MicrosoftMicrosoftThis seems to break things badly.
At iki.fi, a non profit society with 30K members, we provide a permanent e-mail addresses with mail forwarding.
Outlook is now rejecting around 1500 - 2000 forwarded mails per day with 5.7.515 and "Spf= Fail , Dkim= Pass , DMARC= Pass" in explanation.
Almost everything is coming from well known legitimate sender domains.
The filtering does not honor the DMARC standard as either SPF pass or DKIM pass should be sufficient. Now it requires both to pass.
SPF is not compatible with email forwarding, Even Microsoft acknowledges this on your https://learn.microsoft.com/en-us/defender-office-365/email-authentication-about www-page.
Is there anything that we can do to get mail flowing again?
We do spam filtering, we use ARC to sign forwarded emails.
SRS is not an options as it breaks DKIM.
Should we just recommend our members to use some other e-mail provider?
SRS is a solution, why do you thing it breaks DKIM ?
SRS rewrites headers that are covered with the original DKIM signature.
Of course you can add a new DKIM signature, but it only proves that the mail was re-sent by the forwarding server.
From the security aspect, bad actors may trivially mimic SRS and there is no way for the receiver to differentiate legitimate and fake relayed mail.
SRS rewrites the RFC5321.mailfrom (envelope from), which is input prior to the SMTP DATA command. DKIM (in its current iteration) can only sign headers added during the DATA stage.
Currently SRS has no relation to DKIM whatsoever.
