Forward-confirmed reverse DNS
This article is a subtopic in a group of articles under Email system. We assume the reader understands the parent article, its terminology, and the roles of different agents in the system. The reader should also be familiar with the basics of Email authentication and with the article on Reverse DNS.
Forward-Confirmed reverse DNS (FCrDNS) is an email authentication method that uses the source IP address in a TCP connection to verify a domain name. A receiver does a Reverse DNS query on the IP address to learn the "IP name" assigned to that address by the network owner. If a normal forward DNS query on that name gives a matching IP address, then we have strong assurance that the network owner and the domain owner agree that the IP address and domain name are connected.
Limitations
FCrDNS says nothing about the authorization of an IP address to send email. There must be some external information, perhaps a "PTR term" in an SPF record, saying in effect "Trust our PTR records. We're not as sloppy as everyone else." Otherwise, a Pass result might only mean that a network provider set up PTR records for all addresses in his entire IP allocation, including dynamic addresses assigned to home computers. Often these network owners are large telecommunication companies, and not responsive to domain owners who want to use their own domain names in PTR records.
The FCrDNS method is one of the least reliable of the email authentication methods. It can provide robust authentication, but seldom does because of the confusion and miscommunication surrounding PTR records.[1] Few receivers rely on FCrDNS as having any value by itself. It is mostly used as a heuristic check along with other inputs to a statistical analysis by a spam filter.
How it works
See the email authentication example in Reverse DNS.
Notes
- ↑ For a thorough discussion of these problems, see the Internet Draft "Considerations for the use of DNS Reverse Mapping" by Senie and Sullivan (March 2008).