Feb 22 2023 12:26 PM
Many of my customers are recently not getting any authentication emails from my apps anymore. The DKIM keys are setup, authorized senders and so on.
The authentication emails do go through to non-office365 emails.
Any hints on who to talk to?
Feb 22 2023 05:14 PM
Feb 27 2023 05:57 AM
hi@Kidd_Ip
yes but I get the answer "We were unable to identify anything on our side that would prevent your mail from reaching Outlook.com customers."
I have tried sending to my own @outlook.com account, and it goes through. But none of the business customers get their authentication emails.
Feb 27 2023 06:00 AM
Feb 27 2023 06:54 AM
Hi @arnotixe,
I'll send you a private message with a test email address in a dev O365 tenant. So you can send there a message and I'll be able to trace it and see if something is blocking it.
Feb 27 2023 07:52 AM
Hi @arnotixe,
Thanks for sending me a test message.
It was Quarantined by O365 as High Spam/Phish.
The problems that I see here are 2 main ones. On one hand the links are considered dangerous, ( but that probably can be easily solved fixing the other problem.
On the other hand, your sending server is blacklisted: mail-vs1-f70.google.com (209.85.217.70)
So, basically you need to ensure to delist it or use another relay for such deliveries. DKIM passes, but the sender server has low reputation.
Feb 27 2023 09:54 AM
Feb 27 2023 10:10 AM
Hi @arnotixe,
Not sure if I got your question. But you have many options...
- Ask the provider to delist.
- Use another relay
- Request the recipients IT teams to whitelist you, ( probably rejected by the Security teams. Think that they have no control over the sender servers... You neither. Too risky ).
And probably other options depending on your environment and requirements.
The point is basically that O365 identifies your messages as SPAM/Phish and is quarantining all your messages.
Mar 14 2023 04:30 PM
Mar 15 2023 03:43 AM
Hi @arnotixe,
I just analyzed the new test message that you sent me and it passes the security scans and it's not identified as Bulk. The only problem is the SCL level, (5), and by default EOP will deliver those messages to the Junk email folder. ( Note that this can be modified by the Admins, so it's possible that in some cases it landes in the inbox folder and in other ones it will be quarantined ).
I'll share the message header with you in a private message. Finde here more information about the SCL value:
Spam confidence level - Office 365 | Microsoft Learn
Antispam stamps | Microsoft Learn
Anti-spam message headers - Office 365 | Microsoft Learn
Mar 18 2023 11:33 AM
I have a brand new app, that is also using Firebase and I am experiencing exactly the same issue. The Firebase Authentication service has pre-configured templates that it sends for user email verification and similar interactions. The Authentication product sends these communications by default from Firebase's own email service.
This issue will affect any developer who uses Firebase (of which there are many) and uses Firebase authentication. Seems like this is a new issue though as these emails were all still working at the beginning of Feb.
Given that this is a universal problem experienced by many users of the Firebase Service, how can this be addressed at a large scale, rather than everybody trying to address this individually?
Mar 20 2023 07:00 AM
Mar 20 2023 08:03 AM
Unfortunatley there's no much more I can do here.
I searched around and found other forums with similar issues:
Firebase Auth: How to connect a custom domain for email templates | by Azmi Rutkay Biyik | Medium
Firebase confirmation email : Firebase (reddit.com)
On the last test message received by @arnotixe I see all quite good, only a problem with the returnpath and that SCL score, ( 5 ).
The sender was "robot & domainname.no" and the returnpath was "
bounces-201492346-robot=domainname.no & mailer.domainname.no" |
EOP is very strict with spammers, so they pay a lot of attention at the returnpath and reputation of the senders servers.
Mark messages as safe ones will help for a single O365 organization, but that doesn't mean that the same messages will go thorugh the other ones. ( And if the messages are considered High confidence SPAM/Phish, that will not help ). In the case of @arnotixe I think he's quite close to a solution, as all the other headers and scans are clean. In your case, @StefDevs I don't know without analyze a message header, but I'm quite sure that the issue will be the same, ( server/IP reputation, domainname, returnpath... ).
My suggestion will be to refer to the Firebase community and the fixes mentioned there.
Microsoft Defender/EOP adapts the detection engine as per admins feedbacks, but if something seems suspicious, the security of the O365 customers environments will always be the priority, and only tenants admins will be able to "adapt" it to each own environment.
Sorry that I have not better news...
Mar 20 2023 10:42 AM
May 21 2023 04:17 PM - edited May 21 2023 04:23 PM
I tried the https://sender.office.com/ to delist it, but it said it sent a confirmation email to the email that I was trying to delist. This is an email provided by Firebase with literally the "noreply" at the beginning. Obviously, I can't access it. Any other suggestions? It seems like you are basically just saying, nothing we can do, we have big dumb spam filters that suck at precision and there is nothing we are going to do about it.
This is kinda bullshit to be honest. I get that some people use these services to spam, but with the tech available today to sort out who is using it for spam and who is using it for legitimate purposes, this is a big FAIL for Microsoft. Probably still using regression for spam filters.
Ironically, I was just looking into whether I should use Outlook or Gmail for my company's emails. I do not have problems with blocking from Gmail from any other service, whether it is a Google service or otherwise. This sealed the deal to use Gmail, thanks for making the decision easier!
Jun 01 2023 07:35 PM
@kbourne650yeah, I'm tempted to actually buy one of those Whitelisting services Microsoft themselves offer… It is a stretch at about $1500 a year though o_O
As an alternative I'm currently adding SMS login, bypassing the problem to an extent
SSO is another option, but setting it up is pretty heavy, and if you want Auth0 to take the app integration for you, a quote there was $30 000 a year (--PER MICROSOFT TENANT!!). As I have about 70 Microsoft customers, that is, well, out of the question.
I've also tried registering at https://sendersupport.olc.protection.outlook.com/snds/pref.aspx but the confirmation mail never reaches me (and no, I don't block their emails, and the email address I choose for notification IS working). Also I don't know if that page has anything to do with this issue.
Only thing that makes me feel a little bad about paying up for "email deliverability to Microsoft" is that it is basically a kind of hostage situation. We need to send mail there, but have to pay $1500 a year for them to take it? Hmmmmmmmmm
If you find any better pointers, PLEASE let me know 😄 I'll do the same