Thanks, Dick and Franck, that URL has some great information. I'm 99% sure that neither Office365 customer turned IPv6 on and off, especially in the same afternoon (that MSDN blog entry notes that the customer has to specifically request it), so I'm guessing that something happened at MSFT that it accidentally turned on for a while for some customers.
Frank -----Original Message----- From: Dick Visser [mailto:[email protected]] Sent: Thursday, November 27, 2014 1:02 PM To: Frank Bulk Cc: [email protected]; IPv6 operators forum Subject: Re: IPv6 addresses for Microsoft Office 365 hosted domains? On a related note, I'm in the process of setting up mail for our new domain, and Office365 was one of the options. I was surprised to see that Office 365 hosted domains have only one MX, which resolves to only two IPv4 addresses: visser@cajones:~$ host geant-org.mail.protection.outlook.com. geant-org.mail.protection.outlook.com has address 213.199.154.87 geant-org.mail.protection.outlook.com has address 213.199.154.23 Both sit in the same network, which seems like a bad idea. Unless this is anycast? Can't tell from here. However, MS seems to have changed things recently: http://blogs.msdn.com/b/tzink/archive/2014/10/28/support-for-anonymous-inbound-email-over-ipv6-in-office-365.aspx Better late than never. The alternative for e-mail is Google Apps, which has IPv6 for years. Dick On 27 November 2014 at 03:00, Frank Bulk <[email protected]> wrote: > This afternoon I saw several log messages in our email server's logs in > relation to emails our local business customer (who uses our ISP email > server) was trying to send to a Microsoft Office 365 hosted domain: > > "[::ffff:12.43.166.xx] Site <target domain redacted> > (2a01:111:f400:7c0c::11) said after data sent: 554 5.7.1 Service > unavailable, message sent over IPv6 [2607:fe28:0:4000::10] must pass SPF or > DKIM validation (message not signed)" > > The PTR for 2a01:111:f400:7c0c::11 is > mail-by26c0c.inbound.protection.outlook.com. > > But when I check the MX record of the target domain I see there's no AAAA > for the <redacted>.mail.eo.outlook.com, just three A's. > > Fortunately we control our local business customer's DNS and I've added in > our email server's DKIM so that future emails, if they were sent over IPv6, > should be accepted by Microsoft. Our customer has no SPF record. > > > I also saw two log messages for two Microsoft Office 365 hosted domains: > 26 13:30:59.00 [56882563] Failed ::ffff:199.120.69.25 > <[email protected]> <target domain1 email redacted> > 9259 <[email protected]> > "[::ffff:199.120.69.25] ubad=0, Site (target domain1 > redacted/2a01:111:f400:7c10::1:10) said: 550 5.2.1 Service Unavailable, > [target domain1 redacted] does not accept email over IPv6" > 26 19:04:52.00 [83985160] Failed ::ffff:12.43.166.20 <from redacted> <target > domain2 email redacted> 6546 <[email protected]> > "[::ffff:12.43.166.20] ubad=1, Site (target domain2 email > redacted/2a01:111:f400:7c0c::11) said: 550 5.2.1 Service Unavailable, > [target domain2 email redacted] does not accept email over IPv6" > > There's no PTR for 2a01:111:f400:7c10::1:10. I checked the last 7 days of > logs I only saw these today. > > It's like Microsoft published some AAAA's for some MX records, but then > withdrew them, but not before there were a few failures. > > Frank > > > -- Dick Visser Sr. System & Networking Engineer GÉANT Association, Amsterdam Office (formerly TERENA) Singel 468D, 1017 AW Amsterdam, the Netherlands Tel: +31 (0) 20 530 4488 GÉANT Association Networking. Services. People. Learn more at: http://www.géant.org
