If anyone from DHL reads here you should contact your DNS admins and notify them that your DNS is quite borked due to DNSSec/NSEC3 issues.
Although dhl.com (and possibly other dhl domains) have A and MX in their zone, the NSEC3 bitmap specifies that those records do **not** exist. This makes sending and receiving mail over systems that use a dnssec aware resolver very hard

> dig dhl.com csync +dnssec
> [...]
> vmju3ruqo27fmbmpqssljed0v7p8acn7.dhl.com. 212 IN NSEC3 1 0 1 61864B3195B9DDA8 VMJU3RUQO27FMBMPQSSLJED0V7P8ACN8 NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY

This NSEC3 record states that the zone does not have any other RR type than the mentioned ones. So no MX and/or A, which makes it very hard to use dhl.com as sender domain for mail and sending the mail to a MTA which uses a dnssec aware resolver and expect the mail to be accepted :-)

We currently added NTA to our powerdns resolvers for DHL domains to allow mail from dhl.com to reach our customers. So de facto disabled DNSSec for DHL related domains. That cannot be in the interest of DHL.

It seems that not all authoritative NS for DHL are affected. So it's a bit of a lottery whether mail is accepted or not.

@DHL fix your DNS or do not use DNSSec or especially not NSEC3. Which has only a bit of a security benefit but makes debugging issues way harder.

Have a good one and happy mailing

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
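
The check described in the post, as an added example that is not part of the original message: it parses the quoted NSEC3 line, recomputes the RFC 5155 hash to see whether the record's owner is the hash of the queried name (so the bitmap applies to that name), and lists which wanted types the bitmap denies. The function names are this example's own.

```python
import base64
import hashlib

# NSEC3 line as quoted in the post (dig dhl.com csync +dnssec)
SAMPLE = ("vmju3ruqo27fmbmpqssljed0v7p8acn7.dhl.com. 212 IN NSEC3 1 0 1 "
          "61864B3195B9DDA8 VMJU3RUQO27FMBMPQSSLJED0V7P8ACN8 "
          "NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY")

# Standard base32 alphabet -> base32hex alphabet (RFC 4648), as NSEC3 uses
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def parse_nsec3(line):
    """Split a presentation-format NSEC3 RR (with TTL and class) into fields."""
    f = line.split()
    if len(f) < 9 or f[3].upper() != "NSEC3":
        raise ValueError("not an NSEC3 record")
    return {"owner": f[0].lower(), "hash_alg": int(f[4]), "flags": int(f[5]),
            "iterations": int(f[6]), "salt": "" if f[7] == "-" else f[7],
            "next": f[8].lower(), "types": {t.upper() for t in f[9:]}}

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: iterated SHA-1 over wire-format name plus salt."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()

def matches_name(rec, name):
    """True if the record's owner label is the NSEC3 hash of `name`."""
    first_label = rec["owner"].split(".", 1)[0]
    return first_label == nsec3_hash(name, rec["salt"], rec["iterations"])

def denied_types(rec, wanted):
    """Types from `wanted` that the bitmap says do not exist at this name."""
    return sorted(t.upper() for t in wanted if t.upper() not in rec["types"])

if __name__ == "__main__":
    rec = parse_nsec3(SAMPLE)
    print("owner is hash of dhl.com:", matches_name(rec, "dhl.com"))
    print("denied by bitmap:", denied_types(rec, ["A", "MX", "NS", "SOA"]))
```

When the owner matches and A or MX shows up as denied, a validating resolver has signed proof that those types are absent, regardless of what the zone actually serves.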