I, too, have recently seen QQ.com SPF failures that didn't seem to make any sense. We ended up changing a custom SPF record for a client just to see if it might help things (even though the original one passed with various tests, but failed only at QQ). I'm waiting for a client's next send to see if it has fixed things or not.
Regards,
Al Iverson

On Mon, Dec 2, 2019 at 6:18 PM Jason Carter via mailop <mailop@mailop.org> wrote:
> Included the relevant part in my original post, but here it is again in
> its entirety. I took out any identifying email addresses.
>
> Your message to {blah blah blah}@qq.com <dengjingz...@qq.com> couldn't be
> delivered.
>
> qq.com couldn't confirm that your message was sent from a trusted
> location.
>
> *Rhiannon.Paget*
>
> *Office 365*
>
> *blah blah blah*
>
> *Action Required*
>
> *Recipient*
>
> *SPF validation error*
>
> How to Fix It
>
> Your organization's email admin will have to diagnose and fix your
> domain's email settings. Please forward this message to your email admin.
>
> ------------------------------
>
> More Info for Email Admins
>
> *Status code: 550 5.7.23*
>
> This error occurs when Sender Policy Framework (SPF) validation for the
> sender's domain fails. If you're the sender's email admin, make sure the
> SPF records for your domain at your domain registrar are set up correctly.
> Office 365 supports only one SPF record (a TXT record that defines SPF) for
> your domain. Include the following domain name: *spf.protection.outlook.com
> <http://spf.protection.outlook.com>*. If you have a hybrid configuration
> (some mailboxes in the cloud, and some mailboxes on premises) or if you're
> an Exchange Online Protection standalone customer, add the outbound IP
> address of your on-premises servers to the TXT record.
>
> For more information and instructions about configuring SPF records see
> Customize an SPF record to validate outbound mail sent from your domain
> <https://technet.microsoft.com/library/dn789058(v=exchg.150).aspx> and
> also External Domain Name System records for Office 365
> <https://support.office.com/article/External-Domain-Name-System-records-for-Office-365-c0531a6f-9e25-4f2d-ad0e-a70bfef09ac0#BKMK_SPFrecords>.
>
> Original Message Details
>
> Created Date: 12/2/2019 7:38:53 PM
>
> Sender Address: {blah blah blah}@ringling.org <rhiannon.pa...@ringling.org>
>
> Recipient Address: {blah blah blah}@qq.com <dengjingz...@qq.com>
>
> Subject: RE: {subject went here....}
>
> Error Details
>
> Reported error:
>
> *550 5.7.23 The message was rejected because of Sender Policy Framework
> violation -> 550 DMARC check failed
> [MTIzknf/jEeC0aTwbOXvrBiAcTvXxZqFXcru3oWyMZucp1BLJ8LQWCk= IP:
> 40.107.82.82].
> http://service.mail.qq.com/cgi-bin/help?subtype=1&&no=1001508&&id=16.*
>
> DSN generated by: BN6PR02MB2308.namprd02.prod.outlook.com
>
> Remote server: newxmmxszb50.qq.com
>
> *Jason Carter*
> IT Manager
> Microsoft Enterprise Applications and Systems
> Information Technology Services | Florida State University
> *p* 850.645.8069 | *w* its.fsu.edu
>
> ------------------------------
> *From:* Michael Wise <michael.w...@microsoft.com>
> *Sent:* Monday, December 2, 2019 7:11 PM
> *To:* Jason Carter <jason.car...@fsu.edu>; mailop@mailop.org <mailop@mailop.org>
> *Subject:* RE: QQ failing Office 365 emails for SPF?
>
> Would need to see the NDR.
>
> Aloha,
> Michael.
> --
> *Michael J Wise*
> Microsoft Corporation| Spam Analysis
> "Your Spam Specimen Has Been Processed."
> Open a ticket for Hotmail <http://go.microsoft.com/fwlink/?LinkID=614866> ?
>
> *From:* Jason Carter <jason.car...@fsu.edu>
> *Sent:* Monday, December 2, 2019 4:08 PM
> *To:* mailop@mailop.org; Michael Wise <michael.w...@microsoft.com>
> *Subject:* [EXTERNAL] Re: QQ failing Office 365 emails for SPF?
>
> Well I am not talking about mail sent TO an Office 365 tenant.
> It was sent FROM an Office 365 tenant to a @QQ.com address, and they
> bounced it for an SPF failure, even though the SPF record for the sending
> domain clearly includes the IP address they said failed SPF.
>
> *Jason Carter*
> IT Manager
> Microsoft Enterprise Applications and Systems
> Information Technology Services | Florida State University
> *p* 850.645.8069 | *w* its.fsu.edu
>
> ------------------------------
> *From:* mailop <mailop-boun...@mailop.org> on behalf of Michael Wise via mailop <mailop@mailop.org>
> *Sent:* Monday, December 2, 2019 7:02 PM
> *To:* mailop@mailop.org <mailop@mailop.org>
> *Subject:* Re: [mailop] QQ failing Office 365 emails for SPF?
>
> At Microsoft, be that either mail sent to an Office365 tenant or a Hotmail
> / Outlook customer, the DMARC p=reject will **NOT** generate a bounce.
>
> For many, many reasons.
>
> Primarily because the SPF/DKIM/DMARC checks are done **AFTER** the email
> has been received, and the port 25 connection has been closed.
>
> Secondarily because, in light of the above, it would make backscatter
> issues worse, and possibly result in a DDOS attack.
>
> Load concerns make any other approach impractical.
>
> Aloha,
> Michael.
> --
> *Michael J Wise*
> Microsoft Corporation| Spam Analysis
> "Your Spam Specimen Has Been Processed."
> Open a ticket for Hotmail <http://go.microsoft.com/fwlink/?LinkID=614866> ?
>
> *From:* mailop <mailop-boun...@mailop.org> *On Behalf Of* Jason Carter via mailop
> *Sent:* Monday, December 2, 2019 3:56 PM
> *To:* mailop@mailop.org
> *Subject:* [External] [mailop] QQ failing Office 365 emails for SPF?
>
> Anyone using Office 365 that has a domain at DMARC=REJECT see any bounce
> backs for mail sent to QQ.com addresses for SPF failures, when the IP
> address they mentioned failed is clearly in the SPF record?
>
> Example:
>
> Reported error:
>
> *550 5.7.23 The message was rejected because of Sender Policy Framework
> violation -> 550 DMARC check failed
> [MTIzknf/jEeC0aTwbOXvrBiAcTvXxZqFXcru3oWyMZucp1BLJ8LQWCk= IP:
> 40.107.82.82].
> **http://service.mail.qq.com/cgi-bin/help?subtype=1&&no=1001508&&id=16*
>
> DMARC Guide_QQ Mail Help Center
>
> I. DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC
> is an extensible email authentication protocol based on the existing SPF and
> DKIM protocols. It establishes a mail feedback mechanism between mail senders
> and receivers, making it easier for both sides to jointly improve and oversee
> the management of domain names...
>
> service.mail.qq.com
>
> *.*
>
> DSN generated by: BN6PR02MB2308.namprd02.prod.outlook.com
>
> Remote server: newxmmxszb50.qq.com
>
> 40.107.82.82 is within 40.107.0.0/16, which is in the SPF record they ask
> you to use: spf.protection.outlook.com
>
> *Jason Carter*
> IT Manager
> Microsoft Enterprise Applications and Systems
> Information Technology Services | Florida State University
> *p* 850.645.8069 | *w* its.fsu.edu
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

--
al iverson // wombatmail // chicago
http://www.aliverson.com
http://www.spamresource.com
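
A local way to re-check the claim in the thread that 40.107.82.82 is covered by the `ip4:40.107.0.0/16` term reached through `include:spf.protection.outlook.com`; this is an added example, not code from any of the posters. The TXT records and the `tenant.example`, `deep.example` and `nN.example` names are constructed, and the sketch goes beyond the thread by also enforcing the RFC 7208 limit of 10 DNS-querying terms, which produces `permerror` instead of a pass or fail.

```python
import ipaddress

# Constructed TXT records standing in for DNS; only 40.107.0.0/16 comes from the thread.
ZONE = {
    "tenant.example": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.107.0.0/16 -all",
    "deep.example": "v=spf1 "
    + " ".join(f"include:n{i}.example" for i in range(11)) + " -all",
    **{f"n{i}.example": "v=spf1 ip4:192.0.2.0/24 ?all" for i in range(11)},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

class PermError(Exception):
    """The record cannot be evaluated (RFC 7208 'permerror')."""

def _eval(ip, domain, budget):
    record = ZONE.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None  # no SPF record published for this name
    for term in record.split()[1:]:
        qualifier = QUALIFIERS.get(term[0])
        mech = term[1:] if qualifier else term
        result = qualifier or "pass"  # a missing qualifier means "+"
        name, _, arg = mech.partition(":")
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            budget[0] -= 1  # every include costs one DNS lookup
            if budget[0] < 0:
                raise PermError("more than 10 DNS-querying terms")
            inner = _eval(ip, arg, budget)
            if inner is None:
                raise PermError(f"include target {arg} has no SPF record")
            if inner == "pass":  # only an inner pass makes include match
                return result
        else:
            raise PermError(f"term {name!r} not handled in this sketch")
    return "neutral"  # no term matched and there was no "all"

def check_host(ip, domain):
    """Return the SPF result for a connecting IP and a MAIL FROM domain."""
    try:
        return _eval(ipaddress.ip_address(ip), domain, [MAX_LOOKUPS]) or "none"
    except PermError:
        return "permerror"
```

To test a live domain, replace `ZONE.get` with a real TXT lookup and pass the envelope sender domain and connecting IP taken from the bounce.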