Forward-confirmed reverse DNS

From Citizendium
Revision as of 13:13, 28 October 2009 by imported>David MacQuigg (first draft)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
This article is developing and not approved.
Main Article
Discussion
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable Main Article is under development and subject to a disclaimer.

This article is a subtopic in a group of articles under Email system. We assume the reader understands the parent article, its terminology, and the roles of different agents in the system. The reader should also be familiar with the basics of Email authentication and with the article on Reverse DNS.

Forward-Confirmed reverse DNS (FCrDNS) is an email authentication method that uses the source IP address in a TCP connection to verify a domain name. A receiver does a Reverse DNS query on the IP address to learn the "IP name" assigned to that address by the network owner. If a normal forward DNS query on that name gives a matching IP address, then we have strong assurance that the network owner and the domain owner agree that the IP address and domain name are connected.

Limitations

FCrDNS says nothing about the authorization of an IP address to send email. There must be some external information, perhaps a "PTR term" in an SPF record, saying in effect "Trust our PTR records. We're not as sloppy as everyone else." Otherwise, a Pass result might only mean that a network provider set up PTR records for all addresses in his entire IP block, including dynamic addresses assigned to home computers. Often these network owners are large telecommunication companies, and not responsive to domain owners who want to set up their own PTR records.

The FCrDNS method is one of the least reliable of the email authentication methods. It can provide robust authentication, but seldom does because of the confusion and miscommunication surrounding PTR records.[1] Few receivers rely on FCrDNS as having any value by itself. It is mostly used as a heuristic check along with other inputs to a statistical analysis by a spam filter.

How it works

See the email authentication example in Reverse DNS.

  1. For a thorough discussion of these problems, see the Internet Draft "Considerations for the use of DNS Reverse Mapping" by Senie and Sullivan (March 2008).