13 Mar 2022, 12:08 AM   #76
puffchumpy
tl;dr: Disabling DNSSEC for the email domain "fixed" the comcast.net can't send issue.

I had the same problem receiving emails sent by comcast.net email users at my personal email server. Being a Comcast Xfinity internet subscriber, I created an email account to test sending emails. They all failed with the same generic "smtp" error reported by the comcast.net sending server. Same as the case for this discussion thread. Running tcpdump on my mail server, I could see that comcast.net never attempted to connect to my mail server. This thread pointed out various DNS issues could be a likely cause.

In one of many experiments I disabled the DNSSEC setting provided by my domain registrar's DNS service. Then all the queued emails flooded in.

I believe the DNSSEC setting and signed DNS results provided by my domain registrar's DNS service were correct. I don't know why comcast.net would not send outbound email to domains using DNSSEC, but I have 2 theories.
1) Potentially the additional effort to check the DNSSEC cryptographic signatures is too much effort, causing a timeout. Only a problem for Comcast.net and no one else?
2) Comcast.net might assume that a domain using DNSSEC has DANE (RFC 7672) configured via an additional TLSA DNS record. My email domain was not set up with a TLSA DNS record. This might have failed an outbound security check on the comcast.net servers. DANE seems to be an optional feature, not sure why comcast.net servers would require it if DNSSEC is active.

This is an old thread but has great information about comcast.net failing to deliver outbound emails. Adding my findings here as the information in the thread helped me realize that DNS could be part of the problem. And to help others that have similar issues with comcast.net outbound email delivery.
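Added example, not part of the post above: a simplified model of how a DANE-aware sending MTA following RFC 7672 would treat one MX host in each DNS state the post mentions (signed zone without TLSA, failed lookups, DNSSEC disabled). Whether comcast.net works this way is not established by the post; `Sec`, `Answer`, `mx_policy` and all lookup results are hypothetical names and constructed inputs.

```python
from dataclasses import dataclass
from enum import Enum


class Sec(Enum):
    SECURE = "secure"      # answer validated with DNSSEC
    INSECURE = "insecure"  # zone is provably unsigned
    BOGUS = "bogus"        # signatures present but validation failed
    ERROR = "error"        # timeout or SERVFAIL


@dataclass(frozen=True)
class Answer:
    status: Sec
    records: tuple = ()    # empty + SECURE means validated denial of existence


def mx_policy(addr: Answer, tlsa: Answer) -> str:
    """Return 'defer', 'dane' or 'opportunistic' for one MX host."""
    if addr.status in (Sec.BOGUS, Sec.ERROR):
        return "defer"           # address lookup failed: no connection is attempted
    if addr.status is Sec.INSECURE:
        return "opportunistic"   # unsigned zone: TLSA is not consulted at all
    if tlsa.status in (Sec.BOGUS, Sec.ERROR):
        return "defer"           # downgrade protection: a failed TLSA lookup blocks delivery
    if tlsa.status is Sec.SECURE and tlsa.records:
        return "dane"            # validated TLSA records: authenticated TLS is mandatory
    return "opportunistic"       # validated absence of TLSA: deliver as before DANE


# Constructed lookup results (hypothetical, not captured from any real domain).
SIGNED_ADDR = Answer(Sec.SECURE, ("192.0.2.25",))
SCENARIOS = {
    "signed zone, no TLSA record": (SIGNED_ADDR, Answer(Sec.SECURE)),
    "signed zone, TLSA published": (SIGNED_ADDR, Answer(Sec.SECURE, ("3 1 1 <digest>",))),
    "signed zone, TLSA query times out": (SIGNED_ADDR, Answer(Sec.ERROR)),
    "signed zone, signatures fail validation": (Answer(Sec.BOGUS), Answer(Sec.BOGUS)),
    "DNSSEC disabled": (Answer(Sec.INSECURE, ("192.0.2.25",)), Answer(Sec.INSECURE)),
}


def evaluate() -> dict:
    """Map each constructed scenario to the sender's delivery decision."""
    return {name: mx_policy(a, t) for name, (a, t) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, policy in evaluate().items():
        print(f"{name:42} -> {policy}")
```

In this model, only a failed or unverifiable lookup in a signed zone produces a deferral with no connection attempt, which is the symptom to look for when querying the domain's MX, address and `_25._tcp` TLSA names through a validating resolver.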