1.1.in-addr.arpa.    IN    PTR    mail.adi.com.
> 
> Your adi.com zone:
> mail.adi.com.    IN    A    1.1.1.1
> smtp.adi.com.    IN    A    1.1.1.1
> www.adi.com.    IN    A    1.1.1.1
> foo.adi.com.    IN    CNAME    www.adi.com.
> 
> All that matters to PTR verification is that 1.1.1.1 has a PTR record and 
> that PTR record exists as an A or CNAME that eventually points back to 
> 1.1.1.1
> 
> As others have pointed out, this is best common practice for outgoing 
> mail servers aka mail relays; however, I generally recommend having 
> valid PTR records and having matching forward records for any servers. 
> Maybe it's just me, but most of my servers send email - even MX servers 
> (they do create NDR notices from time to time).
> 
> --Blake

That is mostly how I thought it worked. What I had in mind more
specifically was:

adi.com zone:
mackerel.adi.com.  IN  A  75.100.245.141
mackerel.adi.com.  IN  A  96.85.104.76

reverse zones:
141.245.100.75.in-addr.arpa.  IN  PTR  mackerel.adi.com
76.104.85.96.in-addr.arpa.    (not yet set up)

With mail going out on only 75.100.245.141 but receiving mail on both.
But receiving mail on both was more work than I had expected, so I am
not going to set that up. When reverse for 96.85.104.76 is finally set
up I will just do a late night switch over.

> 
> Thomas Schulz wrote on 3/17/2016 8:53 AM:
> > This is not a BIND question but I hope people here will know the answer.
> > We are switching service providers and I understand that many email SPAM
> > prevention systems insist on the reverse DNS matching the forward DNS.
> > If I have two A records for our mail server and the reverse record matches
> > one of them, will that be good enough? Or will the fact that the other A
> > record does not match cause trouble?

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
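The verification Blake describes (PTR of the source IP, then the named host's A/CNAME records must lead back to that IP) and Tom's two-A-record case, as an added example that is not part of the thread. It runs against a constructed in-memory zone set mirroring the records quoted above, not against live DNS; the function and record names are my own.

```python
# Added example (not from the bind-users thread): forward-confirmed reverse DNS
# (FCrDNS) check over constructed, in-memory zone data so it runs offline.
import ipaddress

# Constructed records mirroring the thread: owner name -> list of (rrtype, rdata).
ZONES = {
    "1.1.1.1.in-addr.arpa.": [("PTR", "mail.adi.com.")],
    "mail.adi.com.": [("A", "1.1.1.1")],
    "smtp.adi.com.": [("A", "1.1.1.1")],
    "www.adi.com.": [("A", "1.1.1.1")],
    "foo.adi.com.": [("CNAME", "www.adi.com.")],
    # Tom's case: two A records, but only the first address has a PTR yet.
    "mackerel.adi.com.": [("A", "75.100.245.141"), ("A", "96.85.104.76")],
    "141.245.100.75.in-addr.arpa.": [("PTR", "mackerel.adi.com.")],
}

def reverse_name(ip):
    """Owner name in in-addr.arpa (or ip6.arpa) for an address, absolute."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def lookup(name, rrtype, max_cname=8):
    """Return rdata of the requested type, following CNAMEs like a resolver."""
    for _ in range(max_cname):
        rrs = ZONES.get(name, [])
        data = [r for t, r in rrs if t == rrtype]
        if data:
            return data
        cnames = [r for t, r in rrs if t == "CNAME"]
        if not cnames:
            return []
        name = cnames[0]
    return []  # CNAME chain too long or looping: treat as no answer

def fcrdns(ip):
    """PTR of the IP must name a host whose A/AAAA records (via CNAME if
    needed) include the IP. Returns (verified, ptr_name)."""
    ptrs = lookup(reverse_name(ip), "PTR")
    if not ptrs:
        return False, None  # no PTR: receivers log the rDNS as "unknown"
    rrtype = "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"
    for ptr in ptrs:
        # Only the PTR target's own records matter; other names pointing at
        # the IP, or a second A record on the target, do not break the check.
        if ip in lookup(ptr, rrtype):
            return True, ptr
    return False, ptrs[0]
```

Running `fcrdns("75.100.245.141")` verifies even though mackerel.adi.com. also has a second A record, while `fcrdns("96.85.104.76")` fails only because that address has no PTR yet.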

