Share via

E-mail message rejected by icloud because of DMARC policy

Tomass Pētersons 341 Reputation points
2021-01-29T10:17:28.1+00:00

Hi,

Recently one of our users received NDR saying that e-mail message to icloud can't be delivered because it got rejected due to DMARC policy. User sent e-mail message using Outlook on the Web app, it is legit and user can accept that e-mail message was sent by him - respectively, it should not be rejected.
Our SPF records is correct - 

v=spf1 ip4:<ourpublicip> include:spf.protection.outlook.com -all

When I was inspecting received NDR, I noticed that e-mail message was sent from AM8PR10MB4212.EURPRD10.PROD.OUTLOOK.COM -
61705-ndr2.png

Also I noticed that spf.protection.outlook.com nor spfd.protection.outlook.com does not includes this particular IP -
61749-txt.png

Could this be because Microsoft hasn't added this particular IP address to spf.protection.outlook.com TXT records? Or something is wrong on icloud side? Has anyone else has experienced this recently?

----------

More details -

DMARC records are following - 

v=DMARC1; p=reject; rua=mailto:******@ourdomain.com; ruf=mailto:******@ourdomain.com; fo=1;

Received NDR -
62062-ndr3.png

Raw data on pastebin -
BzZK4zYR

Exchange Online
Exchange Online

A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Roy de Wijs 1 Reputation point
    2022-11-07T11:38:43.17+00:00

    I've researched the issue for our customers with the same issue.

    The problem is if you look in the headers of the mail that it's going trough a Microsoft mailsever with an ip adres of in the range: 2603:10a6:xxxxx:xxxxx. Because this ip is not included in the SPF record of the sending party the DMARC (if it's on reject) rejects the mail. That's what the return mail means.

    The issue is that most mail traffic goes trough the spf record: spf.protection.outlook.com (if mailing with office365) and this doesn't include the range 2603:10a6 range. The DMARC then rejects the message because of it's settings.

    We made a support ticket to Microsoft and they aknowledged and are now looking to inlcude the range to the spf record.

    As workaround we added ip6:2603:10a6::/37 to our own spf record, if MS added it to their SPF we are going to delete this record again in our own spf.

    I still recommend if you have this issue to make a support ticket in the Microsoft 365 Admin Center.

    Was this answer helpful?

  2. Janine Thoma 1 Reputation point
    2022-08-23T07:37:38.757+00:00

    Is there any solution for this case? We are also faced with exactly the same issue.

    Was this answer helpful?

  3. Kai Yao 37,791 Reputation points Moderator
    2021-02-01T03:32:43.17+00:00

    Hi, @Tomass Pētersons

    Could this be because Microsoft hasn't added this particular IP address to spf.protection.outlook.com TXT records?
    There is another thread discussing the same problem: Exchange Online Protection SPF record
    62336-9.png
    The problem seems to be caused by the specific ip addresses.

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.