[Mailman-Users] AOL screening Reply-To header thru DMARC ?

Mark Sapiro mark at msapiro.net
Sat Oct 18 20:03:11 CEST 2014

On 10/17/2014 10:33 PM, Ed Ravin wrote:
> I set up the list to use the list's address as the From address and to
> put the sender's address in Reply-To:.  I started playing around with a
> test list - in no time at all, AOL began bouncing all my mail.
> After researching AOL's error messages, it appeared that my server
> had been temporarily blacklisted.  That went away but then I noticed
> this error:
>    Oct 18 01:01:26 vc18 postfix/smtp[25098]: C77D416B4D9: host mailin-01.mx.aol.com[] said: 421 4.2.1 :  (RLY:SN) http://postmaster.info.aol.com/errors/421rlysn.html (in reply to end of DATA command)

I have a somewhat different issue. I am using dmarc_moderation_action =
Munge From, and when an AOL user posts to the list, the list message
sent back to the user bounces with "521 5.2.1 :  AOL will not accept
delivery of this message. (in reply to end of DATA command))". The same
messages sent to other AOL users are accepted by AOL.

> According to that URL on AOL's site, either my From or Reply-To is using an
> address in violation of DMARC.

I just read that link after writing all the rest of this reply (which
now seems moot). It says "421 RLY:SN    This error indicates you are
sending email using a disallowed AOL.COM screenname as your FROM or
REPLY-TO address, or as one of AOL's affiliates from an unauthorized IP
address. Example: Billing at aol.com". It doesn't mention DMARC. It says
the specific address in (in this case) Reply-To: is a disallowed AOL.COM
screenname or affiliate address. Assuming the aol.com address in
question is valid, I don't know why AOL doesn't like it, but AOL isn't
blaming DMARC.

Interesting as there is nothing in the DMARC specification about
Reply-To: headers. DMARC is only about From: header domains aligning
with valid SPF or DKIM signature domains.

If AOL is really checking Reply-To: domains for 'DMARC' compliance, this
is outside the specification, but in my case at least they don't seem to
be because the original message with From: address = the list address
and Reply-To: address = the OP's aol.com address is accepted by AOL when
sent to AOL addresses other than the OP's.

Note also that in my case, I started DKIM signing these outgoing
messages with the domain of the list, so they should pass DMARC as they
are From: the list's domain and have both valid SPF and DKIM sig from
that domain, but the OP's list copy is still rejected by AOL as above.

> I had already checked the From address so
> it was apparent the Reply-To was at fault.  Aalthough the mail was not
> being rejected, given AOL's hair-trigger sensors I figured it would be
> better to do it their way.   Changing the  Reply-To: to the list's address
> got rid of the 421 error.
> Has anyone else run into this?  I hate doing this, since now we're going
> to see people sending what they think are private messages to the entire
> list.

And it may solve my issue too, but I'm not going to do it because of the
above and since so far at least it only affects delivery to the poster.
The poster does score bounces, but this can be avoided by setting
non-digest AOL members to not receive their own posts which is
effectively the case anyway.

> I see from the docs that Mailman can do different behavior on the From:
> address depending on whether it is in a DMARC-protected domain - are there
> any plans to do the same for the Reply-To?  Looks to me like it will be
> necessary given what AOL is doing.

If and when there is an accepted standard governing this behavior, I'll
consider it. In the mean time, I'm not interested in accommodating
non-compliant behavior by one rogue ESP.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list