Does FCRDNS need the RDNS to be the same hostname than the first forward query?

allo asked:

Does forward confirmed reverse dns (fcrdns) only lookup ip to hostname and then hostname to ip or does it compare to the first hostname as well (especially in spam filtering)?

Let’s say i have these records:

  • A reverse.somedomain:
  • A mail.somedomain:
  • A mail.mailserverdomain:
  • MX somedomain: mail.somedomain
  • PTR reverse.somedomain

A MTA tries to verify the RDNS of the host and resolves mail.mailserverdomain to, then reverse to reverse.somedomain, and then forward reverse.somedomain to Will this be a valid FCRDNS or does the PTR record need to point to the MX name?

The question boils down to the question, if FCRNDS uses two or three queries. Either Forward, Backward, Forward, or just Forward, Backward.

My answer:

Actually neither.

FCRDNS stands for “Forward Confirmed Reverse DNS”.

How this works is that, first, the PTR record of the connecting IP address is looked up. If it hasn’t got a PTR record, then the check instantly fails. A mail server with this feature on will then reject the connection, such as this rejection taken from my own mail server:

Sep 18 02:48:10 grummle postfix/smtpd[16577]: NOQUEUE: reject: RCPT from unknown[]: 450 4.7.1 Client host rejected: cannot find your hostname, []; from=<> to=<> proto=ESMTP helo=<>

Because has no PTR record, the reverse DNS check fails.

The second step is to take the hostname that was returned, and look up its IP address. That IP address must match the IP address that made the connection to the server. This is what forward confirmed means. If it does not, then again we reject the connection. (So few make it this far that I don’t even have an example in the last week’s worth of logs.)

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.