Spam not scored by rDNS Forward Confirm

Problem reported by kevind - 8/11/2025 at 11:46 AM

Not A Problem

Receiving a lot of spam today and noticed a particular issue. It's not getting scored by Reverse DNS - Forward Confirm Fail, even though it fails at MultiRBL.org. Example:

Plugging the IP 85.118.130.83 into MultiRBL.org finds a Reverse DNS entry. But it shows "No record found" for Forward Confirm. This test does work in other situations. Have spammers find a way to get around this check? Thanks!

8 Replies

Reply to Thread

kevind Replied

8/11/2025 at 11:56 AM

Maybe I already did full analysis and posted about this 7 months ago:

https://portal.smartertools.com/community/a96718/fcrdns-shouldnt-allow-cname.aspx

Not sure if it's the identical issue with CNAME, but still not working. I'm on a 2024 build. Has it been fixed in a newer build???

kevind Replied

8/18/2025 at 11:17 AM

Continue to see this issue. Spam isn't getting scored by the FCrDNS check.

Got a message today that I won Omaha Steaks. First 2 lines of header:

Return-Path: <HchWeQJASP@kunde.inglepoint.com>
Received: from kunde.inglepoint.com (officeiot.lge.com [162.251.121.148])

When I lookup the IP above, it fails FCrDNS. However, SmarterMail isn't scoring it, even though Reverse DNS with Forward Confirm is enabled.

Can we get this fixed?

kevind Replied

8/25/2025 at 10:36 AM

Still seeing this issue. Got another email today from Omaha Steaks...

Return-Path: <2kz73efaevhcky7gnfdzwo8vw@spechamoto.com>
Received: from spechamoto.com (static.polyglotclub.com [74.63.233.26])
	by xxxxxxxxxx with SMTP; Mon, 25 Aug 2025 12:59:49 -0400

When I plug "static.polyglotclub.com" into a DNS Lookup tool like MXToolbox, it comes back with a CNAME, not an IP. For anyone not familiar, here's how it's supposed to work according to Google AI:

An email reverse DNS lookup uses the sending email server's IP address to find the associated domain name via a PTR record. A forward confirm for that lookup, known as Forward Confirmed Reverse DNS (FCrDNS), then verifies that the domain name found via the reverse lookup correctly points back to the original IP address using a standard A record. This two-way verification helps to prevent email spoofing by ensuring that the sending IP and the domain name are legitimately linked, improving email deliverability.

You can also confirm this misbehavior, by plugging 74.63.233.26 into a blacklist tool like MultiRBL.

Please fix SmarterMail so it scores the Forward Confirm Fail for senders not using a standard IP. This will help everyone with reducing spam!

Derek Curtis Replied

8/25/2025 at 12:06 PM

Employee Post

Hey, Kevin

So, I have to ask: you DO have "Enable Forward Confirm" toggled on, right? I'm seeing what you're saying based on the IPs you've provided, and I've seen similar things from my testing but I didn't have that toggled on.

Derek Curtis COO SmarterTools Inc. www.smartertools.com

kevind Replied

8/25/2025 at 7:32 PM

Derek, thanks for the reply. Yes, we have all 3 toggled on, just like in your image. The only difference is that our weights are higher. So it is working for many messages.

But for reverse DNS names that don't use a standard A record, it doesn't work. For example, this IP fails Forward Confirm, but SmarterMail doesn't score it: https://multirbl.valli.org/lookup/74.63.233.26.html

The IP has reverse DNS to "static.polyglotclub.com" but when you forward confirm that name, there are no A or AAAA records. It should fail and score points, but it doesn't.

Here's another example of an IP that fails Forward Confirm, but doesn't get assigned any points: https://multirbl.valli.org/lookup/162.251.121.149.html

Hopefully you can fix this to stop more spam!

kevind Replied

8/27/2025 at 8:59 AM

Hi Derek, does that reply above make sense?

Getting more spam today that we won Omaha Steaks. Reverse DNS fails on various spam-checking websites, but not in SmarterMail. Here's a snippet from header...

Return-Path: <dVAvYDIZst@rohan.varfassingsblogda.com>
Received: from rohan.varfassingsblogda.com (aareportinganywhere.tdev.accenture.com [91.228.12.43])
X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, SPF [Pass]: -2, Null Sender: 0...

Derek Curtis Replied

8/27/2025 at 9:25 AM

Employee Post

It does, yeah. Congrats on winning the Omaha Steaks :).

~~As an aside, it does look like a fix is in place, and it's made it through QC. So should be in our next public release.~~

Derek Curtis COO SmarterTools Inc. www.smartertools.com

Derek Curtis Replied

8/28/2025 at 9:11 AM

Employee Post

After some discussion with the devs, here's what I was told:

Forward Confirmed rDNS (FCrDNS) checks are technically considered legacy by many in the industry. Modern sender validation instead relies on standards such as SPF, DKIM, and DMARC, which provide stronger and more reliable verification.

The older RFC that prohibited using a CNAME in reverse DNS (RFC 1912) is classified as a legacy best practice document, not an active standard. More recent RFCs don’t clearly forbid the use of CNAMEs in rDNS, which is why SmarterMail doesn’t fail those cases outright.

Functionally, SmarterMail still performs the forward-confirm check, but if the reverse entry resolves through a CNAME, it passes as long as the resolution completes successfully.

That said, flagging forward-confirm failures even when CNAMES are present might help catch some spam. The reality, however, is that spammers could avoid this by switching to A/AAAA records.

For now, SmarterMail’s approach is consistent with current RFC guidance and best practices, but we’ll continue evaluating whether additional scoring logic would meaningfully reduce spam without introducing false positives.

Derek Curtis COO SmarterTools Inc. www.smartertools.com

Back to Community Threads

Please leave this box unchecked

Reply to Thread

Enter the verification text