Forum Discussion
niaccarino1981
Oct 20, 2020Copper Contributor
Received-SPF: TempError (protection.outlook.com: error in processing during lookup of "domain-name":
I have encountered an issue I believe is extremely widespread (albeit intermittent) affecting deliverability to hotmail.com / outlook.com from .AU Domains. During the past few days, I have perfor...
niaccarino1981
Oct 22, 2020Copper Contributor
Are you perhaps able to tell me which TLD you are sending from ? Is it a .AU, COM.AU, .NET.AU or something else? SaadItani
SaadItani
Nov 13, 2020Copper Contributor
.edu.lb Aslo I want to note that its happening at random times and not for every email. Its been months happening and I contacted TLD NS servers for support and yet no fix.
Also we know that emails getting spf fails are entiteled with email subject: [Warning Unauthenticted User] and again it happens at random times and our end users are getting frustrated...
we contacted Microsoft support and they said its from DNS side.
- webawereMar 19, 2021Copper Contributor
We experience the same problem with all our servers. Mail goes to spam because of that 😞
- sijanecMar 19, 2021Copper ContributorYou could try removing DMARC restrictions. My mail gets delivered and never flagged as spam because I explicitly stated in my DMARC record that mail with bad SPF/DKIM shall not get flagged as spam. It's weird how DMARC records are accessible to Outlook - maybe they're just cached longer, but my mail never gets to spam.
Make sure to also enable dmarc-forensic reports so your postmaster will get an email when a mail is delivered into a spam folder.
More on that on https://dmarc.org/. I hope this issue gets resolved.- SaadItaniMar 19, 2021Copper Contributor
Guys,
We opened a case with Microsoft 3 weeks ago and they confirm other users are having problems and they said that they are working on the new code that is not released to update there outlook servers regarding the DNS Timeouts. They insisted on me to wait until they roll out the updates which we dont know when.
In my situation the "Warning Unathenticated" email headers are being resolved as IPV6 by Outlook production server then they do the DNS timeouts.
example from header analysis mxtoolbox:
spf:MYDOMAIN:2603:10a6:10:1a5::22 (this is outlook prod server ipv6)
Received-SPF TempError (protection.outlook.com: error in processing during lookup of MYDOMAIN: DNS Timeout)
As its a Random problem but happens almost every day.
Normal emails arrive without warnings the header analysis shows that it resolved an IPV4 of our SPF mail servers and No DNS timeouts.
Example:
spf:MYDOMAIN:MyIPv4 from my SPF record
Received-SPF Pass (protection.outlook.com: domain Mydomain....)
- sijanecMar 19, 2021Copper Contributor
Same problem for a domain from the EU TLD with DNS servers hosted in Slovenia. I checked DNS logs and can confirm that Outlook did in fact query my domain servers.
19-Mar-2021 15:54:44.418 queries: info: client @0x7f54a470a200 127.0.0.1#58179 (eur05-db8-obe.outbound.protection.outlook.com): query: eur05-db8-obe.outbound.protection.outlook.com IN TXT + (127.0.0.1) 19-Mar-2021 15:54:44.591 queries: info: client @0x7f54b00d5d90 127.0.0.1#62160 (spf.protection.outlook.com): query: spf.protection.outlook.com IN TXT + (127.0.0.1) 19-Mar-2021 15:54:44.821 queries: info: client @0x7f54a405c090 127.0.0.1#56517 (spf.protection.outlook.com): query: spf.protection.outlook.com IN TXT + (127.0.0.1)
For some reason the timeout window is too short (which makes sense as you want the mail to get delivered quick - but 100 miliseconds is not a big deal). If I ping the outlook SPF protection server from my DNS server, no response is received - maybe pings are blocked by MS.
The other problem is that the PTR record of the SPF server are not resolvable, which is not allowed under applicable specification - maybe my DNS server rejects such queries because of that. Microsoft should fix their PTR records to actual hostnames as they are currently not resolvable.
- sijanecMar 19, 2021Copper Contributor
I did some investigation and found out that the second email is SPF-verified. That's probably because Outlook's cache kicked in and used that previous cached query response as there was no additional request to my DNS server.
Authentication-Results: spf=pass (sender IP is 93.103.[censored].[censored]) smtp.mailfrom=[censored].eu; [censored].org; dkim=timeout (key query timeout) header.d=[censored].eu;[censored].org; dmarc=bestguesspass action=none header.from=[censored].eu;compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of [censored].eu designates 93.103.[censored] as permitted sender) receiver=protection.outlook.com; client-ip=93.103.[censored]; helo=[censored].eu;
As you can see, DKIM failed, maybe because - again - Outlook did not get the key in time. Retrying ...
In the next couple mails I sent to Outlook, I experienced stranger issues. SPF failing randomly. So the issue is not about cache - there is no cache, as in the 300 second TTL I sent 4 messages with only the second one being SPF validated and NONE being DKIM validated.
Microsoft really doesn't sound like they are eager to fix issues, such a centralized email system as Outlook's can never work flawlessly, SMTP and IP itself was not designed for this.