What is a PTR record and why should I care?
True story, I heard this exact question from a client not too long ago. Through my trials and travails as an Exchange Engineer, DNS information is one of the very most confusing aspects of email systems that my clients have to deal with. Just figuring out how to use normal DNS records tends to lead to a strong desire to give up on the whole project, so attempting to discuss reverse records can cause many to throw up their hands and run screaming from the server room.
Alright, that only happened once, but wow was it fun to watch.
PTR, or reverse lookup, records are used to allow external servers and systems a way to find out what identity a server has based on its IP address. So, for example, we can look at the IP address information for Bing.com, Microsoft’s replacement for Live Search.
If I do an nslookup on bing.com, I get the following:
Name: bing.com
Address: 64.4.8.147
So it appears that 64.4.8.147 is the IP address for that URL. Now if I put the IP address into nslookup, my DNS server will attempt to backtrack to see what that server is identified as:
Name: origin.bay.ux.search.live.com
Address: 64.4.8.147
Not a perfect return, as I was looking for it to reply that the IP was assigned to a bing.com address, but knowing that Bing Search replaced Live Search, the results are clearly traceable.
You can read up on what PTR records do, and how to create them at this Wikipedia page.
Now that you have some idea of what PTR records are used for, we can discuss why you will want to make sure that all mail domains you have authority over are properly configured to use them.
These days, you can do a quick Bing (or Google) search and find dozens of software packages designed to allow you to send out email as if you were someone else. Sometimes there’s a legitimate reason to do this, such as if you manage email lists for multiple organizations through one mail domain. In many cases, these tools are used toward nefarious ends, allowing a hacker to send email that appears to be from a domain in order to scam or infect the recipient. Famous examples of this are phishing emails (see this Wikipedia page) where a scammer will send an email that appears to be from – say – a bank or other institution. Your end user receives the mail, and since it appears to be from a trusted source, they’ll click the link and possibly enter in private information, leaving your organization open to attack.
To combat this, many SMTP servers either natively support, or can be configured to support, PTR lookups before accepting email. This way, the header information can be examined to ensure that the email isn’t coming from a suspect source. The end users don’t see much difference, but email that is from unknown domains, or domains known to be fraudulent, can be rejected before ever getting to their mailboxes. Exchange 2003 and 2007 do not natively reject email based on a bad reverse DNS lookup, so left to their own devices; you don’t have to worry about blocking incoming mail by accident. This doesn’t mean you can ignore PTR records though. Since many other mail server systems can be configured to reject non-verifiable mail, and since there are a host of 3rd-party systems that work with Exchange Server that can do the same, failure to properly configure a PTR record can cause your outgoing email to get bounced because you cannot verify your identity. This means that you need to set up a PTR record for your Mail eXchanger (MX) records and your domain in general, or you risk having email returned as non-deliverable. Having no PTR record is just as bad as an incorrect configuration here, as a lack of a reverse DNS lookup will cause the same results as an incorrect reverse DNS lookup.
There is a great debate over if this is a good or bad thing. PTR responses could be forged, and so this is not a foolproof method of confirming identity. Also, if multiple organizations all use the same SMTP server (thing about that multi-list email server from before) then which one gets the PTR record assigned to it? If you have an email domain, then for now it is a good idea to ensure that PTR records are properly configured so you don’t run into the problem, but hopefully there will be better, more secure systems to rely on in future to confirm identity (such as the SMTP-AUTH proposed specification as part of E-SMTP).
To avoid blacklists, blocks and email black-holes, configure correct PTR records for your SMTP servers and domains. It is by no means a perfect system, but it is one that you will run into, so an ounce of prevention is definitely worth a pound of cure here.
Labels: Exchange 2000, Exchange 2003, Exchange 2007, Security, Settings