spamassassin rdns reversedns

Question

Spamassasin gives the following flag on my emails:

*

0.8 RDNS_NONE Delivered to internal network by a host with no rDNS

"This test checks to see if there is a reverse DNS entry for the last untrusted relay. Note that this may be done by interpreting information in the relevant Received header - if reverse DNS checks are not performed by the first trusted relay, or if they are not recorded in the Received header, this test will be triggered (regardless of the actual rDNS status)."

*

The only ip I can see on my emails are 94.143.11.2 -> which you can reverse dns to trophymanager.com. Google and hotmail have no problems with this - but Spamassassin gives it a flag - what am I missing here?

Answer 1

not sure about spamassassin, but many mail filters / MTAs (postfix for example) only accept the rDNS entry if it's Forward-confirmed. In your case, the forward confirmation does not work:

dig -x 94.143.11.2 +short
man01.trophymanager.com.

but man01.trophymanager.com does not have an A record.

Create an DNS record :

man01.trophymanager.com A 94.143.11.2

and Spamassassin probably won't complain anymore.

Answer 2

If your hosting account comes with an IP address, you might be able to change this within the dashboard of your hosting account, or open a ticket with your host if you're not sure.

That solved my "SMTP Reverse DNS Mismatch" error on https://mxtoolbox.com

However, mxtoolbox.com still complains "Reverse DNS is not a valid Hostname" the explanation from them is:

Your Reverse DNS Record (PTR) is not a valid host name. According to email sending best practices, a PTR Record should be a valid host name. If the PTR Record is not a valid hostname, there is a likelihood that you will experience email delivery issues with anti-spam services.

I looked up my registrar -- Namecheap says:

A PTR (pointer) record maps an IP address to the domain name. It’s often called a "reverse DNS entry" because it converts an IP address to a name.

PTR records are mostly used as a security and anti-spam measure, to verify that a mail server address is allowed to send an email to a particular hostname. The reverse DNS entry checks if a server name is indeed associated with an IP address from where the connection was initiated.

In order to set up a reverse DNS entry that will connect an IP address to your domain (e.g., 127.0.0.1 should be mapped to yourdomain.com), you will need to contact your IP address provider to create a PTR record for the IP address.

It's possible I just need to wait a day, because when I updated the reverse DNS with my host there was a message saying "please wait 6-12 hours." If I remember, I'll come back and write an update.

Answer 3

The OP asks about this issue, but the other answers don't address that:

-0.8 RDNS_NONE Delivered to internal network by a host with no rDNS

This is caused by reverse lookups of 127.0.0.1 returning localhost, commonly caused by redirecting mail in-and-out-of localhost for spam/virus filtering (like through amavis). It will create headers like this with rDNS showing incorrectly for as localhost for 127.0.0.1:

Received: from smtp.example.com (**localhost** [127.0.0.1])
    by smtp.example.com (Postfix) with ESMTPA id A5F13FEF
    for <example@example.com>; Wed, 26 May 2021 17:07:02 -0700 (PDT)

Note that I added *'s around **localhost** above to highlight the issue. By updating /etc/hosts file and placing your hostname before the word localhost it will be be placed correctly in your logs:

So you want this:

~]$ cat /etc/hosts
127.0.0.1   smtp.example.com localhost localhost.localdomain 
::1         smtp.example.com localhost localhost.localdomain

not this:

~]$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain smtp.example.com
::1         localhost localhost.localdomain smtp.example.com

and definitely not this:

~]$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain

... or you can configure rDNS for 127.0.0.1 but that seems silly...just what hostname should a centralized rDNS server with? Indeed, it can't ;)