Found the issue. As Wietse said, the resolver (bind) was bouncing emails from hosts that failed DNSSEC.
Some domains are using an old algorithm that is no longer accepted by the current DNSSEC default configuration. Three I have found are: comcast.net (algorithm 5), medicare.gov (algorithm 7), and usps.gov (algorithm 7). The current recommended algorithms are 14, 15, and 16 with 15 being preferred according to RFC 8624 sec. 3.1.

John
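The following is an added example, not part of the post above and not code from Postfix or BIND. It parses DNSKEY answers in the format printed by `dig +noall +answer DNSKEY <zone>` and reports which zones publish keys with algorithm 5 or 7, the two numbers named in the post. The zone names, key data and function names are constructed for illustration.

```python
from collections import defaultdict

# Algorithm numbers the post reports as rejected, with their IANA mnemonics.
OLD_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}

# Constructed sample input (placeholder zones and key data, not real records).
SAMPLE = """\
old.example.      3600 IN DNSKEY 257 3 5 AwEAAc0nstructedKSK=
old.example.      3600 IN DNSKEY 256 3 5 AwEAAc0nstructedZSK=
nsec3.example.    3600 IN DNSKEY 257 3 7 AwEAAc0nstructedKSK=
rolling.example.  3600 IN DNSKEY 257 3 7 AwEAAc0nstructedOld=
rolling.example.  3600 IN DNSKEY 257 3 15 c0nstructedEd25519Key=
new.example.      3600 IN DNSKEY 257 3 15 c0nstructedEd25519Key=
; comment line
"""

def zone_algorithms(dig_output):
    """Map each zone name to the set of DNSKEY algorithm numbers it publishes."""
    zones = defaultdict(set)
    for line in dig_output.splitlines():
        fields = line.split()
        if line.startswith(";") or "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        # DNSKEY RDATA is: flags, protocol, algorithm, public key.
        if len(fields) < i + 5 or not fields[i + 3].isdigit():
            continue  # truncated or malformed record
        zones[fields[0].lower().rstrip(".")].add(int(fields[i + 3]))
    return dict(zones)

def classify(dig_output):
    """Return {zone: (status, sorted algorithm list)}.

    only-old: every key uses algorithm 5 or 7
    mixed:    algorithm 5 or 7 is published alongside other algorithms
    no-old:   no key uses algorithm 5 or 7
    """
    report = {}
    for zone, algs in zone_algorithms(dig_output).items():
        old = algs & set(OLD_ALGORITHMS)
        status = "no-old" if not old else "only-old" if old == algs else "mixed"
        report[zone] = (status, sorted(algs))
    return report

if __name__ == "__main__":
    for zone, (status, algs) in sorted(classify(SAMPLE).items()):
        names = ", ".join(f"{a} {OLD_ALGORITHMS.get(a, '')}".strip() for a in algs)
        print(f"{zone:18} {status:9} {names}")
```
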