Introduction to FCrDNS

Forward-confirmed reverse DNS (FCrDNS) is an rDNS configuration that defines a strong relationship between an IP address and a domain. Implementing FCrDNS depends on joint action between the IP administrator and the domain administrator. When FCrDNS is valid, there is a guarantee that the domain owner takes responsibility for the use of that IP.

How to check FCrDNS for IPv4

To check FCrDNS, you must first query the rDNS of the IP. For example, the rDNS for “209.85.218.43” is “mail-oi0-f43.google.com”. Using the rDNS name found, query its A record:

ubuntu:~$ dig A mail-oi0-f43.google.com +noall +answer
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> A mail-oi0-f43.google.com +noall +answer
;; global options: +cmd
mail-oi0-f43.google.com. 42 IN A 209.85.218.43

If the result is exactly the same IP, as in this example, then FCrDNS is valid.

How to check FCrDNS for IPv6

To check FCrDNS, you must first query the rDNS of the IP. For example, the rDNS for “2607:f8b0:400c:c05::22f” is “mail-vk0-x22f.google.com”. Using the rDNS name found, query its AAAA record:

ubuntu:~$ dig AAAA mail-vk0-x22f.google.com +noall +answer
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> AAAA mail-vk0-x22f.google.com +noall +answer
;; global options: +cmd
mail-vk0-x22f.google.com. 60 IN AAAA 2607:f8b0:400c:c05::22f

If the result is exactly the same IP, as in this example, then FCrDNS is valid.

Importance of FCrDNS for email servers

FCrDNS guarantees that the domain owner agrees to the use of that particular IP. This condition is very important for an e-mail service that needs to apply a whitelist rule to a wide range of IPs used by a specific domain. If the service does not check FCrDNS validity, it may be exposed to spoofing attacks.
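The IPv4/IPv6 check described above and the domain whitelist rule from this section, combined in one added Python example (not code from the original page). The function names, the injectable resolver parameters and the 203.0.113.7 record are assumptions made for illustration; the offline records are constructed, with the first two pairs taken from the page's dig examples.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver (needs network access)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_addrs(host, family):
    """A (AF_INET) or AAAA (AF_INET6) addresses for host from the system resolver."""
    try:
        infos = socket.getaddrinfo(host, None, family)
    except OSError:
        return []
    return [info[4][0].split("%")[0] for info in infos]

def fcrdns_names(ip, ptr=system_ptr, addrs=system_addrs):
    """Return the rDNS names of ip whose A/AAAA answer contains exactly that ip."""
    target = ipaddress.ip_address(ip)
    family = socket.AF_INET if target.version == 4 else socket.AF_INET6
    confirmed = []
    for name in ptr(str(target)):
        host = name.rstrip(".").lower()
        # Compare parsed addresses so different IPv6 spellings still match.
        forward = {ipaddress.ip_address(a) for a in addrs(host, family)}
        if target in forward:
            confirmed.append(host)
    return confirmed

def sender_in_domain(ip, domain, **resolvers):
    """Whitelist test: a forward-confirmed name is domain itself or a subdomain of it."""
    domain = domain.rstrip(".").lower()
    return any(h == domain or h.endswith("." + domain)
               for h in fcrdns_names(ip, **resolvers))

# Constructed records for an offline run. 203.0.113.7 is a documentation address
# whose PTR claims a google.com name that does not resolve back to it.
PTR = {"209.85.218.43": ["mail-oi0-f43.google.com."],
       "2607:f8b0:400c:c05::22f": ["mail-vk0-x22f.google.com."],
       "203.0.113.7": ["mail-oi0-f43.google.com."]}
FWD = {"mail-oi0-f43.google.com": ["209.85.218.43"],
       "mail-vk0-x22f.google.com": ["2607:f8b0:400c:c05:0:0:0:22f"]}
OFFLINE = dict(ptr=lambda ip: PTR.get(ip, []), addrs=lambda host, family: FWD.get(host, []))

if __name__ == "__main__":
    for ip in PTR:
        print(ip, fcrdns_names(ip, **OFFLINE), sender_in_domain(ip, "google.com", **OFFLINE))
```

Calling fcrdns_names(ip) without the ptr and addrs arguments uses the system resolver instead of the constructed records.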

 

How to configure FCrDNS on your email server

Once your ISP has correctly configured rDNS, go to the DNS manager of the respective domain and declare the same IP as a host. It is possible that the ISP will require the IP to be declared as a host before it sets up rDNS. Each IP version uses a different record type, so an IPv4 address must be registered as an A record and an IPv6 address as an AAAA record.

External links

https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS

Leandro Carlos Rodrigues

Bachelor of Computer Science from FEI