Reverse DNS checking: Is it safe to use?

Posted on 04 December 2009 at 07:06

Every time I do a setup with a customer, the question always comes up: Should we use Reverse DNS checking or not when configuring connection-level blocking security measures?

What is reverse DNS lookup?

Here’s a snippet taken from Wikipedia’s description:

“Reverse DNS lookups for IPv4 addresses use a reverse IN-ADDR entry in the special domain In this domain an IPv4 address is represented as a sequence of bytes in reverse order, encoded as decimal numbers and separated by dots (full stop) with the second level domain suffix”

“For example, an address (A) record for points to the IP address In pointer records of the reverse database, this IP address is stored as the domain name pointing back to its designated host name”

So, when a DNS server tries to resolve your IP address, it looks up your IP in reverse notation with the suffix to find the associated host name.

What an MTA usually does then is to see if they match in both directions: ->
should also match the other way around: ->

This is called the “Forward Confirmed Reverse DNS.”

So, should we use it?

In 1996, RFC 1912 stipulated that every host should have a reverse PTR record. Section 2.1 of this RFC states: “Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the domain.”

In other words, all your public-facing machines should have a reverse PTR record, including your MTA.

This being said, not every admin followed suit when the RFC came out, nor for several years after its publication.  Furthermore, in the early years of using anti-spam tools, using reverse DNS lookups was usually a bad idea due to the number of MTAs that didn’t have a PTR record.

These days, however, it has become much safer to use the reverse lookup as an anti-spam measure, because a sender that does NOT have a PTR record of its own will inevitably run into delivery problems – even to very large ISPs and mail hosting companies – since they DO check reverse DNS.

So, if the large mail providers are using it, there shouldn’t be any reason why you can’t.

As a precaution, though, if you’re worried about what might get rejected at the connection level, most anti-spam gateways can instead quarantine messages whose source is missing a proper reverse DNS entry.
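The forward-confirmed check described above, together with the quarantine-instead-of-reject precaution, as an added example that is not part of the original post. It assumes the standard in-addr.arpa reverse tree for IPv4 and replaces real DNS queries with a constructed answer table (documentation-range addresses and hypothetical host names), so it runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str], List[str]]

# Constructed stand-in for DNS answers (documentation-range IPs, hypothetical names);
# a real gateway would query its resolver here instead.
PTR_RECORDS: Dict[str, List[str]] = {
    "5.2.0.192.in-addr.arpa": ["mail.example.com"],   # PTR -> A round trip matches
    "6.2.0.192.in-addr.arpa": ["smtp.example.net"],   # PTR name's A record points elsewhere
    "7.2.0.192.in-addr.arpa": ["ghost.example.org"],  # PTR name has no A record at all
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.5"],
    "smtp.example.net": ["198.51.100.10"],
}

def reverse_name(ip: str) -> str:
    """Build the reverse-lookup name: octets in reverse order under in-addr.arpa."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"

def fcrdns(ip: str, ptr_lookup: Lookup, a_lookup: Lookup) -> str:
    """Forward-confirmed reverse DNS verdict for one connecting IP.

    'pass'     - at least one PTR name has an A record pointing back at ip
    'no_ptr'   - no PTR record exists for the address
    'mismatch' - PTR names exist, but none of them resolve back to ip
    """
    names = ptr_lookup(reverse_name(ip))
    if not names:
        return "no_ptr"
    if any(ip in a_lookup(name) for name in names):
        return "pass"
    return "mismatch"

# Action per verdict: quarantine rather than reject at the connection level.
POLICY = {"pass": "accept", "no_ptr": "quarantine", "mismatch": "quarantine"}

def decide(ip: str) -> Tuple[str, str]:
    """Run the check against the sample data and return (verdict, action)."""
    verdict = fcrdns(ip, lambda n: PTR_RECORDS.get(n, []), lambda n: A_RECORDS.get(n, []))
    return verdict, POLICY[verdict]

if __name__ == "__main__":
    for ip in ("192.0.2.5", "192.0.2.6", "192.0.2.7", "192.0.2.8"):
        print(ip, *decide(ip))
```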



One Response to “Reverse DNS checking: Is it safe to use?”


    This is the right site for anybody who wishes to understand this topic.

    You understand so much it's almost tough to argue
    with you (not that I actually will need to…HaHa).
    You certainly put a new spin on a subject which has been discussed for a long time.

    Excellent stuff, just wonderful!

