EmailDiscussions.com  

Old 29 May 2017, 07:10 AM   #1
KingOfTheData
Junior Member
 
Join Date: May 2017
Posts: 7
Fastmail - Bounced Emails

*********************** THIS IS RESOLVED.*****************************

Fastmail was able to figure out this issue. It was actually user error and DNSSEC was being used on the domain level. Please see resolution below and I'd highly recommend Fastmail for any personal or business user.

Original post below
----------------------------------------------------------------------------------------------------------------------------

A month ago I submitted my initial ticket with Fastmail support which has now spiraled into a deeper issue with the services they provide. That was the start of why I'm leaving Fastmail. Now I finally have almost everything concluded and I will need to migrate a large business and over hundreds of users to a different service.

The first ticket I submitted with Fastmail support, it was exactly a month ago. They had very fast response times and responded to me within an hour or two of submitting the ticket.

The issue was that when a specific company sent me an email, they would get a bounced email message of "Status: 4.4.4 (unable to route: dns lookup failure)."

They escalated this to their supervisor and their supervisor came to the conclusion that it was a DNS caching issue on the sender's side. They were caching old DNS information for my domain. They said that any users that have a "bounced" email from this sender will have to create an alias using their domains (@fastmail.com) and receive the email to that domain. Now, to do this for a very large business would be ridiculous but I brushed it off and started to work further with the sender of the email. They said that there are no issues on their end. This ticket was closed a while later.

This comes to my second ticket. I submitted this second ticket after the first one closed because now I noticed a completely different sender was getting bounced emails while trying to send to my domain. They were getting an error of "mydomain@mydomain.com: Host or domain name not found. Name service error for name=mydomain.com type=MX: Host not found, try again."

Fastmail support had great response times but came to the same conclusion after escalating this ticket to their supervisor. Their response was that it's a DNS cache issue on the sender's side and they need to refresh their DNS cache. I worked directly with this sender as this sender is very technical and the one that set up this email. The sender refreshed and renewed their DNS cache but the emails were still bouncing. This ticket was then closed due to being idle.

Now my last and final ticket. I realized that I now had four different very large companies getting their emails bounced when sending any of my domains an email. This got concluded to being a "DNS cache" issue on the sender's side again after being escalated. I took this a bit further on my side to determine if these very large companies are actually having issues with caching my DNS or if Fastmail is having issues.

I purchased a VPS and set up my own self hosting email server by configuring Postfix, Dovecot, Z-Push, Roundcube, Apache SpamAssassin, Postgrey, and Nginx for one of the domains that was getting bounced emails. Within approximately two hours of setting this up, I was able to receive all the emails that were previously being bounced.

I took the step even further. I purchased a Google Suite account and set up another domain that was having the same issues. Within about two hours of setting this up, I was able to receive all the emails that were previously being bounced.

I then migrated these domains back to Fastmail and the emails were being bounced again with the same errors on the senders' side.

I then migrated it back to my self hosted solution and the emails did not get bounced anymore. I responded to the Fastmail ticket with these results and it has now been over 24 hours with no response although their usual response time is within an hour. For one of the larger companies I set up using Fastmail's email service, this is a huge issue and now I have to look at migrating everything to a different service.

Just to also show that the issue is not just me, I looked at their Twitter account and noticed that other customers are having this issue. Check this and this out as examples. If the tweets get taken down, then check out the screenshots of them here.

I've come across a couple of recent forum posts where other users are experiencing the same issue including on this forum here.

I really hope Fastmail fixes this for other customers or figures out what's going on but this issue has been a deciding factor to stop using their services. If only Fastmail resolved this issue as soon as possible, I'd probably keep using their services. I hope this post also helps others figure out if they really do want to use Fastmail or not. I would advise anyone looking at Fastmail to evaluate other options. You probably don't want to host your email with a company where you might never receive that important email you've been waiting for.

Last edited by KingOfTheData : 2 Jun 2017 at 03:48 AM.
KingOfTheData is offline   Reply With Quote

Old 29 May 2017, 07:44 AM   #2
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,084
Thank you for taking the time to document this issue here. I flatter myself that I am pretty good at recognizing the difference between a mischievous post and a genuine report. I am pretty confident yours is the latter, and it is a major concern.

I agree that something in FastMail's own system is most likely to be implicated, though other improbable possibilities (like a man-in-the-middle attack) cannot be ruled out.

In the past, FastMail staff often visited these forums, but now rarely. For the benefit of my own customers, it is important urgently to somehow get key FastMail staff involved in investigating the issue. I am going to open my own ticket, and see if private messages motivate FastMail staff to read this thread.
BritTim is offline   Reply With Quote
Old 29 May 2017, 08:32 AM   #3
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 212
Thank you both for drawing attention to this issue. Hopefully FM can really put some focus on troubleshooting. I don't have major issues with receiving emails at FM, but there have been some unusual quirks with emails that occasionally just never arrive, and I find myself scratching my head. So far I've been able to brush them off (low-priority newsletters) or work around the issues, but perhaps there's a bug of some kind on FM's end.
DumbGuy is offline   Reply With Quote
Old 29 May 2017, 09:02 AM   #4
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696

Representative of:
Fastmail.fm
Hi,

BritTim PM'd me. I'm checking this out now. I don't suppose you have the ticket number for the original issue so I can know the actual domain at issue? I'll go dig through the history, but we get quite a lot of tickets every day, so knowing the number helps speed it up.

Thanks,

Bron.
brong is offline   Reply With Quote
Old 29 May 2017, 09:56 AM   #5
KingOfTheData
Junior Member
 
Join Date: May 2017
Posts: 7
Hello all,

Thank you very much for all the fast responses! The current open ticket is #2411632. The other past closed tickets that I referenced in the original post are tickets #2395248 and #2379984.

Please let me know if you need further information from me and I would be glad to assist.
KingOfTheData is offline   Reply With Quote
Old 29 May 2017, 01:14 PM   #6
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696

Representative of:
Fastmail.fm
Apparently after spending a whole lot of engineer time and having Cloudflare join in and help we have a canonical answer for you:

"user has a half-arsed DNSSEC setup, and it's busted, so any site that checks DNSSEC will return no records"

*sigh*. https://ianix.com/pub/dnssec-outages.html - dnssec considered harmful.

Will reply on the ticket as well.
brong is offline   Reply With Quote
Old 29 May 2017, 01:14 PM   #7
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696

Representative of:
Fastmail.fm
https://blog.fastmail.com/2016/12/20/dnssec-dane/

That's us talking about why _we_ don't do DNSSEC. It leads to exactly the mess you are currently in.
brong is offline   Reply With Quote
Old 29 May 2017, 01:38 PM   #8
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 371
I went through this exact issue a couple of years ago (when rolling over my DNSSEC keys, my registrar didn't properly update one of the DS records), and I'm pretty sure it happened when my domain was on Google Apps (now G Suite) at the time, so I realize that part of it isn't specifically a FastMail problem in principle.

However, from the OP's description, it seems he simply changed his MX records to point to other mail servers and that caused everything to come through properly, so I'm a bit confused as to where this discrepancy comes into play. Is FastMail (or CloudFlare) checking DNSSEC at some point when routing mail inbound in a way that other services might not be? If DNSSEC is broken for the recipient's domain at the name server level, that should really affect DNS lookups regardless of where any of the resource records are pointing...
jhollington is offline   Reply With Quote
Old 29 May 2017, 02:27 PM   #9
KingOfTheData
Junior Member
 
Join Date: May 2017
Posts: 7
This did resolve the issue for all known companies that were getting bounced emails. From the way it looks, it is completely resolved. I'll update the ticket and this thread if I have any more issues with bounced emails.

I had DNSSEC set up on all my domains back when I used to self host on my own VPS. The information listed in my DNSSEC was still there as I never really venture into that area on my registrar's website. It's hidden in an advanced features area that is not in plain sight. I simply removed the data listed in my DNSSEC and am now able to receive these emails.

I really can't believe it took a month of troubleshooting, having multiple tickets open, and it was user error with one small setting that has been overlooked. I feel pretty embarrassed about this one.

I can't thank you enough for what you did today. Looks like I'm not moving away from Fastmail after all!

Just one small suggestion for your support team though. Please have your support team do a DNSSEC lookup or at least tell the customer to review their DNSSEC settings if they have continued issues with bounced emails. This would have saved a month of my time trying to figure it all out when the answer was right in front of me all along.

I'll update this topic if I have any continued issues with blocked emails.

Last edited by KingOfTheData : 29 May 2017 at 03:24 PM.
KingOfTheData is offline   Reply With Quote
Old 29 May 2017, 02:32 PM   #10
KingOfTheData
Junior Member
 
Join Date: May 2017
Posts: 7
Quote:
Originally Posted by jhollington View Post
However, from the OP's description, it seems he simply changed his MX records to point to other mail servers and that caused everything to come through properly, so I'm a bit confused as to where this discrepancy comes into play.

If DNSSEC is broken for the recipient's domain at the name server level, that should really affect DNS lookups regardless of where any of the resource records are pointing...
I'm a little confused about this as well. Google Suite was able to receive these emails with even a broken DNSSEC. Removing information from my DNSSEC area did resolve the bounced emails for all known problematic companies. I do think the issue is resolved now.

I am also interested in Fastmail's response to your questions.

Last edited by KingOfTheData : 29 May 2017 at 03:28 PM.
KingOfTheData is offline   Reply With Quote
Old 29 May 2017, 02:54 PM   #11
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696

Representative of:
Fastmail.fm
Yep, you can be sure we'll be adding "Check DNSSEC" to our list of things for frontline support to examine.

As for successful delivery anyway - yeah, I'm surprised about that too. It shouldn't have changed the resolution of the domain itself at the source servers, unless they have some shortcut for Google programmed in. Without knowing how Comcast and others of the "places that couldn't send to FastMail" do their DNSSEC checks, I have no idea about that at all.

Bron.
brong is offline   Reply With Quote
Old 29 May 2017, 03:33 PM   #12
KingOfTheData
Junior Member
 
Join Date: May 2017
Posts: 7
Thank you for your response and that would be very helpful information for your support team!

Last edited by KingOfTheData : 2 Jun 2017 at 03:50 AM.
KingOfTheData is offline   Reply With Quote
Old 29 May 2017, 04:02 PM   #13
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,084
Many thanks, Bron. Resolution of this has put my mind at rest. I was terrified I could have customers losing emails. For some of them, it would be expensive.
BritTim is offline   Reply With Quote
Old 29 May 2017, 11:16 PM   #14
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 371
Quote:
Originally Posted by KingOfTheData View Post
I'm a little confused about this as well. Google Suite was able to receive these emails with even a broken DNSSEC. Removing information from my DNSSEC area did resolve the bounced emails for all known problematic companies. I do think the issue is resolved now.
I'm assuming that when you switched to G Suite and your own server you simply updated the MX records in those domains without changing anything else?

Quote:
Originally Posted by brong View Post
As for successful delivery anyway - yeah, I'm surprised about that too. It shouldn't have changed the resolution of the domain itself at the source servers, unless they have some shortcut for Google programmed in. Without knowing how Comcast and others of the "places that couldn't send to FastMail" do their DNSSEC checks, I have no idea about that at all.
Yeah, it bothers me just because it makes so little sense as to how it could be worked around unless there was something else changed in the name servers or in the way that resolution was occurring. Even if there was a "shortcut for Google" in there somewhere, the OP also tried this with his own server, which was presumably located at a completely obscure IP address and hostname that wouldn't have otherwise applied.

Unless the OP moved the name servers, about the only logical thing I can think of is that perhaps DNSSEC wasn't on the domain containing the actual MX records, but on the domain containing the A records (or, ugh, CNAME records) that the MX records were pointing to. But of course that doesn't make sense either since the MX records should have been pointing to messagingengine.com, which definitely doesn't have DNSSEC enabled.

The problem that the OP had — a leftover DS record — was also another exact same problem I had when I finally gave up on the vagaries of DNSSEC for my own domains and turned it off. Much like my registrar goofed by not updating a DS record when rolling over keys the year before, they also didn't properly de-publish the DS records when I turned OFF DNSSEC entirely. I can definitely attest to the fact that this was breaking things for me no matter what I otherwise did, although of course by that time I recognized the problem right away and managed to get it resolved within about 72 hours (a simple "dig" directed at Google's public resolvers is a good diagnostic tool, as those ones definitely care about DNSSEC more than most do).

Anyway, I guess if it's resolved it's worth shrugging off and just chalking it up under the general headings of "DNSSEC is dangerous" and "broken DNSSEC is very bad."

Quote:
Originally Posted by BritTim View Post
Many thanks, Bron. Resolution of this has put my mind at rest. I was terrified I could have customers losing emails. For some of them, it would be expensive.
Me too. I'd been starting to have similar concerns over the past couple weeks having seen other reports of delivery problems, and this one was just a big heap of icing on the cake. I don't like the feeling of not trusting my email provider, and that's not something I've normally had a problem with when it comes to FastMail. There's at least one e-mail that I know was sent to me in the past couple of weeks that definitely did not get through (it was cc'ed to others who did receive it, and had my name in the "To" line on their end), which was enough to give me pause, especially when another daily e-mail digest I get stopped coming through, but fortunately in that case the problem was on their end, not FastMail's. For the most part I'm not concerned at all, but I hate having even the tiniest feeling that something might be amiss.
jhollington is offline   Reply With Quote
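
The leftover or un-rotated DS record described in the post above can be confirmed offline by comparing the DS set the registrar publishes with the DNSKEY set the zone actually serves. The following is an added example, not code from any poster or from FastMail; `example.com`, both keys and all function names are constructed for illustration, and the key tag and digest follow RFC 4034.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, dnskey, digest_type=2):
    """DS tuple (key_tag, algorithm, digest_type, digest_hex) for one DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), dnskey[2], digest_type, digest)

def check_delegation(owner, parent_ds, zone_dnskeys):
    """Compare the DS set at the parent with the DNSKEYs the zone serves.

    Returns (verdict, unmatched_ds). "broken" is the case in this thread:
    validating resolvers answer SERVFAIL, non-validating ones still resolve.
    "linked" only means a DS matches a served key; signatures are not checked.
    """
    if not parent_ds:
        return "unsigned", []  # no DS at the parent: zone is treated as unsigned
    unmatched = []
    for tag, alg, dtype, digest in parent_ds:
        want = (tag, alg, dtype, digest.replace(" ", "").lower())
        if dtype not in DIGESTS or all(make_ds(owner, k, dtype) != want for k in zone_dnskeys):
            unmatched.append((tag, alg, dtype, digest))
    return ("broken" if len(unmatched) == len(parent_ds) else "linked"), unmatched

# Constructed sample data (not real keys): algorithm 13 uses a 64-byte public key.
OLD_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KEY = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
STALE_DS = make_ds("example.com", OLD_KEY)  # what was left at the registrar

if __name__ == "__main__":
    cases = {
        "DS left behind, zone unsigned": ([STALE_DS], []),
        "DS not updated after key rollover": ([STALE_DS], [NEW_KEY]),
        "DS matches served key": ([STALE_DS], [OLD_KEY]),
        "DS removed at registrar": ([], []),
    }
    for label, (ds, keys) in cases.items():
        print(f"{label}: {check_delegation('example.com', ds, keys)[0]}")
```

In practice the two inputs come from querying the parent zone for DS and the domain's own name servers for DNSKEY.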
Old 30 May 2017, 02:42 AM   #15
KingOfTheData
Junior Member
 
Join Date: May 2017
Posts: 7
Quote:
Originally Posted by jhollington View Post
I'm assuming that when you switched to G Suite and your own server you simply updated the MX records in those domains without changing anything else?
That's correct, when I switched to G Suite, I only updated the MX Records. So I'm not quite sure how they have a "work around" to still resolve even with DNSSEC issues.

When I self hosted my own email server, I did update/change the DNSSEC to work with my email server. This was recommended for the email set up that I used. So it definitely makes sense that my self hosted solution would receive these emails, because the DNSSEC was set up properly to match my self hosted setup.

Quote:
Originally Posted by jhollington View Post
Yeah, it bothers me just because it makes so little sense as to how it could be worked around unless there was something else changed in the name servers or in the way that resolution was occurring. Even if there was a "shortcut for Google" in there somewhere, the OP also tried this with his own server, which was presumably located at a completely obscure IP address and hostname that wouldn't have otherwise applied.
I did try pointing my nameservers directly to Fastmail but this did not resolve the issue. In fact, when the issue started, my nameservers were pointed to Fastmail. But I set these back to the default nameservers and set up MX records instead.

I did set up DNSSEC records for my self hosted solution, which worked great and was required by my self hosting setup.

Quote:
Originally Posted by BritTim View Post
Many thanks, Bron. Resolution of this has put my mind at rest. I was terrified I could have customers losing emails. For some of them, it would be expensive.
Agreed! Thank you all for your time on this. I'm so thankful that everything has been resolved.
KingOfTheData is offline   Reply With Quote
All times are GMT +9.