1

I've got hMailServer set up on my server, which bulks-mails a newsletter to an opt-in subscriber base. I have set up DKIM signing, a SPF record explicitly giving my server permission to send email on behalf of my domain, and even a reverse DNS record. My senderscore.org rating is 97. And my mail is delivered happily to all my subscribers, except for the ones with Yahoo or Rocketmail addresses. Every email I send to these addresses gets rejected with the following message:

Remote server replied: 421 4.7.0 [TSS04] Messages from 23.102.x.x temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html

This message is 100% false and misleading. Nobody has complained about mails from this server, because for the past week I have stopped sending to any Yahoo/Rocketmail addresses. And there's nothing temporary about it: this situation has been the same for about two weeks now. Every day or two I send a single probe mail to see if they've removed my server from their blacklist, but alas! Same bounce message. And there is literally nobody to talk to at Yahoo; they don't have any kind of customer service, let alone tech support.

So I figured I'd sign up for DMARC notifications, to see what Yahoo is getting upset about. Here's my most recent report:

<?xml version="1.0"?>    
<feedback>    
  <report_metadata>    
    <org_name>Yahoo! Inc.</org_name>    
    <email>postmaster@dmarc.yahoo.com</email>    
    <report_id>1562461153.62437</report_id>    
    <date_range>    
      <begin>1562371200</begin>    
      <end>1562457599</end>    
    </date_range>    
  </report_metadata>    
  <policy_published>    
    <domain>mydomain.com</domain>    
    <adkim>r</adkim>    
    <aspf>r</aspf>    
    <p>none</p>    
    <pct>100</pct>    
  </policy_published>    
  <record>    
    <row>    
      <source_ip>197.96.187.217</source_ip>    
      <count>1</count>    
      <policy_evaluated>    
        <disposition>none</disposition>    
        <dkim>pass</dkim>    
        <spf>fail</spf>    
      </policy_evaluated>    
    </row>    
    <identifiers>    
      <header_from>mydomain.com</header_from>    
    </identifiers>    
    <auth_results>    
      <dkim>    
        <domain>mydomain.com</domain>    
        <result>pass</result>    
      </dkim>    
      <spf>    
        <domain>mydomain.com</domain>    
        <result>softfail</result>    
      </spf>    
    </auth_results>    
  </record>    
  <record>    
    <row>    
      <source_ip>197.97.112.17</source_ip>    
      <count>1</count>    
      <policy_evaluated>    
        <disposition>none</disposition>    
        <dkim>pass</dkim>    
        <spf>fail</spf>    
      </policy_evaluated>    
    </row>    
    <identifiers>    
      <header_from>mydomain.com</header_from>    
    </identifiers>    
    <auth_results>    
      <dkim>    
        <domain>mydomain.com</domain>    
        <result>pass</result>    
      </dkim>    
      <spf>    
        <domain>mydomain.com</domain>    
        <result>softfail</result>    
      </spf>    
    </auth_results>    
  </record>    
  <record>    
    <row>    
      <source_ip>209.85.208.178</source_ip>    
      <count>1</count>    
      <policy_evaluated>    
        <disposition>none</disposition>    
        <dkim>pass</dkim>    
        <spf>fail</spf>    
      </policy_evaluated>    
    </row>    
    <identifiers>    
      <header_from>mydomain.com</header_from>    
    </identifiers>    
    <auth_results>    
      <dkim>    
        <domain>mydomain.com</domain>    
        <result>pass</result>    
      </dkim>    
      <spf>    
        <domain>gmail.com</domain>    
        <result>pass</result>    
      </spf>    
    </auth_results>    
  </record>    
  <record>    
    <row>    
      <source_ip>209.85.208.41</source_ip>    
      <count>1</count>    
      <policy_evaluated>    
        <disposition>none</disposition>    
        <dkim>pass</dkim>    
        <spf>fail</spf>    
      </policy_evaluated>    
    </row>    
    <identifiers>    
      <header_from>mydomain.com</header_from>    
    </identifiers>    
    <auth_results>    
      <dkim>    
        <domain>mydomain.com</domain>    
        <result>pass</result>    
      </dkim>    
      <spf>    
        <domain>gmail.com</domain>    
        <result>pass</result>    
      </spf>    
    </auth_results>    
  </record>    
  <record>    
    <row>    
      <source_ip>209.85.208.43</source_ip>    
      <count>1</count>    
      <policy_evaluated>    
        <disposition>none</disposition>    
        <dkim>pass</dkim>    
        <spf>fail</spf>    
      </policy_evaluated>    
    </row>    
    <identifiers>    
      <header_from>mydomain.com</header_from>    
    </identifiers>    
    <auth_results>    
      <dkim>    
        <domain>mydomain.com</domain>    
        <result>pass</result>    
      </dkim>    
      <spf>    
        <domain>gmail.com</domain>    
        <result>pass</result>    
      </spf>    
    </auth_results>    
  </record>    
  <record>    
    <row>    
      <source_ip>209.85.208.47</source_ip>    
      <count>4</count>    
      <policy_evaluated>    
        <disposition>none</disposition>    
        <dkim>pass</dkim>    
        <spf>fail</spf>    
      </policy_evaluated>    
    </row>    
    <identifiers>    
      <header_from>mydomain.com</header_from>    
    </identifiers>    
    <auth_results>    
      <dkim>    
        <domain>mydomain.com</domain>    
        <result>pass</result>    
      </dkim>    
      <spf>    
        <domain>gmail.com</domain>    
        <result>pass</result>    
      </spf>    
    </auth_results>    
  </record>    
  <record>    
    <row>    
      <source_ip>209.85.208.49</source_ip>    
      <count>1</count>    
      <policy_evaluated>    
        <disposition>none</disposition>    
        <dkim>pass</dkim>    
        <spf>fail</spf>    
      </policy_evaluated>    
    </row>    
    <identifiers>    
      <header_from>mydomain.com</header_from>    
    </identifiers>    
    <auth_results>    
      <dkim>    
        <domain>mydomain.com</domain>    
        <result>pass</result>    
      </dkim>    
      <spf>    
        <domain>gmail.com</domain>    
        <result>pass</result>    
      </spf>    
    </auth_results>    
  </record>    
  <record>    
    <row>    
      <source_ip>209.85.208.53</source_ip>    
      <count>2</count>    
      <policy_evaluated>    
        <disposition>none</disposition>    
        <dkim>pass</dkim>    
        <spf>fail</spf>    
      </policy_evaluated>    
    </row>    
    <identifiers>    
      <header_from>mydomain.com</header_from>    
    </identifiers>    
    <auth_results>    
      <dkim>    
        <domain>mydomain.com</domain>    
        <result>pass</result>    
      </dkim>    
      <spf>    
        <domain>gmail.com</domain>    
        <result>pass</result>    
      </spf>    
    </auth_results>    
  </record>    
  <record>    
    <row>    
      <source_ip>209.85.208.54</source_ip>    
      <count>1</count>    
      <policy_evaluated>    
        <disposition>none</disposition>    
        <dkim>pass</dkim>    
        <spf>fail</spf>    
      </policy_evaluated>    
    </row>    
    <identifiers>    
      <header_from>mydomain.com</header_from>    
    </identifiers>    
    <auth_results>    
      <dkim>    
        <domain>mydomain.com</domain>    
        <result>pass</result>    
      </dkim>    
      <spf>    
        <domain>gmail.com</domain>    
        <result>pass</result>    
      </spf>    
    </auth_results>    
  </record>    
  <record>    
    <row>    
      <source_ip>209.85.215.171</source_ip>    
      <count>1</count>    
      <policy_evaluated>    
        <disposition>none</disposition>    
        <dkim>pass</dkim>    
        <spf>fail</spf>    
      </policy_evaluated>    
    </row>    
    <identifiers>    
      <header_from>mydomain.com</header_from>    
    </identifiers>    
    <auth_results>    
      <dkim>    
        <domain>mydomain.com</domain>    
        <result>pass</result>    
      </dkim>    
      <spf>    
        <domain>gmail.com</domain>    
        <result>pass</result>    
      </spf>    
    </auth_results>    
  </record>    
  <record>    
    <row>    
      <source_ip>54.202.181.118</source_ip>    
      <count>1</count>    
      <policy_evaluated>    
        <disposition>none</disposition>    
        <dkim>pass</dkim>    
        <spf>fail</spf>    
      </policy_evaluated>    
    </row>    
    <identifiers>    
      <header_from>mydomain.com</header_from>    
    </identifiers>    
    <auth_results>    
      <dkim>    
        <domain>mydomain.com</domain>    
        <result>pass</result>    
      </dkim>    
      <spf>    
        <domain>mydomain.com</domain>    
        <result>softfail</result>    
      </spf>    
    </auth_results>    
  </record>    
  <record>    
    <row>    
      <source_ip>62.4.22.164</source_ip>    
      <count>1</count>    
      <policy_evaluated>    
        <disposition>none</disposition>    
        <dkim>pass</dkim>    
        <spf>fail</spf>    
      </policy_evaluated>    
    </row>    
    <identifiers>    
      <header_from>mydomain.com</header_from>    
    </identifiers>    
    <auth_results>    
      <dkim>    
        <domain>mydomain.com</domain>    
        <result>pass</result>    
      </dkim>    
      <spf>    
        <domain>mydomain.com</domain>    
        <result>softfail</result>    
      </spf>    
    </auth_results>    
  </record>    
</feedback>

The first thing I will draw your attention to is that there is no mention at all of my server's IP (23.102.x.x). I have no idea what these other servers (e.g. 197.97.112.17) are, or why they would be causing my server to be blacklisted. What is the meaning of this report? How can I get Yahoo to stop bouncing my mails?

UPDATE: fortunately, some teeny tiny little domain somewhere sent back a rejection message, telling me that I don't have a reverse DNS record. And there I thought I did! Turns out I followed the wrong advice from an Azure support agent, who told me to set up my own DNS zone for x.102.23.in-addr.arpa, and then to add a record there for the last quartet representing my server's IP address. In hindsight, I realized that obviously that doesn't make sense, because then I would effectively be controlling the PTR records for 255 other possible servers. So I reopened my support ticket with Azure, asking them to set up the PTR record. If that works, I'll post this as an answer.

UPDATE 2: I got support from Azure, and they helped me set up the reverse DNS record. So now when I run the following from a Linux prompt, I get the result as expected:

$ host 23.102.x.x

x.x.102.23.in-addr.arpa domain name pointer mail.mydomain.com

Unfortunately, Yahoo is still rejecting mails from my server. I have signed up for their feedback loop, and not received a single mail from them. But all my mails to yahoo address still bounce back with the same false and misleading error message. Is there anything else to be done?

Community
  • 1
Shaul Behr
  • 243
  • 1
  • 5
  • 13
  • What are your actual IP address, domain, SPF & DMARC records? – sebix Jul 07 '19 at 17:35
  • 1
    You'll have to wait for the (negative) DNS TTL to expire before your changed DNS records are available everywhere. – Michael Hampton Jul 25 '19 at 07:08
  • @MichaelHampton is that TTL a global standard, or does it depend on the recipient? Any idea how long that TTL is? – Shaul Behr Jul 25 '19 at 09:11
  • It's defined in your SOA record. Since you didn't specify what your domain is, you'll have to look up your own SOA record. – Michael Hampton Jul 25 '19 at 16:57
  • 1
    @MichaelHampton The TTL of my SOA record is 3600. Refresh = 3600, Retry = 300, Expire = 2419200. So by now, they really should have refreshed...but apparently they haven't. At this writing, yahoo is *still* rejecting my mails. – Shaul Behr Jul 26 '19 at 09:16

2 Answers2

2

It is not unusual to find a number of freemail providers in your DMARC report.

For example, people receiving mail from you at their google address may choose to forward your mail to yahoo, leading yahoo to report those receipts back to you. The report actually includes a clue - saying SPF check passed for gmail.com. If the report did not include that information, you could still guess based on the whois information for the IP address - it is allocated to Google.

The "Nobody has complained" part makes me suspect that you have not setup a feedback loop with yahoo - they will only tell you about complaints after you sign your mail and explicitly opt in. You would know this if you had fully read the help pages referred to in the error message, so chances are Yahoo is deferring your message based on some other item in their "best practices" list. So this is your best bet at resolving the problem - verifying you have understood & implemented every single item on that list.

anx
  • 8,963
  • 5
  • 24
  • 48
  • You were right; I had done everything on their "best practices" list, other than signing up for the feedback loop. So I signed up for the feedback loop, and I have not heard from them since. But they are *still* blocking mails from my server. :-( Any other ideas? – Shaul Behr Jul 18 '19 at 09:51
  • Please see updates to my question – Shaul Behr Jul 25 '19 at 06:39
1

So, the happy ending to my story is that a couple weeks after setting up my reverse PTR record correctly (with help from Azure support), Yahoo started getting the message. It wasn't instantaneous, mind you; it started with a handful of subscribers reporting that their email service had resumed. But still, the bulk of mails were rejected. Then slowly, slowly, the percentage of successful deliveries increased, until after a transition period of about two days, the bounces stopped altogether.

In summary, the answer was to set up the reverse DNS record...and wait.

Shaul Behr
  • 243
  • 1
  • 5
  • 13