What is FCrDNS and why do we care
It’s been a light blogging month. We’ve been dancing around getting the final plans, financing, and contractors set up for the work we’re doing on the Dublin house and then heading off for our first actual vacation in almost 5 years. But, I wrote half of this answering a question on mailop, so I may as well polish and publish.
What is FCrDNS
FCrDNS stands for Full Circle reverse DNS or Forward-Confirmed reverse DNS. It means that if you do a DNS lookup on the domain in a reverse DNS lookup than that domain will point back to the original IP. The name actually comes from the fact that if you start with the IP address and go through the hostname, you get a full circle.
The reason FCrDNS is a thing is because any IP address owner can assign any domain to the rDNS of an IP address. They are in complete control and there are no technical checks that the hostname be a domain they own. Anyone could assign their IP a rDNS of angrygoose.google.com, or flowerchild.facebook.com or jupiter.spamhaus.com to their IPs. And, in fact, lots of spammers did just this, assigning domains to their IPs that they didn’t own.
Why do we care about FCrDNS?
Spammers lie, a lot. The did all sorts of things to avoid being blocked. Stealing legitimate domain names in their rDNS was one of those. They’d set up their IPs forging known domains as a way to try and get around some filters. Receiving systems figured this out pretty quickly. They started doing FCrDNS checks to verify that the person managing DNS for that IP space also manages DNS for the domain space. The underlying idea, is that if the IP points to a hostname and that hostname points back to the same IP, then everything is under control of the same entity.
FCrDNS is a method of deciding whether or not the IP address is legitimately being used by the domain in the rDNS entry. FCrDNS is a way to verify the identity of the connecting IP. If the rDNS doesn’t match, then it’s much more likely that the mail is coming from an illegitimate source.
What should have a FCrDNS?
Basically, any time you set up rDNS on an IP address it’s good practice to give the corresponding hostname an A record. For IP sending outgoing mail, this is one of those expected best practices. There’s an IP address with a rDNS of a single hostname and the hostname points back to the IP address. That IP uses the same hostname to introduce itself during the SMTP transaction. Certainly when I’m looking at IP addresses and domains and EHLO values I do check to see if everything matches.
But. Not every hostname has to have a single A/AAAA record. A single hostname can point to multiple IPs:
A single IP can also point to many different hostnames or no hostnames at all. In fact spot checks show me that none of the IP addresses in the example above actually have a rDNS set up.
;; QUESTION SECTION:
;18.104.22.168.in-addr.arpa. IN PTR
The ability of an IP to point to many hostnames and a hostname to point to many IPs complicates completing the circle. Anyone verifying FCrDNS on an IP with multiple PTR records needs to do multiple DNS lookups for the verification step. Lookups can quickly get out of hand if each of the domains in the PTR has multiple IPs then there’s even more DNS work.
These technical and practical realities are why we can only recommend that an IP sending mail have FCrDNS, we can’t require it. And, in fact, not all outgoing mail servers do have it.
FCrDNS is a hack to link an IP address to a domain. That’s all it’s there for. You set it up if you can, and should probably expend some effort to do so for dedicated outbound servers, particularly those sending bulk mail. But, no, your 5321.from domain doesn’t need to point to an IP simply so you can check this box