zanewilson
Message 1 of 3

Re: Emails are being blocked with MXIN611 From header check failed

Hi,

I am seeing the same issue with our emails going to @virgin.net. This just started happening a few weeks ago.

Our "From" domain is cherrycroft.pro, which has been in use for 6.5 years. The .pro TLD is not new; it's been around since 2004 and is restricted to "professional" organisations, i.e. those with "professional" qualifications like doctors, engineers, lawyers etc. (and of course spammers, though I've not seen much in the way of spam purporting to come from .pro addresses).

Messages aren't rejected immediately - they seem to be queued for 2-5 days and only then rejected.

We have SPF set up, and forward and reverse DNS is fine. We've not set up DMARC but haven't seen any rejections of our emails due to this so far.

The rejection message received is as follows:

<REDACTED@virgin.net>: host mx.mnd.ukmail.iss.as9143.net[212.54.58.11]
said: 421-4.2.0 MXIN611 421-4.2.0 From header check failed 421 4.2.0
;id=EJqGidrAObmUiEJqGiqTR4;sid=EJqGidrAObmUi;mta=mx3.mnd;d=20190928;t=230125[CET];ipsrc=195.201.119.122;
(in reply to end of DATA command)

Please can you look into this, and see why these emails are being rejected despite the changes already made?

Thanks,
Zane.

Very Insightful Person
Message 2 of 3
Helpful Answer

Re: Emails are being blocked with MXIN611 From header check failed

@ModTeam Could you get someone to take a look at this.

@zanewilson I'm not a Virgin Media employee, but I would like to offer some thoughts here.

From the message, this isn't down to SPF; this looks down to From: header checks on Virgin Media's part. They'll need to escalate this to the relevant team for review.

However, I would like to make some comments with regard to SPF.

SPF on its own offers very little protection against spoofing, as it merely specifies which IP addresses are allowed to deliver mail with an envelope sender tied to a particular domain. It is broken by design, as should you send to an email address which uses a forwarding service, SPF will fail. However, if you don't have a DMARC policy, what happens with that fail is entirely at the discretion of the recipient mailbox's email administrator.

DKIM offers additional assurances in that the mail is signed with a signature authorised by the administrators of the domain indicated in the DKIM header. It is also used to detect changes to the body of the email and specific headers: should the body or specified headers be altered in transit, then the mail will fail DKIM.

DKIM survives forwarders because typically forwarders DO NOT change the email apart from adding trace headers to the beginning of the mail.  However DKIM can be broken in some situations, so while it's better in some ways than SPF it's still not 100% foolproof.

Again, like SPF, unless you deploy a DMARC record, how DKIM fails are treated is solely at the discretion of the receiving service's email administrator, so SPF and DKIM alone may offer no protection against spoofing for your domain - certainly to the average user who may not dig into the email headers.

DMARC allows you to do the following.

1. Set a policy for when DKIM and SPF fail, both for the main domain and any subdomains.
2. Prevent potential spoofing methods whereby someone can use a different domain to validate SPF and DKIM headers to that which is in the From: header.
3. Allow you to specify an email address which will receive aggregate and/or forensic reports allowing you to view what is happening with mail deliveries.

The list above is not necessarily exhaustive, but I hope it will give you pause for thought.

Tim

As a Very Insightful Person, I'm here to share my knowledge. I don't work for Virgin Media.
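
Added example, not part of the original posts: a simplified Python sketch of the DMARC evaluation described in the reply above (a policy for SPF/DKIM failure, and alignment of the authenticated domain with the From: header domain). The domains, the DMARC record and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: simplified DMARC evaluation (RFC 7489 concepts).
# All domains and the record below are constructed sample data.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers
    # use the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, spf, dkim, record):
    """spf = (result, envelope_domain); dkim = (result, d_domain).
    Returns 'pass' or the policy disposition ('none', 'quarantine', 'reject')."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomains use sp= when present, otherwise fall back to p=.
    is_sub = from_domain.lower() != org_domain(from_domain)
    return tags.get("sp", tags["p"]) if is_sub else tags["p"]

RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"

# Forwarded mail: SPF fails at the forwarder, but the aligned DKIM signature survives.
forwarded = evaluate("example.com", ("fail", "example.com"), ("pass", "mail.example.com"), RECORD)
# SPF and DKIM both pass, but for a different domain than the From: header.
mismatch = evaluate("example.com", ("pass", "other.example.net"), ("pass", "other.example.net"), RECORD)
# Same mismatch with a subdomain in From: the sp= policy applies.
sub = evaluate("news.example.com", ("pass", "other.example.net"), ("fail", "example.com"), RECORD)
```
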

Community Lead
Message 3 of 3

Re: Emails are being blocked with MXIN611 From header check failed

@zanewilson 

I've just replied to another thread where I've mentioned you. We're looking into this currently.

Kev
