
I'm a little confused about the setup of a PTR record for reverse dns lookup.

We are hosted at Rackspace and we have a front end webserver and behind that an appserver. Users don't access the Appserver directly, they go through the webserver.

Webserver: www.domain.com 190.1.2.3
Appserver: app.domain.com 170.2.3.4

The appserver sends out all the email with from address such as no-reply@domain.com

So, how do I set up the PTR / reverse dns configuration? I was thinking that it should be as follows:

Reverse dns record on Appserver:

170.2.3.4 = app.domain.com

DNS

A *.domain.com 190.1.2.3 
A app.domain.com 170.2.3.4
TXT app.domain.com "v=spf1 ip4:170.2.3.4 ~all"
TXT domain.com "v=spf1 ip4:170.2.3.4 ~all"

Would this be the correct way to set that up?

Marc
  • All other considerations aside, don't bother with an SPF record that ends in `~all`; it's completely pointless, and may be actively harmful. See [my answer to our canonical question on the subject](http://serverfault.com/questions/369460/what-are-spf-records-and-how-do-i-configure-them/369478#369478) for more details on why you should only publish records that end in `-all`. – MadHatter Aug 26 '14 at 06:44
  • Ok, that's relevant info. So -all is basically the way to go if you're sending mail from an appserver and the appserver sends mail for your domain and there is another mailserver that sends the regular mail that users in the domain use to communicate (in our case google smtp)? – Marc Aug 26 '14 at 11:45
  • `-all` is the way to go for **all** SPF records. It's just that the more complex your mail setup is, the more trouble you will have to take to list all the valid senders for your domain. In some cases seen on SF, it's not possible within the DNS lookup limits of the protocol; for such people (who've usually allowed large numbers of third-party-hosted services to send email badged from them), SPF is unsuitable, and they simply can't use it. – MadHatter Aug 26 '14 at 12:31
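An added example (not code from the question or its answers) that models the proposed records offline in Python: the PTR lives under the reversed octets in in-addr.arpa, forward-confirmed rDNS requires the PTR target's A record to point back at the same IP, and the SPF record, written with `-all` as the comments recommend, passes only the appserver's address. The record data is constructed to match the question; nothing is looked up on the network.

```python
import ipaddress

# Constructed stand-in for the question's zone data (no live DNS queries).
FORWARD = {                      # name -> A records
    "www.domain.com": ["190.1.2.3"],
    "app.domain.com": ["170.2.3.4"],
}
REVERSE = {                      # in-addr.arpa owner name -> PTR target
    "4.3.2.170.in-addr.arpa": "app.domain.com",
}
SPF = {                          # name -> TXT record, using -all per the comments
    "domain.com": "v=spf1 ip4:170.2.3.4 -all",
    "app.domain.com": "v=spf1 ip4:170.2.3.4 -all",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def reverse_name(ip):
    """Owner name a PTR record for ip lives under: octets reversed + in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns_ok(ip):
    """Forward-confirmed rDNS: PTR -> hostname, and that hostname's A records include ip."""
    host = REVERSE.get(reverse_name(ip))
    return host is not None and ip in FORWARD.get(host, [])


def spf_verdict(domain, sender_ip):
    """Minimal SPF check covering ip4: mechanisms and the trailing 'all' qualifier."""
    record = SPF.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # unqualified mechanisms mean pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            # ip4:a.b.c.d without a prefix length is a single host (/32)
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return RESULT[qualifier]
        elif term == "all":
            return RESULT[qualifier]
    return "neutral"                         # no match and no 'all' mechanism


if __name__ == "__main__":
    print(reverse_name("170.2.3.4"), fcrdns_ok("170.2.3.4"))
    print(spf_verdict("domain.com", "170.2.3.4"), spf_verdict("domain.com", "190.1.2.3"))
```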

1 Answer


Short Answer:

YES! You are correct in your proposed setup.

Long Answer:

While you are correct regarding the rDNS for the appserver, as well as regarding the forward zone, you might also wish to consider creating a PTR for the webserver, even though it doesn't send any mail. But it won't really hurt anything if you don't do it.

Also, if the only hostname served by the webserver is www, you might want to simply create the A record for www instead of as a wildcard.

Furthermore, if there is any possibility of users attempting to visit your bare domain, you should create an A record for your bare domain as well. You can always have your webserver create an HTTP redirect to www in that situation.

Joe Sniderman
  • If the webserver is allowed to send mails in SPF, a compromised web application is considered a valid sender by all receiving servers. I propose to only allow the intended mailserver to send mails (not only in SPF, also in the firewall etc). – sebix Aug 25 '14 at 18:53