They also started using new IPs without PTR records to send out mail. Though so has Microsoft just recently. Both heavily frown upon that when receiving mail themselves. Do as we say...
Not only does Apple frown upon that, they just silently drop emails that are sent from a server without PTR records. Yes, that includes their own servers. Yes, sending email from iCloud to iCloud is silently dropped if they decide you get assigned an outgoing server without PTR. The absolute amateurism just blows my mind.
I hate getting a report telling me my work domain is blocked because it is missing a PTR record and we use Exchange Online. I can’t do anything about that!
Complain to your provider. You're paying for the service, right? They should run a properly configured mail exchange and part of that is having PTR records. If they can't manage that then it's time for a serious discussion about changing vendors.
Yep, whenever I start a new job I say "Don't worry, because iamverysmart, you don't need any Microsoft products!" I am then hailed as a genius, everyone claps, and I get a big fat raise.
The snarky "just don't use Exchange, duh!" doesn't either. It's a non-solution that armchair experts provide, who aren't responsible for managing mail for lots of people.
There are many environments where people don’t have a choice but to maintain what is in production.
Whether or not viable alternatives exist, those alternatives don’t magically change org structure, office politics, budget, current business priorities, etc.
Bottom line: many people managing exchange don’t have the luxury of evaluating this problem in terms of alternatives.
I don’t know any that come close in functionality, configurability, and maintainability. Exchange scales from a one-person handyman to Fortune 500 without a hitch, it comes with an office suite and cloud storage space, you find specialists for it on every corner, and it mostly just works. That’s pretty hard to beat, even if I’m personally more than unhappy to be so dependent on Microsoft, a US product, and closed-source software; there’s just not much I can do about it.
Thing is, I’ve been doing this since before Exchange Online, I know.
People used a few different groupware solutions, worked with bespoke IMAP installations on Linux servers, or (the vast majority) had on-premises Exchange servers running locally. It all required lots of tech wizardry, tinkering, duct tape and hope.
It was a long while before we had turn-key solutions, and you needed actually knowledgeable folks running your IT operations, and nothing was as fully integrated or cheaply available as Exchange Online.
a.k.a. I think you're missing the point. It's ok. You want knowledgeable people running your key infra. Outsourcing that to a company that doesn't respect privacy seems to be shooting oneself in the foot.
No, sorry, I think you're missing the point. There is one Hotmail, and a million businesses that need reliable email. I don’t want to outsource my key infra, but that’s the only viable option for most companies.
Getting email right requires lots of infra expertise, steady financial expenses, and time. Most companies just don’t have any of these available, and it makes zero economic sense as well if a product like Microsoft 365 exists.
It's incredibly entitled of some big cloud based operator to send mail from an SMTP source that doesn't have proper reverse DNS. Any normal independent small operator sending mail without proper reverse DNS will increase its likelihood of spam rank by a thousand percent. Or get flat out rejected at the SMTP negotiation process or relay attempt.
But things like icloud, office365, google workspace and similar are "too big to fail", right? They don't have to play by the same rules as the rest of us peons.
as referenced here, from the post on the 'mailop' mailing list
This is either an astonishing level of technical fuck-up from what has to be an entire work group of people with six figure salaries whose jobs are nothing but running email server infrastructure, so they must clearly know better, or a lack of regard for the internet community and accepted standards. I really cannot think of a third possible explanation for it.
To be clear for those people who don't run their own email servers: Having proper reverse DNS for the IP of your outbound SMTP sending server is one of the absolute bare minimum requirements for accepted mail flow, and is a standard that's probably 25 years old or older now. It significantly pre-dates SPF, DKIM, DMARC and all the rest. Proper RDNS is literally one of the first things you verify before you set up everything else.
A few years ago, when iCloud custom domains first launched, I found a bug where Apple would permanently cache the MX record. If an iCloud user had ever used a custom domain, future emails from iCloud to that domain would still get routed to their iCloud inbox—even if the domain’s MX record no longer pointed to Apple. They eventually fixed it, but didn’t think it deserved a bounty, which was a bit surprising.
I'm sure there's a ton of interesting surface area here.
So, Apple sends the wrong EHLO domain when trying to send emails out. This results in them dropping emails to their own users. Can't get past Apple's level 1 support. How can I get to someone that maintains their SMTP k8s cluster?
We usually ask around on the NANOG mailing list. Someone on that list usually already knows the contact method or a person at an ISP, datacenter or hyperscaler.
I lost faith in iCloud custom domains a few months ago, I was receiving the usual marketing emails etc fine, but actual person to person emails? Sometimes replies would come through, other times nothing.
I thought at first people were just ignoring me, but when a company reached out to me over SMS to respond to a complaint I had, they said their email reply had bounced so was contacting me on SMS instead
You’re really scaring me—I also had the impression people are ignoring me, and didn’t even consider their mail simply bounces… I’m so over migrating email again.
Is this new? I've been using icloud with a custom domain for about a year and just had my first failure today with an address that I've actively been talking to all week.
I switched from migadu to iCloud to increase my bus factor for the family. It's been interesting and a bit painful. For example I have a filter to forward emails from a 'bothofus' alias to my spouse's iCloud account at the same domain because there is no way to have a true alias --> mailbox1, mailbox2. Sometimes iCloud bounces these emails sent from itself.
The bus factor (aka lottery factor,[1][2] truck factor,[3] or circus factor[4]) is a measurement of the risk resulting from information and capabilities not being shared among team members, derived from the phrase "in case they get hit by a bus".
> The "bus factor" is the minimum number of team members that have to suddenly disappear from a project before the project stalls due to lack of knowledgeable or competent personnel
There is a bias in technical knowledge. I used to be huge into self hosting but came to the realization that if I died tomorrow my NAS, domain, email and backups of our family photos would work until they don't. An unpaid invoice, a cancelled credit card, a failed reboot or, maybe the nastiest, being plugged into a new network.
So in my case increasing the bus factor refers to: a regular usb drive hooked up to the nas that has an unencrypted ntfs drive with our photos and paperless archive; iCloud email that will stay up; Bitwarden hosted on their end.
Same reason I have a very healthy life insurance and disability policy.
p00-icloudmta-asmtp-us-central-1k-100-percent-10.p00-icloudmta-asmtp-vip.icloud-mail-production.svc.kube.us-central-1k.k8s.cloud.apple.com is one hell of a name, though.
I mean, if you're never typing it, which... I mean they never are, it's all automated most likely, why not have all the details they could ever need? It probably makes tracking issues and traceroutes etc. much easier to deal with.
iCloud Custom Domains & Mail are filled with bugs. My favourite one is that if my custom email I want to register has EVER been associated with an Apple account, it can never be used as a custom domain, unless that domain is set to catch all; it is impossible to add that specific address; it just errors without any specific message. The original account was fully deleted; going to the arduous process they set up that takes weeks to actually delete the account.
Customer support is worthless for actual technical problems as usual for Apple. Fun extra regarding customer support; if you arrange a support call in a language not native to your region, they honor that, but that information is lost if they escalate the call; the callback is always in the national language, despite explicit requests over the phone during the callback schedule
For what it's worth, I was able to add my custom domain to iCloud under this exact scenario without any issues. This was 3 years ago, so I don't know if anything has changed, and I didn't have the 'catch all' limitation either.
I had to give up trying to use iCloud for email. So many inbound emails would be silently dropped. I've also sent emails to @icloud.com addresses that the recipient never received.
The deliverability issues also apply to their Hide My Email feature. I frequently miss confirmation or verification emails after signing up with a @privaterelay.appleid.com address, so much so that I don't even bother with it anymore.
We send OTP codes for our login flow and iCloud is definitely a big source of delayed email complaints. Codes eventually arrive, but not before a support ticket is created. Instant on every other ISP.
This shows that email should die in a tyre fire and we all need to collectively move to something else… but we should have done this more than 10 years ago.
Email has SO many technical issues that if someone would have come out with email today, nobody would use it!
The ONLY thing going for it really is that it’s decentralised and has the network effect that almost everyone uses it. Bzzzt, I kid I kid!
Anyone under 25 will tell you they do NOT use emails and instead prefer instant message, and is email really decentralised? NO!! Try setting up your own relay and you’ll be dropped by any big service. Gmail+Outlook is basically a cartel with zero recourse!
Hmmm… could there even be a case of anti-trust given Gmail’s behaviour
I just mean we take RFC 821 and RFC 822, then everything built on top of that flaming tire fire, and send it into an orbit directly into the sun, and replace it with new open protocols that weren't designed when the internet was a trusted network and then patched with layers and layers of crust stacked on top in order to mitigate its shortfalls.
(where "username" is my gmail user, and "example.com" is the domain of a consulting client from a decade ago that gave me [email protected])
The body of these weird messages says
Address not found
Your message wasn't delivered to [email protected] because the address couldn't be found, or is unable to receive mail.
550 5.1.1
The email account that you tried to reach does not exist. Please try double-checking the recipient's email address for typos or unnecessary spaces. For more information, go to https://support.google.com/mail/?p=NoSuchUser 6a1803df08f44-6ac070f1538sor47269616d6.5 - gsmtp
above an arbitrary supposedly-forwarded message like
---------- Forwarded message ----------
From: The New Yorker Daily <[email protected]>
To: [email protected]
Cc:
Bcc:
Date: Tue, 28 May 2024 16:31:02 -0400 (EDT)
Subject: The Secrets of the Stasi
----- Message truncated -----
@aequitas, Hi Johan, nice surprise! After wondering why I couldn't get enough of the movie Office Space, I quit the tech industry completely. Never felt better.
The biggest problem with huge corporations is that sometimes it's next to impossible to actually communicate with them. Does anyone have any good contacts at Apple?
I sent this more than two weeks ago:
Date: Wed, 12 Mar 2025 22:56:55 +0000 (UTC)
From: John Klos <*******@klos.com>
To: [email protected], [email protected], [email protected], d*******@apple.com
Subject: Issue with Apple's SMTP delivery
Hello,
I've had several issues reported about email delivery from Apple. The error they have in common is this:
Mar 12 21:38:17 daisy sm-mta[28249]: 52CLcCoi028249: ruleset=check_mail, arg1=<*******@me.com>, relay=p-west1-cluster6-host7-snip6-8.eps.apple.com [IPv6:2a01:b747:3003:204:0:0:0:47], reject=550 4.1.8 <*******@me.com>... Access denied. HELO does not resolve. (HELO p00-icloudmta-asmtp-us-west-1a-1.p00-icloudmta-asmtp-vip.icloud-mail-carry.svc.kube.us-west-1a.k8s.cloud.apple.com)
Looking in to this, the resolution of "p00-icloudmta-asmtp-us-west-1a-1.p00-icloudmta-asmtp-vip.icloud-mail-carry.svc.kube.us-west-1a.k8s.cloud.apple.com" results in this list of MX:
mx-in.g.apple.com
mx-in-mdn.apple.com
mx-in-hfd.apple.com
mx-in-ma.apple.com
mx-in-rn.apple.com
mx-in-vib.apple.com
mx-in-rno.apple.com
mx-in-sg.apple.com
All but two of these resolve to A records.
Two of those, though, resolve to more MX:
host mx-in-rno.apple.com
mx-in-rno.apple.com mail is handled by 10 mx-in.g.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-vib.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-rno.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-rn.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-hfd.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-sg.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-mdn.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-ma.apple.com.
host mx-in-mdn.apple.com
mx-in-mdn.apple.com mail is handled by 20 mx-in-mdn.apple.com.
mx-in-mdn.apple.com mail is handled by 20 mx-in-sg.apple.com.
mx-in-mdn.apple.com mail is handled by 10 mx-in.g.apple.com.
mx-in-mdn.apple.com mail is handled by 20 mx-in-vib.apple.com.
mx-in-mdn.apple.com mail is handled by 20 mx-in-rn.apple.com.
mx-in-mdn.apple.com mail is handled by 20 mx-in-hfd.apple.com.
mx-in-mdn.apple.com mail is handled by 20 mx-in-ma.apple.com.
mx-in-mdn.apple.com mail is handled by 20 mx-in-rno.apple.com.
This loop is a mistake and should be fixed.
Additionally, RFC 5321 section 2.3.5 says that the name given in an EHLO / HELO greeting should be an IP literal or a primary host name ("a domain name that resolves to an address RR"). The name given in the EHLO / HELO exchange does not resolve to an address RR; it only resolves to an MX. While this is technically incorrect, the looping MX is the real issue. However, if you're fixing the looping issue, you may want to consider fixing this issue at the same time.
Please look in to this, and please let me know if you have any questions or need any additional information.
Thank you,
John Klos
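The three receiver-side checks this thread keeps coming back to, as an added example that is not part of any post above: forward-confirmed reverse DNS for the sending IP (the PTR requirement discussed earlier), the RFC 5321 section 2.3.5 rule that an EHLO name must be an address literal or resolve to an address record (the "HELO does not resolve" rejection in the quoted sendmail log), and a walk over MX targets that flags targets which only carry further MX records (the loop reported in the email above). To run offline it resolves against an in-memory stub zone; every hostname, address and record in that zone is a constructed fixture shaped like the quoted `host` output, not Apple's real DNS data.

```python
# Added example (not code from the thread). Mail-acceptance checks run
# against an in-memory stub zone so they work offline; all names, addresses
# and records below are constructed fixtures, not real DNS data.

def _key(name: str) -> str:
    """Normalise a hostname to the trailing-dot form used as zone keys."""
    return name if name.endswith(".") else name + "."

# Constructed zone: hostname -> {rtype: [values]}; raw IP strings key PTR data.
ZONE = {
    # Well-behaved sender: PTR and A agree, and the HELO name has an A record.
    "192.0.2.10": {"PTR": ["mta-out.example.net."]},
    "mta-out.example.net.": {"A": ["192.0.2.10"]},
    # Sender shaped like the quoted log: the IP has no PTR, and the HELO
    # name carries only MX records, no A/AAAA.
    "2001:db8::47": {},
    "mta.carry.example.org.": {
        "MX": [(10, "mx-in.g.example.org."), (20, "mx-in-rno.example.org.")],
    },
    "mx-in.g.example.org.": {"A": ["198.51.100.5"]},
    # MX targets that point at each other instead of at addresses.
    "mx-in-rno.example.org.": {
        "MX": [(10, "mx-in.g.example.org."), (20, "mx-in-mdn.example.org.")],
    },
    "mx-in-mdn.example.org.": {
        "MX": [(10, "mx-in.g.example.org."), (20, "mx-in-rno.example.org.")],
    },
}


def lookup(name: str, rtype: str) -> list:
    key = name if rtype == "PTR" else _key(name)
    return ZONE.get(key, {}).get(rtype, [])


def has_address(name: str) -> bool:
    return bool(lookup(name, "A") or lookup(name, "AAAA"))


def fcrdns(ip: str) -> str:
    """Forward-confirmed reverse DNS: some PTR name must map back to ip."""
    ptrs = lookup(ip, "PTR")
    if not ptrs:
        return "no PTR"
    for ptr in ptrs:
        if ip in lookup(ptr, "A") + lookup(ptr, "AAAA"):
            return "ok"
    return "PTR not forward-confirmed"


def helo_check(helo: str) -> str:
    """RFC 5321 s2.3.5: the EHLO argument is an address literal or a name
    that resolves to an address RR. An MX-only name does not qualify."""
    if helo.startswith("[") and helo.endswith("]"):
        return "ok"
    if has_address(helo):
        return "ok"
    if lookup(helo, "MX"):
        return "MX-only"
    return "does not resolve"


def mx_audit(domain: str) -> dict:
    """Classify every MX target reachable from domain. RFC 5321 s5.1 requires
    an MX target to have an address RR; a target that instead has its own MX
    records is a misconfiguration, and chasing it naively would loop."""
    result: dict = {}
    stack = [target for _, target in lookup(domain, "MX")]
    while stack:
        target = stack.pop()
        if target in result:
            continue  # already classified: this is the point a naive resolver would loop at
        if has_address(target):
            result[target] = "ok"
        elif lookup(target, "MX"):
            result[target] = "mx-only"
            stack.extend(t for _, t in lookup(target, "MX"))
        else:
            result[target] = "unresolvable"
    return result


def evaluate_sender(ip: str, helo: str) -> dict:
    """Combine the checks into the decision a strict receiver would make."""
    verdict = {"fcrdns": fcrdns(ip), "helo": helo_check(helo), "mx": mx_audit(helo)}
    verdict["accept"] = verdict["fcrdns"] == "ok" and verdict["helo"] == "ok"
    return verdict


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mta-out.example.net"),
                     ("2001:db8::47", "mta.carry.example.org")]:
        print(ip, helo, evaluate_sender(ip, helo))
```

The `seen`-style bookkeeping in `mx_audit` (the `result` dict) is what keeps the walk finite when two MX-only names point at each other, which is exactly the shape of the two `host` listings above; a resolver without it would chase the 20-priority targets round in a circle. Against real DNS you would swap `lookup` for a resolver library call and keep the rest unchanged.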
So you created a proxy to an endpoint to an email from iCloud and something in the chain had a misconfigured DNS with the domain “p00-icloudmta-asmtp-us-central-1k-100-percent-10.p00-icloudmta-asmtp-vip.icloud-mail-production.svc.kube.us-central-1k”. It might as well be an issue with mail-testers.com or icloud.com
It’s impossible to tell from the shared page because both services are about DNS caching.
When you own a 17 net or 12 net, I think it comes as a given on extra txt records not needed. Totally not fair, but reality, and someone’s allowing it on the filtering side.
IIRC, as they were acquihired, they had their own software stack back in the '90s.
Microsoft being annoying and frustrating and having so many issues is why I have a well paying job in IT.
https://news.ycombinator.com/item?id=43512353
https://nanog.org/resources/nanog-mailing-lists/
https://www.linkedin.com/in/hserus/
By posting on Hacker News and making it to the front page. The same support strategy also works for all the other major providers
https://www.mail-archive.com/[email protected]/msg24300.html
with a later response indicating that Apple was aware:
https://www.mail-archive.com/[email protected]/msg24312.html
Switched to fastmail at that point.
?
IOW higher == better
Did you try [email protected], [email protected], or [email protected] (not traditional, but given in their docs)?
What's different?
https://dns-lookup.jvns.ca/#p00-icloudmta-asmtp-us-central-1...
In my gmail inbox I periodically get very strange emails from [email protected], addressed to [email protected]
Except for my mail formatting but who cares..
https://www.mail-tester.com/test-t1pn1xl96