Every time I do a setup with a customer, the question always comes up: Should we use Reverse DNS checking or not when configuring connection-level blocking security measures?
What is reverse DNS lookup?
Here’s a snippet taken from Wikipedia’s description:
‘Reverse DNS lookups for IPv4 addresses use a reverse IN-ADDR entry in the special domain in-addr.arpa. In this domain an IPv4 address is represented as a sequence of bytes in reverse order, encoded as decimal numbers and separated by dots (full stop) with the second level domain suffix .in-addr.arpa.
For example, an address (A) record for mail.example.com points to the IP address 192.0.2.5. In pointer records of the reverse database, this IP address is stored as the domain name 5.2.0.192.in-addr.arpa pointing back to its designated host name mail.example.com.’
So, when an MTA asks DNS to resolve your IP address to a name, it looks up your IP in reverse notation with the suffix .in-addr.arpa (a PTR query) to find the associated host name.
What an MTA usually does then is check that the forward and reverse records agree in both directions:
mail.example.com -> 192.0.2.5
should also match the other way around:
192.0.2.5 -> mail.example.com
This is called ‘Forward Confirmed Reverse DNS’.
So, should we use it?
In 1996, RFC 1912 stipulated that every host should have a reverse PTR record. Section 2.1 of this RFC states: ‘Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the in-addr.arpa domain.’
In other words, all your public-facing machines should have a reverse PTR record, including your MTA.
That said, not every admin followed suit when the RFC came out, nor for several years after its publication. Furthermore, in the early years of anti-spam tools, using reverse DNS lookups was usually a bad idea because of the number of legitimate MTAs that didn’t have a PTR record.
These days, however, it has become much safer to use the reverse lookup as an anti-spam measure: if you DO NOT have a PTR record of your own, you will inevitably run into delivery problems, even with very large ISPs and mail hosting companies, because they DO check reverse DNS.
So, if the large mail providers are using it, there shouldn’t be any reason why you can’t too.
As a precaution, though, if you’re worried about what might get rejected at the connection level, most anti-spam gateways can instead quarantine messages whose source is missing a proper reverse DNS entry, so the mail is held for review rather than refused outright.
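The two-direction check described above, together with the quarantine-instead-of-reject option, as an added Python example that is not part of the original post: the resolver functions are injected so it runs offline against constructed records, the POLICY table is a hypothetical gateway policy, and it also handles IPv6 via ip6.arpa, which the post does not discuss.

```python
import ipaddress

# Constructed sample records for offline demonstration (not real DNS data):
# 192.0.2.5 -> PTR -> mail.example.com -> A -> 192.0.2.5    (FCrDNS passes)
# 192.0.2.6 -> PTR -> mail.example.org -> A -> 198.51.100.9 (mismatch)
# 192.0.2.7 has no PTR record at all
SAMPLE_PTR = {
    "5.2.0.192.in-addr.arpa": ["mail.example.com"],
    "6.2.0.192.in-addr.arpa": ["mail.example.org"],
}
SAMPLE_A = {"mail.example.com": ["192.0.2.5"], "mail.example.org": ["198.51.100.9"]}

# Hypothetical gateway policy per outcome: quarantine rather than reject when
# the sender merely lacks a PTR, as suggested above.
POLICY = {"pass": "accept", "no_ptr": "quarantine", "mismatch": "reject"}


def reverse_name(ip):
    """PTR owner name: octets reversed under in-addr.arpa for IPv4,
    nibbles reversed under ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns_check(ip, ptr_lookup, a_lookup):
    """Forward Confirmed reverse DNS: PTR for the address, then A/AAAA for
    each returned name, and the original address must be among the results.
    ptr_lookup(owner) -> list of names; a_lookup(name) -> list of addresses.
    Returns ("pass", name), ("no_ptr", None) or ("mismatch", first_name)."""
    addr = ipaddress.ip_address(ip)
    names = ptr_lookup(reverse_name(ip))
    if not names:
        return ("no_ptr", None)
    for name in names:
        # Compare as address objects so equivalent IPv6 spellings match.
        if any(ipaddress.ip_address(a) == addr for a in a_lookup(name)):
            return ("pass", name)
    return ("mismatch", names[0])


def sample_ptr(owner):
    return SAMPLE_PTR.get(owner, [])

def sample_a(name):
    return SAMPLE_A.get(name, [])


def gateway_action(ip):
    """Run the check against the sample records and apply the policy."""
    outcome, _ = fcrdns_check(ip, sample_ptr, sample_a)
    return POLICY[outcome]
```

To use it against live DNS, replace sample_ptr and sample_a with functions that issue real PTR and A/AAAA queries through your resolver library.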