> On 13 Aug 2025, at 09:20, Dan Malm <d...@one.com> wrote:
> 
> On 8/13/25 09:51, Laura Atkins wrote:
>>> On 13 Aug 2025, at 07:45, Dan Malm via mailop <mailop@mailop.org> wrote:
>>> 
>>> Hi,
>>> 
>>> I've seen some chatter here about Microsoft's rules for large senders and 
>>> DKIM, but that discussion has missed one perspective: forwarding. It 
>>> appears Microsoft have decided that for "large senders" spf AND dkim AND 
>>> dmarc ALL need to pass (for the domain in the from header). That means it's 
>>> impossible to forward mails from large senders to addresses hosted by 
>>> Microsoft:
>>> 
>>> 5.7.515 Access denied, sending domain JULA.COM doesn't meet the required 
>>> authentication level. The sender's domain in the 5322.From address doesn't 
>>> meet the authentication requirements defined for the sender. To learn how 
>>> to fix this see: https://go.microsoft.com/fwlink/p/?linkid=2319303 Spf= 
>>> Fail , Dkim= Pass , DMARC= Pass
>>> 
>>> This seems like absolute madness to me.
>> While it is madness to expect every domain in a message to align, that’s not 
>> what’s going on here. Microsoft are incorrectly marking mail as 
>> authentication failed when the authentication isn’t failing. Some folks 
>> think it might be related to DNS TTLs. Steve talked about it here: 
>> https://www.wordtothewise.com/2025/07/dont-make-your-dns-ttls-too-short/
>> laura
>> --
> But both DKIM and DMARC pass here. The only thing MS indicates doesn't pass 
> is SPF (for the domain in the from header). And that is true, it does 
> fail, as it should well do. We're not the sender, we're just forwarding 
> the mail on behalf of our customer, but as DMARC passes that SHOULD be fine. 
> I think the DNS TTLs you're referring to are the aforementioned discussions 
> about DKIM where MS says DKIM=fail despite having valid DKIM.

MS says both SPF fail and DKIM fail in different cases - I’ve seen both happen. 
I missed the part where SPF was actually failing (as opposed to just MS being 
unable to do basic inbound mail authentication). 

If it really is SPF failing then you may want to try SRS? I dunno how well that 
will work but it might help. Microsoft makes some rather challenging and hard 
to understand decisions about how they filter mail but experience suggests they 
are resistant to changing those decisions.

> And some have suggested ARC is the savior here, but that would only be true 
> if there was some way to get Microsoft to trust our ARC signature, which they 
> don't. (We've been ARC signing all forwards since 2019)

laura 

-- 
The Delivery Expert

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Delivery hints and commentary: http://www.wordtothewise.com/blog        






_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
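
Added example, not part of the original thread or any poster's code: a small triage script a forwarder could run over collected 5.7.515 bounce texts to separate the SPF-fail-only pattern described above from the DKIM-fail case also mentioned. The label names and the second sample bounce are constructed for illustration; the first sample is the bounce quoted in the thread, abridged.

```python
import re

VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.IGNORECASE)
DOMAIN_RE = re.compile(r"sending domain\s+(\S+)", re.IGNORECASE)

def parse_bounce(text):
    """Extract the 5322.From domain and the Spf/Dkim/DMARC verdicts."""
    flat = " ".join(text.split())  # undo line wrapping inside the DSN text
    m = DOMAIN_RE.search(flat)
    domain = m.group(1).lower() if m else None
    verdicts = {k.lower(): v.lower() for k, v in VERDICT_RE.findall(flat)}
    return domain, verdicts

def classify(text):
    """Label a bounce by which mechanism the receiver reported as failing."""
    domain, v = parse_bounce(text)
    if "5.7.515" not in text or not {"spf", "dkim", "dmarc"} <= v.keys():
        return domain, "unparsed"
    spf, dkim, dmarc = (v[k] == "pass" for k in ("spf", "dkim", "dmarc"))
    if not dmarc:
        return domain, "dmarc-fail"
    if dkim and not spf:
        return domain, "spf-fail-only"   # pattern reported for forwarded mail
    if spf and not dkim:
        return domain, "dkim-fail-only"  # the other case mentioned in the thread
    if not spf and not dkim:
        return domain, "inconsistent"    # a DMARC pass needs one aligned pass
    return domain, "all-pass"

# Bounce text as quoted in the thread (abridged and re-wrapped).
THREAD_BOUNCE = """5.7.515 Access denied, sending domain JULA.COM doesn't meet
the required authentication level. The sender's domain in the 5322.From address
doesn't meet the authentication requirements defined for the sender.
Spf= Fail , Dkim= Pass , DMARC= Pass"""

# Constructed sample, not from the thread.
CONSTRUCTED_BOUNCE = ("5.7.515 Access denied, sending domain example.org doesn't "
                      "meet the required authentication level. Spf= Pass , "
                      "Dkim= Fail , DMARC= Pass")

def summarize(bounces):
    """Count bounces per (domain, label) to see which failure dominates."""
    counts = {}
    for b in bounces:
        key = classify(b)
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for key, n in summarize([THREAD_BOUNCE, CONSTRUCTED_BOUNCE]).items():
        print(key, n)
```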
