
SPF Uses Deprecated PTR Mechanism

The SPF record uses the deprecated ptr mechanism which is unreliable and slow.

Severity: Warning

What is SPF?

SPF (Sender Policy Framework) is an email authentication system in which domain owners publish a DNS TXT record listing the mail servers authorized to send on their behalf. Receiving servers check this record against the connecting server's IP address to verify that it is allowed to send mail for that domain.

What is the PTR mechanism?

The ptr mechanism in an SPF record tells the receiving mail server to perform a reverse DNS lookup on the sending server's IP address, then verify that the resulting hostname belongs to the domain in question. For example:

v=spf1 ptr:example.com -all

This says: "If the sending IP's reverse DNS resolves to a hostname under example.com, and that hostname resolves back to the same IP, then it's authorized."

Why this is a problem

RFC 7208 (the SPF specification) explicitly recommends against using the ptr mechanism because:

  • It's slow — it requires multiple DNS lookups (reverse lookup, then forward confirmation) for every email received
  • It's unreliable — many servers don't have properly configured reverse DNS
  • It puts load on third-party DNS servers
  • Some mail receivers may skip or ignore it entirely
  • It counts toward the 10 DNS lookup limit

What you should do

  • Replace ptr: mechanisms with explicit ip4: or ip6: ranges for your mail servers
  • Alternatively, use a: or include: mechanisms to reference your sending infrastructure
  • If you're unsure which IPs your mail servers use, check your mail server configuration or ask your email provider
  • After updating, test email delivery to confirm everything works correctly
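As an added illustration (not part of the dnswatchdog.io page or its tooling), the following Python audit parses an SPF record, flags any ptr mechanism, and counts lookup-causing terms against the RFC 7208 limit of 10. It runs over a constructed "before" record using ptr and a constructed "after" record that replaces it with ip4:/ip6:/a: terms; 192.0.2.0/24, 2001:db8::/32 and mail.example.com are placeholder documentation values.

```python
import re

# Terms that trigger DNS queries and therefore count toward the RFC 7208
# limit of 10 lookup-causing mechanisms/modifiers ("redirect=" counts too).
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}

# Constructed sample records: the deprecated ptr form and a replacement
# using explicit address ranges (documentation prefixes as placeholders).
BEFORE = "v=spf1 ptr:example.com -all"
AFTER = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 a:mail.example.com -all"


def parse_spf(record: str) -> list[str]:
    """Split an SPF TXT record into its terms, requiring the v=spf1 tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    return terms[1:]


def term_name(term: str) -> str:
    """Bare mechanism/modifier name: strip the qualifier (+ - ~ ?) and
    anything after ':' (domain-spec), '/' (CIDR) or '=' (modifier value)."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def audit_spf(record: str) -> dict:
    """Report ptr usage and the lookup count for one SPF record."""
    terms = parse_spf(record)
    names = [term_name(t) for t in terms]
    ptr_terms = [t for t, n in zip(terms, names) if n == "ptr"]
    lookups = sum(n in LOOKUP_TERMS for n in names)
    findings = []
    if ptr_terms:
        findings.append("warning: deprecated ptr mechanism: " + " ".join(ptr_terms))
    if lookups > 10:
        findings.append(f"error: {lookups} lookup-causing terms exceed the limit of 10")
    return {"ptr_terms": ptr_terms, "lookup_count": lookups, "findings": findings}


if __name__ == "__main__":
    for label, rec in (("before", BEFORE), ("after", AFTER)):
        result = audit_spf(rec)
        print(f"{label}: {rec}")
        print(f"  lookups={result['lookup_count']} findings={result['findings'] or 'none'}")
```

The "before" record produces the ptr warning while the "after" record is clean and still uses only one of the ten permitted lookups (the a: term).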
