451 Unable to Verify Sender Due to DNSSEC/DANE with SpamExperts


Introduction

Some users may encounter issues when sending emails through SpamExperts’ outbound filtering service, receiving a temporary error similar to:

451 unable to verify sender (in reply to MAIL FROM command)

This typically occurs when DNSSEC (Domain Name System Security Extensions) is enabled on the sender’s domain, especially in combination with DANE (DNS-based Authentication of Named Entities) and associated TLSA records.

Cause

This issue is caused by the way SpamExperts’ Hosted Cloud platform handles sender verification (null sender callout) when DNSSEC and DANE are active. Specifically:

DNSSEC validation fails during the sender callout process due to limitations in the Hosted Cloud platform’s DNS resolvers.

DANE/TLSA records exacerbate the issue, leading to the rejection or deferral of messages.

SpamExperts has confirmed the following:

Currently DANE/DNSSEC is not supported on the Hosted Cloud platform. This is due to a limitation with AWS not supporting it at this time. As such, there is no definite roadmap we can advise on when this may be available.

This means domains signed with DNSSEC and configured with TLSA records for DANE may experience mail delivery problems through SpamExperts, both incoming and outgoing.

Known Issues

This problem has been reported by multiple users over time and has been an ongoing issue for over a year.

It affects emails relayed via SpamExperts’ outbound filtering, particularly when verifying the sender’s identity.

Mail delivery still fails even for domains with valid DNSSEC and DANE configurations (e.g., scoring 100% on internet.nl tests).

Workarounds

Until full support for DNSSEC/DANE is implemented by SpamExperts, there are two main options available:

1. Disable DANE (Recommended Temporary Fix)

Remove TLSA records from the DNS zone of the affected domain. This disables DANE validation while keeping DNSSEC intact.

Email delivery should resume normal operation after removing the TLSA records.

DNSSEC can remain enabled if desired, as the main issue is with the TLSA/DANE portion.
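
Before removing anything, it helps to know exactly which TLSA records the zone publishes. The script below is an added example, not SpamExperts' or this article's own tooling: it reads a zone file with one record per line and flags the TLSA records at `_25._tcp.<MX target>`, the name DANE for SMTP (RFC 7672) looks up. The zone, the `example.test` domain, the digest placeholders and the function names are all constructed for illustration.

```python
import re

# Constructed sample zone: example.test and the digest fields are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@                IN MX   10 mail
@                IN MX   20 mx2.example.test.
mail             IN A    192.0.2.10
_25._tcp.mail    IN TLSA 3 1 1 DIGEST_PLACEHOLDER_1
_25._tcp.mx2 300 IN TLSA 2 1 1 DIGEST_PLACEHOLDER_2 ; explicit TTL
_443._tcp.www    IN TLSA 3 1 1 DIGEST_PLACEHOLDER_3
"""

def fqdn(name, origin):
    """Expand a zone-file name to a lowercase absolute name."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else f"{name}.{origin.lstrip('.')}").lower()

def records(zone_text):
    """Yield (owner, type, rdata tokens, origin); one record per line, no ( ) blocks."""
    origin, owner = ".", None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]        # drop comments
        tok = line.split()
        if not tok:
            continue
        if tok[0].startswith("$"):
            if tok[0].upper() == "$ORIGIN" and len(tok) > 1:
                origin = tok[1].lower()
            continue
        if not line[0].isspace():          # a leading blank means "same owner as before"
            owner = fqdn(tok.pop(0), origin)
        while tok and (tok[0].isdigit() or tok[0].upper() == "IN"):
            tok.pop(0)                     # skip optional numeric TTL and class
        if tok:
            yield owner, tok[0].upper(), tok[1:], origin

def tlsa_inventory(zone_text):
    """List every TLSA record and flag those at _25._tcp.<MX target>."""
    recs = list(records(zone_text))
    mx = {fqdn(rd[1], org) for _, rt, rd, org in recs if rt == "MX" and len(rd) > 1}
    found = []
    for owner, rt, rd, _ in recs:
        if rt != "TLSA":
            continue
        m = re.match(r"_(\d+)\._tcp\.(.+)$", owner or "")
        smtp = bool(m) and m.group(1) == "25" and m.group(2) in mx
        found.append({"owner": owner, "params": " ".join(rd[:3]), "smtp_dane": smtp})
    return found
```

Because the zone stays DNSSEC-signed, it has to be re-signed after the TLSA records are removed unless the DNS provider signs automatically. Resolvers may also keep serving the old TLSA records until their TTL expires.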

2. Use a Different Outbound Mail Provider

If DANE is considered essential for your domain’s security posture, consider using an outbound email provider that fully supports DNSSEC and DANE.

Note: Not all providers support DNSSEC/DANE, so confirm their capabilities before switching.

Conclusion

This issue is a limitation of SpamExperts’ Hosted Cloud platform due to underlying constraints with DNSSEC resolution on AWS infrastructure. It is known, persistent, and not expected to be resolved in the short term.

For domains prioritizing email reliability over advanced DNS-based authentication mechanisms, disabling DANE by removing TLSA records is currently the most practical solution.
