FCrDNS (Forward-Confirmed Reverse DNS) is one of the most commonly overlooked email deliverability requirements. Every major ISP — Gmail, Microsoft, Yahoo, and hundreds of smaller providers — uses FCrDNS as a basic spam filtering signal. A mail server without a properly configured PTR record that forward-confirms back to the same IP will see elevated spam folder placement and outright rejection from ISPs that treat missing FCrDNS as a hard requirement. For Microsoft's May 2025 bulk sender enforcement, FCrDNS became explicitly mandatory.

FCrDNS: forward-confirmed reverse DNS; the PTR must match the A record
PTR: reverse DNS record; maps an IP address back to a hostname
Yahoo: requires FCrDNS for all sending IPs; will reject without it
dig -x: command to check the PTR record for your sending IP

ISP Enforcement of PTR / FCrDNS for Inbound Email (2025)

Yahoo 95%, Comcast 82%, Microsoft 71%, Gmail 45%, iCloud 60%, Orange 88%

What FCrDNS Is and Why ISPs Care

FCrDNS consists of two DNS lookups that must agree:

  1. Reverse DNS (PTR): Looking up the hostname associated with an IP address (e.g., 203.0.113.10 → mail.yourdomain.com)
  2. Forward DNS (A/AAAA): Looking up the IP address associated with that hostname (e.g., mail.yourdomain.com → 203.0.113.10)

FCrDNS passes only if both lookups agree: the IP resolves to the hostname, and the hostname resolves back to the same IP. This bidirectional verification provides a meaningful identity signal: it demonstrates that whoever controls the sending IP also controls the DNS zone for the associated hostname. Spammers using compromised or rented servers often don't control DNS, making FCrDNS an effective filter.

How PTR Records Work

PTR records live in a special in-addr.arpa. DNS zone (for IPv4) or ip6.arpa. zone (for IPv6). The zone is controlled by whoever owns the IP address block — typically your data centre, cloud provider, or ISP — not by you as a customer.

FCrDNS verification — checking PTR and A record consistency
# Step 1: Check PTR record for sending IP 203.0.113.42
$ dig -x 203.0.113.42 +short
mail.yourcompany.com.

# Step 2: Check A record for that hostname
$ dig A mail.yourcompany.com +short
203.0.113.42

# FCrDNS PASSES: IP resolves to hostname, hostname resolves back to same IP.

# Failing example:
$ dig -x 198.51.100.7 +short
(no output)  ← no PTR record at 7.100.51.198.in-addr.arpa.
# or:
ec2-198-51-100-7.compute-1.amazonaws.com.  ← generic cloud PTR
# Yahoo will reject mail from this IP.

# The PTR record for 203.0.113.10 lives at:
10.113.0.203.in-addr.arpa. PTR mail.yourdomain.com.

# Check your current PTR record:
dig -x 203.0.113.10
# Returns: 10.113.0.203.in-addr.arpa. 300 IN PTR mail.yourdomain.com.

# Then verify the forward lookup:
dig A mail.yourdomain.com
# Must return: mail.yourdomain.com. 300 IN A 203.0.113.10

# Both must match for FCrDNS to pass
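
The two-lookup check described above, extended to IPv6 (ip6.arpa) and to IPs that carry several PTR names, as an added example that is not code from the original page. The lookup functions are injectable so the logic can be exercised offline; `fcrdns`, `check_sample`, the status strings and the sample records (documentation address ranges) are constructed for this illustration.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver (live lookup)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(host):
    """A/AAAA addresses for host from the system resolver (live lookup)."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except OSError:
        return []

def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (status, reverse_name, confirmed_host) for one sending IP."""
    addr = ipaddress.ip_address(ip)
    reverse_name = addr.reverse_pointer + "."  # owner name in in-addr.arpa / ip6.arpa
    hosts = [h.rstrip(".").lower() for h in ptr_lookup(str(addr))]
    if not hosts:
        return ("no-ptr", reverse_name, None)
    for host in hosts:  # several PTR names may exist; one that confirms is enough
        for found in forward_lookup(host):
            try:
                # Compare parsed addresses so IPv6 spelling differences don't matter.
                if ipaddress.ip_address(found.split("%")[0]) == addr:
                    return ("pass", reverse_name, host)
            except ValueError:
                continue
    return ("mismatch", reverse_name, None)

# Constructed sample records (documentation address ranges) replacing live DNS.
SAMPLE_PTR = {"203.0.113.10": ["mail.yourdomain.com."],
              "2001:db8::25": ["mail.yourdomain.com."],
              "192.0.2.8": ["old.yourdomain.com."]}
SAMPLE_FWD = {"mail.yourdomain.com": ["203.0.113.10", "2001:0db8:0:0:0:0:0:25"],
              "old.yourdomain.com": ["192.0.2.99"]}

def check_sample(ip):
    """Run fcrdns() against the constructed records instead of live DNS."""
    return fcrdns(ip, lambda i: SAMPLE_PTR.get(i, []), lambda h: SAMPLE_FWD.get(h, []))

if __name__ == "__main__":
    for ip in ("203.0.113.10", "2001:db8::25", "192.0.2.8", "198.51.100.7"):
        print(ip, check_sample(ip))
```

Calling `fcrdns("YOUR_IP")` without the lookup arguments uses the system resolver instead of the sample records.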

Setting Up PTR Records on Different Platforms

Dedicated server (data centre): Contact your data centre or hosting provider. Most provide a control panel where you can set the PTR (reverse DNS) for your IP. The process: log into your server management panel → find "Reverse DNS" or "PTR Record" settings → enter the hostname (mail.yourdomain.com) → save. Changes propagate within 1–24 hours.

AWS EC2: Elastic IP addresses support reverse DNS through the AWS Console. Navigate to EC2 → Elastic IPs → select your IP → Actions → Update Reverse DNS. You can only set the PTR to a hostname that forward-resolves to that IP.

Google Cloud (GCP): For static external IP addresses: VPC Network → External IP addresses → select IP → Edit → set DNS PTR record.

DigitalOcean: The PTR is set as the Droplet name. Rename your Droplet to the hostname you want (mail.yourdomain.com) and the PTR automatically updates. Alternatively, some DO regions allow setting PTR via the networking settings.

Azure: For public IP addresses: Public IP → Configuration → Reverse FQDN → enter hostname.

# After setting the PTR, verify both directions:
# 1. PTR lookup
dig -x YOUR_IP +short
# Should return: mail.yourdomain.com.

# 2. Forward lookup  
dig A mail.yourdomain.com +short
# Should return: YOUR_IP

# 3. FCrDNS test (online tools)
# - mxtoolbox.com/ReverseLookup.aspx
# - Check "PTR" in MXToolbox's MX Lookup output

Testing FCrDNS Configuration

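# Quick command-line test
IP="203.0.113.10"
# Take the first PTR name and strip its trailing dot
PTR_HOST=$(dig -x "$IP" +short | head -n 1 | sed 's/\.$//')

if [ -z "$PTR_HOST" ]; then
    echo "FCrDNS FAIL: $IP has no PTR record"
else
    # The hostname may return several A records; any exact match passes
    FWDIP=$(dig A "$PTR_HOST" +short)
    if printf '%s\n' "$FWDIP" | grep -Fxq "$IP"; then
        echo "FCrDNS OK: $IP → $PTR_HOST → $IP"
    else
        echo "FCrDNS FAIL: $IP → $PTR_HOST → $FWDIP (mismatch)"
    fi
fi

# Common PTR/FCrDNS rejection messages in mail logs: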
"550 PermFail - Host not found or poorly configured. PTR lookup failed"
"550 Mail not accepted from IPs without a reverse DNS record"
"550 5.7.1 [x.x.x.x] Messages with no rDNS will not be accepted"
"421 Service unavailable; Client host [x.x.x.x] has no PTR record"

# The fix sequence:
# 1. Confirm PTR is missing:
dig -x YOUR_IP
# If it returns NXDOMAIN or no answer, the PTR is missing

# 2. Set PTR with your provider (see section above)

# 3. After 1-4 hours, verify:
dig -x YOUR_IP  # Should return hostname
dig A HOSTNAME  # Should return your IP
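
An added example (not part of the original page) that counts which receiving servers are returning the rejection messages listed above, so you can see where a missing PTR is costing deliveries. It assumes Postfix-style `relay=...` / `status=...` delivery lines; the sample log lines and the name `ptr_rejections` are constructed for illustration.

```python
import re
from collections import Counter

# Phrases taken from the four rejection messages listed above.
PTR_REJECTION = re.compile(
    r"PTR lookup failed|without a reverse DNS record|no rDNS|has no PTR record",
    re.IGNORECASE)
# Assumed Postfix-style line: relay=host[ip]:port ... status=word (remote reply)
DELIVERY = re.compile(r"relay=(?P<relay>[^\[,\s]+)\[.*?status=\w+ \((?P<reply>.*)\)\s*$")
SMTP_CODE = re.compile(r"\b[45]\d\d\b")

def ptr_rejections(lines):
    """Count PTR/rDNS rejections per (receiving relay, SMTP reply code)."""
    hits = Counter()
    for line in lines:
        m = DELIVERY.search(line)
        if not m or not PTR_REJECTION.search(m["reply"]):
            continue  # delivered, or rejected for an unrelated reason
        code = SMTP_CODE.search(m["reply"])
        hits[(m["relay"], code.group() if code else "?")] += 1
    return hits

# Constructed sample log lines (documentation addresses and domains).
SAMPLE_LOG = [
    "Jan 12 10:15:01 out1 postfix/smtp[2114]: 4A1B2C: to=<a@example.net>, "
    "relay=mx.example.net[192.0.2.25]:25, dsn=5.7.1, status=bounced (host "
    "mx.example.net[192.0.2.25] said: 550 5.7.1 [203.0.113.10] Messages with "
    "no rDNS will not be accepted (in reply to MAIL FROM command))",
    "Jan 12 10:15:04 out1 postfix/smtp[2114]: 4A1B2D: to=<b@example.net>, "
    "relay=mx.example.net[192.0.2.25]:25, dsn=5.0.0, status=bounced (host "
    "mx.example.net[192.0.2.25] said: 550 Mail not accepted from IPs without "
    "a reverse DNS record (in reply to RCPT TO command))",
    "Jan 12 10:16:30 out1 postfix/smtp[2120]: 4A1B2E: to=<c@example.org>, "
    "relay=mx.example.org[198.51.100.40]:25, dsn=4.0.0, status=deferred (host "
    "mx.example.org[198.51.100.40] refused to talk to me: 421 Service "
    "unavailable; Client host [203.0.113.10] has no PTR record)",
    "Jan 12 10:17:02 out1 postfix/smtp[2121]: 4A1B2F: to=<d@example.com>, "
    "relay=mx.example.com[192.0.2.77]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Jan 12 10:18:11 out1 postfix/smtp[2122]: 4A1B30: to=<e@example.com>, "
    "relay=mx.example.com[192.0.2.77]:25, dsn=5.1.1, status=bounced (host "
    "mx.example.com[192.0.2.77] said: 550 5.1.1 User unknown)",
]

if __name__ == "__main__":
    for (relay, code), count in ptr_rejections(SAMPLE_LOG).most_common():
        print(f"{relay} {code} x{count}")
```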