North American Network Operators Group


Re: is reverse dns required? (policy question)

  • From: Steven Champeon
  • Date: Wed Dec 01 13:20:36 2004

on Wed, Dec 01, 2004 at 11:27:54AM -0600, Robert Hayden wrote:
> Besides, if customers "need" it to make their mail work, choosing not to 
> do it will be a good indication to your customers that another provider 
> might be more supportive.
> Basic non-custom reverse DNS on everything is a "good thing" to put in 
> place regardless.

Just a quick note: it's not a BCP yet, but it's also considered
/extremely/ friendly by mail admins and others, if you use a naming
convention for your rDNS that is easily placed into access.db and other
"right-anchored" string matching mechanisms. e.g., if you have a
dynamically assigned DSL range, and want to assign rDNS to it based on
the IP,

is a lot easier to block via rudimentary mechanisms than

which requires regular expression support due to the way sendmail deals
with periods in hostnames, etc. In the former example, I can just block
all mail from ''. In the latter, I need to check the rDNS
against a group of regular expressions for /every connection/ which is
extremely slow, if effective.

So, once you decide to provide rDNS across the board, and provide custom
(or "non-generic") rDNS for statically assigned addresses, please also make
sure that the naming convention you choose is consistent, friendly to
antispam systems, and indicative of the assignment type and/or technology
in use, to allow for more fine-tuned policy implementations.

Some good actors with sensible naming conventions: all their dynamic hosts are in static are in, dynamic in static are in, dynamic in or or

Many others use 'dsl' or 'adsl' or 'cable' etc. as a "subdomain", which
is helpful but often doesn't distinguish between static and dynamic at
all; others use geographic locations which don't indicate anything useful
from an antispam policy perspective. 

FWIW, 40% or more of the inbound spam mail here comes from hosts with a
generic rDNS naming convention (even after DNSBLs and other obvious
forgery checks such as hosts using my domain(s)/IP(s) in HELO/EHLO). We
simply quarantine any mail from hosts without rDNS at all, and reject
all mail from non-whitelisted generic hosts.

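The difference between right-anchored lookups and per-connection regular expressions described in the message, as an added example that is not part of the original post or the poster's configuration. All hostnames, table entries and patterns are constructed under example.* domains; the quarantine and reject actions follow the policy stated in the message, and the PTR name is assumed to have been looked up already.

```python
import re

# Constructed policy data (assumptions, not taken from the original post).
# Right-anchored entries behave like a domain key in sendmail's access.db:
# an entry covers the name itself and every host beneath it.
GENERIC_SUFFIXES = {"dyn.dsl.example.net", "dhcp.cable.example.org"}
WHITELIST = {"mail.dyn.dsl.example.net"}

# Conventions that encode the assignment type in the LEFTMOST label cannot be
# written as a suffix; each needs its own pattern, tried on every connection.
GENERIC_PATTERNS = [
    re.compile(r"^dsl-dyn-\d+-\d+-\d+-\d+\.example\.com$"),
    re.compile(r"^pool\d+-\d+-\d+-\d+\.example\.info$"),
]

def suffix_match(host, table):
    """Look up successively shorter right-hand parts of the name in a set.

    Matching is on whole labels, so 'xdyn.dsl.example.net' does not hit
    the 'dyn.dsl.example.net' entry.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None

def classify(rdns):
    """Return (action, reason) for a connecting host's PTR name (None if absent)."""
    if not rdns:
        return ("quarantine", "no rDNS")
    host = rdns.lower().rstrip(".")
    if host in WHITELIST:
        return ("accept", "whitelisted")
    hit = suffix_match(host, GENERIC_SUFFIXES)
    if hit:
        return ("reject", "suffix:" + hit)
    if any(p.match(host) for p in GENERIC_PATTERNS):
        return ("reject", "regex")
    return ("accept", "not generic")
```

The suffix path costs at most one set lookup per label regardless of how many providers are listed, while the regex path grows with every naming convention that has to be added.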