On Thu, December 18, 2014 19:19, Wietse Venema wrote:
> Wietse Venema:
>> James B. Byrne:
>> > <xxuse...@aol.com>: host mailin-02.mx.aol.com[152.163.0.99] said: 521 5.2.1 :
>> >     (DMARC) This message failed DMARC Evaluation and is being refused due to
>> >     provided DMARC Policy (in reply to end of DATA command)
>> > --->
>> >
>> > Does anyone have any idea what AOL might be complaining about WRT to our DMARC
>> > policy?
>>
> When DNS lookup fails with a SOFT error (timeout etc.) would they
> mistakenly respond with a HARD reject? We have examples of Google
> doing that (email from the same host and the same sender will
> occasionally be rejected).
>
> I.e. from the same IP address.
>
> If your IPv4 or IPv6 address is not fixed, then mail may be rejected
> for several reasons.
>
> If the error is sporadic, you can use smtp_reply_filter to change
> this into a 4xx error.
>
> /etc/postfix/main.cf:
>     smtp_reply_filter = pcre:/etc/postfix/smtp_reply.pcre
>
> /etc/postfix/smtp_reply.pcre:
>     # The lookup result replaces the reply line (5xx 5.x.x becomes 4xx 4.x.x).
>     /^5(\d+ )5(.+message failed DMARC Evaluation.+)/ 4${1}4${2}
>
>       Wietse
>

Well, we have 4 dns servers on two separate netblocks (216.x.y.c and
209.x.y.c) located in two different cities (Hamilton and Toronto) and using
two different upstream providers (Rogers and Verizon).  If it is a DNS
timeout error then the problem has to be somewhere closer to the AOL end than
ours.

Our IP addresses are fixed, we run two C class netblocks.

It seems likely to be their error rather than ours. I have never encountered
the error before and I expect that if we were somehow at fault then we would
have encountered the problem before now.  But, this DMARC stuff is all new to
me and a configuration error at our end is always a possibility.

I am travelling tomorrow so I will look into the matter further sometime this
weekend.  The idea that it is a transient error being reported as a hard failure
had never crossed my mind. That said, now that the idea is raised it seems to
me to be the case.  AOL employs DMARC in a fairly draconian manner and that
sort of reply to a DMARC record lookup failure would not surprise me in the
least.

Thank you for the help.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
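
Added example, not part of the original thread or of Postfix: a Python model of the smtp_reply_filter rule quoted above, applied one reply line at a time, to check which replies it softens to 4xx. The sample replies and their line layouts are constructed assumptions; Postfix takes the lookup result as the new reply line and acts on the final line's code.

```python
import re

# Pattern and replacement from the quoted smtp_reply.pcre rule. Postfix pcre
# tables are case-insensitive by default; "${1}" is spelled r"\g<1>" in Python.
RULE = re.compile(r"^5(\d+ )5(.+message failed DMARC Evaluation.+)", re.IGNORECASE)
REPLACEMENT = r"4\g<1>4\g<2>"


def filter_line(line):
    """Return the rewritten reply line, or the line unchanged if the rule misses."""
    m = RULE.match(line)
    return m.expand(REPLACEMENT) if m else line


def filter_reply(lines):
    """Apply the rule to each reply line on its own, as smtp_reply_filter does."""
    return [filter_line(line) for line in lines]


def final_code(lines):
    """Postfix acts on the reply code of the last line of a multi-line reply."""
    return int(lines[-1][:3])


# Constructed sample replies (assumed wire layouts, not captured traffic).
TEXT = "(DMARC) This message failed DMARC Evaluation and is being refused"
SINGLE = ["521 5.2.1 : " + TEXT]
TAIL = ["521-5.2.1 :", "521 5.2.1 " + TEXT]  # DMARC text on the final line
HEAD = ["521-5.2.1 : " + TEXT, "521 5.2.1 due to provided DMARC Policy"]  # on a "521-" line
OTHER = ["550 5.1.1 Recipient address rejected: user unknown"]

if __name__ == "__main__":
    for name, reply in [("single", SINGLE), ("tail", TAIL), ("head", HEAD), ("other", OTHER)]:
        out = filter_reply(reply)
        print(f"{name:6} {final_code(reply)} -> {final_code(out)}")
```

The rule only fires when the DMARC wording sits on the final "521 " line, so check the layout of the real reply before relying on it.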
