How to resolve 'HELO/EHLO outbound.qs.icloud.com is not matching your DNS configuration' error in iCloud Mail?

HELO/EHLO DNS Configuration, Mail doesn't deliver email to specific address

Mac OS 15.4.1 / iPhone 18.4.1


I cannot send email via Mail iCloud to one distinctive email provider. The emails bounce back after hours with this msg: "refused to talk to me: 421 EHLO MXIN201 Your HELO/EHLO outbound.qs.icloud.com is not matching you DNS configuration"


This happens when I send email via iCloud with wifi on. If I send it thru my iPhone mobile service (wifi off) the email reaches its destination 100%. Also, I can reach it thru gmail or outlook accounts. Strangely enough I can reach my iCloud address from that other email address no problem. Even more strange: I can send email to that email address using iCloud webmail.

I have spent hours talking to Apple Support and the provider, to no avail. The provider says it's an issue with iCloud. Apple says it's a problem with the provider.

I have checked ALL settings (osx mail, system, router) and cannot find any problem. All settings are as expected. I have latest software on all devices. I have switched off all security software (Norton). This issue started after I installed OSX 15.4, but I doubt that this is the problem.


[Re-Titled by Moderator]

iMac (2017 – 2020)

Posted on Apr 17, 2025 8:44 AM

Question marked as Top-ranking reply

Posted on Apr 23, 2025 6:18 AM

Solution found!

Following a suggestion from a very savvy user in the German Apple Community, I changed my DNS settings on my iPhone to 8.8.8.8 (Google), deleted the DNS numbers from my provider. Sent a test email to the troublesome email address and - it was delivered!

Next I did the same on my iMac, then deleted the Google DNS and reinstalled the original DNS settings on my iMac, sent an email and it got delivered right away. Somehow the DNS and SMTP settings must have got corrupted after update to 15.4. / 18.4.

I'll keep my fingers crossed.


40 replies

Apr 28, 2025 9:47 AM in response to PeterKurt

The EHLO DNS mismatch is an SMTP-level error involving whatever pool of Apple SMTP mail servers implementing outbound.qs.icloud.com or the associated Apple DNS translations, or issues with the DNS servers and DNS translations at the destination mail server, or DNS caching at either originating or recipient, and is unrelated to local routers and local mail client settings and local DNS.


SMTP servers will send a HELO or EHLO message as part of the initial connection to the destination mail server, and that mail provider is verifying that address.


Restarting local networking gear, or switching to a different network path, or client updates, or other similar steps probably gets you onto a different Apple mail server (with a correct configuration), which will then mask the problem on either the outbound sending server pool or in the recipient mail server translations.


This is not an error that an end-user can resolve.

May 3, 2025 8:31 AM in response to PeterKurt

@peterkurt - This is nothing to do with your DNS settings. I would love to see the headers on the successful mail, to see what the difference is though.


This is down to how Apple’s outbound mail system is set up.


As a real world example we’ll use my server.


When it talks to an inbound server it announces itself with an EHLO command

EHLO mail.timothy*****.co.uk

If you do a DNS lookup for that FQDN you’ll see its IP addresses


mail@mail:~$ nslookup mail.timothydutton.co.uk

Server: 213.186.33.99

Address: 213.186.33.*****


Non-authoritative answer:

Name: mail.timothy*****.co.uk

Address: 51.68.***.***

Name: mail.timothy*****.co.uk

Address: 2001:41d0:801:****::****


If you do a reverse lookup on the server IPs


;; ANSWER SECTION:

229.196.**.**.in-addr.arpa. 86400 IN PTR mail.timothy*****.co.uk.


As you can see, everything matches up.


When it doesn’t, mail providers can reject the mail. Whoever’s responsible for the mail system needs to be looking into this and fixing their setup.


Tim



[Edited by Moderator]
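
The matching check described in the reply above, written out as an added example that is not part of the original thread or any provider's actual filter. The hostnames, the documentation-range IP addresses, the `check_ehlo` helper and its verdict policy are assumptions; the pooled-name case models a shared EHLO name that does not resolve to the connecting server.

```python
import ipaddress

# Constructed sample DNS data (documentation address ranges, not real records).
FORWARD = {  # hostname -> A/AAAA records
    "mail.example.org": ["192.0.2.25", "2001:db8::25"],
    "alias.example.org": ["192.0.2.25"],
    "outbound.pool.example.net": ["198.51.100.10"],
}
REVERSE = {  # IP address -> PTR records
    "192.0.2.25": ["mail.example.org."],
    "2001:db8::25": ["mail.example.org."],
    "198.51.100.10": ["outbound.pool.example.net."],
    "198.51.100.77": ["host77.pool.example.net."],
}

def norm_name(name):
    """DNS names compare case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def addrs(records):
    """Canonical text form of each address so IPv6 spellings compare equal."""
    return {str(ipaddress.ip_address(a)) for a in records or []}

def check_ehlo(ehlo_name, client_ip, forward=FORWARD.get, reverse=REVERSE.get):
    """Return (verdict, reason) for a client at client_ip announcing ehlo_name.

    The policy is an assumption for illustration; pass real resolver
    callables as forward/reverse to run it against live DNS.
    """
    ip = str(ipaddress.ip_address(client_ip))
    helo = norm_name(ehlo_name)
    helo_addrs = addrs(forward(helo))
    if not helo_addrs:
        return ("fail", "EHLO name has no A/AAAA record")
    if ip not in helo_addrs:
        return ("fail", "EHLO name does not resolve to the connecting IP")
    ptrs = [norm_name(p) for p in reverse(ip) or []]
    confirmed = [p for p in ptrs if ip in addrs(forward(p))]
    if not confirmed:
        return ("fail", "connecting IP has no forward-confirmed PTR")
    if helo not in confirmed:
        return ("warn", "PTR is valid but names a different host than EHLO")
    return ("pass", "EHLO name, A/AAAA and PTR all agree")

if __name__ == "__main__":
    for name, ip in [("mail.example.org", "192.0.2.25"),
                     ("outbound.pool.example.net", "198.51.100.77")]:
        print(name, ip, check_ehlo(name, ip))
```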

Apr 23, 2025 5:25 AM in response to PeterKurt

It looks like I solved my problem.

On the site https://easydmarc.com/tools/spf-lookup I tested my spf and dmarc records. There was an issue with both records. So I deleted them all in my DNS and I created on the site easydmarc.com new records (same as before) and copied them to my dns, with no "" !

I made 2 spf's and 2 dmarc. 1 rule with hostname mydomain and 1 without a hostname (_dmarc and _dmarc.mydomain.com).

The next tests on easydmarc.com were now OK.

So after 1 hour waiting I tested my e-mail again on dmarctester.com and now all was OK

Why the problem was solved by deleting the dns records and make them new, I have no clue, but it worked for me.

Or maybe Apple also did something with the spf records?

Now I sent a test mail to a ziggo.nl address and hope it is not coming back this time. Fingers crossed..

Apr 29, 2025 3:19 AM in response to PeterKurt

@PeterKurt - Where did you delete, change re-add DNS settings?


Edit: That worked, though for how long I don't know. In Mac OS Settings, for the active WiFi network click Details > DNS, change to 8.8.8.8 and send a mail - worked. Deleted that which caused it to revert to the router/gateway address of 192.168.0.1. Sent another test and that too worked. I guess I'll do the same on my iPhone to test that works.

May 3, 2025 10:26 AM in response to mikebhm

mikebhm wrote:

Thanks @Ravenstar68

Is that explanation consistent with the fact that sending by webmail from iCloud.com avoids the problem?


Yes.


Apple operates immense pools of servers.


One mail server or one web server is not going to handle a billion-ish iCloud users.


This for many reasons. The sheer load of users for one, and the need to have services be available when a major network link or a server pool, or an entire data center, fails.


Now within what are likely various different pools of mail servers, and different pools of DNS servers, the different servers will have different configurations, some of which will be intentional configuration differences, and some can be stale caches or data corruptions.


Which outbound mail server is used can be based on the current load across the mail servers and trying to use less-loaded servers, servers selected based on geographic or network or data center locality, or other factors.


Many, many, many servers, organized into multiple pools, across multiple data centers.


How the EHLO works and the trigger here has been posted in a reply or two in this thread, as well.


TL;DR: yes, this is entirely consistent (mis)behavior in a complex system such as mail services at Apple’s scale. You’re using a different mail server from whichever server or servers or pool or pools have the mail or DNS misconfiguration or corruption, or getting a different receiving server from the server where the misconfiguration or corruption exists in the receiving mail server or its DNS.


Apr 23, 2025 9:30 AM in response to PeterKurt

Thank you very much for this. Has anyone else tried this solution?

I have two individuals (out of hundreds of people I email) whose messages from my mac.com address have started bouncing with this message. Both were OK last month.

I have changed my DNS to Google's 8.8.8.8 and 8.8.4.4 and sent them both a test message. Now waiting for a thumbs up from them or another bounce.

If it works I think I will probably keep the Google DNS.

Apr 23, 2025 2:49 AM in response to PeterKurt

I have the same problem. So I did a few tests with dmarctester.com.

From my iPhone and select my own domain e-mail everything is ok and all records (spf, dkim and dmarc) are ok and the e-mail will pass.

From my outlook client you need to send the mail as your own e-mail address, when you use your icloud.com address and send it on behalf it will fail anyway.

From my own domain address it gives an error on the spf and dmarc records. But the DKIM is ok. So the overall will pass.

I checked all my DNS settings and they are ok (v=spf1 include:icloud.com ~all and v=DMARC1; p=quarantine; fo=1)

There seems no problem, but spf will not pass. Is there a problem with the spf of Apple? Is it incomplete?

The mail from my outlook client uses the Host p-east3-cluster1-host10-snip4-10.eps.apple.com

Do you all have the same problem?

Apr 29, 2025 2:50 AM in response to PeterKurt

This is doing my head in now. While connected to my home network I'm unable to send from myself@icloud.com to any ntlworld.com or virginmedia.com address. I just get the error in the opening post, not straight away, but after a number of hours. I have several icloud addresses and I've tried both the main address and the aliases and the result is the same. I've tried everything, restarts, reboots, altering mail privacy/IP hiding settings in iCloud, turning private relay off, all to no avail. If I tether to my phone and use mobile data (or just turn off wifi from my phone and send from there) it works fine, just not while I'm connected to my home network, which is a Virgin Media connection.


One thing that does work....if I just go to iCloud.com on the web and send the mail from there, it works, even while I'm connected to my home network. I'm not sure why that gets around it, but it's hardly convenient as I'd rather just use the Mac Mail app.
