I believe I’m experiencing an issue similar to this issue: Rejecting incoming messages - zen.spamhaus.org
Specifically, whenever I get an email from my friend, it’s reported in the logs as
2022-03-01 22:18:51 H=01b.relay.hey.com [204.62.114.225] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no F=<his email> rejected RCPT <my email>: Rejected because 204.62.114.225 is in a black list at zen.spamhaus.org
However I both looked up 204.62.114.225 on mxtoolbox, zen.spamhaus.org, and using dig 225.114.62.204.zen.spamhaus.org (from the server hosting my email) and it comes up clean every time. (I am basing the dig coming up clean on getting an nxdomain response - and confirm that I get the return codes mentioned here when adding @1.1.1.1 or similar to the dig command, but do NOT get it when I just use the default dns server with dig)
Additionally, when fortune smiles on us and hey uses a different relay server, it gets through just fine.
Would Hestia be using a different dns resolver than the system/dig is using?