Re: [mailop] Microsoft/O365 SPF failures

2022-01-23 Thread Ángel via mailop 
On 2022-01-20 at 20:33 +0100, Klaus Ethgen via mailop wrote:.
> > Scroll down to the relay pool subheader and read up more about it.
> 
> That means, Microsoft ist intentional breaking mail.
> 
> > Hope this helps.
> 
> Well, as I am not the sender than the recipient, no, it does not.
> 
> When it is not part of SPF pool and they have '-all' in SPF record,
> then the mail could not be delivered.
> 
> Only Microsoft is blamable for breaking it and only they can fix it.
> 
> Regards
>Klaus

Someone forwarding mail from one account to a different mail server
should configure the receiving account to know that it is being
forwarded mail from $OriginalAccount, so that it can take that into
account and trust the forwarding mta.
Otherwise, it just looks as if the forwarder is spoofing all the mail
that is forwarded.
DKIM-signatures would (should) survive, but forwarding will generally
break SPF (forwarding can either keep the original MAIL FROM or rewrite
it, I don't know which version O365 chooses), and that is expected. You
should place an exception on the receiving account to cater for that.

Microsoft adds another layer attempting to make it easier for you to
filter invalid mails since they forward from the relay IP addresses
when the mail didn't validate to begin with*

It is good that you are running your own mail server and can thus
tinker with it, since I know of no mail provider which offers such
preference to their users in their interface (although perhaps they
would support that as a custom request, though).



Best regards



* 
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/high-risk-delivery-pool-for-outbound-messages?view=o365-worldwide
mentions

«The forwarded/relayed message should meet one of the following
criteria to avoid using the relay pool:

* The outbound sender is in an accepted domain.
* SPF passes when the message comes to Microsoft 365.
* DKIM on the sender domain passes when the message comes to Microsoft
365.»

but I suspect it might not be accurate. It would make more sense that
the criteria would be having the outbound sender is in an accepted
domain and either SPF or DKIM passes when it arrived O365. Or mayb 









___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

[mailop] Microsoft/Linode issue resolved

2022-01-23 Thread John Gateley via mailop 

Hi y'all,

I resolved my Microsoft blocking my Linode IPv4 address issue. I posted 
several times here as it

was happening, so this is a recap:

Microsoft's mitigation process is fragile and complex, perhaps 
intentionally.


1. It requests forwarding the bounce message. My mailer (standard 
Dovecot + Postfix) adds
a couple of attachments to the message. Microsoft will reject messages 
with attachments

and not do anything. So you must remove the attachments before forwarding.

2. Microsoft's mitigation process handles both Office365 issues and 
outlook.com etc issues.
They seem to make no distinction in the error messages. My bounces 
indicated it was an
Office365 issue, but I followed that process several times with no 
result. Finally, I filed
an outlook.com delisting ticket, and after some back and forth they 
delisted me.
I wish Microsoft had a better system for communicating WHICH platform is 
blocking and

the process for that platform.

3. After several tries, the Office365 mitigation process just stopped 
working. After the forward
I receive an email saying "we will respond in 24 hours". The first few 
times, this incuded
a link to the Office365 delisting process. But at some point, Microsoft 
stopped responding.
I would get the "we will respond" email, but never anything more. It was 
blamed on huge
traffic from Linode, but that wasn't the case (as it happened several 
times over many days

and I NEVER got a response).

I truly appreciate the help I received from this list, and it is 
fantastic that there are Microsoft,
Linode (and other companies) people here contributing. That made it 
easier for me to find the

solution.

Linode has a mediocre reputation (I think this is undeserved) for IP 
cleanliness. I contacted
Linode and they offered me an IP address known to be clean w/r/t 
Microsoft filtering.
Changing a mailer's IP address is a dramatic operation so I haven't yet 
decided to go through
with this. But they were professional, helpful, and I have been using 
them for 15+ years,

and probably close to 10 on my current IPv4 address.

The reason I think their reputation is undeserved: I asked for better 
hosters, and did receive
some recommendations. I checked these, calling one and speaking with 
Sales, and reading
the websites of the others. They had no special restrictions or filters 
regarding email, the
sales person I spoke to just said "we don't allow spammers". My guess is 
that they are cleaner
IP addresses mostly because they are smaller, and spammers don't flock 
to them.


Linode has been pretty good to me, and very responsive. There seems to 
be a pile-on attitude

regarding them as mail servers, and in my opinion it is undeserved.

Thanks to all who contributed and helped me!

John


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop