dns bind9

PTR record only; can I add a TXT record to it?


BLUF: Can I add a TXT record (SPF) for a PTR record with no other records for the domain in our DNS?

Sorry, I don't know how to put a good title to this. I've inherited a DNS server and in one of our zone files we have a mail subdomain defined for a customer of ours.

Zone file 103.102.101.in-addr.arpa.dns

74  IN  PTR  mail.example.com.
74  IN  TXT  "v=spf1 mx a ip4:101.102.103.74 ~all"

This client wants us to add an SPF record and as far as I know we have no other entries for this client in our DNS except for this one PTR record. I'm not really sure how this situation began as this was all set up before my arrival and no one else where I work has any technical background on this. I just don't want to waste their time and since I'm not sure how to ask this question concisely, Google search hasn't been very helpful so far.

Much appreciated for anyone that can chime in.


Solution

  • If you are routing the email for them then you know what the domain name is. Using that, use the DNS query tools to find out where the domain name is hosted and let them know they have to contact the domain name hosting company and have the SPF entry added. At the same time they should inquire if the hosting name server has DKIM DNS keys. If they do, ask them to also assign the DKIM and DMARC keys so that the domain can also block spoofed spam and attachments. Spoofed emails have been one of the biggest entry points for hackers and network takeovers using ransomware. SPF and DKIM / DMARC together with a check policy on the mail server is the standard in defence against this. Also be sure to use TLS or SSL via the SMTP to encrypt the emails for further protection. You can get a 1-year SSL cert from any of the SSL cert registrars for the domain on the web. I find ZeroSSL has the best prices. You will have to get whoever registered the domain to help in confirming the SSL when registering it or access to the domain DNS to add a TXT record key that is supplied by the SSL registrar. It's not complicated but is very strict and you can't do it without access to either the email address that originally registered the domain or access to the domain hosting server's DNS to add the supplied TXT key for the domain.

    Good luck :)

    Go here for the tools you need. https://dnschecker.org/all-tools.php
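
An added example, not part of the question or the answer above: SPF checkers look up the TXT record at the domain the mail is sent as, so an SPF string under in-addr.arpa is at a name they do not query. This sketch audits the two records from the question and prints the record to hand to the domain's DNS host; the zone origin (taken from the file name) and the use of the PTR target as the sending name are assumptions.

```python
import ipaddress

# Constructed sample: the question's two records; ORIGIN assumed from the file name.
ORIGIN = "103.102.101.in-addr.arpa."
ZONE = '''
74  IN  PTR  mail.example.com.
74  IN  TXT  "v=spf1 mx a ip4:101.102.103.74 ~all"
'''

def fqdn(owner, origin):
    """Expand a relative owner name against the zone origin."""
    return owner if owner.endswith(".") else f"{owner}.{origin}"

def reverse_name_to_ip(name):
    """Map 74.103.102.101.in-addr.arpa. back to 101.102.103.74."""
    labels = name.rstrip(".").split(".")[:-2]  # drop "in-addr" and "arpa"
    return ipaddress.IPv4Address(".".join(reversed(labels)))

def spf_covers(rdata, ip):
    """True if any ip4: mechanism in the SPF string contains ip."""
    for term in rdata.strip('"').split():
        term = term.lstrip("+-~?")  # strip an optional SPF qualifier
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return True
    return False

def audit(zone_text, origin):
    """Find SPF TXT records under in-addr.arpa and propose the forward-zone record."""
    records = []
    for line in zone_text.strip().splitlines():
        owner, _cls, rtype, rdata = line.split(None, 3)
        records.append((fqdn(owner, origin), rtype.upper(), rdata.strip()))
    ptr = {name: rdata for name, rtype, rdata in records if rtype == "PTR"}
    results = []
    for name, rtype, rdata in records:
        is_spf = rtype == "TXT" and rdata.strip('"').startswith("v=spf1")
        if not (is_spf and name.endswith(".in-addr.arpa.")):
            continue
        ip = reverse_name_to_ip(name)
        results.append({
            "misplaced_at": name,
            "ip": str(ip),
            "ip_listed_in_spf": spf_covers(rdata, ip),
            # Assumption: the PTR target is the name the mail host sends as.
            "move_to": f"{ptr[name]} IN TXT {rdata}" if name in ptr else None,
        })
    return results

print(audit(ZONE, ORIGIN))
```

The `move_to` line belongs in the forward zone for example.com, which per the answer is managed by whoever hosts that domain, not in the reverse zone.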