Welcome to the mailbox.org user forum!
 

Email dropped days later with "non DNSSEC destination" error

4464014 shared this question 17 days ago
Need Answer

I sent an email to a domain that I have sent emails to before. TWO DAYS later I got an undeliverability notice with the error message "non DNSSEC destination". I'm now out more than €100 for not cancelling a contract on time. What a fucking joke! Seriously, mailbox, you cannot deliver service like this an expect people to use you for mission critical email.

Comments (3)

photo
1

This destination must have been reachable by DNSSEC in the past while it is suddenly not DNSSEC-enabled any more. As we promised our customers, mailbox.org will do anything that's possible against man-in-the-middle attacks. For that, we do not stupidly deliver e-mails to destination, that suddenly massively lower their security level. I can't see any mistake here from mailbox.org. Instead, the destination host must state out, why they kicked of their security level and replaced it by something unsecure. When sending an e-mail, our webmail system shows up the security and crypto level and we promise to keep that.


Yes, there are rare cases where a destination lowers their security level that they had before. Mostly if they change their ISP and moved everything to somebody else. But that's a decision by the destination and they must know, that this become a problem. But that's nothing from mailbox.org.


Missing a contract on time is bad, maybe sending as latest-as-possible could also be a reason for that. But at the end this is an effect produced by the destination that lowered their security level and made a step back. To cancel the contract out of goodwill should be self-evident.


(Our learned security levels are self-expiring after some days. For sure, every destination can lower there level on the long run.)

photo
1

OK, so mailbox' systems noticed that the recipient host no longer has DNSSEC, and that it had in the past. Why not tell me then and there? Was the system waiting two days in the hope that the receiving host would re-enable DNSSEC? This seems crazy to me - clearly this should be a case where failing early makes sense!

photo
1

I agree that from a user's perspective it would be very helpful and in some cases even necessary to receive the notice for undeliverable emails much, much earlier.

Would it be possible to notify user in cases such as the one above (and all other cases where an email can not be delivered), let's say, within 10 minutes? The earlier, the better.

I am happy to send the email a second time or use another form of contact, even if the first one should get delivered eventually.

photo