I have created a new domain and added all the usual DNS entries like MX, A, CNAME and TXT etc. needed for my local mail server setup.
All is working fine, but sending mails to Gmail or Hotmail is failing, saying PTR record not found.
I am new to this and unable to figure out how to create one. When reading some documents, they mentioned that I need to create DNS zones and add a PTR entry there. Does that mean I need to create a new domain within my deSEC account?
Could you please give me instructions on how to create a DNS zone and PTR records? Below are example details of my setup:
It needs to resolve to mail.abcd.dedyn.io (respectively your SMTP HELO message).
You must discuss this topic with the owner of the IP address. Usually your Internet service provider (if we’re talking about a mailserver at your home) or your server provider. If it is at your home: Please note that most of these IP addresses are already on various blacklists.
This is a VPS with a public IP on which I self-hosted an alias service (SimpleLogin) using the dedyn.io subdomain.
Based on a few docs I read, I need to create a PTR DNS entry for 789.567.345.123.in-addr.arpa. but I am not sure how to do it (is it in the same domain I have, like abcd.dedyn.io, or do I need to create a completely new domain?)
Many if not most mail servers require the reverse lookup of the sending IP to match the hostname (as communicated in the SMTP HELO/EHLO message) of the sending server for unauthenticated senders. This is an anti-spam measure. If the reverse lookup does not match, mails are either rejected out of hand, or their spam score increases which may lead to rejection as well.
The domain where you need to create this PTR record is not your mail domain. It is a subdomain of in-addr.arpa. (for IPv4) or ip6.arpa. (for IPv6). As @markus already explained, you need to have the owner of that subdomain create the reverse entry.
For example, if your provider owns the IPv4 block 123/8 and they give your server the static IP 123.234.123.25/32, then your provider can effect changes to the subdomain 123.in-addr.arpa and thus set a PTR record on 25.123.234.123.in-addr.arpa. to point to your mail server hostname.
Note however that this will only make sense for static IPs. No sane provider will update PTR records when your dynamic IP changes. And a stale PTR record is as good as none at all.
Basically setting up a mail server on a dynamic IP does not work! (You could set up such a mail server to only relay mail via an authenticated connection to a real mail server, but that would be a special case.) And the inability to set up the reverse lookup is just one of several reasons. E.g. IP ranges used for dynamic IPs generally have a very low reputation which means that they trigger anti-spam measures at the recipient.
Also there is nothing deSEC can do to help you here. They do not own or manage the subdomain needed for the reverse lookup.
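Added example, not part of any post in this thread: a Python sketch of the check a receiving mail server may run, building the reverse-lookup name from the sending IP and comparing the PTR target with the HELO name. It goes one step beyond the post above by also confirming that the hostname resolves back to the same IP (forward-confirmed reverse DNS); the `SAMPLE_DNS` table, the `lookup` stub and the `provider.example` name are constructed stand-ins for real DNS queries.

```python
import ipaddress

# Constructed zone data standing in for live DNS so the example runs offline.
# Keys are (owner name, record type); the .25 entries reuse the thread's example values.
SAMPLE_DNS = {
    ("25.123.234.123.in-addr.arpa", "PTR"): ["mail.abcd.dedyn.io."],
    ("mail.abcd.dedyn.io", "A"): ["123.234.123.25"],
    ("26.123.234.123.in-addr.arpa", "PTR"): ["static-26.provider.example."],
    ("static-26.provider.example", "A"): ["123.234.123.26"],
}

def lookup(name, rtype, dns=SAMPLE_DNS):
    """Hypothetical resolver stub: returns records from the constructed table."""
    return dns.get((name.rstrip(".").lower(), rtype), [])

def reverse_name(ip):
    """Owner name of the PTR record: reversed octets (IPv4) or nibbles (IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer

def check_fcrdns(ip, helo, dns=SAMPLE_DNS):
    """Return (ok, reason) for sending IP `ip` announcing itself as `helo`."""
    addr = ipaddress.ip_address(ip)
    ptrs = [p.rstrip(".").lower() for p in lookup(reverse_name(ip), "PTR", dns)]
    if not ptrs:
        return False, "no PTR record"
    helo = helo.rstrip(".").lower()
    if helo not in ptrs:
        return False, "PTR does not match HELO"
    # Forward confirmation: the HELO name must resolve back to the sending IP.
    rtype = "A" if addr.version == 4 else "AAAA"
    forward = {ipaddress.ip_address(a) for a in lookup(helo, rtype, dns)}
    if addr not in forward:
        return False, "forward lookup does not return the sending IP"
    return True, "ok"

if __name__ == "__main__":
    for ip in ("123.234.123.25", "123.234.123.26", "123.234.123.27"):
        print(ip, reverse_name(ip), check_fcrdns(ip, "mail.abcd.dedyn.io"))
```

The `.26` case shows a provider's default PTR that exists but does not match the HELO name, and `.27` shows the missing-PTR case from the original question.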
Is there any situation in which deSEC can actually manage a PTR record? Or differently put: Why is it possible to add a PTR record to the DNS block here at deSEC?
@wmader PTR records for reverse DNS lookups are a small subset of all PTR records. Your questions imply that you equate “PTR record” with “PTR record for reverse DNS lookups” which is incorrect.
Taking your question literally, yes. deSEC name servers allow setting PTR record types.
PTR records for reverse lookups are a special case though. Not because of any restrictions deSEC places on them but because the owners of the required subdomains correspond to the owners of the IP ranges. So you normally don’t own these subdomains.
If you manage to delegate the appropriate subdomain of in-addr.arpa. (IPv4) or ip6.arpa. (IPv6) to deSEC, then you can add PTR records to suit your needs. But only the owner of that subdomain is able to do that. So your choices are:
1. Get ownership of the required subdomain. Then delegate it to use deSEC name servers. Then set your PTR records for the reverse DNS lookups.
2. Get the current owner of the subdomain to set the PTR records for you.
I think you probably meant to ask something different. But to answer the asked question: Because PTR records are not special in any way and deSEC name servers allow most valid record types.