When troubleshooting email delivery problems (particularly DKIM/DMARC failures) on Google Cloud Platform, properly configured reverse DNS (PTR records) is crucial. Unlike traditional hosting where you control both forward and reverse DNS, GCP requires specific procedures due to their shared infrastructure model.
Before proceeding, ensure you have:
- Owner/Editor permissions in the GCP project
- Static external IP assigned to your instance
- Registered domain with DNS management access
- Valid forward DNS (A record) already configured
Here's how to set up reverse DNS mapping for IP 104.196.97.11 to ns1.example.com:
1. Reserve a Static External IP
gcloud compute addresses create my-rdns-ip \
--region=us-central1 \
--project=my-project-id
2. Assign the IP to Your Instance
gcloud compute instances add-access-config instance-name \
--address=104.196.97.11 \
--zone=us-central1-a
3. Create the PTR Record Request
Using gcloud CLI:
# PTR records are set on the instance's access config
gcloud compute instances update-access-config instance-name \
--public-ptr \
--public-ptr-domain="ns1.example.com." \
--zone=us-central1-a
Or via GCP Console:
- Navigate to VPC network > External IP addresses
- Click the reserved IP address
- Under "Reverse DNS", click Edit
- Enter the FQDN (include trailing dot)
- Click Save
After GCP approves your request (typically within 48 hours), verify with:
dig -x 104.196.97.11 +short
# Should return: ns1.example.com.
For comprehensive email setup, ensure matching records:
dig ns1.example.com +short
# Should return: 104.196.97.11
Approval Delays: GCP manually verifies PTR requests to prevent abuse. Business/Workspace accounts get priority.
DKIM Still Failing: Ensure your SPF record includes:
v=spf1 include:_spf.google.com ip4:104.196.97.11 ~all
PTR Propagation: Some mail servers perform secondary verification. Use tools like:
host 104.196.97.11
nslookup 104.196.97.11
For multiple instances, use Terraform:
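resource "google_compute_address" "mail_servers" {
  count        = 3
  name         = "mail-server-${count.index}"
  address_type = "EXTERNAL"
  region       = "us-central1"

  lifecycle {
    prevent_destroy = true
  }
}

# PTR records are set on the instance's access config, not through a
# managed SSL certificate. Machine type, zone and image are placeholders.
resource "google_compute_instance" "mail_servers" {
  count        = 3
  name         = "mail-server-${count.index}"
  machine_type = "e2-small"
  zone         = "us-central1-a"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }
  network_interface {
    network = "default"
    access_config {
      nat_ip                 = google_compute_address.mail_servers[count.index].address
      public_ptr_domain_name = "mail${count.index}.example.com."
    }
  }
}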
When setting up email servers or other network services on Google Cloud Platform (GCP) Compute Engine, proper reverse DNS (PTR) configuration becomes critical. Many developers encounter authentication failures with protocols like DKIM, SPF, and DMARC when the PTR record doesn't match their forward DNS.
By default, GCP assigns reverse DNS in the format [IP_REVERSED].bc.googleusercontent.com. For example, 104.196.97.11 becomes:
11.97.196.104.bc.googleusercontent.com
This automatic configuration often causes email delivery issues since most mail servers verify that:
- The PTR record exists
- It matches your domain's forward DNS (A/AAAA record)
- The forward DNS matches your HELO/EHLO identifier
Here's how to properly set up reverse DNS for your Compute Engine instance:
1. Reserve a Static IP Address
gcloud compute addresses create my-static-ip \
--region=us-central1
2. Assign the IP to Your Instance
gcloud compute instances add-access-config example-instance \
--access-config-name="External NAT" \
--address=104.196.97.11
3. Set the PTR Record
# PTR records are set on the instance's access config
gcloud compute instances update-access-config example-instance \
--public-ptr \
--public-ptr-domain=ns1.example.com.
After configuration, verify with these commands:
# Forward DNS lookup
host ns1.example.com
# Reverse DNS lookup
host 104.196.97.11
# Extended verification
dig -x 104.196.97.11 +short
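The three checks receiving mail servers make (a PTR exists, it forward-confirms to the same IP, and it matches the HELO name), as an added example that is not part of the original page: a POSIX shell function built on the dig commands used here. The function names and verdict strings are assumptions of this example, and it handles IPv4 only.

```shell
#!/bin/sh
# Lookup wrappers around the dig commands used on this page.
ptr_lookup() { dig -x "$1" +short; }
a_lookup()   { dig "$1" A +short; }

# Lower-case a hostname and drop the trailing dot so names compare equal.
norm() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# fcrdns_check IP HELO_NAME
# Prints one verdict and returns 0 only for "pass":
#   no-ptr            no PTR record at all
#   default-ptr       only the GCP default *.bc.googleusercontent.com name
#   forward-mismatch  custom PTR, but its A record does not return the IP
#   helo-mismatch     forward-confirmed PTR differs from the HELO name
fcrdns_check() {
  ip=$1
  helo=$(norm "$2")
  confirmed=""
  custom=0
  ptrs=$(ptr_lookup "$ip")
  if [ -z "$ptrs" ]; then echo "no-ptr"; return 1; fi
  for p in $ptrs; do
    name=$(norm "$p")
    case $name in
      *.bc.googleusercontent.com) continue ;;   # GCP default, not a custom PTR
    esac
    custom=1
    # Forward-confirm: the PTR name must resolve back to the same IP.
    if a_lookup "$name" | grep -qxF "$ip"; then
      confirmed="$confirmed $name"
    fi
  done
  if [ "$custom" -eq 0 ]; then echo "default-ptr"; return 1; fi
  if [ -z "$confirmed" ]; then echo "forward-mismatch"; return 1; fi
  for n in $confirmed; do
    if [ "$n" = "$helo" ]; then echo "pass"; return 0; fi
  done
  echo "helo-mismatch"
  return 1
}

# Run against live DNS when called with arguments: sh fcrdns.sh IP HELO_NAME
if [ "$#" -ge 2 ]; then fcrdns_check "$1" "$2"; fi
```

A `default-ptr` verdict means the custom PTR has not been applied to the instance yet, which is a different fix from a `forward-mismatch` in your own DNS zone.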
- Permission Denied: Ensure you have the compute.addresses.setMetadata IAM permission
- Propagation Delay: Allow 5-10 minutes for DNS changes to take effect
- Email Validation: Test with telnet mail.server.com 25 and check the HELO response
- Always use dedicated static IPs for mail servers
- Match your PTR with your mail server's FQDN
- Maintain consistent forward and reverse DNS records
- Monitor your IP's reputation with tools like MXToolbox