Forum Discussion
adelacruz010 (Copper Contributor)
Feb 20, 2024
All outside emails keep bouncing back
Hi everyone, I'm new here and I am having an issue with my Microsoft email: it keeps bouncing back. Here's the issue. Thanks
-----------------
Ensure your email authentication records are set up to avoid mail flow issues to third-party email accounts
EX715925, Last updated: Feb 14, 2024, 4:04 PM EST
Estimated start time: Feb 14, 2024, 3:46 PM EST
Affected services: Exchange Online
Issue type: Advisory
Issue origin: Your environment
Status: Investigating
User impact
If action isn't taken, email messages may not send to third-party email providers and return a NDR.
Action needed
This is a continuation of EX711592 and can be safely ignored if your organization has already reviewed and/or taken action on the event. If your admins have already confirmed that your organization's DKIM, SPF, and DMARC records have been established already, and your users haven't received the error code mentioned below in NDRs, then you can safely ignore this message.
We've received various reports from users that email sent to specific third-party email providers aren't sending and return a "550 5.4.300 Message expired -> 421 4.4.2 Connection dropped due to SocketError" error code within the NDR. This is stemming from a result from recent security-related changes from said third parties to improve their resiliency against potential spam and other malicious email attempts. Part of these efforts now requires users to authenticate to DomainKeys Identified Mail (DKIM) and/or Sender Policy Framework (SPF), depending on your organization's setup. For those who are bulk sending email, both DKIM and SPF are required.
Additional diagnostics
To check if you're impacted by this event, admins can use https://aka.ms/diagdkim to confirm that your email authentication records are valid.
For more information about how to remain compliant with some of the most common email providers, please review the following documents below:
All updates
Feb 14, 2024, 4:04 PM EST
Title: Ensure your email authentication records are set up to avoid mail flow issues to third-party email accounts
User impact: If action isn't taken, email messages may not send to third-party email providers and return a NDR.
Current status: We've received reports from some users that they're unable to send email messages to some third-party email providers and receive a NDR. Please ensure your organization's set up is aligned with recent security changes to third-party email provider, outlined in the Additional Diagnostics section of this communication, so that mail flow remains uninterrupted.
This message will expire in 7 days and is scheduled to remain active for the full duration.
- BrianD_BizCloud (Copper Contributor)
10 minute Fix, Really Why Not Publish Info in Plain Terms?
Overview
In all the documentation provided on this subject, I couldn’t find simple wording applying to Multiple Customers (Our company also). Scenario for Tenants addressed below:
• MS 365 is Managing the DNS. Aka Managed at Microsoft 365 - Default domain
This can be misleading. When DNS shows “All Good” on MS365, it does not represent any incorrect settings on the registrar.
• We Manage the DNS for Our Customers (Have Admin Privileges in Registrar site)
• We have Global Admin users in each Tenant.
Most would assume that if MS 365 is managing the DNS (aka “Managed at Microsoft 365”) and, during domain setup or post-setup on MS365, you had checked “Setup my online services for me”, the assumption may have been that all settings were correct. Not so.
After reading through possibly hundreds of references, that leave most knowing less than when they started, I found 1 vague reference to the problem. A Tip.
There are no admin portals or PowerShell cmdlets in Microsoft 365 for you to manage SPF records in your domain. Instead, you create the SPF TXT record at your domain registrar or DNS hosting service (often the same company).
A 10-minute “Fix” may have stated (along with the screen prints provided below; no pics uploaded):
1. After determining what needs to be changed (Screen print below shows what to look for)
2. Log in to Registrar as admin. Reset to Default (registrars) or Revoke the 4x ns*.bdm.microsoftonline.com Name Servers.
3. Enter Correct DNS info.
4. Remove incorrect or stale data, including the original proof of domain ownership TXT record for Microsoft 365, generated by Microsoft during initial setup at many domain registrars. @ MS=ms######## TTL: 3600
a. One SPF record per domain or subdomain. Multiple SPF TXT records for the same domain or subdomain cause a DNS lookup loop that makes SPF fail, so use only one SPF record per domain or subdomain.
5. Change DNS back to MS365 4x ns*.bdm.microsoftonline.com
Of course there are multiple other DNS that can be configured, Skype, Mobility etc.
For most Tenants, if the below 3 Exchange items are correct, you did a 10 minute “Fix”.
Additional diagnostics
To check if you're impacted by this event, admins can use https://aka.ms/diagdkim to confirm that your email authentication records are valid. Or, from Admin Landing page, click help, type dkim to run test.
Set up SPF to identify valid email sources for your Microsoft 365 domain
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-spf-configure?view=o365-worldwide
Set up DKIM to sign mail from your Microsoft 365 domain
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide&wt.mc_id=365admincsh_supportcentral
Add DNS records to connect your domain
https://learn.microsoft.com/en-us/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider?view=o365-worldwide
From the above landing page, the instructions for the different Providers are listed below
To know how to verify your domain with Microsoft by adding TXT record and to know how to connect to Microsoft services by adding DNS records see:
• Connect your DNS records at IONOS by 1&1 to Microsoft 365
• Connect your DNS records at 123-reg.co.uk to Microsoft 365
• Connect your DNS records at Amazon Web Services (AWS) to Microsoft 365
• Connect your DNS records at Cloudflare to Microsoft 365
• Connect your DNS records at GoDaddy to Microsoft 365
• Connect your DNS records at Namecheap to Microsoft 365
• Connect your DNS records at Network Solutions to Microsoft 365
• Connect your DNS records at OVH to Microsoft 365
• Connect your DNS records at web.com to Microsoft 365
• Connect your DNS records at Wix to Microsoft 365
• Create DNS records for Microsoft using Windows-based DNS
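
Added example (not part of either post, and not Microsoft's tooling): an offline check for the TXT-record problems discussed in this thread, namely more than one SPF record on a domain, a leftover MS= verification record, and a missing DMARC record. The domain example.com, the MS=ms00000000 value, both zones and the function names are constructed for illustration; spf.protection.outlook.com is the include Microsoft documents for Exchange Online.

```python
# Added example: offline audit of TXT records; all sample data below is constructed.
# RFC 7208: more than one "v=spf1" record, or more than 10 DNS-querying terms,
# makes SPF evaluation return permerror.
LOOKUP_PREFIXES = ("include:", "exists:", "redirect=", "a:", "mx:", "ptr:")

def spf_records(txts):
    """TXT strings whose first token is exactly the SPF version tag."""
    return [t for t in txts if t.split(" ", 1)[0].lower() == "v=spf1"]

def count_lookups(spf):
    """Count terms in this one record that trigger a DNS query when evaluated."""
    n = 0
    for term in spf.lower().split()[1:]:
        name = term.lstrip("+-~?").split("/")[0]      # drop qualifier and CIDR
        if name in ("a", "mx", "ptr") or name.startswith(LOOKUP_PREFIXES):
            n += 1
    return n

def audit(domain, zone):
    """zone: owner name -> list of TXT strings. Returns a list of findings."""
    findings = []
    apex = zone.get(domain, [])
    spf = spf_records(apex)
    if len(spf) != 1:
        findings.append(f"expected 1 SPF record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()
        if count_lookups(spf[0]) > 10:
            findings.append("SPF exceeds 10 DNS-lookup terms")
        if terms[-1] not in ("-all", "~all") and not any(
                t.startswith("redirect=") for t in terms):
            findings.append("SPF has no terminal -all/~all or redirect")
    if any(t.startswith("MS=ms") for t in apex):
        findings.append("leftover MS= domain-verification record")
    dmarc = [t for t in zone.get("_dmarc." + domain, [])
             if t.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"expected 1 DMARC record, found {len(dmarc)}")
    return findings

# Constructed zones for the placeholder domain example.com.
BROKEN = {"example.com": ["MS=ms00000000",
                          "v=spf1 include:spf.protection.outlook.com -all",
                          "v=spf1 include:mail.example.net ~all"]}
FIXED = {"example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
         "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]}

if __name__ == "__main__":
    for name, zone in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit("example.com", zone) or "no findings")
```

To run it against a live domain, fill the zone dictionary from the TXT answers returned by the registrar's or DNS host's records, since the lookup count here covers only the top-level record and not nested includes.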