(Designed for engineering, security, QA, and infrastructure teams)
Technical Summary of Observed Behavior
Affected Domains
The following valid domains are rejected or fail silently:
Personal domains (multiple)
boldium.com
adobe.com
abbott.com
northeastern.edu
Accepted Domains
gmail.com
yahoo.com
hotmail.com
outlook.com
Completely fake Outlook addresses (e.g., random strings)
Delivery Behavior
Consumer domains receive verification emails instantly.
Non‑consumer domains receive no email or receive emails hours later.
Delayed emails contain links tied to the original browser session, which has expired.
Client‑Side Environment
Issue reproduced on:
Latest Chrome on macOS (Mac mini + two MacBooks)
Latest iOS on iPhone
Latest myDL app
Multiple networks
Clean browser sessions
No caching or cookie issues
No outdated software
This confirms the issue is not client‑side.
Likely Root Causes (Ranked)
1. Hardcoded Domain Allowlist (Most Likely)
Evidence:
Fake Outlook addresses accepted
Valid corporate/university/personal domains rejected
Instant delivery to Gmail/Yahoo/Hotmail/Outlook
“Domain not recognized” errors for legitimate domains
This strongly suggests a restrictive allowlist of consumer email providers.
2. Misconfigured Email Security Gateway
Possible systems:
Cloudflare Email Security
Proofpoint
Mimecast
Microsoft Defender
Cisco IronPort
Potential misconfigurations:
Domain reputation API rejecting non‑consumer domains
Allowlist/denylist rules applied incorrectly
Anti‑fraud scoring over‑blocking legitimate domains
Routing rules sending non‑consumer domains through a slow or failing path
3. Application‑Layer Domain Validation Logic
Possible issues:
Regex or validation rules that only accept common consumer domains
Incorrect domain parsing
New fraud‑prevention module introduced between August and December
Silent failure paths for unrecognized domains
4. Routing or MTA Configuration Changes
Potential causes:
Split routing based on domain category
Misconfigured secondary route for “unknown” domains
Delayed retries causing multi‑hour delivery
5. DNS or Authentication Checks
Unlikely but possible:
SPF/DKIM/DMARC lookups failing or timing out
DNS resolver misconfiguration
Overly strict alignment checks
Given that abbott.com and northeastern.edu fail, DNS/authentication issues are less likely.
Reproduction Steps (For QA)
Navigate to the DMV login page.
Select “Create Account” or “Forgot Password.”
Enter an email address from any of the following domains:
abbott.com
adobe.com
northeastern.edu
any personal domain
Observe:
“Domain not recognized” error OR
Silent confirmation with no email delivered
Repeat with a fake Outlook address.
Observe:
System accepts the address
No validation of mailbox existence
Repeat with Gmail/Yahoo.
Observe:
Instant delivery
Successful account creation/reset
Impact Assessment
Users cannot create or recover accounts unless they use a consumer email provider.
Affects small businesses, universities, corporations, and privacy‑conscious individuals.
Undermines adoption of the mobile driver’s license (myDL) program.
Increases support call volume.
Creates accessibility and equity concerns.
Damages trust in state digital services.
Recommended Next Steps
Immediate
Identify ownership of email validation and outbound email systems.
Review allowlist/denylist logic in application code.
Audit email security gateway rules.
Check routing logic for domain‑based paths.
Short‑Term
Decouple password reset links from browser session timeouts.
Implement 24‑hour token validity.
Add logging for domain‑based failures.
Long‑Term
Publish clear domain requirements (if intentional).
Ensure domain‑agnostic account creation (if unintentional).
Add alternative verification methods (SMS, authenticator app).
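To make the ranked root cause and the short-term recommendations concrete, here is an added illustration (not the DMV's code, which is not public; everything below is a hypothetical reconstruction). It contrasts the suspected consumer-only allowlist with a domain-agnostic check that logs rejections and takes an injectable MX lookup (a stub by default, so it runs offline), and shows a password-reset token with its own 24-hour lifetime, hashed at rest and single-use, independent of any browser session.

```python
import hashlib
import logging
import re
import secrets
from datetime import datetime, timedelta, timezone

log = logging.getLogger("email_validation")

# Suspected current behaviour (hypothetical): a hardcoded consumer allowlist.
# Any string at outlook.com passes, while abbott.com or northeastern.edu fails.
CONSUMER_ALLOWLIST = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def allowlist_check(email: str) -> bool:
    domain = email.rpartition("@")[2].lower()
    return domain in CONSUMER_ALLOWLIST


# Domain-agnostic replacement: syntax check on the local part, label check on
# the domain, then an MX lookup supplied by the caller (stubbed here).
LOCAL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}$")
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def domain_agnostic_check(email: str, has_mx=lambda domain: True):
    local, sep, domain = email.rpartition("@")
    domain = domain.lower()
    if not sep or not LOCAL_RE.match(local):
        return False, "malformed address"
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return False, "malformed domain"
    if not has_mx(domain):
        # The domain-based failure logging the report recommends adding.
        log.warning("rejected domain=%s reason=no-mx", domain)
        return False, "domain has no mail exchanger"
    return True, "ok"


# Reset tokens carry their own 24-hour expiry instead of the session's.
TOKEN_TTL = timedelta(hours=24)


def utcnow() -> datetime:
    return datetime.now(timezone.utc)


def issue_reset_token(store: dict, email: str, now: datetime) -> str:
    token = secrets.token_urlsafe(32)
    # Store only the hash, so a leaked store does not yield usable links.
    store[hashlib.sha256(token.encode()).hexdigest()] = (email, now + TOKEN_TTL)
    return token


def redeem_reset_token(store: dict, token: str, now: datetime):
    entry = store.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # single use
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```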