Bounce 5.0.0 Unable ... diagnostic code

Attempts to send a Zivver message result in a non-delivery report (NDR), a bounce message. The bounce message is as follows:

5.0.0 Unable to specify specific reason due to missing diagnostic code

It occurs when Zivver cannot deliver the message to the recipient.

For the error Bounce 5.3.0, refer to Bounce 5.3.0 Unable … delivered; 5.3.0

There are two dominant reasons for this bounce:

Misspelled domain name
In most cases, the issue occurs when the recipient email domain does not exist, for example because of a typing mistake in the domain of the recipient email address.

Technical issues
Zivver may be unable to deliver the message because there is a technical problem with a secure protocol, such as DANE, PANE or NTA 7516, when Zivver must have a minimum security level for the message.

Example causes are:

  • Incorrect DNSSEC configuration.
  • Expired TLS certificate.
  • Expired NTA 7516 DNS record.

Do checks on typing mistakes first before you examine the technical causes. Only after the issues are resolved, the mail system can deliver the message.

Causes and solutions

Typo in the domain name

A typo causes this NDR only when it is in the domain name. For example, zivver.n. is incorrect. The correct domain name is zivver.com.

Diagnose
Do a check on the email address of the recipient. Make sure that the domain is correct. The domain is the part after the @.

Technical check
Make sure that there is a mail exchanger (MX) record for the domain of the recipient.

Solution
Correct the typo.

Disclaimer: If the cause of the issue was not a typo in the recipient’s domain, we recommend that you share this document with your IT administrator. The administrator can help to resolve the issue.

Receiving mail server unavailable

The recipient mail server is unavailable. For example, there is a DNS problem. In this case, the receiving server does not receive messages because it is not operational.

Diagnose
Tell your administrator to do these steps.

  1. Examine the domain MX records to find the recipient mail server.
  2. Do a test whether the mail server responds.
    For example, use Telnet, PowerShell, or OpenSSL.

Solution
If the server does not respond, speak to the recipient. They can resolve the issue on their end.

Invalid NTA 7516 certificate

The receiving party claims that they are NTA 7516 compliant. But the certificate of the NTA 7516 MX server is invalid or is expired.

You can do a test whether a recipient claims NTA 7516 compliance. Use the domain DNS records. For more information, refer to Maak interoperabiliteit conform NTA 7516 kenbaar (in Dutch) of our NTA 7516 compliance manual.

Diagnose
Tell your administrator to do these steps.

  1. Examine the recipient NTA 7516 DNS record to find the recipient NTA 7516 MX server.
    The NTA 7516 MX server is listed after the part ‘ntamx=10’ in the record.
  2. Examine the NTA 7516 MX server certificate for warnings or discrepancies.
    You can use an online tool. For example, check whether the certificate expiration date has passed. The expiration date is in the NotAfter field.

Solution
Tell the receiving party to renew their NTA 7516 MX certificate or resolve all the issues that are related to that. If this certificate is correct and the issue stays, refer to Deprecated TLSA record NTA or Deprecated TLSA record TLS.

Deprecated TLSA Record NTA

Possibly the receiving party claims that they are NTA 7516 compliant and there are no issues with the NTA 7516 MX certificate. In that case, the recipient did not update their TLSA record after they updated the NTA 7516 MX certificate.

Diagnose
Tell your administrator to do these steps.

  1. Examine the NTA 7516 DNS record to find the recipient NTA 7516 MX server.
    The NTA 7516 MX server is listed after the part ntamx=10 in the record.
  2. Do a validity check on the NTA 7516 MX server’s TLSA record.
    For example, run it through an online DANE SMTP Validator tool.
    An invalid TLSA record will return an error.

Solution
Speak to the receiving party about the discrepancy. Tell them to resolve the issue of the TLSA Record.

Deprecated TLSA Record TLS

The TLS certificate was renewed, but the corresponding TLSA record was not updated accordingly. In this case, DANE is enabled for the receiving domain. Because of this, an invalid TLSA record breaks DANE. Thus, messages cannot be delivered.

Solution
Speak to the receiving party about the discrepancy. Tell them to update the TLSA record in accordance with the new TLS certificate.
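
The check behind both deprecated TLSA record cases, as an added example that is not Zivver's own code: it computes the RFC 6698 certificate association data for a certificate and compares it with a published TLSA record. The function names and the skeleton certificates are constructed for illustration; they are not real certificates.

```python
import hashlib

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo element of an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)      # outer Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                    # optional [0] version field
        pos = end
    for _ in range(5):                 # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)
    return cert_der[pos:end]

def tlsa_data(cert_der, selector, mtype):
    """Association data (hex): selector 0 = full cert, 1 = SPKI; mtype 0/1/2."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        return data.hex()
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).hexdigest()

def tlsa_matches(cert_der, record):
    """record: 'usage selector mtype hexdata', as shown in a TLSA DNS answer."""
    _usage, selector, mtype, hexdata = record.split(None, 3)
    return tlsa_data(cert_der, int(selector), int(mtype)) == hexdata.replace(" ", "").lower()

# --- Constructed sample input: skeleton DER certificates, not real ones ---
def _der(tag, content):
    return bytes([tag, len(content)]) + content  # short-form length only

def fake_cert(key_bytes, serial):
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + key_bytes))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + _der(0x30, b"") * 4 + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

OLD_CERT = fake_cert(b"old-key", 1)
RENEWED_SAME_KEY = fake_cert(b"old-key", 2)       # renewal that kept the key pair
RENEWED_NEW_KEY = fake_cert(b"new-key", 3)        # renewal with a fresh key pair
PUBLISHED = "3 1 1 " + tlsa_data(OLD_CERT, 1, 1)  # record made for the old certificate
```

A `3 1 1` record pins only the public key, so it stays valid after a renewal that keeps the key pair and breaks when the key changes; a record with selector 0 breaks on every renewal. For a real server, pass the certificate in DER form, for example from `ssl.PEM_cert_to_DER_cert()`.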

Invalid MX Certificate

Zivver must have a more secure channel to deliver the message. But, there is an issue with one of the technical requirements for this more secure option. An example is the mail server certificate.

Examples of known causes are:

  • Expiration of the MX certificate.
  • Mismatch of the common name (CN) of the MX certificate with the hostname of the server.

Diagnose

  1. Examine the MX DNS records to find the recipient MX server.
  2. Examine the MX server certificate to find warnings and discrepancies.
    You can use an online tool. For example, check whether the certificate expiration date has passed. The expiration date is in the NotAfter field.

Solution
Tell the receiving party to resolve all the issues of their MX certificate or renew the MX certificate.