They also started using new IPs without PTR records to send out mail. Though so has Microsoft just recently. Both heavily frown upon that when receiving mail themselves. Do as we say...
So, Apple sends the wrong EHLO domain when trying to send emails out. This results in them dropping emails to their own users. Can't get past Apple's level 1 support. How can I get to someone that maintains their SMTP k8s cluster?
A few years ago, when iCloud custom domains first launched, I found a bug where Apple would permanently cache the MX record. If an iCloud user had ever used a custom domain, future emails from iCloud to that domain would still get routed to their iCloud inbox—even if the domain’s MX record no longer pointed to Apple. They eventually fixed it, but didn’t think it deserved a bounty, which was a bit surprising.<p>I'm sure there's a ton of interesting surface area here.
This was mentioned earlier today on the mailop list:<p><a href="https://www.mail-archive.com/mailop@mailop.org/msg24300.html" rel="nofollow">https://www.mail-archive.com/mailop@mailop.org/msg24300.html</a><p>with a later response indicating that Apple was aware:<p><a href="https://www.mail-archive.com/mailop@mailop.org/msg24312.html" rel="nofollow">https://www.mail-archive.com/mailop@mailop.org/msg24312.html</a>
I lost faith in iCloud custom domains a few months ago, I was receiving the usual marketing emails etc fine, but actual person to person emails? Sometimes replies would come through, other times nothing.<p>I thought at first people were just ignoring me, but when a company reached out to me over SMS to respond to a complaint I had, they said their email reply had bounced so was contacting me on SMS instead<p>Switched to fastmail at that point.
Is this new? I've been using icloud with a custom domain for about a year and just had my first failure today with an address that I've actively been talking to all week.
I switched from migadu to iCloud to increase my bus factor for the family. It's been interesting and a bit painful. For example I have a filter to forward emails from an 'bothofus' alias to my spouse's iCloud account at the same domain because there is no way to have a true alias --> mailbox1, mailbox2. Sometimes iCloud bounces these emails from sent from itself.
p00-icloudmta-asmtp-us-central-1k-100-percent-10.p00-icloudmta-asmtp-vip.icloud-mail-production.svc.kube.us-central-1k.k8s.cloud.apple.com is one hell of a name, though.<p>Did you try postmaster@apple.com, hostmaster@apple.com, or icloudadmin@apple.com (not traditional, but given in their docs)?
iCloud Custom Domains & Mail are filled with bugs. My favourite one is that if my custom email I want to register has EVER been associated with an Apple account, it can never be used as a custom domain, unless that domain is set to catch all; it is impossible to add that specific address; it just errors without any specific message. The original account was fully deleted; going to the arduous process they set up that takes weeks to actually delete the account.<p>Customer support is worthless for actual technical problems as usual for Apple. Fun extra regarding customer support; if you arrange a support call in a language not native to your region, they honor that, but that information is lost if they escalate the call; the callback is always in the national language, despite explicit requests over the phone during the callback schedule
I had to give up trying to use iCloud for email. So many inbound emails would be silently dropped. I've also sent emails to @icloud.com addresses that the recipient never received.<p>The deliverability issues also apply to their Hide My Email feature. I frequently miss confirmation or verification emails after signing up with a @privaterelay.appleid.com address, so much so that I don't even bother with it anymore.
I'm seeing 10/10 though, with a custom iCloud domain ("Your hostname outbound.mr.icloud.com is assigned to a server.").<p>What's different?
This shows that email should die in a tyre fire and we all need to collectively move to something else… but we should have done this more than 10 years ago.<p>Email has SO many technical issues that if someone would have come out with email today, nobody would use it!<p>The ONLY thing going for it really is that it’s decentralised and has the network effect that almost everyone uses it. Bzzzt, I kid I kid!<p>Anyone under 25 will tell you they do NOT use emails and instead prefer instant message, and is email really decentralised? NO!! Try setting up your own relay and you’ll be dropped by any big service. Gmail+Outlook is basically a cartel with zero recourse!<p>Hmmm… could there even be a case of anti-trust given Gmail’s behaviour
How do they not have an A record for it, kinda nuts<p><a href="https://dns-lookup.jvns.ca/#p00-icloudmta-asmtp-us-central-1k-100-percent-10.p00-icloudmta-asmtp-vip.icloud-mail-production.svc.kube.us-central-1k.k8s.cloud.apple.com|A" rel="nofollow">https://dns-lookup.jvns.ca/#p00-icloudmta-asmtp-us-central-1...</a>
I also use iCloud mail, mine looks slightly better (though not perfect): <a href="https://www.mail-tester.com/test-n5b4ip8ey" rel="nofollow">https://www.mail-tester.com/test-n5b4ip8ey</a>
The biggest problem with huge corporations is that sometimes it's next to impossible to actually communicate with them. Does anyone have any good contacts at Apple?<p>I sent this more than two weeks ago:<p><pre><code> Date: Wed, 12 Mar 2025 22:56:55 +0000 (UTC)
From: John Klos <*******@klos.com>
To: apple.com-Admin@anonymised.email, apple.com-Tech@anonymised.email, Apple-NOC@apple.com, d*******@apple.com
Subject: Issue with Apple's SMTP delivery
Hello,
I've had several issues reported about email delivery from Apple. The error they have in common is this:
Mar 12 21:38:17 daisy sm-mta[28249]: 52CLcCoi028249: ruleset=check_mail, arg1=<*******@me.com>, relay=p-west1-cluster6-host7-snip6-8.eps.apple.com [IPv6:2a01:b747:3003:204:0:0:0:47], reject=550 4.1.8 <*******@me.com>... Access denied. HELO does not resolve. (HELO p00-icloudmta-asmtp-us-west-1a-1.p00-icloudmta-asmtp-vip.icloud-mail-carry.svc.kube.us-west-1a.k8s.cloud.apple.com)
Looking in to this, the resolution of "p00-icloudmta-asmtp-us-west-1a-1.p00-icloudmta-asmtp-vip.icloud-mail-carry.svc.kube.us-west-1a.k8s.cloud.apple.com" results in this list of MX:
mx-in.g.apple.com
mx-in-mdn.apple.com
mx-in-hfd.apple.com
mx-in-ma.apple.com
mx-in-rn.apple.com
mx-in-vib.apple.com
mx-in-rno.apple.com
mx-in-sg.apple.com
All but two of these resolve to A records.
Two of those, though, resolve to more MX:
host mx-in-rno.apple.com
mx-in-rno.apple.com mail is handled by 10 mx-in.g.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-vib.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-rno.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-rn.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-hfd.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-sg.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-mdn.apple.com.
mx-in-rno.apple.com mail is handled by 20 mx-in-ma.apple.com.
host mx-in-mdn.apple.com
mx-in-mdn.apple.com mail is handled by 20 mx-in-mdn.apple.com.
mx-in-mdn.apple.com mail is handled by 20 mx-in-sg.apple.com.
mx-in-mdn.apple.com mail is handled by 10 mx-in.g.apple.com.
mx-in-mdn.apple.com mail is handled by 20 mx-in-vib.apple.com.
mx-in-mdn.apple.com mail is handled by 20 mx-in-rn.apple.com.
mx-in-mdn.apple.com mail is handled by 20 mx-in-hfd.apple.com.
mx-in-mdn.apple.com mail is handled by 20 mx-in-ma.apple.com.
mx-in-mdn.apple.com mail is handled by 20 mx-in-rno.apple.com.
This loop is a mistake and should be fixed.
Additionally, RFC 5321 section 2.3.5 says that the name given in an EHLO / HELO greeting should be an IP literal or a primary host name ("a domain name that resolves to an address RR"). The name given in the EHLO / HELO exchange does not resolve to an address RR; it only resolves to an MX. While this is technically incorrect, the looping MX is the real issue. However, if you're fixing the looping issue, you may want to consider fixing this issue at the same time.
Please look in to this, and please let me know if you have any questions or need any additional information.
Thank you,
John Klos</code></pre>
So you created a proxy to an endpoint to an email from iCloud and something in the chain had a misconfigured DNS with the domain “p00-icloudmta-asmtp-us-central-1k-100-percent-10.p00-icloudmta-asmtp-vip.icloud-mail-production.svc.kube.us-central-1k”. It might as well be an issue with mail-testers.com or icloud.com<p>It’s impossible to tell from the shared page because both services are about DNS caching.
iCloud custom domain, i'm scoring perfectly (other than mail message content which is irrelevant in this case). <a href="https://www.mail-tester.com/test-cqf7rdktf" rel="nofollow">https://www.mail-tester.com/test-cqf7rdktf</a>
When you own a 17 net or 12 net, I think it comes as a given on extra txt records not needed. Totally not fair, but reality, and someone’s allowing it on the filtering side.