iCloud Mail has DNS misconfigured?

99 comments · March 29, 2025

Avamander

They also started using new IPs without PTR records to send out mail. Though so has Microsoft just recently. Both heavily frown upon that when receiving mail themselves. Do as we say...

wildekek

Not only does Apple frown upon that, they just silently drop emails that are sent from a server without PTR records. Yes, that includes their own servers. Yes, sending email from iCloud to iCloud is silently dropped if they decide you get assigned an outgoing server without PTR. The absolute amateurism just blows my mind.

kemotep

I hate getting a report telling me my work domain is blocked because it is missing a PTR record and we use Exchange Online. I can’t do anything about that!

solid_fuel

Complain to your provider. You're paying for the service, right? They should run a properly configured mail exchange and part of that is having PTR records. If they can't manage that then it's time for a serious discussion about changing vendors.

genewitch

Sure you can. For instance, I don't use Exchange at all.

bongodongobob

Yep, whenever I start a new job I say "Don't worry, because iamverysmart, you don't need any Microsoft products!" I am then hailed as a genius, everyone claps, and I get a big fat raise.

TabTwo

Sure you can, take your business elsewhere.

kemotep

It’s a minor (but annoying) issue to make the reason to migrate 1,500 users, many of whom would still need licenses for Excel anyway.

Microsoft being annoying and frustrating and having so many issues is why I have a well paying job in IT.

cyberax

You can set up a reflector on a properly set up host, and have your Exchange server use it to route the outgoing mail.

wildekek

Be glad you receive a report. Apple just silently drops the email.

walrus01

It's incredibly entitled of some big cloud based operator to send mail from an SMTP source that doesn't have proper reverse DNS. Any normal independent small operator sending mail without proper reverse DNS will increase its likelihood of spam rank by a thousand percent. Or get flat out rejected at the SMTP negotiation process or relay attempt.

But things like icloud, office365, google workspace and similar are "too big to fail", right? They don't have to play by the same rules as the rest of us peons.

As referenced here, from the post on the 'mailop' mailing list:

https://news.ycombinator.com/item?id=43512353

This is either an astonishing level of technical fuck-up from what has to be an entire work group of people with six figure salaries whose jobs are nothing but running email server infrastructure, so they must clearly know better, or a lack of regard for the internet community and accepted standards. I really cannot think of a third possible explanation for it.

To be clear for those people who don't run their own email servers: Having proper reverse DNS for the IP of your outbound SMTP sending server is one of the absolute bare minimum requirements for accepted mail flow, and is a standard that's probably 25 years old or older now. It significantly pre-dates SPF, DKIM, DMARC and all the rest. Proper RDNS is literally one of the first things you verify before you set up everything else.

rreichel03

A few years ago, when iCloud custom domains first launched, I found a bug where Apple would permanently cache the MX record. If an iCloud user had ever used a custom domain, future emails from iCloud to that domain would still get routed to their iCloud inbox—even if the domain’s MX record no longer pointed to Apple. They eventually fixed it, but didn’t think it deserved a bounty, which was a bit surprising.

I'm sure there's a ton of interesting surface area here.

wildekek

So, Apple sends the wrong EHLO domain when trying to send emails out. This results in them dropping emails to their own users. Can't get past Apple's level 1 support. How can I get to someone that maintains their SMTP k8s cluster?
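Added example, not code from the thread or from any mail provider: the two checks the thread keeps returning to, walrus01's point that an outbound SMTP IP needs proper reverse DNS and wildekek's point that a wrong EHLO name gets mail dropped, written the way a strict receiving MTA evaluates a connecting client. The DNS data is a constructed in-memory stub (RFC 5737 documentation addresses, example.net names) so the script runs offline, and the reject/penalize policy is a hypothetical approximation of strict receivers, not any specific provider's rules.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and EHLO checks, receiver side.

Added example; not code from the thread or from any mail provider. All DNS
data below is constructed (RFC 5737 documentation addresses, example.net
names) and served from an in-memory stub so the script runs offline. The
reject/penalize policy is a hypothetical approximation of strict receivers.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed reverse zone: connecting IP -> PTR target names.
PTR_RECORDS = {
    "198.51.100.10": ["mta-out1.example.net."],  # PTR and A agree (FCrDNS passes)
    "198.51.100.20": [],                         # new IP put into service with no PTR
    "198.51.100.30": ["mta-out3.example.net."],  # PTR exists, but its A record points elsewhere
    "203.0.113.5":   ["mta-out1.example.net."],  # PTR copied from another host
}
# Constructed forward zone: hostname -> A records.
A_RECORDS = {
    "mta-out1.example.net.": ["198.51.100.10"],
    "mta-out2.example.net.": ["198.51.100.20"],
    "mta-out3.example.net.": ["198.51.100.99"],
}


def lookup_ptr(ip: str) -> list[str]:
    """Stub for a PTR query on the in-addr.arpa name of `ip`."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name: str) -> list[str]:
    """Stub for an A query; normalises case and the trailing dot."""
    return A_RECORDS.get(name.lower().rstrip(".") + ".", [])


# Loose FQDN syntax: at least two labels, label rules from RFC 1123 section 2.1.
_FQDN = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}\.?$",
    re.I,
)


@dataclass
class SenderCheck:
    ip: str
    ehlo: str
    ptr_names: list[str]
    fcrdns: bool      # some PTR name resolves back to the connecting IP
    ehlo_ok: bool     # EHLO is an FQDN resolving to the IP, or a matching address literal
    issues: list[str]

    @property
    def verdict(self) -> str:
        # Hypothetical policy: no PTR or failed FCrDNS is fatal; a bad EHLO only scores.
        if not self.ptr_names or not self.fcrdns:
            return "reject"
        if not self.ehlo_ok:
            return "penalize"
        return "accept"


def check_sender(ip: str, ehlo: str) -> SenderCheck:
    """Evaluate a connecting IP and its EHLO argument the way a strict receiver would."""
    ip = str(ipaddress.ip_address(ip))  # canonical form; raises on garbage
    issues: list[str] = []

    ptr_names = lookup_ptr(ip)
    if not ptr_names:
        issues.append(f"no PTR record for {ip}")
    # FCrDNS: at least one PTR target must have an A record equal to the connecting IP.
    fcrdns = any(ip in lookup_a(name) for name in ptr_names)
    if ptr_names and not fcrdns:
        issues.append(f"PTR {ptr_names[0]} does not resolve back to {ip}")

    if ehlo.startswith("[") and ehlo.endswith("]"):
        # Address-literal form, e.g. [198.51.100.10] or [IPv6:2001:db8::1].
        try:
            literal = ehlo[1:-1]
            if literal.lower().startswith("ipv6:"):
                literal = literal[5:]
            ehlo_ok = str(ipaddress.ip_address(literal)) == ip
        except ValueError:
            ehlo_ok = False
        if not ehlo_ok:
            issues.append(f"EHLO literal {ehlo} does not match {ip}")
    elif not _FQDN.match(ehlo):
        ehlo_ok = False
        issues.append(f"EHLO {ehlo!r} is not a fully qualified hostname")
    else:
        ehlo_ok = ip in lookup_a(ehlo)
        if not ehlo_ok:
            issues.append(f"EHLO {ehlo} does not resolve to {ip}")

    return SenderCheck(ip, ehlo, ptr_names, fcrdns, ehlo_ok, issues)


if __name__ == "__main__":
    for ip, ehlo in [
        ("198.51.100.10", "mta-out1.example.net"),    # clean
        ("198.51.100.20", "mta-out2.example.net"),    # forward DNS fine, no PTR
        ("198.51.100.30", "mta-out3.example.net"),    # PTR present, FCrDNS fails
        ("198.51.100.10", "wrong-name.example.org"),  # good IP, wrong EHLO name
        ("198.51.100.10", "localhost"),               # bare hostname in EHLO
    ]:
        r = check_sender(ip, ehlo)
        print(f"{ip:<15} EHLO {ehlo:<24} -> {r.verdict:<8} {'; '.join(r.issues)}")
```

The asymmetry in the policy is deliberate. A missing or non-confirming PTR is treated as fatal because that is how many receivers behave in practice, whereas RFC 5321 section 4.1.4 says a server MAY verify the EHLO argument against the client address but MUST NOT refuse a message solely on that basis, so the example only marks a bad EHLO for scoring. A provider that sends from an IP with no PTR, or with an EHLO name that does not resolve to it, fails the first check at strict receivers regardless of what SPF, DKIM and DMARC say afterwards.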

morphle

We usually ask around on the NANOG mailing list. Someone on that list usually already knows the contact method or a person at an ISP, datacenter or hyperscaler.

https://nanog.org/resources/nanog-mailing-lists/


systemswizard

saagarjha

Ah yes. If you are having problems with your email, send us an email.

cpach

It’s not very hard to register an alternative email account somewhere.

nikanj

> How can I get to someone that maintains their SMTP k8s cluster?

By posting on Hacker News and making it to the front page. The same support strategy also works for all the other major providers

Polizeiposaune

This was mentioned earlier today on the mailop list:

https://www.mail-archive.com/mailop@mailop.org/msg24300.html

with a later response indicating that Apple was aware:

https://www.mail-archive.com/mailop@mailop.org/msg24312.html

darkwater

Greybeard here, but it gives me shivers that on a mailop ML people top-post.

SSLy

Might've been replied to from an iPhone; Mail.app does that, sadly.

qingcharles

OK, that response is from an actual Apple employee, so does look promising.

djhworld

I lost faith in iCloud custom domains a few months ago. I was receiving the usual marketing emails etc. fine, but actual person-to-person emails? Sometimes replies would come through, other times nothing.

I thought at first people were just ignoring me, but when a company reached out to me over SMS to respond to a complaint I had, they said their email reply had bounced so they were contacting me over SMS instead.

Switched to fastmail at that point.

9dev

You’re really scaring me—I also had the impression people are ignoring me, and didn’t even consider their mail simply bounces… I’m so over migrating email again.

MisterBiggs

Is this new? I've been using icloud with a custom domain for about a year and just had my first failure today with an address that I've actively been talking to all week.

DrBenCarson

Yes, I’ve been on iCloud 2y+ and saw my first failure today

zeagle

I switched from migadu to iCloud to increase my bus factor for the family. It's been interesting and a bit painful. For example, I have a filter to forward emails from a 'bothofus' alias to my spouse's iCloud account at the same domain because there is no way to have a true alias --> mailbox1, mailbox2. Sometimes iCloud bounces these emails sent from itself.

JumpCrisscross

> to increase my bus factor for the family

?

nycdatasci

https://en.wikipedia.org/wiki/Bus_factor

The bus factor (aka lottery factor,[1][2] truck factor,[3] or circus factor[4]) is a measurement of the risk resulting from information and capabilities not being shared among team members, derived from the phrase "in case they get hit by a bus".

dktp

I think the question is about why someone would want to _increase_ their bus factor for the family


jeffbee

p00-icloudmta-asmtp-us-central-1k-100-percent-10.p00-icloudmta-asmtp-vip.icloud-mail-production.svc.kube.us-central-1k.k8s.cloud.apple.com is one hell of a name, though.

Did you try postmaster@apple.com, hostmaster@apple.com, or icloudadmin@apple.com (not traditional, but given in their docs)?

ndegruchy

I paid for that domain, I'm gonna use all of the characters in that domain!

jasonjayr

Interesting insight into how they organize their compute resources!

pests

Yeah, oddly lots of information in that domain.

TabTwo

naming things - always the easy part of the setup

edoceo

Stumbled on a Honeypot?


cchance

I mean, if you're never typing it, which... I mean they never are, it's all automated most likely, why not have all the details they could ever need? Probably makes tracking issues and traceroutes etc. much easier to deal with.

Galaco

iCloud Custom Domains & Mail are filled with bugs. My favourite one is that if the custom email I want to register has EVER been associated with an Apple account, it can never be used as a custom domain, unless that domain is set to catch-all; it is impossible to add that specific address; it just errors without any specific message. The original account was fully deleted, after going through the arduous process they set up that takes weeks to actually delete the account.

Customer support is worthless for actual technical problems, as usual for Apple. Fun extra regarding customer support: if you arrange a support call in a language not native to your region, they honor that, but that information is lost if they escalate the call; the callback is always in the national language, despite explicit requests over the phone during the callback scheduling.

CraigRood

For what it's worth, I was able to add my custom domain to iCloud under this exact scenario without any issues. This was 3 years ago, so I don't know if anything has changed, and I didn't have the 'catch all' limitation either.

ctippett

I had to give up trying to use iCloud for email. So many inbound emails would be silently dropped. I've also sent emails to @icloud.com addresses that the recipient never received.

The deliverability issues also apply to their Hide My Email feature. I frequently miss confirmation or verification emails after signing up with a @privaterelay.appleid.com address, so much so that I don't even bother with it anymore.

iancarroll

We send OTP codes for our login flow and iCloud is definitely a big source of delayed email complaints. Codes eventually arrive, but not before a support ticket is created. Instant on every other ISP.

jlund-molfese

I'm seeing 10/10 though, with a custom iCloud domain ("Your hostname outbound.mr.icloud.com is assigned to a server.").

What's different?

wildekek

You got assigned a different outgoing server/PoP.

jlund-molfese

Interesting! I misunderstood and thought the issue was with every iCloud Mail server

alfiedotwtf

This shows that email should die in a tyre fire and we all need to collectively move to something else… but we should have done this more than 10 years ago.

Email has SO many technical issues that if someone would have come out with email today, nobody would use it!

The ONLY thing going for it really is that it’s decentralised and has the network effect that almost everyone uses it. Bzzzt, I kid I kid!

Anyone under 25 will tell you they do NOT use emails and instead prefer instant message, and is email really decentralised? NO!! Try setting up your own relay and you’ll be dropped by any big service. Gmail+Outlook is basically a cartel with zero recourse!

Hmmm… could there even be a case of anti-trust given Gmail’s behaviour

tonyedgecombe

Yes, we should move to a proprietary service where the provider can extort us for the rest of our lives.

alfiedotwtf

Not sure where in my comment I said proprietary?

I just mean we take RFC 821 and RFC 822, then everything built on top of that flaming tire fire, and send it into an orbit directly into the sun, and replace it with new open protocols that weren't designed when the internet was a trusted network, with layers and layers of crust stacked on top in order to mitigate its shortfalls.