On Wed, Aug 13, 2025 at 2:06 AM Dan Malm via mailop <mailop@mailop.org> wrote: > > Hi, > > I've seen some chatter here about Microsofts rules for large senders and > DKIM, but that discussion has missed one perspective: forwarding. It > appears Microsoft have decided that for "large senders" spf AND dkim AND > dmarc ALL need to pass (for the domain in the from header). That means > it's impossible to forward mails from large senders to addresses hosted > by Microsoft: > > 5.7.515 Access denied, sending domain JULA.COM doesn't meet the required > authentication level. The sender's domain in the 5322.From address > doesn't meet the authentication requirements defined for the sender. To > learn how to fix this see: > https://go.microsoft.com/fwlink/p/?linkid=2319303 Spf= Fail , Dkim= Pass > , DMARC= Pass > > This seems like absolute madness to me.
Indeed, Microsoft is requiring SPF to pass. It doesn't have to align, but it does have to pass. Which means a scenario you would expect to result in delivery -- DKIM pass, DMARC pass (because of DKIM pass and alignment), SPF fail (because of forwarding) -- will now be rejected. So, yeah, I think you're reading the requirements right. If you're a bulk sender, SPF, DKIM and DMARC all have to pass. Doesn't mean that both SPF and DKIM have to align. They encourage/recommend it, but do not mandate that both must align. It does seem to put a crimp in the ability to forward mail to destinations at MS's consumer mailbox domains. IMHO, this is fully unrelated to the "low TTLs"/DNS timeout issues others are mentioning here. Also a problem, but a different problem. Cheers, Al Iverson -- Al Iverson // 312-725-0130 // Chicago http://www.spamresource.com // Deliverability http://www.aliverson.com // All about me https://xnnd.com/calendar // Book my calendar _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop