postfix can deliver e-mails again towards Microsoft addresses

Recently I upgraded to my new, freedom-loving, pro-privacy Internet Service Provider Freedom Internet. I was already running a mailserver before I switched: postfix. For years I had no issues sending out e-mails towards other mailservers. After I upgraded though, it seemed I was unable to send e-mail to Microsoft e-mail addresses. I noticed it only after a few months, when I tried to reach someone with an @live.nl e-mail address.

TL;DR

So I decided to change my reverse DNS record from something.connected.by.freedominter.net to something.domain.tld. And behold, my e-mail was now being accepted again by Microsoft.

So although Microsoft’s policies and guidelines state “Email servers must have valid reverse DNS records.”, that is not entirely true. I assume that Microsoft rejects e-mail servers with rDNS records with more than 2 dots. Beware if you use multiple DNS zones.

The beginning - Undelivered Mail Returned to Sender

So I sent an e-mail to an @live.nl e-mail address and within minutes I got the dreaded “Undelivered Mail Returned to Sender” e-mail back. Essentially this was the error (e-mail address and IP address are obfuscated):

<some.random.username@live.nl>: host eur.olc.protection.outlook.com[104.47.18.225]
    said: 550 5.7.1 Unfortunately, messages from [46.118.121.321] weren't sent.
    Please contact your Internet service provider since part of their network
    is on our block list (S3150). You can also refer your provider to
    http://mail.live.com/mail/troubleshooting.aspx#errors.
    [VI1EUR06FT035.eop-eur06.prod.protection.outlook.com] (in reply to MAIL
    FROM command)

Reading the provided link, I initially do not find anything weird (noticeable), nor this specific error. Somewhere in the middle of the page, there is a way to contact support:

“If your email complies with our policies and guidelines and you are still experiencing email delivery problems that are not addressed in the FAQ below, click here to contact support.”

Since my own domains cannot send e-mail towards Microsoft, I had to fall back to using a backup e-mail address.

Contacting support - Part 1

The first e-mail I got back from support stated the following (again, IP address is obfuscated):

We have completed reviewing the IP(s) you submitted. The following
table contains the results of our investigation.

Not qualified for mitigation
46.118.121.321/32
Our investigation has determined that the above IP(s) do not qualify
for mitigation.

Please ensure your emails comply with the Outlook.com policies,
practices and guidelines found here:
http://mail.live.com/mail/policies.aspx.

To have Deliverability Support investigate further, please reply to
this email with a detailed description of the problem you are having,
including specific error messages, and an agent will contact you.

Regardless of the deliverability status, Outlook.com recommends that
all senders join two free programs that provide visibility into the
Outlook.com traffic on your sending IP(s), the sending IP reputation
with Outlook.com and the Outlook.com user complaint rates.

Junk Email Reporting program (JMRP) When an Outlook.com user marks an
email as "junk", senders enrolled in this program get a copy of the
mail forwarded to the email address of their choice. It allows senders
to see which mails are being marked as junk and to identify mail
traffic you did not intend to send. To join, please visit

https://sendersupport.olc.protection.outlook.com/snds/JMRP.aspx

Smart Network Data Services program (SNDS). This program allows you to
monitor the ‘health’ and reputation of your registered IPs by providing
data about traffic such as mail volume and complaint rates seen
originating from your IPs. To register, please visit
http://postmaster.live.com/snds/.

There is no silver bullet to maintaining or improving good IP
reputation, but these programs help you proactively manage your email
eco-system to help better ensure deliverability to Outlook.com users.

Thank you,
Outlook.com Deliverability Support

A kind and generic first reply. Their policies contain partially good advice. They also try to sneak in the Junk Email Reporting program (JMRP) and Smart Network Data Services program (SNDS). Of course I will not use them. Luckily these programs are not mandatory. Since my IP is not blacklisted and the rest of the mailservers on the internet accept e-mails from my mailserver, I reply to this e-mail. I state that I have looked at their policies, that I’m not on a blacklist, and ask which part of their policy I’m not complying with.

Contacting support - Part 2

Another kind e-mail is sent back to me:

Hello,

My name is <blank> and I work with the Outlook.com Sender Support Team.

I do not see anything offhand that would be preventing your mail from
reaching our customers. For the following IP (46.118.121.321/32)

You may be able to find additional information on common delivery
questions at the Outlook.com Postmaster Site found at
https://mail.live.com/mail/postmaster.aspx
<https://mail.live.com/mail/postmaster.aspx>  I would like to highlight
some key areas that I believe are appropriate to your company.

Outlook.com has created the Smart Network Data Services (SNDS) program.
This is a service that helps legitimate email senders work with their
customers and partners to reduce spam originating from their IP. To
register, please go to http://postmaster.msn.com/snds
<http://postmaster.msn.com/snds> / This program allows a sender to
monitor the 'health' of their IPs.

Monitor user complaints. Outlook.com also has a sender complaint
feedback loop program called the Junk Email Reporting Program (JMRP).
Enrollment in this free program will benefit you as a sender as it will
keep your email lists updated and populated with interested Outlook.com
customers. This program will help you to remove those Outlook.com
customers who do not want to receive emails from your company. If you
are interested in joining this program, please visit
https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0
<https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0> .

While using the SNDS tool and enrollment in the JMRP will not allow
emails from your mail servers to bypass our filters, these are in place
to help legitimate companies deliver their emails to Outlook.com
customers.

 Apply for IP Certification by Return Path, a Validity Product?
If you are doing all the above and you continue to have deliverability
issues, you may wish to consider joining Return Path's IP Certified
Mail Program, a third-party program administered by Return Path, a
Validity Product. Many legitimate mailers and marketers have qualified
and joined this program to improve mail deliverability and decrease
email from being filtered to the Junk E-mail Folder. Return Path's IP
Certification
(https://www.validity.com/products/returnpath/certification/) is the only
service to which we subscribe

The troubleshooting steps in this email are recommendations only.
Microsoft makes no guarantees that following these steps will guarantee
deliverability to MSN, Outlook.com, or Live.com customers.

For more detailed information about best sending practices to
Outlook.com users, please review the following white paper:
http://download.microsoft.com/download/e/3/3/e3397e7c-17a6-497d-9693-78f80be272fb/enhance_deliver.pdf

Sincerely,

Hmmmm, that is strange. Apparently, at first glance, nothing “strange” pops up to them as to why e-mail from my IP address would be rejected. I get the feeling that my contact person actually had a look at my IP address and their policies (the previous e-mail was more a ‘standard first reply’ e-mail).

Note: in addition to the Junk Email Reporting program (JMRP) and Smart Network Data Services program (SNDS), they also sneak in the Return Path’s IP Certification. The latter sounds like something useful and generic, but is not. Your e-mail server will run fine without any of this.

Meanwhile at my own ISP

Of course I did not wait quietly for a reply to my e-mail and started my own investigation. My ISP has a great community and I found this thread on their community with people who have exactly the same problem.

In that thread Noci suggested we can modify our default reverse DNS record, by sending an e-mail to the helpdesk.

So I decided to change my reverse DNS record from something.connected.by.freedominter.net to something.domain.tld. And behold, my e-mail was now being accepted again by Microsoft.

So although Microsoft’s policies and guidelines state “Email servers must have valid reverse DNS records.”, that is not entirely true. I assume that Microsoft rejects e-mail servers with rDNS records with more than 2 dots. Beware if you use multiple DNS zones.
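A preflight check for the reverse DNS of a sending IP, as an added example that is not part of the original post or any Microsoft tooling. It tests forward-confirmed reverse DNS, whether the PTR name sits inside the mail domain, and the post's "more than 2 dots" assumption; the address 192.0.2.25 and the lookup tables are constructed sample data, and the resolver functions are injectable so it runs offline.

```python
import ipaddress
import socket

def ptr_lookup(ip):
    """PTR name for ip via the system resolver, or None."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except OSError:
        return None

def forward_lookup(name):
    """Set of A/AAAA addresses for name via the system resolver."""
    try:
        return {i[4][0].split("%")[0] for i in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def check_rdns(ip, mail_domain, ptr=ptr_lookup, fwd=forward_lookup):
    """Return (ptr_name, findings) for a sending IP; empty findings = clean."""
    name = ptr(ip)
    if not name:
        return None, ["no PTR record"]
    findings = []
    # Forward-confirmed reverse DNS: the PTR name must resolve back to ip.
    if ipaddress.ip_address(ip) not in {ipaddress.ip_address(a) for a in fwd(name)}:
        findings.append("PTR name does not resolve back to the sending IP")
    # The fix in the post: PTR moved from the ISP's zone into the sender's own domain.
    if name != mail_domain and not name.endswith("." + mail_domain):
        findings.append("PTR is outside the mail domain (provider default name?)")
    # The post's assumption, not a documented Microsoft rule.
    if name.count(".") > 2:
        findings.append("PTR has more than 2 dots")
    return name, findings

# Constructed sample data: 192.0.2.25 is a documentation address, the host
# names are the placeholders used in the post.
OLD_PTR = {"192.0.2.25": "something.connected.by.freedominter.net"}
NEW_PTR = {"192.0.2.25": "something.domain.tld"}
FORWARD = {n: {"192.0.2.25"} for n in (OLD_PTR["192.0.2.25"], NEW_PTR["192.0.2.25"])}

def demo():
    """Run the check against the before and after PTR records, offline."""
    fwd = lambda n: FORWARD.get(n, set())
    before = check_rdns("192.0.2.25", "domain.tld", OLD_PTR.get, fwd)
    after = check_rdns("192.0.2.25", "domain.tld", NEW_PTR.get, fwd)
    return before, after

if __name__ == "__main__":
    for name, findings in demo():
        print(name, findings or "ok")
```

Calling `check_rdns(ip, mail_domain)` without the last two arguments uses the system resolver against a real address.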

Contacting support - Part 3

A few weeks passed and finally I had some time to reply to the previous support e-mail. I wanted to inform them of the bug (and solution) I found. Then I got this automatic reply:

Thank you for contacting Microsoft Technical Support. The service
request has been archived due to inactivity. If you still require
assistance, please contact us via support.microsoft.com or
1-800-Microsoft.

Essentially this is fine with me, but I will not create a new ticket to provide the solution. I would rather create this blogpost so everyone can learn from my experience and we can continue to keep the e-mail infrastructure working.