How FCrDNS affects email deliverability & security

Forward Confirmed Reverse DNS (FCrDNS) is a technical DNS configuration that shows the relationship between an IP address and a hostname.

FCrDNS allows you to prove that your IP address is using a sending domain that you own; this allows a form of authentication that some mailbox providers use in their spam filter methodology and if set up correctly will help the deliverability and security of your email. 

Improving security

The objective of FCrDNS is to reduce the amount of incoming spam that is processed by a mail server. This check happens as soon as a connection is made to your SMTP server before any other header information is received. As a result, the SMTP server can reject mail early on and not waste processing time or resources.

Misconceptions regarding where should FCrDNS be setup

When setting up FCrDNS on an IP address that is sending out mail, it is best practice to set up the hostname with an A record in your DNS. When an IP address is set up this way, the IP has a reverse DNS resolution of a single hostname. The hostname reversed points back to the IP address. That IP now uses the same hostname to introduce itself during SMTP transactions.

Not every hostname needs to be set up with A/AAAA records; a single hostname can point to multiple IP addresses. Vice versa, a single IP can also point to a different hostname or to nothing at all. 

The above example shows an IP being pointed to multiple PTR records, a setup we do not recommend because anyone verifying such an IP will need to do multiple DNS lookups for verification, requiring more computing power and time. Our recommendation is that only one IP sending mail should have FCrDNS. However, please note that this is not a definitive setup as not all outgoing mail servers have it configured.

Do all Cloud Providers support FCrDNS?

Some cloud email sending services don’t support FCrDNS. For example, Office 365 is a shared environment that provides email services and sends from a variety of different IPs. When emails are sent via Office 365 SMTP, FCrDNS can’t be implemented. However, if you have a static IP that you own to send email, FCrDNS can be configured. 

FCrDNS, SPF and DKIM and DMARC

It is important to strengthen your email authentication infrastructure by implementing SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance). These three protocols work together and have been identified as best practice to secure your email domain.

But, what does each one of these protocols do and how do they enhance FCrDNS?

  • SPF allows you to publish a list of IP addresses that are authorized to send email on your behalf 
  • DKIM is a digital signature that travels with your emails, which is then validated by the receiving server as your legitimate signature
  • DMARC uses the results of SPF and DKIM to tell the receiving server if they should either put the email in the end user’s inbox, put it in the spam folder or reject the email

DMARC, DKIM and SPF combine to give you extra security and deliverability by:

  1. Allowing the receiving server to verify ownership, letting them reverse look up your sending IP to your domain
  2. Allowing the receiving server to validate that the sending IP is authorized
  3. Providing extra authentication via DKIM and ensuring your email keeps their authentication information even if that email is forwarded by an intermediate service like a distribution list
  4. Telling the receiving server if they should accept or reject an email based on your DMARC pass/fail results and your DMARC policy

Demystify your DMARC, DKIM, SPF, FCrDNS and TLS setup by using our free Investigate tool today!

PUBLISHED BY

Murtazah Shah

14 Jul. 2020

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Red Sift Recognized on Deloitte’s EMEA Fast 500™ List

Francesca Rünger-Field

We’re thrilled to share that Red Sift has been included in Deloitte’s 2023 EMEA Fast 500 list. This recognition stems from 389% revenue growth over three years, $54 million in Series B funding, acquiring ASM innovator Hardenize, and introducing the Red Sift Pulse Platform. Read the press release here. About the award The Deloitte Technology Fast…

Read more
Brand Protection

The vital role of cybersecurity for Nonprofits: A deep dive 

Sean Costigan

Save the Children, a beacon of hope and change, has been dedicated to improving the lives of children for over a century. Founded in London, it now has a presence in 29 nations, employing 844 staff members in the UK alone and engaging over 3600 formal volunteers. As charities and nonprofits like Save the…

Read more
News

Red Sift brings DMARC data to the SOC with new Cisco XDR…

Rebecca Warren

Today, we’re thrilled to announce that we’re extending our partnership by joining the Cisco Security Technical Alliance and integrating Red Sift OnDMARC with Cisco XDR. This integration builds on the Domain Protection partnership we announced in November 2023 to bring visibility of business email compromise into the SOC (security operations center). At release, Red…

Read more
Certificates

Preventing certificate related violations in cybersecurity frameworks:  A guide to certificate monitoring…

Rebecca Warren

TLS is one of the most widely adopted security protocols in the world allowing for unprecedented levels of commerce across the internet.  At the core of the TLS protocol is TLS certificates. Organizations must deploy TLS certificates and corresponding private keys to their systems to provide them with unique identities that can be reliably…

Read more