Mail PTR Records

Matt Kettler mkettler at evi-inc.com
Mon Mar 3 22:01:14 GMT 2008


Peter Farrow wrote:
> Matt Kettler wrote:
>> mikea wrote:
>>> On Mon, Mar 03, 2008 at 01:15:21PM -0600, Nathan Olson wrote:
>>>> It's not RFC-compliant.
>>>
>>> As has been mentioned elsethread, a number of techniques which are 
>>> increasingly necessary for survival are not RFC-compliant.
>>> Many RFCs were written when the Internet was kinder, gentler, and MUCH
>>> less dangerous than it is now. They have not changed, though the 'Net
>>> certainly has. Blind adherence to them in the face of evidence that 
>>> that adherence opens windows of vulnerability is not necessarily good
>>> or wise.
>>
>> Well, that alone isn't a good reason to blindly toss RFC's aside. Some 
>> requirements of the RFCs are there for damn good reasons.
>>
>> However, in this case I suspect the activity isn't even a violation of 
>> an RFC, and not having a PTR record clearly violates their 
>> recommendations (albeit not their requirements).
>>
>> In general, it's really easy to claim something isn't compliant with 
>> the RFCs without any evidence to support it. We should all take such 
>> suggestions (including those generated by me) as unsubstantiated 
>> opinions until proven otherwise.
>>
> http://tools.ietf.org/html/rfc1912
> 
> It's an RFC to have a matching forward and reverse DNS lookup, so not 
> having one or a mismatched one is a violation of RFC1912

Note: it's against RFC 1912's recommendations. That RFC, as quoted below, 
doesn't require you to have PTR records. 1912 is an informational RFC, so it's 
not possible to violate it. It doesn't define any standards, so there are no 
standards in it to be broken.

However, it is the best argument that blocking based on lack of PTR is 
legitimate. It certainly takes a lot of wind out of the sails of anyone claiming 
such activity is non-compliant without being able to point to where an RFC 
prohibits it.

I reference the very same RFC in Message-ID: <47CC577D.7000207 at evi-inc.com>. 
Please read that post as well (it's really easy to reply to one post in a thread 
without reading the whole thread).



> 
> To quote, verbatim,
> 
> "Every Internet-reachable host should have a name. The consequences of 
> this are becoming more and more obvious. Many services available on the 
> Internet will not talk to you if you aren't correctly registered in the 
> DNS. Make sure your PTR and A records match. For every IP address, there 
> should be a matching PTR record in the in-addr.arpa domain."
> 
> So you can legitimately bounce the email if the sending host has bad 
> forward/reverse DNS...

Agreed, this would imply that.
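The check the RFC 1912 text describes, and which the "bad forward/reverse DNS" bounce relies on, is forward-confirmed reverse DNS: look up the PTR for the connecting address, then look up the A records for the name it returns, and require the original address to be among them. The Python below is an added illustration, not code from this thread or from MailScanner; the resolver callbacks, the no_ptr/mismatch/match labels and the 192.0.2.x sample records are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

def reverse_name(ip: str) -> str:
    """Name queried for the PTR record, e.g. "192.0.2.10" -> "10.2.0.192.in-addr.arpa"."""
    return ipaddress.ip_address(ip).reverse_pointer

def fcrdns_check(ip: str, ptr_lookup: Callable[[str], Optional[str]],
                 a_lookup: Callable[[str], List[str]]) -> str:
    """Classify a connecting IP the way an MTA policy might (labels are constructed here):
    'no_ptr'   - nothing under in-addr.arpa for this address
    'mismatch' - a PTR exists, but that name's A records do not include the IP
    'match'    - PTR and A records agree (forward-confirmed reverse DNS)
    """
    name = ptr_lookup(ip)
    if not name:
        return "no_ptr"
    return "match" if ip in a_lookup(name) else "mismatch"

# Live resolvers using only the standard library (these need network access).
def system_ptr_lookup(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_a_lookup(name: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

# Constructed sample records (documentation addresses, not real hosts) for offline use.
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "mail.example.net",  # PTR and A agree
    "192.0.2.20": "mx.example.org",    # PTR names a host whose A record points elsewhere
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "mx.example.org": ["192.0.2.99"],
}

def demo() -> Dict[str, str]:
    """Run the check over three constructed cases: match, mismatch, and no PTR at all."""
    return {ip: fcrdns_check(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, []))
            for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30")}
```

Swap the sample lookups for system_ptr_lookup and system_a_lookup to run the same check against real DNS.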



More information about the MailScanner mailing list