Cannot send email to specific domain

Hello,

With 1.1.1.1 defined in my email server, i cannot send emails to domain @edp.pt a big company in Portugal.

with google dns it works ok.

Message is unroutable address.

regards.

Pedro

Could you follow this Have problems with 1.1.1.1? *Read Me First* (replace example.com with edp.pt) and report the output? In the US, both CF and Google DNS seem to resolve this correctly.

$ dig @1.1.1.1 edp.pt MX +short
10 edp-pt.mail.protection.outlook.com.
$ dig @8.8.8.8 edp.pt MX +short
10 edp-pt.mail.protection.outlook.com.

server 8.8.8.8
Default Server: dns.google
Address: 8.8.8.8

edp.pt.
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
edp.pt MX preference = 10, mail exchanger = edp-pt.mail.protection.outlook.com

server 1.1.1.1
Default Server: one.one.one.one
Address: 1.1.1.1

edp.pt.
Server: one.one.one.one
Address: 1.1.1.1

edp.pt
primary name server = ns.edp.pt
responsible mail addr = dns.edp.pt
serial = 2020011303
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 1209600 (14 days)
default TTL = 38400 (10 hours 40 mins)

I think this is a problem with the edp.pt when NSEC3 aggressive caching is used. When you ask the NS for edp.pt for a record that doesn’t exist like:

$ kdig @ns.edp.pt. edp.pt AAAA +dnssec | grep NSEC3
b0fuivg9bs7m8tn43tdbdc4mp72ppv7a.edp.pt. 38400	IN	NSEC3	1 0 1 D02E48527EF336BB b0fuivg9bs7m8tn43tdbdc4mp72ppv7b NS SOA RRSIG DNSKEY NSEC3PARAM
b0fuivg9bs7m8tn43tdbdc4mp72ppv7a.edp.pt. 38400	IN	RRSIG	NSEC3 10 3 38400 20200130043540 20200123043540 27035 edp.pt. jG3rqxg2FnK01Q6RujnDgNLupulYnWMYj1qzaFT9By6iVoj4fp39Pxr1pZrt7EcQ5gkcJ3lEeZ034g4kQPzoHKh48uS0txf1CxIXV7MejO2JpJ9Wk5z92aa6lacbXeV0Gb9XjcmV3s2C+uzA6XPMHpM4rvflUekx/UzII7yI16a7/U6wVwbAd3JaphD7Qu9Rm+R9JQSgyMpcf+Oy/fCf+kOotYJhfiFJYJ/9ngcEIL8BwYESNPECkP8WG0kJXdykHfRu2WCEKsbwCmGBe89ySNBAhXi6bNe1DZksjUv13DrS6AX/VjJs+fn442vOkr9Og+CNB3ZdXbsh/145hM620w==

The NSEC3 is for edp.pt:

$ knsec3hash D02E48527EF336BB 1 1 edp.pt
b0fuivg9bs7m8tn43tdbdc4mp72ppv7a (salt=D02E48527EF336BB, hash=1, iterations=1)

So the NSEC3 says the edp.pt has only NS SOA RRSIG DNSKEY NSEC3PARAM, not MX or A, which isn’t true since those records exist. We’ll try to reach out.