I'm in the middle of implementing Forward Confirmed Reverse DNS for my SMTP server. After reading around a bit, I found that it is best to do the lookup on the IP found at the other end of the SMTP connection (not in the mail header, because that IP is spoofed more easily). Once I have the hostname, I can compare it to the 'from' email domain in the header and determine if the email is valid.
However, I was thinking about it further and realized that this might not be the IP I want to do a lookup against. If the email message had to travel through several SMTP servers on the way to mine, wouldn't the IP on the other end of the SMTP connection reverse DNS back to the domain of the 'last hop' SMTP server, and not the domain of the 'from' email address?
And if the above is true, how do I know what IP is correct to do a lookup on?
Thanks, -Ben
FCrDNS confirms only that the sending server has correctly configured DNS. I.e., you get an incoming connection from 1.2.3.4, you look up 1.2.3.4 to get whatever.example.com, then you look up whatever.example.com. If that results in 1.2.3.4, then the test passes.
You don't want to do this check against the domain name that's actually inside the mail header. If a server hosts email for a hundred domains, then your described technique will fail at least 99 of them because the reverse check can only ever return one host name. You can't assume that legit mail for example.com will only ever come from a server hosted on an example.com domain name.
What you probably want to do instead of this check is to implement SPF.

Edit: You can do a proper FCrDNS check in addition to SPF, but I find that it's more trouble than it's worth, as there are tons of misconfigured servers out there. You'll likely spend much of your time tracking down false positives.
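The FCrDNS procedure described in the answer (peer IP, then PTR, then forward-resolve the PTR name and confirm the peer IP is in the answers), as an added example that is not code from the original post or from either poster. It uses a constructed in-memory DNS table so it runs offline; every hostname and address in it is invented, and the second function reproduces the questioner's "compare against the From: domain" idea only to show why it misfires for a server that hosts mail for several domains.

```python
"""Forward Confirmed Reverse DNS (FCrDNS) for an SMTP peer address.

Added example, not part of the original thread. The DNS data is a
constructed table standing in for real PTR and A/AAAA lookups.
"""
from __future__ import annotations

import ipaddress
from typing import Callable

# Constructed DNS data (assumption: these zones exist only for this example).
PTR_TABLE: dict[str, list[str]] = {
    "192.0.2.10": ["mail.example.net"],                # correctly configured
    "192.0.2.11": ["smtp.example.org"],                # PTR name resolves elsewhere
    "192.0.2.12": [],                                  # no PTR record at all
    "192.0.2.13": ["a.example.com", "b.example.com"],  # several PTRs, one confirms
    "2001:db8::25": ["mx.example.net"],
}
FORWARD_TABLE: dict[str, list[str]] = {
    "mail.example.net": ["192.0.2.10", "2001:db8::25"],
    "smtp.example.org": ["198.51.100.5"],
    "a.example.com": ["203.0.113.1"],
    "b.example.com": ["192.0.2.13"],
    "mx.example.net": ["2001:db8::25"],
}


def table_ptr(ip: str) -> list[str]:
    """Stand-in for a PTR query against in-addr.arpa / ip6.arpa."""
    return PTR_TABLE.get(ip, [])


def table_forward(name: str) -> list[str]:
    """Stand-in for A/AAAA queries against the forward zone."""
    return FORWARD_TABLE.get(name, [])


def fcrdns(
    peer_ip: str,
    ptr_lookup: Callable[[str], list[str]] = table_ptr,
    forward_lookup: Callable[[str], list[str]] = table_forward,
) -> tuple[bool, list[str]]:
    """Return (passed, confirmed_names).

    peer_ip must be the TCP peer of the SMTP session, never an address
    pulled from Received: or From: headers. The check passes only if at
    least one PTR name resolves forward to that same address.
    """
    addr = ipaddress.ip_address(peer_ip)
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them
    # so the PTR lookup and the forward comparison use the IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    confirmed: list[str] = []
    for name in ptr_lookup(str(addr)):
        name = name.rstrip(".").lower()
        try:
            forward = {ipaddress.ip_address(a) for a in forward_lookup(name)}
        except ValueError:
            continue  # garbage in the forward answer counts as no confirmation
        if addr in forward:
            confirmed.append(name)
    return bool(confirmed), confirmed


def naive_from_domain_check(peer_ip: str, from_address: str) -> bool:
    """The check the question proposes: require the confirmed reverse name to
    sit under the From: domain. Included only to show the false negative
    described in the answer; assumes from_address is a bare user@domain."""
    passed, names = fcrdns(peer_ip)
    if not passed:
        return False
    domain = from_address.rsplit("@", 1)[-1].lower()
    return any(n == domain or n.endswith("." + domain) for n in names)


if __name__ == "__main__":
    for ip in PTR_TABLE:
        print(ip, fcrdns(ip))
    # mail.example.net also hosts example.com, so this legitimate message fails
    print("bob@example.com via 192.0.2.10:", naive_from_domain_check("192.0.2.10", "bob@example.com"))
```

In production, replace the two table functions with real lookups; with dnspython that is `dns.resolver.resolve(dns.reversename.from_address(ip), "PTR")` for the reverse step and `resolve(name, "A")` / `resolve(name, "AAAA")` for the forward step, with timeouts and NXDOMAIN handled as "no confirmation" rather than as an exception that drops the session.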