How to Configure PTR Records for Multiple Domains on a Shared IP Address: A Guide to FCrDNS Compliance



When hosting multiple domains on a single IP address (e.g., 10.20.30.40), configuring proper reverse DNS (PTR records) becomes crucial for email deliverability. The fundamental issue arises in a setup like this, where every record for both domains points at the same address:

cats.com:
A @     --> 10.20.30.40
A mail  --> 10.20.30.40
MX @    --> mail

dogs.com:
A @     --> 10.20.30.40
A mail  --> 10.20.30.40
MX @    --> mail

Forward-Confirmed Reverse DNS (FCrDNS) requires that:

  1. A PTR lookup of the IP returns a hostname
  2. An A lookup of that hostname returns the original IP

This creates a circular verification that many mail servers require to prevent spam.

Most hosting providers only allow one PTR record per IP. If we set:

40.30.20.10.in-addr.arpa. IN PTR cats.com.

Then FCrDNS checks for dogs.com will fail because:

dig -x 10.20.30.40 → returns cats.com
dig dogs.com → returns 10.20.30.40 (mismatch)

Option 1: Use a Generic Hostname

Many providers assign a generic hostname like:

40.30.20.10.in-addr.arpa. IN PTR server123.yourhost.com.

Then configure:

server123.yourhost.com. IN A 10.20.30.40

This satisfies FCrDNS for all domains while being technically accurate.

Option 2: Dedicated IP for Mail Servers

For critical mail servers, consider:

mail.cats.com. IN A 10.20.30.41
mail.dogs.com. IN A 10.20.30.42

With corresponding PTR records:

41.30.20.10.in-addr.arpa. IN PTR mail.cats.com.
42.30.20.10.in-addr.arpa. IN PTR mail.dogs.com.

Here's a complete BIND example for the generic approach. Each $ORIGIN block belongs in the zone file for that zone:

$ORIGIN 30.20.10.in-addr.arpa.
40      IN PTR server123.yourhost.com.

$ORIGIN yourhost.com.
server123 IN A 10.20.30.40

$ORIGIN cats.com.
@       IN A 10.20.30.40
mail    IN A 10.20.30.40
@       IN MX 10 mail

$ORIGIN dogs.com.
@       IN A 10.20.30.40
mail    IN A 10.20.30.40
@       IN MX 10 mail

Verify with these commands:

dig +short -x 10.20.30.40
dig +short server123.yourhost.com
dig +short cats.com
dig +short dogs.com

The results should be consistent: the reverse lookup returns the correct hostname, and each forward lookup returns 10.20.30.40.
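
The two-step FCrDNS check described above, as an added example that is not part of the original article. It runs against constructed records modelled on the article's zones through a hypothetical `static_resolver` stand-in rather than live DNS, and includes a constructed failure case in which the PTR for 10.20.30.41 names mail.cats.com while that name still resolves to 10.20.30.40.

```python
import ipaddress

# Constructed records (not live DNS data), modelled on the example zones above.
RECORDS = {
    ("40.30.20.10.in-addr.arpa", "PTR"): ["server123.yourhost.com."],
    ("server123.yourhost.com", "A"): ["10.20.30.40"],
    ("cats.com", "A"): ["10.20.30.40"],
    ("dogs.com", "A"): ["10.20.30.40"],
    # Constructed failure case: the PTR for .41 was set, but the A record of
    # mail.cats.com was never moved off 10.20.30.40.
    ("41.30.20.10.in-addr.arpa", "PTR"): ["Mail.Cats.com."],
    ("mail.cats.com", "A"): ["10.20.30.40"],
}


def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()


def static_resolver(name, rtype):
    """Hypothetical stand-in for a resolver: answers only from RECORDS."""
    return RECORDS.get((norm(name), rtype), [])


def fcrdns(ip, resolve=static_resolver):
    """Return (passed, confirmed_names, ptr_names) for a connecting IP."""
    addr = ipaddress.ip_address(ip)
    rtype = "A" if addr.version == 4 else "AAAA"
    # Step 1: PTR lookup of the reversed address (40.30.20.10.in-addr.arpa).
    ptr_names = [norm(n) for n in resolve(addr.reverse_pointer, "PTR")]
    # Step 2: forward lookup of every PTR name; any one that maps back passes.
    confirmed = [
        host for host in ptr_names
        if addr in {ipaddress.ip_address(a) for a in resolve(host, rtype)}
    ]
    return bool(confirmed), confirmed, ptr_names


if __name__ == "__main__":
    for ip in ("10.20.30.40", "10.20.30.41", "10.20.30.99"):
        print(ip, fcrdns(ip))
```

The check takes only the connecting IP as input, so the result for 10.20.30.40 is the same whichever hosted domain the message is sent for.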


When hosting multiple domains on a single IP address (10.20.30.40 in our example), we encounter a fundamental DNS constraint: an IP address can only have one PTR record. This becomes particularly problematic for email delivery since many mail servers perform Forward-Confirmed Reverse DNS (FCrDNS) checks.

# Example DNS configuration
cats.com:
  A      @     10.20.30.40
  A      mail  10.20.30.40
  MX     @     mail

dogs.com:
  A      @     10.20.30.40
  A      mail  10.20.30.40
  MX     @     mail

FCrDNS verification works by:

  1. Looking up the PTR record for the connecting IP (10.20.30.40)
  2. Taking the returned hostname (e.g., mail.cats.com)
  3. Verifying that hostname resolves back to the original IP

With multiple domains sharing an IP, this creates a situation where only one domain can pass FCrDNS validation unless we implement special handling.

Option 1: Use a Neutral Hostname

The most common approach is to use a generic hostname that isn't tied to any specific domain:

# In your reverse DNS zone (30.20.10.in-addr.arpa)
40  IN  PTR  mail.sharedhost.example.com.

# Then create matching A record
mail.sharedhost.example.com.  IN  A  10.20.30.40

This satisfies FCrDNS requirements while remaining domain-neutral.

When implementing this solution:

  • Ensure your PTR and A records match exactly (including trailing dots)
  • TTL values should be reasonable (14400 seconds is common)
  • The hostname should be meaningful to receiving mail servers

Verify your setup using these commands:

# Check PTR record
dig -x 10.20.30.40 +short

# Verify forward resolution
dig mail.sharedhost.example.com +short

The two results should be consistent: the PTR lookup returns the hostname, and the forward lookup of that hostname returns your IP address.