On Wed, Aug 13, 2025 at 2:06 AM Dan Malm via mailop <mailop@mailop.org> wrote:
>
> Hi,
>
> I've seen some chatter here about Microsofts rules for large senders and
> DKIM, but that discussion has missed one perspective: forwarding. It
> appears Microsoft have decided that for "large senders" spf AND dkim AND
> dmarc ALL need to pass (for the domain in the from header). That means
> it's impossible to forward mails from large senders to addresses hosted
> by Microsoft:
>
> 5.7.515 Access denied, sending domain JULA.COM doesn't meet the required
> authentication level. The sender's domain in the 5322.From address
> doesn't meet the authentication requirements defined for the sender. To
> learn how to fix this see:
> https://go.microsoft.com/fwlink/p/?linkid=2319303 Spf= Fail , Dkim= Pass
> , DMARC= Pass
>
> This seems like absolute madness to me.

Indeed, Microsoft is requiring SPF to pass. It doesn't have to align,
but it does have to pass. Which means a scenario you would expect to
result in delivery -- DKIM pass, DMARC pass (because of DKIM pass and
alignment), SPF fail (because of forwarding) -- will now be rejected.

So, yeah, I think you're reading the requirements right. If you're a
bulk sender, SPF, DKIM and DMARC all have to pass. Doesn't mean that
both SPF and DKIM have to align. They encourage/recommend it, but do
not mandate that both must align. It does seem to put a crimp in the
ability to forward mail to destinations at MS's consumer mailbox
domains.

IMHO, this is fully unrelated to the "low TTLs"/DNS timeout issues
others are mentioning here. Also a problem, but a different problem.

Cheers,
Al Iverson


-- 

Al Iverson // 312-725-0130 // Chicago
http://www.spamresource.com // Deliverability
http://www.aliverson.com // All about me
https://xnnd.com/calendar // Book my calendar
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Reply via email to