Back to Community Threads
Add Spam Score for FCrDNS with CNAME
Idea shared by kevind - 8/11/2025 at 11:46 AM
Proposed
Receiving a lot of spam today and noticed a particular issue. It's not getting scored by Reverse DNS - Forward Confirm Fail, even though it fails at MultiRBL.org.  Example:
Received: from blazaq.weehdcph.com (demo.srm-deals.x5.ru [85.118.130.83]) by "MyGateway" with SMTP;
   Mon, 11 Aug 2025 12:17:31 -0400
X-SmarterMail-SpamAction: None | NoAction
X-SmarterMail-TotalSpamWeight: 6
Plugging the IP 85.118.130.83 into MultiRBL.org finds a Reverse DNS entry.  But it shows "No record found" for Forward Confirm. This test does work in other situations. Have spammers find a way to get around this check?

Suggest that SmarterMail add a check for CNAME in FCrDNS and allow us to score it.
Thanks!
Maybe I already did full analysis and posted about this 7 months ago:

Not sure if it's the identical issue with CNAME, but still not working. I'm on a 2024 build. Has it been fixed in a newer build???
Continue to see this issue. Spam isn't getting scored by the FCrDNS check.

Got a message today that I won Omaha Steaks. First 2 lines of header:
When I lookup the IP above, it fails FCrDNS. However, SmarterMail isn't scoring it, even though Reverse DNS with Forward Confirm is enabled.

Can we get this fixed?
Still seeing this issue. Got another email today from Omaha Steaks... 
Return-Path: <2kz73efaevhcky7gnfdzwo8vw@spechamoto.com>
Received: from spechamoto.com (static.polyglotclub.com [74.63.233.26])
	by xxxxxxxxxx with SMTP; Mon, 25 Aug 2025 12:59:49 -0400
When I plug "static.polyglotclub.com" into a DNS Lookup tool like MXToolbox, it comes back with a CNAME, not an IP.  For anyone not familiar, here's how it's supposed to work according to Google AI:

An email reverse DNS lookup uses the sending email server's IP address to find the associated domain name via a PTR record. A forward confirm for that lookup, known as Forward Confirmed Reverse DNS (FCrDNS), then verifies that the domain name found via the reverse lookup correctly points back to the original IP address using a standard A record. This two-way verification helps to prevent email spoofing by ensuring that the sending IP and the domain name are legitimately linked, improving email deliverability.

You can also confirm this misbehavior, by plugging 74.63.233.26 into a blacklist tool like MultiRBL.

Please fix SmarterMail so it scores the Forward Confirm Fail for senders not using a standard IP.  This will help everyone with reducing spam!
Derek Curtis Replied
8/25/2025 at 12:06 PM
Employee Post
Hey, Kevin

So, I have to ask: you DO have "Enable Forward Confirm" toggled on, right? I'm seeing what you're saying based on the IPs you've provided, and I've seen similar things from my testing but I didn't have that toggled on. 
Derek Curtis
CCO
SmarterTools Inc.
Derek, thanks for the reply. Yes, we have all 3 toggled on, just like in your image. The only difference is that our weights are higher. So it is working for many messages.

But for reverse DNS names that don't use a standard A record, it doesn't work. For example, this IP fails Forward Confirm, but SmarterMail doesn't score it: https://multirbl.valli.org/lookup/74.63.233.26.html 
The IP has reverse DNS to "static.polyglotclub.com" but when you forward confirm that name, there are no A or AAAA records. It should fail and score points, but it doesn't.

Here's another example of an IP that fails Forward Confirm, but doesn't get assigned any points: https://multirbl.valli.org/lookup/162.251.121.149.html

Hopefully you can fix this to stop more spam!
Hi Derek, does that reply above make sense?
Getting more spam today that we won Omaha Steaks. Reverse DNS fails on various spam-checking websites, but not in SmarterMail. Here's a snippet from header...
Return-Path: <dVAvYDIZst@rohan.varfassingsblogda.com>
Received: from rohan.varfassingsblogda.com (aareportinganywhere.tdev.accenture.com [91.228.12.43])
X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, SPF [Pass]: -2, Null Sender: 0...
Derek Curtis Replied
8/27/2025 at 9:25 AM
Employee Post
It does, yeah. Congrats on winning the Omaha Steaks :). 

As an aside, it does look like a fix is in place, and it's made it through QC. So should be in our next public release.
Derek Curtis
CCO
SmarterTools Inc.
Derek Curtis Replied
8/28/2025 at 9:11 AM
Employee Post
After some discussion with the devs, here's what I was told:

Forward Confirmed rDNS (FCrDNS) checks are technically considered legacy by many in the industry. Modern sender validation instead relies on standards such as SPF, DKIM, and DMARC, which provide stronger and more reliable verification.

The older RFC that prohibited using a CNAME in reverse DNS (RFC 1912) is classified as a legacy best practice document, not an active standard. More recent RFCs don’t clearly forbid the use of CNAMEs in rDNS, which is why SmarterMail doesn’t fail those cases outright.

Functionally, SmarterMail still performs the forward-confirm check, but if the reverse entry resolves through a CNAME, it passes as long as the resolution completes successfully.

That said, flagging forward-confirm failures even when CNAMES are present might help catch some spam. The reality, however, is that spammers could avoid this by switching to A/AAAA records.

For now, SmarterMail’s approach is consistent with current RFC guidance and best practices, but we’ll continue evaluating whether additional scoring logic would meaningfully reduce spam without introducing false positives.
Derek Curtis
CCO
SmarterTools Inc.
Hi Derek,

Changed this to an Idea hoping SmarterTool will reconsider. This would be a nice addition to help score spam. Just received messages promoting a CVS Medicare scam that would have failed this check.

The messages came from 45.14.114.10, and when you check this IP at MultiRBL, it Fails FCrDNS as forward confirm uses CNAME.  It would be really nice to score this 10 points as legit senders use IP, not CNAME. This could be a simple enhancement to Reverse DNS dialog:

Forward Confirm CNAME weight = [xx] points.

Thanks!
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Key Feature and Version Milestones in SmarterMailSmarterMail
Configure an Alternative Linux Web Server for SmarterMailSmarterMail > Server Configuration and Management
500 Error After Upgrading to the Latest BuildSmarterMail > Troubleshooting