Email forwarder responds with "Undelivered Mail Returned to sender"

What is the name of the domain?

mcmullanfamilyorguk

What is the error number?

521 5.3.0

What is the error message?

host route1.mx.cloudflare.net[162.159.205.12] said: 521 5.3.0 Upstream error

What is the issue you’re encountering

I’ve created forwarding and when I send myself a test email, I get an email response containing 521 5.3.0 Upstream error.

What steps have you taken to resolve the issue?

I’m not sure what my options are. I thought it would resolve itself in time, but it’s been two days now. I’ve tried emailing myself from a few different accounts. The final destination email address works just fine. There are plenty of references to this error on the community site, but none offer a solution.

What are the steps to reproduce the issue?

I simply send an email to myself at the above domain.
Does “upstream” error mean that my email service provider s rejecting the messages?
Can you help, please?

What is the name of the domain?

mcmullanfamily.org.uk

What is the error number?

521 5.3.0

What is the error message?

host route1.mx.cloudflare.net[162.159.205.12] said: 521 5.3.0 Upstream error

What is the issue you’re encountering

Email forwarding does not work

What steps have you taken to resolve the issue?

Periodically sending myself emails to see if it works

What are the steps to reproduce the issue?

Send an email to [email protected]
One person has managed to send an email to [email protected] No others seem to have got through, though. According to my dashboard, of 30 received, 14 have been forwarded.
I’ve received one.
Pease help.

Yes.

521 5.3.0 Upstream error is typically, as you referred to above, because the final destination (e.g. your email provider) decided to reject to take the message, when Cloudflare tried to pass it along.

→

Can you share a screenshot of the “Activity Log”, with each item expanded?

→ https://dash.cloudflare.com/?to=/:account/:zone/email/routing/overview

image1293×609 22.4 KB

It seems fairly random, whether it fails or not, but it seems to be forwarding increasingly more
frequently now than it did a few days ago.

The first and the last were accepted and delivered just fine to the final destination, if they do not appear (neither in Inbox, nor Spam folders), you would need to dig in to that part together with your mailbox provider.

However, -

For the second, or the one in the middle, if you wish, regarding the @talktalk.net domain.

The operators of @talktalk.net have an amazingly strict DMARC policy, instructing receivers to reject messages that they do not find matching (either valid DKIM with alignment, or valid SPF with alignment), which is nice, as it is attempting to prevent third parties, from being able to spoof messages, to appear to be from their domain, such as e.g. for spam / phishing messages.

It does however also mean that the mail server of the final destination’s MUST be able to verify that the things are still intact, which after forwarding would be the “valid DKIM with alignment” statement from above, because SPF typically won’t survive forwarding in any way for DMARC.

The explanation could very well be that there is some sort of temporary connectivity issue, that is preventing the final destination from checking the DKIM status for @talktalk.net, perhaps because the connectivity between them and @talktalk.net is broken, and since the DKIM status then is failing, as it cannot be verified, then DMARC will fail, and the final destination is therefore rejecting the message, as the @talktalk.net operators have instructed them to do that, with their DMARC policy, for the @talktalk.net domain.

@talktalk.net seem to have a very centralized DNS configuration, where all of their DNS servers are located within United Kingdom alone, instead of having them spread across multiple ISP’s and DNS providers, which is actually considered the best current practice, and mandated by various Internet Standads, for redundancy and resilience reasons, in order to avoid situations like this.

In @talktalk.net’s current set up, and if some random connectivity issues caused that the final destination to be completely isolated from the United Kingdom, then @talktalk.net would be completely gone from the Internet (in the eyes of the final destination).

And that statement is consistent with various problems, such as e.g.:

1. Transient connectivity issues

2. Transient DNS resolution issues (perhaps caused by #1)

There is (unfortunately) nothing you can do, in such events, from your side.