forward and reverse DNS (was: Please, talk me down.)

Jimmy Hess mysidia at
Tue Oct 23 04:17:22 UTC 2012

On 10/22/12, Joe Abley <jabley at> wrote:
> I will further note that just because dnsop can't agree on something doesn't
> mean that it's not worth agreeing on.
Some of the IETF WGs' members  wouldn't be able to agree what color
the sky appears to be on a clear sunny day.

But it is common  MTAs, to be configured to perform a  check for
Forward-Confirmed DNS, similar to the iprev authentication mechanism
mentioned in RFC5451, except this is mandatory,  and they refuse

Many popular anti-spam solutions are implementing this out of the box,
 and common MTAs provide documentation recommending configurations

that implement constraints such as these:

1. If a 'HELO' or 'EHLO' message is received, and there is no
argument, the SMTP server will respond with a 5xx reject,  even though
it is technically allowed to have a HELO/EHLO without a hostnamr
parameter specified.

2. If a 'HELO'  or  'EHLO'  message is received;  the SMTP server
will begin a forward DNS lookup on the hostname presented in the
HELO/EHLO,  and a Reverse DNS lookup on the connecting IP;   it may
initiate an outgoing  connection to port 113 auth  (Ident)  on the
connecting IP,  in order to ask for a username to insert in message

a. If the forward DNS check on the HELO name, or the PTR query on the
connecting IP fails to get a response.  HELO fails with a 4xx reject.

b. If either result in a NXDOMAIN response,  HELO fails with a 5xx reject.

c. If both succeed, a forward DNS lookup is started for the name found
in the PTR response,  and a 4xx reject upon lookup failure,  or   5xx
reject  upon  a NXDOMAIN response,  or forward lookup response not
matching the IP address of the client.

o The  "SMTP reject"  might  instead trigger a tarpitting mechanism.
Some implementations currently accept the HELO and delay the SMTP
reject by default until a later stage,  such as RCPT TO,   and/or
cache  the reject decision,  to reduce the
impact of multiple connection attempts.

3.  If a 'RCPT TO' message is received,  a 5xx smtp error is sent,
unless a  'MAIL FROM' message has already been received and accepted,
and the mailbox is a known local mailbox.

4. If a 'MAIL FROM' message is received, a 5xx smtp error is sent,
unless a 'HELO'  or 'EHLO' message has already been received and
accepted.    If the address referenced is  not <>,   then  A  DNS
request is sent for forward lookup of the domain in the MAIL FROM,
and SPF query/policy test on the envelope from address.       If there
is a SPF soft fail, a 4xx reject;    SPF hard fail, or the domain does
not exist, a  SMTP 5xx reject.

> Joe

More information about the NANOG mailing list