How does rDNS mapping confirm sender identity?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
When an email arrives, the receiving server looks up the sending IP address and asks: "What hostname does this IP claim to be?" That lookup is reverse DNS (rDNS). What comes back is a PTR record, something like mail.deepcurrent.io. But one name isn't enough. The server then does a forward lookup on that hostname to see if it resolves back to the same IP. If it does, you've got forward-confirmed reverse DNS (FCrDNS).
That two-way confirmation is the actual identity signal. The PTR says "this IP calls itself mail.deepcurrent.io." The A record says "mail.deepcurrent.io points back to this IP." Consistency between both suggests deliberate, intentional configuration. Someone who owns that IP took the time to set it up properly.
What rDNS actually proves is fairly specific. It tells you the IP owner configured a real mail server name and invested effort in the infrastructure. A random compromised machine or a botnet node almost never has clean, matching rDNS. Spammers spinning up throwaway IPs usually don't bother (or can't, because rDNS requires the IP owner to configure it at the hosting provider level).
What rDNS does NOT prove is equally worth knowing. It doesn't confirm the sender is authorized to send from the domain in the From header. That's what SPF and DKIM handle. A spoofed hostname can look legitimate at the rDNS level while failing every other authentication check. Think of rDNS as infrastructure identity, not authorization.
The red flags to watch for in real evaluation:
- No PTR record at all. A sending IP with no rDNS is a hard signal that something is misconfigured or deliberately hidden. Many receiving servers will reject or heavily penalize mail from IPs with no PTR.
- Generic or auto-generated hostnames. Something like
ip-203-0-113-5.ec2.internalorstatic.55.22.10.in-addr.arpasuggests no deliberate mail server setup. It's not necessarily spam, but it's a weaker identity signal than a purpose-named hostname. - Hostname that doesn't forward-confirm. PTR says
mail.lighthouse-post.combut the A record for that hostname points somewhere else entirely. This mismatch fails FCrDNS and is a classic spoofing pattern. - Hostname domain doesn't match the sending domain. A message from
captain@deepcurrent.ioarriving from an IP whose PTR resolves tomail.sketchy-relay.netis worth scrutinizing. It's not automatically fraudulent (shared infrastructure exists), but the mismatch warrants checking SPF and DKIM carefully.
In practice, rDNS is one signal in a stack. ISPs combine it with SPF pass or fail, DKIM signature validity, domain reputation, and historical sending behavior before making a trust decision. A clean FCrDNS alone won't save a sender with terrible engagement rates. But a missing or broken PTR can tip the scales toward rejection even when everything else is in order.
If you want to see exactly how your sending IP looks to a receiving server, the email header analyzer at RME will show you the rDNS result alongside every other authentication check in one place.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.