Oct 20 2020 04:11 PM - edited Oct 20 2020 05:57 PM
I have encountered an issue I believe is extremely widespread (albeit intermittent) affecting deliverability to hotmail.com / outlook.com from .AU Domains.
During the past few days, I have performed extensive testing to validate the issue which initially I thought was isolated to a single one of our .com.au domains.
I have since managed to replicate the issue across >5 different domains ending in .au such as .com.au, .net.au, and .edu.au. I have tested this across multiple Mail platforms such as Amazon accounts (SES), G Suite for business web interface, an internal SMTP relay which outbounds via Proofpoint and also from an O365 tenant.
I have tested a single email with multiple recipients to platforms such as Gmail, Yahoo and Hotmail in which Hotmail is the only recipient which reports an SPF TempError, DNS Timeout.
I have posted a portion of the email headers received in hotmail, being sent via multiple platforms, servers, subnets which have all failed. I have obfuscated the domain name for privacy reasons.
This is a huge issue, not only for us, but for anyone sending mail to Hotmail from an .AU domain. I have not been able to make any other TLD fail as of yet.
How does one make Microsoft aware of a fairly significant and widespread issue affecting multiple end users?
Having spoken with AWS regarding this issue (I initially thought the issue was isolated to domains hosted in Route53), they concur that the issue lies solely with the receiving mail platform, being hotmail.com/outlook.live.com. At a guess I would say Microsoft is intermittently having an issue performing DNS lookups of TLDs ending in .AU
Authentication-Results: spf=temperror (sender IP is 180.189.28.115) smtp.mailfrom=domainname; hotmail.com; dkim=pass (signature was verified) header.d=domainname;hotmail.com; dmarc=pass action=none header.from=domainname;compauth=pass reason=100
Received-SPF: TempError (protection.outlook.com: error in processing during lookup of domainname DNS Timeout)
Received: from au-smtp-delivery-115.mimecast.com (180.189.28.115) by BN3NAM01FT032.mail.protection.outlook.com (10.152.67.233) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3477.23 via Frontend Transport; Thu, 15 Oct 2020 07:07:36 +0000
X-IncomingTopHeaderMarker:

Authentication-Results: spf=temperror (sender IP is 23.251.230.203) smtp.mailfrom=domainname; hotmail.com; dkim=pass (signature was verified) header.d=domainname;hotmail.com; dmarc=pass action=none header.from=domainname;compauth=pass reason=100
Received-SPF: TempError (protection.outlook.com: error in processing during lookup of domainname DNS Timeout)
Received: from e230-203.smtp-out.amazonses.com (23.251.230.203) by DM6NAM12FT050.mail.protection.outlook.com (10.13.178.215) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.3499.7 via Frontend Transport; Thu, 15 Oct 2020 06:43:30 +0000
X-IncomingTopHeaderMarker:

Authentication-Results: spf=temperror (sender IP is 69.169.232.10) smtp.mailfrom=domainname; hotmail.com; dkim=pass (signature was verified) header.d=domainname;hotmail.com; dmarc=temperror action=none header.from=domainname;
Received-SPF: TempError (protection.outlook.com: error in processing during lookup of domainname DNS Timeout)
Received: from b232-10.smtp-out.ap-southeast-2.amazonses.com (69.169.232.10) by VI1EUR06FT050.mail.protection.outlook.com (10.13.7.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.3477.21 via Frontend Transport; Wed, 14 Oct 2020 02:10:39 +0000
X-IncomingTopHeaderMarker:

Authentication-Results: spf=temperror (sender IP is 148.163.148.88) smtp.mailfrom=domainname; hotmail.com; dkim=pass (signature was verified) header.d=domainname;hotmail.com; dmarc=bestguesspass action=none header.from=domainname;compauth=pass reason=109
Received-SPF: TempError (protection.outlook.com: error in processing during lookup of domainname DNS Timeout)
Received: from mx0a-0020df01.pphosted.com (148.163.148.88) by VI1EUR06FT044.mail.protection.outlook.com (10.13.6.117) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3455.23 via Frontend Transport; Fri, 9 Oct 2020 00:54:44 +0000
X-IncomingTopHeaderMarker:

Authentication-Results: spf=temperror (sender IP is 209.85.166.48) smtp.mailfrom=domainname; hotmail.com; dkim=timeout (key query timeout) header.d=domainname;hotmail.com; dmarc=temperror action=none header.from=domainname;
Received-SPF: TempError (protection.outlook.com: error in processing during lookup of domainname DNS Timeout)
Received: from mail-io1-f48.google.com (209.85.166.48) by BN7NAM10FT037.mail.protection.outlook.com (10.13.157.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3455.25 via Frontend Transport; Fri, 9 Oct 2020 01:01:58 +0000
X-IncomingTopHeaderMarker:
Any help or insight here would be much appreciated.
Oct 22 2020 04:25 PM
Oct 22 2020 04:41 PM
Hi @SaadItani,
From the testing I have done, this issue appears to lie on the Outlook.com/Hotmail side. This can only be fixed by Microsoft.
As I mentioned in my initial post, I am able to send a single email with multiple recipients and the email will only fail SPF arriving at Outlook.com/Hotmail due to a DNS Timeout. This would suggest the issue lies with how Microsoft are processing the message.
Hopefully someone will take notice of this thread soon and investigate.
Oct 22 2020 04:43 PM
Are you perhaps able to tell me which TLD you are sending from? Is it a .AU, COM.AU, .NET.AU or something else? @SaadItani
Oct 31 2020 02:36 AM
@niaccarino1981
You're not the only one who has this problem.
I use a .com domain, with a German mail server and having the same problem.
This fix (https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_exchon-mso_o365b/spf-tempe...) is not working for me
Seems like a Microsoft problem, but as always, they don't give a damn about small companies outside of the US. They only care about themselves.
Nov 13 2020 01:08 PM - edited Nov 13 2020 01:15 PM
.edu.lb. Also I want to note that it's happening at random times and not for every email. It's been months happening and I contacted TLD NS servers for support and yet no fix.
Also we know that emails getting SPF fails are entitled with email subject: [Warning Unauthenticted User] and again it happens at random times and our end users are getting frustrated...
We contacted Microsoft support and they said it's from DNS side.
Mar 19 2021 08:07 AM
Same problem for a domain from the EU TLD with DNS servers hosted in Slovenia. I checked DNS logs and can confirm that Outlook did in fact query my domain servers.
19-Mar-2021 15:54:44.418 queries: info: client @0x7f54a470a200 127.0.0.1#58179 (eur05-db8-obe.outbound.protection.outlook.com): query: eur05-db8-obe.outbound.protection.outlook.com IN TXT + (127.0.0.1)
19-Mar-2021 15:54:44.591 queries: info: client @0x7f54b00d5d90 127.0.0.1#62160 (spf.protection.outlook.com): query: spf.protection.outlook.com IN TXT + (127.0.0.1)
19-Mar-2021 15:54:44.821 queries: info: client @0x7f54a405c090 127.0.0.1#56517 (spf.protection.outlook.com): query: spf.protection.outlook.com IN TXT + (127.0.0.1)
For some reason the timeout window is too short (which makes sense as you want the mail to get delivered quick - but 100 milliseconds is not a big deal). If I ping the Outlook SPF protection server from my DNS server, no response is received - maybe pings are blocked by MS.
The other problem is that the PTR records of the SPF server are not resolvable, which is not allowed under the applicable specification - maybe my DNS server rejects such queries because of that. Microsoft should fix their PTR records to actual hostnames as they are currently not resolvable.
Mar 19 2021 08:12 AM
We experience the same problem with all our servers. Mail goes to spam because of that 😞
Mar 19 2021 08:19 AM
I did some investigation and found out that the second email is SPF-verified. That's probably because Outlook's cache kicked in and used that previous cached query response as there was no additional request to my DNS server.
Authentication-Results: spf=pass (sender IP is 93.103.[censored].[censored]) smtp.mailfrom=[censored].eu; [censored].org; dkim=timeout (key query timeout) header.d=[censored].eu;[censored].org; dmarc=bestguesspass action=none header.from=[censored].eu;compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of [censored].eu designates 93.103.[censored] as permitted sender) receiver=protection.outlook.com; client-ip=93.103.[censored]; helo=[censored].eu;
As you can see, DKIM failed, maybe because - again - Outlook did not get the key in time. Retrying ...
In the next couple mails I sent to Outlook, I experienced stranger issues. SPF failing randomly. So the issue is not about cache - there is no cache, as in the 300 second TTL I sent 4 messages with only the second one being SPF validated and NONE being DKIM validated.
Microsoft really doesn't sound like they are eager to fix issues, such a centralized email system as Outlook's can never work flawlessly, SMTP and IP itself was not designed for this.
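A way to triage the headers posted in this thread, as an added example that is not part of any participant's post: it pulls the spf/dkim/dmarc/compauth results out of `Authentication-Results` and separates transient lookup failures (`temperror`, `timeout`) from real verdicts, per Outlook frontend. The sample strings are abridged from the headers above; the function names are illustrative.

```python
import re
from collections import Counter

# Results that mean "the receiver could not complete a DNS lookup", not a policy verdict.
TRANSIENT = {"temperror", "timeout"}
METHOD_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([A-Za-z]+)")
FRONTEND_RE = re.compile(r"\bby\s+(\S+?\.mail\.protection\.outlook\.com)", re.I)

# Abridged from headers posted in this thread; "domainname" and "[censored]"
# are the posters' own redactions.
SAMPLES = [
    "Authentication-Results: spf=temperror (sender IP is 180.189.28.115) "
    "smtp.mailfrom=domainname; hotmail.com; dkim=pass (signature was verified) "
    "header.d=domainname;hotmail.com; dmarc=pass action=none "
    "header.from=domainname;compauth=pass reason=100 "
    "Received: from au-smtp-delivery-115.mimecast.com (180.189.28.115) "
    "by BN3NAM01FT032.mail.protection.outlook.com (10.152.67.233)",
    "Authentication-Results: spf=temperror (sender IP is 209.85.166.48) "
    "smtp.mailfrom=domainname; hotmail.com; dkim=timeout (key query timeout) "
    "header.d=domainname;hotmail.com; dmarc=temperror action=none "
    "header.from=domainname; Received: from mail-io1-f48.google.com "
    "(209.85.166.48) by BN7NAM10FT037.mail.protection.outlook.com (10.13.157.9)",
    "Authentication-Results: spf=pass (sender IP is 93.103.[censored].[censored]) "
    "smtp.mailfrom=[censored].eu; [censored].org; dkim=timeout (key query timeout) "
    "header.d=[censored].eu;[censored].org; dmarc=bestguesspass action=none "
    "header.from=[censored].eu;compauth=pass reason=109",
]

def parse_results(header_text):
    """Return {method: result} for spf/dkim/dmarc/compauth, lower-cased."""
    return {m: r.lower() for m, r in METHOD_RE.findall(header_text)}

def triage(header_text):
    """Flag which checks failed transiently and which frontend recorded them."""
    results = parse_results(header_text)
    frontend = FRONTEND_RE.search(header_text)
    return {
        "frontend": frontend.group(1) if frontend else None,
        "results": results,
        "transient": sorted(m for m, r in results.items() if r in TRANSIENT),
    }

def summarize(samples):
    """Count transient failures per authentication method across all samples."""
    counts = Counter()
    for sample in samples:
        counts.update(triage(sample)["transient"])
    return dict(counts)

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
    print(summarize(SAMPLES))
```

Run over a larger set of saved headers, the per-method counts and frontend names give a support case concrete evidence that the failures are lookup timeouts on the receiving side rather than a broken SPF or DKIM record.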
Mar 19 2021 08:22 AM
Mar 19 2021 08:38 AM - edited Mar 19 2021 08:40 AM
Guys,
We opened a case with Microsoft 3 weeks ago and they confirm other users are having problems and they said that they are working on the new code that is not released to update their Outlook servers regarding the DNS Timeouts. They insisted on me to wait until they roll out the updates which we don't know when.
In my situation the "Warning Unathenticated" email headers are being resolved as IPV6 by Outlook production server then they do the DNS timeouts.
example from header analysis mxtoolbox:
spf:MYDOMAIN:2603:10a6:10:1a5::22 (this is outlook prod server ipv6)
Received-SPF TempError (protection.outlook.com: error in processing during lookup of MYDOMAIN: DNS Timeout)
It's a random problem but happens almost every day.
Normal emails arrive without warnings the header analysis shows that it resolved an IPV4 of our SPF mail servers and No DNS timeouts.
Example:
spf:MYDOMAIN:MyIPv4 from my SPF record
Received-SPF Pass (protection.outlook.com: domain Mydomain....)
Jun 03 2021 02:24 AM
Problem persists, we are seeing it here in Denmark.
Microsoft, please fix these bugs rather than deploy new buggy updates that throw way too much mail in spam / quarantine.
Aug 21 2021 10:16 AM
Can confirm, still an issue on three domains of ours.
This is pretty sad. Everything gets marked as spam due to this.
Lots of emails will be missed.
Nov 01 2021 01:21 AM
We are facing this problem now (01-Nov-21) even though we are relaying through Sophos Central.
It seems that Microsoft wants us to use their Office365 ;(
Dec 09 2021 01:08 AM - edited Dec 09 2021 01:10 AM
I am getting this as well with delivery to .ph domains in the Philippines. Unfortunately it's the banks and legal firms that have followed strict process in how they set up DMARC (set to reject), and so DNS timeouts on the SPF lookup result in email being bounced back as undeliverable/rejected.
We don't relay our outbound mail... all goes through O365. DNS for our sending domain is sat on Cloudflare.
Aug 02 2022 06:06 PM