Forward DNS vs. Reverse DNS: Understanding the Difference
Most people are familiar with forward DNS: you type mail.example.com into a browser, DNS resolves it to an IP address like 93.184.216.34, and the connection is made. This is the A record — a name-to-address mapping. Reverse DNS works in the opposite direction: given an IP address, it returns the associated hostname. This mapping is stored in a PTR (Pointer) record.
Forward DNS (A Record)
IP Address
Reverse DNS (PTR Record)
Forward DNS is managed by whoever controls the domain (you, your DNS provider). Reverse DNS is managed by whoever controls the IP address — typically your hosting provider or ISP. This distinction is critically important and the source of much confusion when setting up mail servers.
What Exactly Is a PTR Record?
A PTR record is a DNS record type that maps an IP address to a hostname. The name "PTR" stands for "pointer" because it points from an address back to a name. PTR records live in a special reverse DNS zone under the .in-addr.arpa domain for IPv4 and .ip6.arpa for IPv6.
For the IP address 93.184.216.34, the reverse DNS lookup queries for 34.216.184.93.in-addr.arpa — note the octets are reversed. This reversal matches the DNS hierarchy: the most significant part (the network) comes last in DNS, just as .com comes after the domain name.
$ dig +short mail.example.com A
93.184.216.34
# Reverse DNS lookup (PTR record)
$ dig +short -x 93.184.216.34
mail.example.com.
# Same thing, explicit PTR query
$ dig +short 34.216.184.93.in-addr.arpa PTR
mail.example.com.
Why Email Servers Absolutely Require PTR Records
PTR records are optional for web servers, but they are effectively mandatory for mail servers. Here is why: when your mail server connects to Gmail, Outlook, or any well-configured mail server to deliver an email, the receiving server immediately performs a reverse DNS lookup on your connecting IP address. If it cannot find a valid PTR record, or if the PTR record does not match your server's identity, the email is likely to be rejected or flagged as spam.
The SMTP HELO/EHLO Verification Chain
When your mail server connects to a recipient's server, the SMTP conversation begins with a HELO or EHLO command where your server announces its identity. The receiving server then verifies this identity through multiple checks.
EHLO mail.example.commail.example.com (or a related hostname)This bidirectional verification — called Forward-Confirmed Reverse DNS (FCrDNS) — is one of the oldest and most fundamental anti-spam mechanisms. It works because spammers typically use compromised machines or cloud instances with generic PTR records (like ec2-52-14-123-45.us-east-2.compute.amazonaws.com) that do not match any legitimate mail domain.
How Different Providers Handle PTR Records
Setting up a PTR record is different from setting up an A record because you do not control the reverse DNS zone — your IP address owner does. Here is how to set it up with common providers.
| Provider | How to Set PTR | Propagation Time |
|---|---|---|
| Hetzner | Robot Panel → Server → IPs → Edit Reverse DNS | Minutes |
| DigitalOcean | Set droplet hostname to desired PTR, or use API | Minutes |
| AWS (EC2/Lightsail) | Submit request via AWS Support (Elastic IP required) | 1-3 business days |
| Google Cloud | Set instance hostname, PTR auto-configured | Minutes |
| OVH | Manager → IP → Reverse DNS → Modify | Minutes to hours |
| Vultr | Control Panel → Server → IPv4 → Reverse DNS | Minutes |
| Linode/Akamai | Cloud Manager → Linodes → Network → Edit rDNS | Minutes |
Verifying Your PTR Configuration
After setting up your PTR record, you need to verify that everything works correctly. Here are multiple verification methods.
Using dig
$ dig +short -x 93.184.216.34
mail.example.com.
# Forward lookup — should return the same IP
$ dig +short mail.example.com A
93.184.216.34
# Full PTR record with authority info
$ dig -x 93.184.216.34 +noall +answer +authority
34.216.184.93.in-addr.arpa. 3600 IN PTR mail.example.com.
Using nslookup
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
34.216.184.93.in-addr.arpa name = mail.example.com.
Using host (simplest)
34.216.184.93.in-addr.arpa domain name pointer mail.example.com.
PTR for IPv6
If your server has an IPv6 address, you need a PTR record for that too. IPv6 reverse DNS uses the .ip6.arpa zone, and each hex digit of the expanded IPv6 address becomes a separate label.
# Reverse zone entry:
4.3.3.7.0.7.3.0.e.2.a.8.0.0.0.0.0.0.0.0.3.a.5.8.8.b.d.0.1.0.0.2.ip6.arpa.
$ dig +short -x 2001:db8:85a3::8a2e:370:7334
mail.example.com.
The in-addr.arpa Zone Explained
The in-addr.arpa zone is a special DNS namespace reserved for reverse lookups. It is managed hierarchically: IANA delegates large blocks to Regional Internet Registries (RIRs), who delegate to ISPs and hosting providers, who may further delegate to customers.
For a /24 network block (e.g., 93.184.216.0/24), the reverse zone is 216.184.93.in-addr.arpa. The owner of that IP block manages this zone. For individual IP addresses within a larger block, you typically request PTR records through your provider's control panel — you do not manage the zone file yourself.
| IP Block | Reverse Zone | Managed By |
|---|---|---|
| 93.0.0.0/8 | 93.in-addr.arpa | RIPE NCC (Regional Registry) |
| 93.184.0.0/16 | 184.93.in-addr.arpa | ISP / Hosting Provider |
| 93.184.216.0/24 | 216.184.93.in-addr.arpa | Server Owner / End Customer |
| 93.184.216.34 | 34.216.184.93.in-addr.arpa | Individual PTR Record |
Common PTR Problems and How to Fix Them
Problem 1: PTR Mismatch with HELO Hostname
The most common issue. Your mail server sends EHLO mail.example.com but the PTR record for your IP returns server1.hostingprovider.com. Gmail rejects with error 5.7.25.
Wrong Configuration
PTR: server1.provider.com
HELO: mail.example.com
Result: Mismatch - Rejected
Correct Configuration
PTR: mail.example.com
HELO: mail.example.com
Result: Match - Accepted
Fix: Either change the PTR record at your hosting provider to match your HELO hostname, or change your Postfix myhostname to match the existing PTR record. The PTR approach is preferred because you want your mail identified by your domain, not your provider's.
$ sudo postconf -e "myhostname = mail.example.com"
$ sudo postconf -e "mydomain = example.com"
$ sudo systemctl reload postfix
Problem 2: Missing PTR Record
The IP address has no PTR record at all. The reverse lookup returns NXDOMAIN (non-existent domain). This happens with newly provisioned servers or cloud instances where PTR was never configured.
Fix: Set the PTR record through your hosting provider's control panel. Ensure the forward A record exists first.
Problem 3: Generic PTR Record
Many cloud providers assign automatic PTR records like ec2-52-14-123-45.us-east-2.compute.amazonaws.com or vps12345.provider.com. While technically a valid PTR, this screams "shared hosting" or "disposable server" to receiving mail servers and severely damages your sender reputation.
Fix: Change the PTR to your actual mail hostname. On AWS, this requires an Elastic IP and a support request. On most other providers, it is a simple control panel change.
Problem 4: Multiple PTR Records
An IP address can technically have multiple PTR records, but this is strongly discouraged for mail servers. RFC 2181 allows it, but RFC 7208 (SPF) and most receiving mail servers only check the first PTR result. Multiple PTR records create unpredictable behavior.
Fix: Keep exactly one PTR record per IP address. If you host multiple domains on one IP, the PTR should point to your primary mail hostname (e.g., mail.primarydomain.com), not any individual domain.
PTR and Its Relationship with SPF, DKIM, and DMARC
PTR, SPF, DKIM, and DMARC work together as layers of email authentication. Each serves a different purpose, but they must be aligned for maximum deliverability.
| Record | What It Verifies | Where It Lives | Who Sets It |
|---|---|---|---|
| PTR | IP maps to a legitimate hostname | Reverse DNS zone (in-addr.arpa) | IP owner (hosting provider) |
| SPF | IP is authorized to send for domain | Domain's DNS (TXT record) | Domain owner |
| DKIM | Email content has not been tampered with | Domain's DNS (TXT record) | Domain owner |
| DMARC | SPF/DKIM alignment with From domain | Domain's DNS (TXT record) | Domain owner |
The critical point is that PTR is an infrastructure-level check (verifying the server itself), while SPF/DKIM/DMARC are domain-level checks (verifying the email's identity). You need all four for reliable email delivery in 2026. Missing any one of them will cause issues with major providers.
Checking Blacklists
Even with correct PTR, SPF, DKIM, and DMARC, your emails may be rejected if your IP address is on a blacklist (also called a blocklist or DNSBL). Blacklists are maintained by organizations that track IPs known to send spam.
$ dig +short 34.216.184.93.zen.spamhaus.org
(empty = not listed, 127.0.0.x = listed)
# Check multiple DNSBLs at once
$ for bl in zen.spamhaus.org bl.spamcop.net \
b.barracudacentral.org dnsbl.sorbs.net; do
echo -n "$bl: "
dig +short 34.216.184.93.$bl
done
zen.spamhaus.org:
bl.spamcop.net:
b.barracudacentral.org:
dnsbl.sorbs.net:
You can also use MXToolbox's Blacklist Check which checks over 100 blacklists simultaneously. If your IP is listed, follow the delisting procedure for each specific blacklist — most have automated delisting after you resolve the underlying issue.
Real-World Troubleshooting Scenarios
Scenario 1: Gmail Rejects with 550 5.7.25
550-5.7.25 The IP address sending this message does not have a
PTR record setup, or the corresponding forward DNS entry does
not point to the sending IP.
# Diagnosis steps:
$ dig +short -x $(curl -4 -s ifconfig.me)
(should return your mail hostname)
$ postconf myhostname
myhostname = mail.example.com
# Verify forward-confirmed reverse DNS:
$ PTR=$(dig +short -x 93.184.216.34)
$ dig +short $PTR A
93.184.216.34 ← Must match original IP
Scenario 2: Emails Go to Spam Despite Valid PTR
PTR is correct, but emails still land in spam. This usually means another authentication layer is failing.
- Check SPF:
dig +short example.com TXT | grep spf— must include your IP - Check DKIM: Send a test email to [email protected] and read the report
- Check DMARC:
dig +short _dmarc.example.com TXT— should havep=quarantineorp=reject - Check blacklists: Use MXToolbox or the dig method above
- Check mail content: Avoid spam trigger words, ensure unsubscribe link exists
- Check sending volume: New IPs need warm-up (start with low volume)
Scenario 3: Multiple Domains, One IP
You have five domains on one server and want to send email from all of them. PTR only allows one hostname per IP. The solution: set PTR to your primary mail hostname (e.g., mail.primarydomain.com), match HELO to this hostname, and rely on SPF + DKIM for per-domain authentication.
Automated PTR Verification Script
Here is a practical script that verifies your entire email authentication stack in one run.
DOMAIN="example.com"
IP="93.184.216.34"
# 1. Check PTR
PTR=$(dig +short -x $IP)
echo "PTR: $PTR"
# 2. Verify FCrDNS
FCRIP=$(dig +short $PTR A)
[ "$FCRIP" = "$IP" ] && echo "FCrDNS: PASS" || echo "FCrDNS: FAIL"
# 3. Check MX
echo "MX: $(dig +short $DOMAIN MX)"
# 4. Check SPF
echo "SPF: $(dig +short $DOMAIN TXT | grep spf)"
# 5. Check DKIM
echo "DKIM: $(dig +short default._domainkey.$DOMAIN TXT | head -1)"
# 6. Check DMARC
echo "DMARC: $(dig +short _dmarc.$DOMAIN TXT)"
How Panelica Handles PTR and Mail DNS
Panelica's email system automatically configures the hostname used in SMTP HELO to match your PTR record. When you set up email on a domain, the mail DNS automation ensures SPF, DKIM, DMARC, and PTR all align correctly. The built-in Cloudflare integration can automatically create MX, SPF, DKIM, and DMARC records — you only need to set the PTR record at your hosting provider since it requires IP-level control.
The email configuration panel shows you the exact PTR hostname you need to set, and the DNS health check verifies all four authentication layers are properly configured before you start sending.
dig -x, and ensure it aligns with your SPF, DKIM, and DMARC configuration.