Sender Verification

Email as a technology and public service is a mess.

It was engineered in a ‘closed system’ — ‘bad guys’ did not exist.

The need to scale to billions of users worldwide was not properly anticipated in the design.

Today we are left with a patchwork of underlying vulnerabilities and inconsistencies, made better or worse by higher-layer duct-tape fixes that sometimes even conflict with each other.

One of the technologies currently in use is Sender Verification. In short, when a sender-verification-enabled email server receives an email message, it queries the originating server, asking it if such a user exists. If one does, it approves the message; if one does not, it denies the message, and may go on to take further steps, such as blacklisting or greylisting the sender or the sender’s email server.

For this setup to work, it requires careful configuration, especially of the DNS records, for all the servers involved.

—~∞~—

We just solved a bizarre error related to this setup. In this scenario, users were getting their outbound emails blocked with a “550-No Such User Here 550 Sender verify failed” error. The emails were failing the sender verification, but only for one particular domain.

After some time and some troubleshooting, we discovered it was the same error that Mick West wrote about. It was a cPanel server, and the destination server was ostensibly hosted on the same server as the originating server. In actual fact, while the website's A record (in global internet DNS) did point to that server, the MX record pointed elsewhere. However, the internal DNS did not reflect this.

So, while email sent from any other server would check the global DNS and find the right mail exchange server to verify the email address with, any email sent through the same server (for example, by the users in question who were experiencing and reporting this error) would draw the incorrect MX record from the local (to that server) DNS. When the server would then try to verify the user (actually against itself, instead of the real mail server in this case), that verification would fail.

We changed the local DNS copy of the MX record, and the problems disappeared.
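
A quick way to spot this kind of split between local and global DNS is to ask both resolvers for the domain's MX records and compare the answers. The script below is an added example, not something from the original troubleshooting session; the function names and the resolver addresses (127.0.0.1 for the server's own name server, 1.1.1.1 as a public resolver) are assumptions, and the sample answers in the comments are constructed.

```shell
#!/bin/sh
# Added example: detect a mail server whose local DNS copy of a domain's
# MX records differs from what the public internet sees.

# Reduce `dig +short MX` output ("10 mx1.example.") to a sorted list of
# lowercase host names without the trailing dot. Preference values are
# dropped: the question here is which hosts receive the verification probe.
mx_hosts() {
    printf '%s\n' "$1" | awk 'NF { print tolower($NF) }' | sed 's/\.$//' | sort -u
}

# mx_verdict LOCAL_ANSWER PUBLIC_ANSWER
# Prints "match" when both answers name the same MX hosts, else "mismatch".
mx_verdict() {
    if [ "$(mx_hosts "$1")" = "$(mx_hosts "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# check_domain DOMAIN [LOCAL_RESOLVER] [PUBLIC_RESOLVER]
# Queries both resolvers with dig and reports the verdict.
# Resolver defaults are assumptions; adjust them for the server in question.
check_domain() {
    domain=$1
    local_ns=${2:-127.0.0.1}
    public_ns=${3:-1.1.1.1}
    local_ans=$(dig +short MX "$domain" "@$local_ns")
    public_ans=$(dig +short MX "$domain" "@$public_ns")
    verdict=$(mx_verdict "$local_ans" "$public_ans")
    echo "$domain: $verdict"
    if [ "$verdict" = mismatch ]; then
        echo "  local  ($local_ns): $(mx_hosts "$local_ans" | tr '\n' ' ')"
        echo "  public ($public_ns): $(mx_hosts "$public_ans" | tr '\n' ' ')"
    fi
}

# Constructed illustration of the failure described above:
#   local answer  "0 example.test."          (server thinks it is the MX)
#   public answer "10 mx1.mailhost.example." (mail is really hosted elsewhere)
# Run against a real domain only when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_domain "$@"
fi
```

Run it on the mail server itself, passing the domain whose senders are failing verification; a "mismatch" line means the server's own DNS is steering the verification probe to the wrong mail exchanger.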

—~∞~—

Your Computer Genius is available to configure your hosting solution, establish sender verification for your domain, troubleshoot your DNS, set up your corporation or institution on a Google-Hosted service, and resolve all your computer woes.