8

I am using AWS SES to send out emails automatically through my application. I have configured the Identity management as following:

enter image description here

DKIM is setup correctly. I have no issues sending emails from my domain except for GMX and WEB.de emails where I receive the following error:

Action: failed
Final-Recipient: rfc822; xyz@web.de
(mxweb111) Nemesis ESMTP Service not available
554-No SMTP service
554-Reject due to policy restrictions

Looking at further documentation, it seems that emails coming from my domain are classified as Spam by their servers.

I have done research and found that I might need to configure Reverse-DNS but as it looks like, AWS SES does not support this?

What else can I do to make my emails get through WEB.de and GMX servers? Thank you.

DonMB
  • 2,550
  • 3
  • 28
  • 59
  • just wanted to let you know that we are currently looking into this because we have the same issue – Thomas Einwaller Nov 24 '20 at 14:08
  • @ThomasEinwaller any progress? I am still facing this issue. – DonMB Dec 08 '20 at 08:29
  • I don't think that rDNS is supported in AWS SES, even for [dedicated IP addresses](https://forums.aws.amazon.com/thread.jspa?threadID=283283), leaving one option: [Use your own IP address(es)](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/dedicated-ip-byo.html) and configure DNS as you please. – Tasos P. Dec 08 '20 at 08:40
  • This looks like overhead to me for a simple problem. I remember using SES in other projects and it was just working fine (without additional configuration). Maybe some little tweak I oversee here? – DonMB Dec 08 '20 at 11:20
  • I opened a support case with AWS and got extensive feedback, but I was not able to solve the problem by fixing the TXT/SPF entries and adding a custom MAIL FROM I also tried to contact info@web.de but did not get an answer – Thomas Einwaller Dec 09 '20 at 12:03
  • Currently also dealing with AWS support. So far no helpful answer. Contacting gmx/web is probably leading to nothing. – DonMB Dec 09 '20 at 13:41
  • 2
    I’m voting to close this question because Stack Overflow is for _programming_ questions. Email deliverability problems in general and subverting a recipient's policies in particular are off-topic here, and often dubious. See further https://meta.stackoverflow.com/questions/302903/off-topic-my-email-isnt-spam – tripleee Jan 12 '21 at 11:17
  • There is another solution to the problem. I'm having the exact same issue at the moment. The AWS-business support told me that they are working on it to solve it asap. For the meantime you could create another SES account in a different region and just swap your credentials. After the issue has been solved, you can go back to your previous SES account. (That's what the support recommended). So you are kind of using a backup SES account because different regions use different ip-addresses. – NKol Jan 30 '21 at 19:31

2 Answers2

8

I was in deep conversations with AWS SES support regarding this issue. This is the outcome:

I also would like to update you that SES internal team were able to confirm a deliverability issue with the recipient ISP and are actively working towards a resolution but we do not have an exact ETA at this time. Due to the nature of the shared IP pool, these types of blocks can happen periodically and we make every effort to resolve these issues as fast as possible. To prevent impact from these types of issues, it is always recommended to use dedicated ips for higher volume sending.

It means that the shared IP addresses used by AWS SES are blacklisted with GMX and WEB.de AWS SES wants to resolve this.

In the meantime, they recommend to use dedicated IP addresses to solve this issue. Please note that these IP addresses have to be "warmed up" in order to not cause trouble on the recipient end (e.g. spam folder issues). Unfortunately, my sending volume is not that high (yet) so I have my fingers crossed I can get those emails send out easily. Otherwise I have to find another solution or need to wait for AWS so solve the blacklist issue. I hope this helps anyone else.

Edit January 2021

I was able to send to GMX/WEB.de although my IP was only starting to warm up. Now after one month I am nearly at 100% with not many emails per day sendout volume.

DonMB
  • 2,550
  • 3
  • 28
  • 59
2

Several e-mail services operated by United Internet (at least GMX, Web.de) seem to have blocked Amazon SES IPs. Validity of DKIM, SPF, DMARC does not seem to have any impact on the block. I'm seeing these rejections in my logfiles as far back as 2020-10-05.

The alternative of using a the dedicated IP address has its own challenges. Managing and warming up new IP addresses for delivery can be very painful (e.g., Outlook.com was known to accept and then silently discard e-mails after IP changes).

I would suggest to write to mailsecurity@info.gmx.net or use their contact form https://postmaster.gmx.net/en/contact. I've received a response from them, although they didn't seem to fully grasp the issue. Maybe more contacts will help them see the importance of addressing this. Until then I am informing my users per banner of the issue (and recommending alternative e-mail services).

Amazon support has not been helpful for me. I've received one first-level response which indicated the responder had not understood the issue at all, but promised to forward it to SES support. Since then I haven't heard anything for a week.

Edit: since 2021-03-24, there are no more 554-Reject due to policy restrictions failures in my logs. Seems that either GMX or Amazon have done something to address this problem.

Andreas
  • 46
  • 3