What is Reverse DNS (rDNS)- Reverse DNS Lookup
There are many ways to prevent spam, such as implementing SPF, DKIM, DMARC, and BIMI. But lesser-known forms of email authentication including reverse DNS (Domain Name System) are equally as important.
So, what is reverse DNS or an rDNS lookup?
Reverse DNS (rDNS) is essentially a reverse IP lookup. It is a type of email authentication that is used to match your mail server IP address to your hostname.
This post will cover:
- How does Reverse DNS work?
- What is the difference between forward DNS and reverse DNS?
- Why are Reverse DNS Lookups Important?
- How to Set Up Reverse DNS Record
- Step 1) Create Reverse DNS Zone
- Step 2) Create PTR Record
- How to do a Reverse DNS Lookup
- How to Fix a Reverse DNS Error
How does Reverse DNS work?
Reverse DNS is similar to the way a police officer examines your license to see if it matches your registration in order to verify that you are the car owner.
When you send an email, your recipients’ mail servers will perform reverse DNS lookups to check if your Sending IP address matches the domain name within the HELO command. This is also known as HELO to IP.
What is the difference between forward DNS and reverse DNS?
Reverse DNS works in the exact opposite manner as forward DNS (Domain Name System). Standard or “forward” DNS maps a domain name to an IP address whereas reverse DNS maps an IP address to a domain name.
Note: These are two separate lookups. If a forward DNS lookup points example.com to an IP address of 22.214.171.124, that does not mean that performing a reverse lookup of 126.96.36.199 will point back to example.com. That’s why it’s important to set up your reverse DNS record properly.
Why are Reverse DNS Lookups Important?
Reverse DNS entries are most valuable for outbound sending as they influence your email’s deliverability.
rDNS helps add credibility to the IP addresses sending emails and functions as an additional layer of email authentication. It allows you to separate legitimate mail servers from compromised email servers that are sending spam.
Several major mailbox providers such as Google, Microsoft, and Yahoo! will block messages coming from a mail server without valid reverse DNS resolution. Also, some SMTP servers are configured to reject emails when the reverse DNS query does not match the HELO.
However, keep in mind that mailbox providers find more importance in your overall IP address and domain reputation when deciding where your emails should be routed.
How to Set Up Reverse DNS Record
Before you are able to set up your rDNS records in your DNS system, there are a few things to keep in mind:
- Your sending IP needs a PTR record in your DNS that resolves to a valid hostname.
- Your hostname needs an A record in your DNS that matches your sending IP address.
What is PTR record?
PTR records are records for reverse DNS. PTR or pointer records are stored in a specific zone. The hostname for the zone has to be written as an “arpa” domain.
What is in-addr.arpa?
If you’re in charge of setting up your domain’s PTR record in your DNS, you’ll need to create a zone first. In-addr.arpa is used to create a reverse zone for your pointer record (PTR).
*Skip these setup steps if you don’t have access to your Authoritative Nameserver or your DNS configuration, most ISP (Internet Service Providers) will already have created generic PTR records for their clients.
When a reverse DNS lookup is performed, a valid record may be returned, but it’s won’t be a regular “A” record like “mail.yourdomain.com,” but rather a generic one generated by your ISP.
You can differentiate generic records from regular records by the fact that the host name ’11-22-33-444′ would actually be the IP address in reverse, and it would be punctuated with hyphens instead of using dots.
This is technically a valid PTR record because it points to a valid ‘A’ record, but it’s not suitable for reverse DNS lookups because of its generic nature. It is your responsibility to contact your ISP’s support a request that your IP addresses resolve to your domain.
Step 1) Create Reverse DNS Zone
The hostname for your rDNS zone will essentially be the first few sets of numbers in your given IP address. So if your IP address is 188.8.131.524 then:
- Remove the last set of numbers in your IP address (444).
- Reverse the remaining numbers (111.222.3 -> 3.222.111).
- Add “in-addr.arpa” to your reversed IP address (3.222.111.in-addr.arpa).
- Your completed reverse zone domain is 3.222.111.in-addr.arpa.
Step 2) Create PTR Record
- Add a new PTR record.
- Name it with the last set of numbers in your IP address. In our example, it would be 444.
- For the Canonical Hostname, enter the domain name you’d like the IP address to resolve to: mail.yourdomain.com
How to do a Reverse DNS Lookup
Run a FREE comprehensive GlockApps Spam Test to find out if your reverse DNS is configured properly. You’ll discover what domain your IP address maps to and other important insights to help you improve your email marketing program’s deliverability!
How to Fix a Reverse DNS Error
After you’ve set up your reverser DNS record and you run a reverse DNS lookup, you may run into an error such as Reverse DNS does not match SMTP banner.
Here is how to fix it:
Reverse DNS does not match SMTP banner
When you send an email, your mail server uses the HELO (EHLO) command to identify itself when connecting to another email server.
The SMTP Banner is the mail server’s response to the EHLO command.
It is the initial SMTP connection response that a messaging server receives after it connects to an Exchange server.
Default Exchange SMTP Banner:
220 EX1.example.com Microsoft ESMTP MAIL Service ready at Sun, 11 Jun 2017 13:22:31 -0400
Optimized SMTP Banner:
How to change the SMTP banner in Exchange 2013 or 2016
You will need to use PowerShell in order to change your SMTP Banner. If you have multiple receive connectors, you will have to do this on each.
- Open an Exchange Management Shell session
- Run this cmdlet to see the name of the receive connector(s) you have on the server
- Get-ReceiveConnector | ft [enter]
- Run this cmdlet to set the banner, enclosing the receive connector name in quotes if it contains spaces
- Set-ReceiveConnector -Identity “ConnectorName” -Banner “220 YourTextGoesHere” [enter]
- So if you wanted to set your banner to just give the minimum information necessary to work and pass anti-spam testing of banner grabs, do this
- Set-ReceiveConnector -Identity “ConnectorName” -Banner “220 server1.example.com” [enter]
- Repeat as necessary for any other connectors.
Cpanel SMTP Solution:
SMTP Banner Best Practices:
- Verify that the SMTP banner hostname matches that of the MX, A, and PTR records.
- Messaging Gateway accepts messages for: example.com, example.net, demo.org
- MX lookup for example.com returns mail.example.com
- MX lookup for example.net returns mail.example.com
- MX lookup for demo.org returns mail.example.com
- IP (A) lookup for mail.example.com returns 10.10.10.25 and the reverse (PTR) lookup for 10.10.10.25 returns mail.example.com
- SMTP banner returns “220 mail.example.com ESMTP Messaging Gateway”
It is important to go beyond just implementing SPF, DKIM, DMARC, and BIMI to secure your domain names from spammers.
Implementing reverse DNS will help ensure email servers block messages from other compromised email servers attempting to send malicious content.
A few things to take away from this article:
- Reverse DNS lookups are the opposite of a regular DNS request.
- rDNS zones are reversed numeric IP addresses with an appended “in-addr.arpa”.
- You’ll need access to your Authoritative Nameserver or your DNS configuration to make necessary changes. If you don’t have access, you will need to set it up with your domain hosting provider/ISP by sending their support a message stating that you’d like a PTR record set for your IP address that points to mail.yourdomain.com.
- Use GlockApps’ Spam Testing Tool to run reverse DNS lookups frequently.