How to resolve 'HELO/EHLO outbound.qs.icloud.com is not matching your DNS configuration' error in iCloud Mail?

Heinz Hegnauer wrote:

Same here, after working 10 days any mentioned solution didn't work. It's time for Apple to investigate!

I hate this type of issue where no-one will acknowledge there's a problem. For now I've had to go to iCloud on the web, select mail, then pin that tab to Safari browser so that it's always available in a single click.

Similar here. I switched off 'Limit IP Address Tracking' and emails worked for a day.

Then went back to email Mail Delivery error. All to Virgin email addresses.

I don't have broadband. All on hotspot.

My attempts only helped for a short time. In my opinion, this is due to an inconsistency in the DNS servers at Apple. The receiving server is responding correctly, they are trying to prevent spam.

Once again there is no help and no response from Apple.

@peterkurt - This is nothing to do with your DNS settings. I would love to see the headers on the successful mail, to see what the difference is though.

This is down to how Apple’s outbound mail system is set up.

As a real world example we’ll use my server.

When it talks to an inbound server it anounces itself with an EHLO command

EHLO mail.timothy*****.co.uk

if you do a DNS lookup for that FQDN you’ll see it’s IP addresses

mail@mail:~$ nslookup mail.timothydutton.co.uk

Server: 213.186.33.99

Address: 213.186.33.*****

Non-authoritative answer:

Name: mail.timothy*****.co.uk

Address: 51.68.***.***

Name: mail.timothy*****.co.uk

Address: 2001:41d0:801:****::****

If you do a reverse lookup on the server IP’s

;; ANSWER SECTION:

229.196.**.**.in-addr.arpa. 86400 IN PTR mail.timothy*****.co.uk.

As you can see, everything matches up.

When it doesn’t, mail providers can reject the mail. Whoever’s responsible for the mail system needs to be looking into this and fixing their setup.

Tim

[Edited by Moderator]

mikebhm wrote:

Thanks @Ravenstar68

Is that explanation consistent with the fact that sending by webmail from iCloud.com avoids the problem?

Yes.

Apple operates immense pools of servers.

One mail server or one web server is not going to handle a billion-ish iCloud users.

This for many reasons. The sheer load of users for one, and the need to have services be available when a major network link or a server pool, or an entire data center, fails.

Now within what are likely various different pools of mail servers, and different pools of DNS servers, the different servers will have different confogurations, some of which will be intentional configuration differences, and some can be stale caches or data corruptions.

Which outbound mail server is used can be based on the current load across the mail servers and trying to use less-loaded servers, servers selected based on geographic or network or data center locality, or other factors.

Many, many, many servers, organized into multiple pools, across multiple data centers.

How the EHLO works and the trigger here has been posted in a reply or two in this thread, as well.

TL;DR: yes, this is entirely consistent (mis)behavior in a complex system such as mail services at Apple’s scale. You’re using a different mail server from whichever server or servers or pool or pools have the mail or DNS misconfiguration or corruption, or getting a different receiving server from the server where the misconfiguration ormcorruption exists in the receiving mail server or its DNS.

That’s very good to hear. I surmise that there was something in the recent 15.4.1 update which caused this problem, and rebooting the router caused it to re initialise to work with the change.

Bad news. Next day it stopped working. Haven't tried rebooting router again.

In Mobile Data Options, turning off 'Limit IP Address Tracking' worked for me.

I guess Virgin want to track your IP address for some reason.

Anwort auf eine Userfrage: Ja, bei mir ist das so. Ziggo lehnt ab.

Problem solved for me without changing anything on my environment. Magic...until when??

Same here 👏

Lots of people are struggling with this issue at the moment. There doesn't seem to be a quick fix.

This discussion on Reddit gives some details: https://www.reddit.com/r/sysadmin/comments/1k3wa6c/icloud_mail_rejected_by_dutch_isp_ziggo_ehlo/

I am experiencing this problem with anyone who has a Virgin email address especially the "blueyonder" addresses. I also find that sending from my iPhone is fine but not from the mail client on my laptop.

It looks like I solved my problem.

On de site https://easydmarc.com/tools/spf-lookup I tested my spf and dmarc records. There was an issue with both records. So I deleted them all in my DNS and I created on the site easydmarc.com new records (same as before) and copied them to my dns, with no "" !

I made 2 spf's and 2 dmarc. 1 rule with hostname mydomain and 1 without a hostname (_dmarc and _dmarc.mydomain.com).

The next tests on easydmarc.com where now OK.

So after 1 hour whaiting i tested my e-mail again on dmarctester.com and now all was OK

Why the problem was solved by deleting the dns records and make them new, I have no clue, but it worked for me.

Or maybe Apple also did something with the spf records?

Now I sent a tesmail to a ziggo.nl adress and hope it is not comming back this time. Fingers crossed..