Hey John, if I were in your shoes, I would see if you can find something else wrong with the message.
There have been multiple other instances lately -- at least two blogged about publicly by others -- where Microsoft says "broken auth" in an NDR when it's actually some other kind of RFC violation, like double headers where not allowed, or too-long headers, or a missing header. Sometimes it's something that Gmail would reject, too, but other times it's something that Gmail would just quietly correct or ignore. Here's folks blogging about two instances of this issue: Example number one -- double headers: https://www.engagor.ai/resources/blog/duplicate-headers-dkim-microsoft-bounce Example number two -- too long header: https://postmarkapp.com/blog/how-we-improved-unsubscribe-links-to-boost-your-deliverability Hope that helps. Cheers, Al Iverson On Fri, May 8, 2026 at 2:48 PM John R Levine via mailop <[email protected]> wrote: > > > I've noticed that Microsoft's systems fail intermittently to > > validate DNS lookups for DMARC, SPF, DKIM, and PTR records. Some > > users have become accustomed to trying again later to get their > > eMails through (which is not ideal). > > > > Although it doesn't happen very often, Microsoft's systems have been > > doing this since last year (and possibly earlier than that), and it > > doesn't seem to target any particular providers (e.g., a few of my > > clients with GMail accounts have asked me what the errors mean when > > they've received bounce-backs just like the one that you included). > > > > Feel free to send some test messages to > > [email protected] from that address if you want to > > confirm that your DKIM is working -- they'll be rejected if it isn't. > > Oh, I know the DKIM is OK, I can send messages to myself and everywhere > else and even usually Microsoft. I guess if they ask I'll have to remind > them that sometimes free services are worth what you pay for them. > > R's, > John > > >> We've been sending this person mail for years at an outlook.com.au > >> address and nearly all of them have worked, including several today. > >> > >> 550,5.7.515,Access denied, sending domain ARXIV.ORG doesn't meet the > >> required authentication level. The sender's domain in the 5322.From > >> address doesn't meet the authentication requirements defined for the > >> sender. To learn how to fix this see: > >> https://go.microsoft.com/fwlink/p/?linkid=2319303 Spf= Pass , Dkim= Fail , > >> DMARC= Pass [SY8P300MB0731.AUSP300.PROD.OUTLOOK.COM > >> 2026-05-08T18:21:38.150Z 08DEAD0640C37A36] > >> [MW4PR04CA0059.namprd04.prod.outlook.com 2026-05-08T18:21:38.232Z > >> 08DEACE91EBF534A] [MW1PEPF0001615B.namprd21.prod.outlook.com > >> 2026-05-08T18:21:38.253Z 08DEACF5EA686851] > _______________________________________________ > mailop mailing list > [email protected] > https://list.mailop.org/listinfo/mailop -- Al Iverson // 312-725-0130 // Chicago http://www.spamresource.com // Deliverability http://www.aliverson.com // All about me https://xnnd.com/calendar // Book my calendar _______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
