Problems delivering to domains that use Outlook.com
Question asked by David O'Leary - 5/16/2024 at 8:54 PM
In the last week, I've started getting new complaints about client emails not getting delivered, being quarantined, or going to junk mail. When I look up the MX record, it almost always resolves to a [domain].mail.protection.outlook.com 
I've got SPF, DKIM and DMARC all setup for these domains. MXToolbox, Google, and other DMARC checkers I've tried indicate things are setup correctly and I don't seem to be having any problems getting through to non-Outlook based domains (except one report for ionos.com). 

One of the Outlook users said I was failing on SPF Alignment and DKIM Authenticated.
For SPF alignment, do I need to have an IP specific to each domain I host and use that IP for all emails from that domain? 
Anyone else seeing these problems with outlook-based domains and have a solution?
Owner of Efficion Consulting

3 Replies

Reply to Thread
Douglas Foster Replied
Start by checking your delivery logs to see what response code and text description you are receiving when these messages are delivered.   Apparently they are being accepted, but they may be getting accepted with a conditional statement that will be helpful.

You should also be looking at your DMARC reports, even though the ones from Outlook.com are unreliable.

Alignment is a DMARC term.   It describes the relationship between the verified identifier (SMTP Mail From address or DKIM domain) and the message's From address.    If your DMARC policy species "Strict" alignment, the two domains have to match exactly.   If your DMARC policy specifies "relaxed" alignment, the two domains just have to have the same organizational domain as their parent.   So it has nothing to do with IP addresses.

SPF Pass uses IP address to prove that the sending IP address is authorized to send on behalf of the SMTP Mail From domain.   Based on the tests you say are passing, your SPF policies should be OK.

The most likely problem is that you are sending messages to a distribution list.   Many people are having problems sending messages to a list when the destination is on Outlook.com.   They seem to be dropping messages that have too many recipients.  I suggest 50 as a maximum, but nobody really knows what rule they are using.   I suspect that using Outlook mail-merge (or equivalent) to send a slightly personalized message to each recipient will evade the restriction, but I have not been able to prove that yet.

If it is a DMARC problem, here are things that can go wrong with it:

1) Maybe you allow forwarding, and a message from "user@otherdomain" is forwarded through a domain on your system.   The message is not DKIM-signed, but it passes SPF on the way in, and it passes DMARC based on SPF alignment.   On the way out, it will fail the DMARC test for "otherdomain".   Either it will fail SPF because your server is not in the SPF policy for "otherdomain", or you do SRS rewrite and it does SPF PASS based on your domain but your domain is not aligned with the originator's FROM domain.

Content Changes
2) Maybe you have an outgoing gateway that sometimes alters the message (which is probably a bug).   A signature applied by the SmarterMail server can become unverifiable if the message is altered on the way out the door.  Of course, in this scenario the message should still pass DMARC based on SPF alignment (or equality).

3) Mailing Lists
You have a mailing list that alters messages with a subject tag or body tag, without changing the message From address.   For posts from users hosted elsewhere, the message will lose SPF alignment because of forwarding, and will lose DKIM Pass because of the additions to the message.

The other possibility is that Outlook.com is messed up and you are their victim.   You can try making an appeal, but getting your recipients to open tickets is likely to produce faster and more informative results.
David O'Leary Replied
I made two changes that I believe have helped (one recipient is now receiving emails that wasn't before) but I'm waiting for further confirmation and monitoring my logs.
1.) First change was for the hostname, I previously had my mail server URL specified for these problematic domains. I changed that to mail.[clientdomain].com. I'm hoping that helps with SPF Alignment

2.) For the Outbound IP4 IP, I selected the one that matched to the IP that mail.[clientdomain].com resolved to. 
Owner of Efficion Consulting
David O'Leary Replied
I was able to figure these out by setting up a free Outlook.com email account and then emailing it from the problematic domains. For one domain, I learned I had never actually set up DKIM and DMARC. I thought I had but the client never sent me the needed credentials. 
For the other, it seems to have been fixed by the changes I mentioned above.
Owner of Efficion Consulting

Reply to Thread