How can I disable the reverse DNS lookup security check in Hestia/Exim?

Since we have SPF, DKIM, and DMARC to verify e-mails, is there a way to disable the reverse DNS (rDNS) lookup security check on Hestia/EXIM?

I have a related post, but this one is more specific to Exim.

Why should you want to disable it? Reverse DNS is a must have for email communication.

Hi Raphael,

In this topic: Office 365 - Set up or fix your domain's PTR record, I’ve outlined the issues I’m facing with reverse DNS lookup. Additionally, through my research, I discovered that the reverse DNS lookup security check is outdated, especially considering the more modern and effective email verification mechanisms available today.

If you need to perform any checks, I can provide you with the actual domains I’m using.

Please provide your search results, where the rdns check is outdated. As far as I know, it's still a common and needed check.

As far as I know, there is no RFC that requires a mail server to have a PTR record for the sending IP. However, in the real world, if you don’t have one, there’s a high chance your messages will be rejected or marked as spam.

Just an example in Google’s email sender guidelines:

IP addresses

Important: The sending IP address must match the IP address of the hostname specified in the Pointer (PTR) record.

The public IP address of a sending SMTP server must have a corresponding PTR record that resolves to a hostname. This is called a reverse DNS lookup. The same hostname must also have an A (for IPv4) or AAAA (for IPv6) record that resolves to the same public IP address used by the sending server. This is called a forward DNS lookup.

Set up valid reverse DNS records of your sending server IP addresses that point to your domain. Check for a PTR record with the Google Admin Toolbox Dig tool.

More info:

If there is a way in Exim to remove just the PTR check, I don’t know how to do that, but you could:

1.- If you have a list of domains that you want to allow, you can create the accept senders directive in ACL acl_check_rcpt:

accept senders = *@example.net : *@example.com : *@whatever.example.org

In context:

  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  accept senders = *@example.net : *@example.com : *@whatever.example.org

  require verify        = sender

  accept  hosts         = +relay_from_hosts
          control       = submission

2.- I don’t recommend this but you could try to comment out the directive require verify = sender in the same ACL acl_check_rcpt:

  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

 #  require verify        = sender

  accept  hosts         = +relay_from_hosts
          control       = submission

If you have made changes to /etc/exim4/exim4.conf.template configuration file, remember to restart Exim:

systemctl restart exim4
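The forward-confirmed reverse DNS requirement quoted above from Google's guidelines, written out as a check; this is an added illustration, not code from this thread, from Hestia or from Exim. It resolves the PTR for a sending IP, then confirms that the named host resolves (A or AAAA) back to that same IP. The lookup callables are injectable; the sample records are constructed, and the socket-based helpers are my assumption about how to run it against live DNS.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Lookups are injected: constructed records below, socket helpers for live DNS.
PtrLookup = Callable[[str], Optional[str]]
AddrLookup = Callable[[str], Iterable[str]]


def forward_confirmed_rdns(ip: str, ptr: PtrLookup, addrs: AddrLookup) -> dict:
    """FCrDNS as described in the guidelines above: the IP needs a PTR, and the
    PTR hostname must resolve (A or AAAA) back to that very same IP."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    hostname = ptr(str(addr))
    if not hostname:
        return {"ok": False, "hostname": None, "reason": "no PTR record"}
    hostname = hostname.rstrip(".").lower()  # PTR targets are often fully qualified
    forward = {ipaddress.ip_address(a) for a in addrs(hostname)}
    if not forward:
        return {"ok": False, "hostname": hostname, "reason": "PTR hostname has no A/AAAA record"}
    if addr not in forward:
        return {"ok": False, "hostname": hostname, "reason": "forward lookup does not return the sending IP"}
    return {"ok": True, "hostname": hostname, "reason": "PTR and forward record agree"}


def live_ptr(ip: str) -> Optional[str]:
    try:  # system resolver; herror/gaierror are OSError subclasses
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_addrs(hostname: str) -> set:
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()


# Constructed sample records (not real DNS data): a correct pair, a PTR whose
# A record points elsewhere, a PTR naming a host with no address, an IP with
# no PTR at all, and an IPv6 sender confirmed through its AAAA record.
SAMPLE_PTR = {"203.0.113.10": "mail.example.net.",
              "203.0.113.20": "mail.example.org",
              "203.0.113.40": "ghost.example.net",
              "2001:db8::25": "mx.example.com"}
SAMPLE_ADDRS = {"mail.example.net": ["203.0.113.10"],
                "mail.example.org": ["198.51.100.5"],  # disagrees with the IP
                "mx.example.com": ["2001:db8::25", "203.0.113.30"]}


def check_sample(ip: str) -> dict:
    """Run the check against the constructed records, e.g. check_sample("203.0.113.20")."""
    return forward_confirmed_rdns(ip, SAMPLE_PTR.get, lambda h: SAMPLE_ADDRS.get(h, []))
```

For a live diagnosis, call forward_confirmed_rdns(ip, live_ptr, live_addrs) with your server's public IP; a failing reason pinpoints which of the two records the receiving side will object to.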

Hi Raphael,

I really appreciate your help. Unfortunately, I couldn’t locate the original source where I found that information.

Upon further research, I discovered that many email servers still use reverse DNS, even though it’s not a formal requirement.

That said, here are a few reasons why reverse DNS might be considered outdated:

  1. rDNS Doesn’t Guarantee Email Authenticity
  2. Easy to Spoof or Misconfigure
  3. No Protection Against Domain Spoofing
  4. Modern Email Authentication Standards Are More Reliable
  5. rDNS Doesn’t Validate Email Content or Intent
  6. Spam Filters Have Evolved
  7. rDNS Alone Can’t Prevent Abuse

Honestly, I’m not sure what the correct approach would be, or why Microsoft 365 is failing to validate against reverse DNS.

Thank you so much sahsanu!

I will check if “accept senders” can help on this case.

accept senders did work! Thank you!

Hi,

Your opinion based on something you read on the internet is incorrect. There are thousands of pages misleading others. Spammers post such nasty things intentionally and mislead admins, who aren't aware of many things.

The rDNS is very important to capture spammers trying to send emails from their private and dynamic IP addresses. These dynamic IP addresses cannot have any rDNS. Thus, at the time of receiving, Exim can check the rDNS and proceed with further detection and checks, if the query is positive or deny if negative.

I have been using this for a few decades now. Earlier, I used this with Qmail with Spamdyke. After changing to Vesta, I needed to change to Exim, and that remained.

If there is something not working with rDNS resolution with Microsoft 365, then you should work on that issue and get it to work rather than renouncing such an important feature.
