Sender authentication Part 4: Forward Confirmed Reverse DNS
Now that we have seen how email headers are inserted by the receiving machine upon receipt of an email, we need to go into a little bit on how mail servers convert IP addresses to host names and vice versa.
DNS stands for Domain Name System. It converts a host name to its IP address. Reverse DNS is the opposite, it converts an IP address to its host name. It does this by examining the IP's PTR record. From answers.com:
A PTR record or pointer record maps an IPv4 address to the canonical name for that host. Setting up a PTR record for a hostname in the
in-addr.arpadomain that corresponds to an IP address implements reverse DNS lookup for that address. For example (at the time of writing),
www.icann.nethas the IP address 126.96.36.199, but a PTR record maps
188.8.131.52.in-addr.arpato its canonical name,
The converse of a PTR record is the A record, which maps a hostname to its 32-bit IP address. So, A-records are used for DNS lookups, PTR records are used for reverse DNS lookups.
This brings us to Forward Confirmed Reverse DNS, or FCrDNS. An IP is said to have FCrDNS if it has a forward DNS (name -> IP) and reverse DNS (IP -> name) that match. First, an IP has a reverse DNS performed. This returns a list of hostnames associated with that IP (the list could 0, 1 or more entries). For each entry in that list (assume it is greater than or equal to 1), a regular DNS lookup is performed to see if the IP matchup matches the original IP address. So, for example:
IP = 2184.108.40.206
Reverse DNS = tzink-is-awesome.com, tzink-is-okay.com, tzink-is-not-that-great.com
A-record for tzink-is-awesome.com = 2220.127.116.11 -- no match
A-record for tzink-is-okay.com = 218.104.22.168 -- no match
A-record for tzink-is-not-that-great.com = 222.214.171.124 -- match!
Since we matched the IP address in one of the domain's A-records that was found in the PTR, we are said to have FCrDNS for the IP.
In spam filtering, if an IP has FCrDNS then we can be sure that the mail originated at the domain. Spammers cannot normally forge this if they are sending from zombie computers. Of course, if the ISP in question doesn't care about spammers then this form of authentication won't stop the mail. On the other hand, if the ISP doesn't care about spam filtering and a spam analyst figures this out, this IP can very quickly be placed on a blocklist and accept no further mail from them until they clean up their act.
You can see how DNS lookups can be useful in some circumstances. At the very least, if the connecting IP says HELO, has an rDNS that matches the HELO, then the mail did indeed originate from that domain. The DNS information can then be inserted into the received headers. If the mail is spammy, the ISP can be complained to. If the ISP ignores the spammee, they can be placed on a blacklist. After all, it's proof that the IP is sending spam that indeed is originating from that host.