Forum Discussion

niaccarino1981's avatar
niaccarino1981
Copper Contributor
Oct 20, 2020

Received-SPF: TempError (protection.outlook.com: error in processing during lookup of "domain-name":

I have encountered an issue I believe is extremely widespread (albeit intermittent) affecting deliverability to hotmail.com / outlook.com from .AU Domains.   During the past few days, I have perfor...
sijanec's avatar
sijanec
Copper Contributor
Mar 19, 2021

Same problem for a domain from the EU TLD with DNS servers hosted in Slovenia. I checked DNS logs and can confirm that Outlook did in fact query my domain servers.

 

19-Mar-2021 15:54:44.418 queries: info: client @0x7f54a470a200 127.0.0.1#58179 (eur05-db8-obe.outbound.protection.outlook.com): query: eur05-db8-obe.outbound.protection.outlook.com IN TXT + (127.0.0.1)
19-Mar-2021 15:54:44.591 queries: info: client @0x7f54b00d5d90 127.0.0.1#62160 (spf.protection.outlook.com): query: spf.protection.outlook.com IN TXT + (127.0.0.1)
19-Mar-2021 15:54:44.821 queries: info: client @0x7f54a405c090 127.0.0.1#56517 (spf.protection.outlook.com): query: spf.protection.outlook.com IN TXT + (127.0.0.1)

 

For some reason the timeout window is too short (which makes sense as you want the mail to get delivered quick - but 100 miliseconds is not a big deal). If I ping the outlook SPF protection server from my DNS server, no response is received - maybe pings are blocked by MS.

 

The other problem is that the PTR record of the SPF server are not resolvable, which is not allowed under applicable specification - maybe my DNS server rejects such queries because of that. Microsoft should fix their PTR records to actual hostnames as they are currently not resolvable.

sijanec's avatar
sijanec
Copper Contributor
Mar 19, 2021

I did some investigation and found out that the second email is SPF-verified. That's probably because Outlook's cache kicked in and used that previous cached query response as there was no additional request to my DNS server.

 

Authentication-Results: spf=pass (sender IP is 93.103.[censored].[censored]) smtp.mailfrom=[censored].eu; [censored].org; dkim=timeout (key query timeout) header.d=[censored].eu;[censored].org; dmarc=bestguesspass action=none header.from=[censored].eu;compauth=pass reason=109

Received-SPF: Pass (protection.outlook.com: domain of [censored].eu designates 93.103.[censored] as permitted sender) receiver=protection.outlook.com; client-ip=93.103.[censored]; helo=[censored].eu;

 

As you can see, DKIM failed, maybe because - again - Outlook did not get the key in time. Retrying ...

In the next couple mails I sent to Outlook, I experienced stranger issues. SPF failing randomly. So the issue is not about cache - there is no cache, as in the 300 second TTL I sent 4 messages with only the second one being SPF validated and NONE being DKIM validated.

Microsoft really doesn't sound like they are eager to fix issues, such a centralized email system as Outlook's can never work flawlessly, SMTP and IP itself was not designed for this.

Resources