Today I had a customer complain that mail they send to AOL or Yahoo
addresses was being returned with:
451 Message temporarily deferred due to unresolvable RFC.5321 from
domain; see https://postmaster.yahooinc.com/error-codes
According to that page,
"- These errors indicate that the domain used to the right of the @ in
the MAIL FROM does not appear to be a real domain.
- We determine if the domain name exists by using an SOA query;
therefore, if multiple subdomains are used in MAIL FROM commands, then
besides setting up a DNS A or MX record (perhaps using a wildcard), then
SOA records must be set up as well."
This is surprising!
Aside from anything else, it implies that SOA records can be easily
added to solve this, similar to how you add MX or A records. But that is
usually not the case: SOA records can exist only at a DNS zone
delegation boundary, not at the level of any arbitrary hostname.
I know AOL/Yahoo folks are on here. Is it intentional to be this
restrictive, effectively introducing a new DNS requirement for mail
senders? If so, this is going to be a problem for many people.
To give a concrete example of the difficulty, we host mail and DNS for
"cityname.or.us". Our system generates a DNS zone file that originally
looked like:
$ORIGIN cityname.or.us
@ SOA ns1.tigertech.net. a.tigertech.net. ( 1 2 3 4 5 )
@ MX 0 mx.tigertech.net.
@ A 192.0.2.44
@ (SPF and DKIM records omitted for brevity)
This works for mail sent from "[email protected]".
After a while, the customer decided they also wanted to send mail from
addresses like "[email protected]". So we added the "ci" host to
the existing zone file:
$ORIGIN cityname.or.us
@ SOA ns1.tigertech.net. a.tigertech.net. ( 1 2 3 4 5 )
@ MX 0 mx.tigertech.net.
@ A 192.0.2.44
@ (SPF and DKIM records omitted for brevity)
ci MX 0 mx.tigertech.net.
ci A 192.0.2.44
ci (SPF and DKIM records omitted for brevity)
This also worked fine until recently. But now, messages sent from
"[email protected]" to AOL or Yahoo get deferred, and eventually
rejected, with the error above: AOL/Yahoo wants an SOA record to exist
for "ci.cityname.or.us".
This is new behavior; our logs show the first occurrence of this error
on April 19, and the first mention of it I can find on the Internet is
Steve Atkins' Word to the Wise in June:
<https://wordtothewise.com/2023/05/unresolvable-rfc-5321-domain-at-yahoo/>.
This is not trivial to fix from a DNS standpoint. You can't just add a
second SOA record to the zone; the only solution is to split it into two
separate zones, like this:
First zone:
$ORIGIN cityname.or.us
@ SOA ns1.tigertech.net. a.tigertech.net. ( 1 2 3 4 5 )
@ MX 0 mx.tigertech.net.
@ A 192.0.2.44
@ (SPF and DKIM records omitted for brevity)
Second zone:
$ORIGIN ci.cityname.or.us
@ SOA ns1.tigertech.net. a.tigertech.net. ( 1 2 3 4 5 )
@ MX 0 mx.tigertech.net.
@ A 192.0.2.44
@ (SPF and DKIM records omitted for brevity)
However, many automatic DNS management systems will not support
splitting a "domain name" into two zones in this manner.
--
Robert L Mathews
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
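To make the difference concrete, here is an added example (my own illustration, not code from the post, from Yahoo, or from any DNS software): a minimal zone-file reader that reports which owner names carry an SOA, so a sender can see which MAIL FROM domains would pass an exact-name SOA check versus a walk-up lookup that finds the enclosing zone. The zone text is constructed from the fragments in the post, with SOA fields shortened to placeholders.

```python
# Added example (not the original post's code); zone text modelled on the post.
ONE_ZONE = """
$ORIGIN cityname.or.us.
@   SOA ns1.tigertech.net. a.tigertech.net. ( 1 2 3 4 5 )
@   A   192.0.2.44
ci  A   192.0.2.44
"""
SPLIT_PARENT = """
$ORIGIN cityname.or.us.
@   SOA ns1.tigertech.net. a.tigertech.net. ( 1 2 3 4 5 )
@   A   192.0.2.44
"""
SPLIT_CHILD = """
$ORIGIN ci.cityname.or.us.
@   SOA ns1.tigertech.net. a.tigertech.net. ( 1 2 3 4 5 )
@   A   192.0.2.44
"""

def parse_zone(text):
    """Return (owner, rtype) pairs; handles $ORIGIN, '@' and relative owners."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        owner, rtype = line.split()[:2]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner.rstrip(".").lower(), rtype.upper()))
    return records

def soa_owners(zone_texts):
    """Names that are zone apexes (carry an SOA) across the given zone files."""
    return {o for z in zone_texts for o, t in parse_zone(z) if t == "SOA"}

def passes_exact_soa_check(domain, zone_texts):
    """The check as the error page describes it: an SOA at exactly this name."""
    return domain.rstrip(".").lower() in soa_owners(zone_texts)

def enclosing_zone(domain, zone_texts):
    """Closest apex at or above the name, as a walk-up lookup would find it."""
    apexes, labels = soa_owners(zone_texts), domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in apexes:
            return ".".join(labels[i:])
    return None
```

With the single zone, "ci.cityname.or.us" fails the exact-name check even though a walk-up finds "cityname.or.us" as its zone; only the split layout gives it an SOA of its own.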