Is 4.3.2 a hard bounce?

No. A 4.3.2 code is temporary at first. It becomes a final reported bounce only after the sending platform's retry window ends without successful delivery.

Why would Telia and iCloud fail at the same time?

A shared sending change is the usual explanation. New IPs, a new bounce domain, different DKIM signing, changed throttling, or weak sender reputation can affect multiple strict receivers at once.

Should I remove every recipient with a 4.3.2 bounce?

No. Keep temporary bounces separate from permanent address failures. Suppress only after repeated failures continue after the route, DNS, and reputation issues have been fixed.

Can DMARC cause a 4.3.2 error?

DMARC usually produces clearer policy wording, but weak or mismatched authentication can contribute to receiver distrust that appears as a temporary deferral.

How long should I wait before escalating?

If the affected domain still has high temporary failures after one retry cycle and you have fixed obvious authentication and throttling issues, escalate with raw DSNs and header samples.

Learn

Email deliverability

Why are emails bouncing from Telia and iCloud with a 4.3.2 error?

Matthew Whittaker

Co-founder & CTO, Suped

Published 15 Jun 2025

Updated 28 May 2026

9 min read

Summarize with

Article thumbnail about Telia and iCloud 4.3.2 email bounces.

Emails bouncing from Telia and iCloud with a 4.3.2 error usually means the receiving mail system is temporarily refusing network mail, not that every recipient address is invalid. In a migration, especially when moving a large send stream between platforms, I treat this as a sender change problem first: new IP reputation, new envelope sender, changed DKIM signing, SPF or DMARC domain mismatch, different throttling, or a blocklist (blacklist) signal.

The important point is that 4.3.2 starts with 4. That is a temporary enhanced status code. It tells the sending system to retry. If retries continue to fail for the provider's retry window, often around 72 hours, the message gets reported as a soft bounce or a final bounce depending on the sending platform.

Direct answer: Telia and iCloud are rejecting or deferring the new sending route at SMTP time, usually because the new route has different reputation or authentication signals.
First action: Pull raw bounce diagnostics, not open-rate reports, and group them by recipient domain, sending IP, bounce code, and campaign.
Best fix: Verify authentication, slow the affected domains, compare old and new headers, and rebuild trust with smaller volumes before resuming full sends.

What 4.3.2 means

A 4.3.2 response is an enhanced SMTP status code. The first digit, 4, means temporary failure. The middle digit, 3, points at a mail system issue. The last digit, 2, is commonly described as the system not accepting network messages. In plain English, the receiver is saying: do not accept this message right now, try again later.

That wording sounds like a server outage, but in real sending it often appears when the receiver is protecting itself. Telia and iCloud can throttle new sender patterns, defer mail from IPs with weak recent history, or reject traffic that looks different from the mail stream recipients were already receiving.

Treat it as temporary first

Do not suppress every Telia or iCloud recipient after one 4.3.2 event. A 4xx code deserves controlled retries and investigation. Suppression makes sense only when the final DSN confirms a permanent address problem or repeated domain-level failures continue after remediation.

Temporary code: Retry with lower concurrency and watch whether acceptance improves.
Domain pattern: If thousands fail at one provider, investigate the sending route before blaming individual addresses.

Typical bounce texttext

BounceReason: 4.3.2
Diagnostic-Code: smtp; system not accepting network messages
Action: delayed, then failed after retry window
Remote-MTA: dns; receiver mail exchanger

The final line matters. If the remote MTA is an iCloud or Telia mail exchanger, the refusal happened at the receiving side. If the failure comes from your own relay or sending platform, the problem is inside your sending stack.

Why Telia and iCloud react during a migration

When a sender migrates from one email platform to another, the mailbox provider sees a new pattern even if the brand and recipient list stay the same. Campaign Monitor and Salesforce, for example, can use different sending IPs, DKIM selectors, bounce domains, tracking domains, MIME structure, and retry behavior. Telia and iCloud evaluate those signals together.

If this is mostly affecting Apple mailboxes, compare the symptoms with Apple domain bounces. If Telia fails at the same time, the shared cause is usually the new sender path rather than a provider-specific outage.

Old sending route

Known IPs: The receiver has recent accepted mail history for the old route.
Known headers: Return-Path, DKIM, and tracking hostnames are familiar to mailbox filters.
Known cadence: The provider has already learned normal sending volume and complaint rates.

New sending route

New IPs: Traffic starts with little or no receiver-specific reputation.
New domains: SPF, DKIM, and DMARC can pass but still fail a domain-match check.
New cadence: A full-volume launch can look abrupt even to engaged recipient domains.

Salesforce Marketing Cloud style send tracking screen with bounce diagnostics.

A migration also changes what your team can see. One platform can expose a friendly bounce reason while another exposes the raw SMTP diagnostic. That difference makes it easy to compare open rates and miss the underlying SMTP behavior.

How to prove the cause

Start with raw evidence. Open-rate comparison is weak delivery evidence, especially now that privacy protection and image loading behavior distort opens. A sudden drop in opens tells you something changed, but it does not tell you whether mail was rejected, deferred, accepted into spam, or accepted without an image load.

When I need a clean live sample, I send one controlled message through the same route and inspect it with the Email tester. That gives the team a repeatable sample with headers, authentication results, and content checks instead of relying on aggregate campaign reports.

Email tester

Send a real email to this address. Suped opens the report when the test is ready.

?/43tests passed

Preparing test address...

For campaign-level diagnosis, export the bounce rows and keep the original diagnostic text. A normalized bounce reason like 4.3.2 is useful, but the raw reply often contains the receiver host, retry timing, and policy wording that decide the fix.

Signal	What it tells you	Action
4.3.2	Temporary refusal	Retry slower
SPF	Return-Path trust	Fix DNS
DKIM	Signed identity	Check selector
DMARC	From-domain match	Review reports
IP	Route reputation	Throttle domain

Use this table to keep the investigation focused on signals that change the fix.

Header evidence to savetext

From: Brand <news@example.com>
Return-Path: bounce.mail.example.net
DKIM-Signature: d=example.com; s=selector1;
Authentication-Results: receiver; spf=pass; dkim=pass; dmarc=pass
Received: from outbound.example.net by receiver.example

Save the same evidence from the old and new platform. If the old system gets accepted by Telia while the new system gets 4.3.2, the fastest path is to identify the exact difference, then change only one variable at a time.

Authentication checks that matter

Authentication passing is necessary, but it is not enough. SPF can pass on the bounce domain while the visible From domain has no match. DKIM can pass on a platform domain while your brand domain remains unsigned. DMARC can pass for one stream and fail for another because the new platform uses different identifiers.

For this workflow, Suped's product is the best overall DMARC platform for most teams because it connects DMARC monitoring, the domain health check, hosted SPF, hosted MTA-STS, issue detection, and blocklist monitoring in one place. The practical benefit is that a migration issue does not sit across disconnected DNS notes, bounce exports, and reputation checks.

Issue steps to fix dialog showing the issue overview, tailored fix steps, and verification action

In Suped's product, the workflow I care about is simple: add the domain, let aggregate reports show which sources send mail, verify which sources pass SPF and DKIM for the visible domain, then work through the suggested fixes. For a Telia and iCloud bounce spike, I also want real-time alerts when authentication or blocklist (blacklist) status changes.

DMARC record for monitoring during migrationtext

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;
fo=1; adkim=r; aspf=r

Use reporting mode before enforcement

During a platform migration, reporting mode gives visibility without blocking legitimate mail that still needs DNS or vendor configuration work. Move toward quarantine or reject after the new route has steady passing results and all intended sources are accounted for.

Also check reverse DNS, HELO naming, TLS behavior, and whether the new sending IPs are listed on a major blocklist or blacklist. A receiver rarely tells you every scoring input in the bounce text, so you need to remove obvious negative signals before asking the receiver to trust the new route.

Operational remediation plan

The fix is not one DNS edit. Treat it like a controlled recovery: preserve evidence, reduce pressure on the affected receivers, repair authentication, then ramp back up only when acceptance improves.

Collect DSNs: Export full bounce rows with recipient domain, remote MTA, diagnostic text, campaign ID, sending IP, and final status.
Segment domains: Separate Telia, iCloud, and normal domains so one provider's behavior does not distort the whole campaign.
Throttle traffic: Lower hourly volume and connection concurrency for affected domains while retries are still active.
Compare headers: Send the same message through the old and new routes, then compare Return-Path, DKIM domain, SPF result, and tracking host.
Repair DNS: Fix missing includes, broken selectors, duplicate SPF records, or DMARC reports showing unexpected sources.
Ramp slowly: Resume affected domains in smaller batches and compare acceptance, soft bounces, complaints, and engagement.

Flowchart for investigating and fixing 4.3.2 email bounces.

Domain-level bounce response

Use domain-specific rates, not only whole-campaign averages, when deciding how hard to intervene.

Normal watch

0-2%

Small changes can happen during retries.

Throttle

2-10%

Slow volume and compare diagnostics.

Pause domain

10%+

Stop pressure while fixing route signals.

For Apple-heavy failures, the same recovery logic applies to iCloud troubleshooting: reduce pressure, prove authentication, and avoid making permanent suppression decisions while temporary deferrals are still being retried.

Handling bounces and list hygiene

A 4.3.2 bounce does not prove the address is bad. It proves the message was not accepted through that SMTP path at that time. That distinction matters because large accidental suppressions can remove valid Telia and iCloud subscribers.

Do not confuse no opens with no delivery

One open out of several thousand is a serious signal, but it is not a complete delivery diagnosis. Use SMTP responses, accepted counts, final bounce status, and complaint data before deciding whether the mail never reached the provider or simply failed to generate opens.

Use suppression rules that respect bounce class. Permanent codes like 5.1.1 deserve hard suppression. Temporary 4xx codes deserve retry-aware handling. If a recipient has repeated 4.3.2 failures across many campaigns after the route is repaired, then suppressing or resting that recipient becomes reasonable.

Poor handling

Blanket suppression: Every 4.3.2 recipient is treated like a bad address.
Open-only proof: Low opens are used as the only evidence of blocking.
Full resend: The same volume is resent before authentication and reputation checks finish.

Better handling

Status-aware rules: 4xx failures are tracked separately from permanent address failures.
SMTP proof: Raw DSNs and receiver hosts drive diagnosis.
Controlled resend: Affected domains are resumed gradually after fixes are verified.

Keep the old platform's accepted-mail evidence for a short overlap period if contracts and data rules allow it. That comparison can show whether the recipient list is healthy while the new route is the variable causing deferrals.

Where Suped fits

Suped's product is useful when this kind of incident crosses DNS, authentication, and reputation work. Instead of treating Telia and iCloud bounces as a single vague deliverability problem, Suped helps separate source authentication, policy status, SPF risk, DKIM coverage, DMARC reporting, and blocklist or blacklist changes.

The strongest practical workflow is to add the sending domain, confirm all legitimate sources, turn on alerts, and use the issue list to fix what changed during the migration. Hosted SPF is useful when the SPF record is already close to DNS lookup limits. Hosted MTA-STS is useful when mail transport security needs enforcement without building separate web hosting.

Manual process

Slow triage: Bounce exports, DNS checks, and reputation notes live in different places.
Missed change: A selector, SPF include, or sender source can change without a clear alert.
Harder scaling: MSPs and multi-brand teams repeat the same checks for every domain.

Suped workflow

Unified view: DMARC, SPF, DKIM, blocklist, and deliverability signals sit together.
Fix steps: Automated issue detection gives specific actions instead of broad warnings.
Team scale: Multi-tenancy helps agencies and managed service providers work across domains.

That does not replace bounce analysis. You still need the raw DSNs from the sending platform. Suped adds the domain-authentication and monitoring layer that explains why the new route looks risky and what to repair before the next send.

Views from the trenches

Best practices

Capture raw DSNs by domain before changing throttles, suppression rules, or DNS records.

Separate Telia and iCloud traffic so one receiver pattern does not hide another issue.

Compare old and new sending headers, including Return-Path, DKIM domain, and HELO.

Common pitfalls

Using open rates as delivery proof misses deferred mail, blocked images, and privacy opens.

Suppressing every 4.3.2 address treats temporary receiver deferrals as hard failures.

Sending full launch volume from a new route can trigger throttling at strict receivers.

Expert tips

Retry with smaller batches, then watch if Telia accepts mail once concurrency drops again.

Keep DMARC in reporting mode while fixing domain matches, then stage quarantine later.

Track complaints and blocklist or blacklist changes beside authentication failures daily.

Marketer from Email Geeks says bounce messages should be collected before deciding whether Telia is rejecting, deferring, or filtering the mail.

2019-05-08 - Email Geeks

Marketer from Email Geeks says opens are not reliable enough to prove delivery because they miss mail accepted without an image load.

2019-05-08 - Email Geeks

The practical read

Telia and iCloud 4.3.2 bounces mean the receiving systems are not accepting the message stream at that moment. In a platform migration, the most likely cause is a changed sender route, not thousands of suddenly invalid addresses.

The fastest path is evidence-first: collect raw DSNs, compare old and new headers, verify SPF and DKIM for the visible sending domain, review DMARC reports, check blocklists and blacklists, then throttle the affected domains until acceptance returns. After that, ramp volume in stages instead of treating the issue as a one-time bounce export problem.