Introduction

Receiving mail servers perform a reverse DNS (PTR) lookup on the connecting mail server's IP address and compare the result with the HELO/EHLO hostname announced during the SMTP handshake. If they do not match, the receiving server may reject the email as potentially spoofed. This is a common issue after server migrations, IP changes, or when the PTR record was never properly configured.

Symptoms

  • Receiving mail server rejects email with 550 HELO hostname does not match PTR
  • Email headers show connection rejected at the HELO/EHLO stage
  • Email deliverability testing tools flag PTR mismatch
  • Some receivers accept the email while others reject it
  • Error message: 550 5.7.1 HELO hostname mail.example.com does not match PTR record mail.hosting-provider.com

Common Causes

  • PTR record set by the hosting provider and not updated after server migration
  • Mail server HELO hostname changed without updating the PTR record
  • Shared hosting PTR record pointing to the hosting provider's generic hostname
  • PTR record managed by the IP owner (ISP/hosting) and not the domain owner
  • Reverse DNS not configured at all for the mail server IP

Step-by-Step Fix

  1. 1.Check the current PTR record and HELO hostname: Identify the mismatch.
  2. 2.```bash
  3. 3.# Check PTR record
  4. 4.dig -x 123.45.67.89 +short
  5. 5.# Should return the mail server hostname

# Check HELO hostname (from mail server configuration) postconf myhostname # For Postfix # Or check Exim config grep "primary_hostname" /etc/exim/exim.conf ```

  1. 1.Update the HELO hostname to match the PTR record: Align the mail server config.
  2. 2.```bash
  3. 3.# For Postfix: set myhostname to match the PTR record
  4. 4.postconf -e "myhostname = mail.hosting-provider.com"
  5. 5.systemctl restart postfix

# OR: Request PTR record update to match the desired HELO hostname # Contact the hosting provider / IP owner ```

  1. 1.Request PTR record update from the IP owner: If you control the mail server hostname.
  2. 2.`
  3. 3.# Contact your hosting provider or ISP:
  4. 4.# Request PTR record for x.x.x.x to be set to mail.example.com
  5. 5.# Provide justification (mail server hostname)
  6. 6.# Most providers allow PTR updates through their control panel
  7. 7.`
  8. 8.Verify forward-confirmed reverse DNS: Ensure both directions match.
  9. 9.```bash
  10. 10.# Forward lookup (A record)
  11. 11.dig mail.example.com A +short
  12. 12.# Should return: 123.45.67.89

# Reverse lookup (PTR record) dig -x 123.45.67.89 +short # Should return: mail.example.com

# Both must match for FCrDNS ```

  1. 1.Test email delivery after the fix: Verify receiving servers accept email.
  2. 2.```bash
  3. 3.# Send a test email to a major provider
  4. 4.mail -s "Test" recipient@gmail.com < /dev/null
  5. 5.# Check the recipient's email headers for SPF/HELO results
  6. 6.`

Prevention

  • Configure PTR records at the same time as setting up the mail server
  • Ensure the mail server's HELO hostname matches the PTR record from day one
  • Document the mail server IP, hostname, and PTR record in a central registry
  • Test email deliverability to major providers (Gmail, Outlook, Yahoo) after setup
  • Monitor PTR record consistency after any server IP changes
  • Use FCrDNS (Forward-confirmed reverse DNS) validation in mail server configuration