Defaults.Exposed

Defaults.Exposed › Reports

What Is the SPF ptr Mechanism — and Why Is It Still in 950,631 Records? (2026)

Published 2026-07-03

Figures as of 2026-06-29 · methodology v7. Aggregate census across 261 million graded domains. All figures aggregate — never an individual business’s record. See how we grade.

ptr is an SPF mechanism that authorises senders by reverse-DNS lookup — and the SPF standard itself has said “do not use it” since 2014. 12 years on, 950,631 domains still publish it. That is roughly 1 in 146 of the 139 million SPF records on the internet carrying a mechanism the specification deprecated before some of those domains were registered.

What ptr was supposed to do

ptr says: “accept mail from any server whose reverse DNS resolves back to my domain.” It sounds elegant — no IP lists to maintain. In practice it requires the receiver to do a reverse lookup on the connecting IP, then forward-confirm every hostname that comes back. RFC 7208 (§5.5) deprecated it in plain words: the mechanism is “slow, is not as reliable as other mechanisms in cases of DNS errors, and places a large resource requirement on the .arpa name servers” — and instructs that it “SHOULD NOT be used.”

Why it’s still a trap in 2026

Three reasons a mechanism deprecated 12 years ago still matters:

Where it comes from

Almost nobody chooses ptr today. It arrives by inheritance: a setup guide written in 2009, a template copied from an old server config, a “working” record migrated intact through three hosting moves. That’s the pattern our census sees across every deprecated-but-present mechanism: old advice doesn’t die, it gets copy-pasted. The domains carrying ptr aren’t careless — they’re following instructions that were retired 12 years ago.

How to fix it — free, five minutes

  1. Find your SPF record (dig TXT yourdomain.com or check free).
  2. If it contains ptr, identify which servers were relying on it.
  3. Replace the ptr with the precise form: an ip4:/ip6: block for servers you control, or the include: your provider documents.
  4. While you’re in there, confirm the record ends in a real qualifier — see ~all vs -all.

Frequently asked questions

What does ptr mean in an SPF record? It authorises any server whose reverse DNS resolves into your domain. RFC 7208 §5.5 deprecated it in 2014 as slow and unreliable, and says it SHOULD NOT be used — yet 950,631 domains still publish it as of 2026-06-29.

Is the SPF ptr mechanism ever valid? It still parses, and some receivers still evaluate it — but the standard advises against it in all cases, some receivers ignore it, and it spends one of your ten DNS lookups. There is no modern configuration where ptr is the right answer.

What should I use instead of ptr? ip4:/ip6: blocks for servers you control, or your provider’s documented include:. Both are deterministic, fast, and reliable — everything ptr isn’t.

Does ptr count toward the SPF 10-lookup limit? Yes — every ptr costs at least one of the ten DNS lookups a receiver will perform before giving up with a PermError. On records already stacked with include: mechanisms, the dead mechanism can be the one that pushes you over.

Check your record for ghosts

A mechanism deprecated 12 years ago, still sitting in your DNS, is exactly the kind of thing nobody looks for. Looking takes half a minute.

Check your domain → · Fix SPF → · Two SPF records = none → · The SPF maturity model → · Aggregate data only. Data stored and processed in the EU.