jameswyper
Joining in
25 days ago

MXIN603 DMARC validation failed for emails from talktalk.net domain

Hi

I have a slightly non-standard email setup and I'm aware the answer to this question might be "no, tough" but here goes..

The email address we hand out to contacts is a forwarding service offered by my university.  They send emails to xxx@cantab.net and the university system forwards them to xxx@ntlworld.com . I set this up in the days when everyone got their email through their ISP so that if we change ISPs in future we don't need to tell everyone. 

This has worked just fine for over 20 years.  For the majority of email senders, it's still working fine - we are still receiving email.  However, emails from a family member who is with talktalk are getting bounced:

Reporting-MTA: dns; mta01.prd.rdg.aluminati.org
X-Postfix-Queue-ID: 9D2FB203AD
X-Postfix-Sender: rfc822; SRS0=+Yzj=TY=talktalk.net=redacted@srs.aluminati.net
Arrival-Date: Tue, 31 Dec 2024 12:08:36 +0000 (GMT)

Final-Recipient: rfc822; redacted@ntlworld.com
Original-Recipient: rfc822;redacted@cantab.net
Action: failed
Status: 5.2.0
Remote-MTA: dns; mxin5.virginmedia.com
Diagnostic-Code: smtp; 554 5.2.0 MXIN603 DMARC validation failed.
;id=Sb36t1CtC1YF2Sb36tatdE;sid=Sb36t1CtC1YF2;mta=mx11-prd-nl1-vmo;dt=2024-12-31T13:08:36+01:00;ipsrc=94.76.243.214;

I've asked them to send me a test email directly to xxx@ntlworld.com and that arrived OK.  This problem has only started in the last couple of weeks, so I guess something changed at either end (or possibly in the middle).

Although I've got some general technical knowledge, email security isn't something I've got into before, so if someone can guide me through the process of diagnosing exactly what's gone wrong - and therefore which organisation I can bug to get a further change made to their systems in the hope of getting this working - I'd be grateful.

The talktalk forums have a few posts complaining of DMARC rejections but nothing widespread.

Meanwhile I've advised the family member to use our ntlworld address directly for the time being. 

Thanks.

  • jpeg1
    Alessandro Volta

    When you refer to 'our' ntlworld email address, is this address linked to a current Virginmedia broadband account in the same name?   I ask because VM is actively closing down email accounts that are not so linked. The problem you are having could be related to this. 

    • jameswyper
      Joining in

      When you refer to 'our' ntlworld email address, is this address linked to a current Virginmedia broadband account in the same name?   I ask because VM is actively closing down email accounts that are not so linked.

      It is linked to an active Virgin Media broadband account.  I started off as an ntlworld customer in 2002 (hence the email address) and have kept with NTL/VM since then.  And, to repeat what I wrote at first, the problem is not that I can't access my email at all, or that no emails are getting through.  The problem is that a narrow subset of emails are getting bounced, i.e. only (AFAIK) those for which the following are both true
      1.  They are sent to my xxx@cantab.net account and forwarded by cantab.net to my ntlworld email
      2.  They originate from a talktalk.net email account

      I've looked into the forwarding service that cantab.net provide a little more and it turns out they also offer access via IMAP and POP3 (and an SMTP host) so one solution would be to dispense with VM's email service altogether.  I already use fetchmail to copy the VM/ntlworld email I receive down to a self-hosted IMAP server so it wouldn't be a drastic change.  But I'd still like to find out why this is happening and if it's fixable..

       

  • Roger_Gooner
    Alessandro Volta

    If you change ISP you won't be able to continue using their email! So, set up a new email account, e.g. Gmail, and forward to that account.

    • ravenstar68
      Very Insightful Person

      While the other two aren't wrong, they're not really addressing your issue.

      DMARC does not work in isolation. It uses SPF and/or DKIM tested against the domain in the From: address of a sent email.

      If mail passes either DKIM or SPF checks then DMARC passes.

      If mail fails both checks then DMARC fails.

      When you use mail forwarding, SPF automatically fails, as this checks that the mail server connecting to the receiving system (in this case Virgin Media's) is authorised to send mail for a particular domain.

      Therefore, in order for a forwarded mail to pass DMARC, it must be authenticated successfully via DKIM, which means the body and specified headers in the mail MUST NOT be altered.

      What you'd possibly need, to check what is happening, is for the same mail to be sent to both addresses, so you can compare the two received mails.

      I note that the forwarding service uses the Sender Rewriting Scheme in order to deal with SPF checks.  SRS never made it past the draft stage of the RFCs and really should not be in use anymore.

      I'd be interested in sending you a couple of test mails from my own domain so we can see if both pass or fail.

      If you are willing I'd like to send you a PM so I can get the addresses to send to.

      Note:  I'm not a Virgin Media employee - however the VIP status is a special status granted to users by Virgin Media, if they have been determined to be particularly helpful.
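
Added example (not part of the original posts, and not code from Virgin Media or the forwarding service): a simplified model of the DMARC check discussed in the post above, applied to the SRS0 envelope sender from the bounce, showing that once the envelope is rewritten only an aligned DKIM pass can satisfy DMARC for a talktalk.net From: address. The SPF and DKIM results are constructed inputs, and the short suffix set is an assumed stand-in for the Public Suffix List.

```python
import re

# Stand-in for the Public Suffix List (assumption; real checks need the full PSL).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}

def org_domain(domain):
    """Approximate organizational domain: one label above the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(auth_domain, from_domain, strict=False):
    """DMARC alignment: exact match (strict) or same organizational domain (relaxed)."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_srs0(envelope_sender):
    """Return (original_domain, original_local, forwarder_domain) or None."""
    m = re.fullmatch(r"SRS0[=+-]([^=]+)=([^=]+)=([^=]+)=(.+)@([^@]+)", envelope_sender, re.I)
    return (m.group(3), m.group(4), m.group(5)) if m else None

def dmarc_result(from_domain, mail_from, spf, dkim_sigs):
    """Return (verdict, notes); dkim_sigs is a list of (d= domain, result) pairs."""
    spf_domain = mail_from.rsplit("@", 1)[1]
    spf_aligned = aligned(spf_domain, from_domain)
    dkim_ok = any(r == "pass" and aligned(d, from_domain) for d, r in dkim_sigs)
    notes = [f"spf={spf} for {spf_domain}, aligned={spf_aligned}", f"aligned dkim pass={dkim_ok}"]
    srs = parse_srs0(mail_from)
    if srs:
        notes.insert(0, f"envelope sender rewritten by {srs[2]}, originally @{srs[0]}")
    verdict = "pass" if (spf == "pass" and spf_aligned) or dkim_ok else "fail"
    return verdict, notes

# Constructed cases: only the SRS0 sender and the domains come from the bounce above.
SRS_SENDER = "SRS0=+Yzj=TY=talktalk.net=redacted@srs.aluminati.net"
CASES = {
    "direct": ("talktalk.net", "redacted@talktalk.net", "pass", []),
    "forwarded, DKIM intact": ("talktalk.net", SRS_SENDER, "pass", [("talktalk.net", "pass")]),
    "forwarded, DKIM broken": ("talktalk.net", SRS_SENDER, "pass", [("talktalk.net", "fail")]),
}

def evaluate_cases():
    return {name: dmarc_result(*args)[0] for name, args in CASES.items()}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(name, *dmarc_result(*args), sep=" | ")
```
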

      • jameswyper
        Joining in

        Thank you very much for the offer of help.  I've DM'd you.

        I've also, as a test, sent emails from another account I have (a yahoo.co.uk one), firstly directly, then secondly via the forwarding service.  I've put the headers of the emails on Google Drive - you should be able to access them with this link. They might tell you more about what's going on without you needing to send me further tests.

        https://drive.google.com/drive/folders/1zx_RRJ45cfEtYkLSXbODqZ5fF1ap0yET?usp=sharing

        I've also included the headers for the email that cantab.net received before forwarding it on in case that's useful (they have a webmail interface which I don't normally use but I filched it from that).