
Messages to outlook.com fail DKIM check but no other company fails it

Anonymous
2023-04-21T19:18:37+00:00

I'm trying to send emails to people that have outlook.com or have their domain's email hosted by Office 365 from my business email server and they keep going to SPAM. In the headers it looks like maybe the reason is a DKIM failure. But DKIM passes for all other companies I've sent emails to (Google, Yahoo, Comcast, etc.).

Web searches show others having this issue but the resolution is unclear. Outlook.com doesn't seem to care or want to respond.

I'm at a loss right now on what to do. Anyone able to help or have suggestions?


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


21 answers

  1. Anonymous
    2023-07-17T01:14:28+00:00

    I thought I had found out what the problem was, at least for my emails. I use a From header in the form: pi.sebi.org <******@pi.sebi.org>

    No other email provider would change this header in transit, especially since it is DKIM signed. However, it seems that Microsoft’s devs thought they could just add double quotes to the From header while relaying my email, changing it to: "pi.sebi.org" <******@pi.sebi.org>

    Of course, DKIM validation must fail when signed headers get mangled. Email servers must never change syntactically correct From headers, destroying any chance for DKIM validation. Nor should they touch any other header provided by the sender. This sabotages people’s emails w/o validation, and it is quite a stupid thing to do.

    Unfortunately, this cannot be the only issue, as even with me adding the double quotes myself before signing the emails, they still bounce (header excerpt):

    Authentication-Results-Original: spf=fail (sender IP is 62.128.216.132)
     smtp.mailfrom=pi.sebi.org; dkim=fail (signature did not verify)
     header.d=sebi.org;dmarc=fail action=oreject
     header.from=pi.sebi.org;compauth=none reason=451
    Received-SPF: Fail (protection.outlook.com: domain of pi.sebi.org does not
     designate 62.128.216.132 as permitted sender)
     receiver=protection.outlook.com; client-ip=62.128.216.132;
     helo=fmta4.iomartcloud.net;
    Received: from fmta4.iomartcloud.net (62.128.216.132) by
     DBAEUR03FT059.mail.protection.outlook.com (100.127.142.102) with Microsoft
     SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
     15.20.6588.26 via Frontend Transport; Sun, 16 Jul 2023 21:30:26 +0000
    […]
    Received: from mail.sebi.org (mail.sebi.org [185.207.105.38])
    by xmta5.iomartcloud.com (8.14.7/8.14.7) with ESMTP id 36GLS60j032163
    (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
    for <******@iomart.com>; Sun, 16 Jul 2023 22:28:06 +0100
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sebi.org;
    s=rsa-2023; h=Date:Message-Id:Content-Type:MIME-Version:To:From:Subject:
    Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
    Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
    In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
    List-Post:List-Owner:List-Archive;
    bh=C79tCoHxMdknAVQN9Alwn5DH5j41+3YytHXP9zcUs5A=; b=u3vg6rbiNAzdViFrtKutg/OFVq
    ud9sn+nbdi+Lr0nvI3bdwH2A7cijaXK5N+ZD+hfaBU3ip6masx29HOeElsu+OWnoiaEasRBr9wMED
    bVc1+G9q+Lep19MkZnl2d8jQ/O1dEXK4JjLGo1BMCRP/aExmvHl51me/fEZ85DlxEVwhJz7Tc7M0Y
    EN/UnydQAIk09OitTaQkqjvYvJbeIR1a0v9RhQSGOipmBfiqZepxcOvuQPBL7tzMtLfw3tZERHkBv
    HICkqItvrLCgylexMhkglXSQCHyzOT3ecEO2mJD8/GteRZp2ft/oyQ/j+ZDBYNub4HuNp75O8OzRi
    Fu0gyWHw==;
    […]
    Subject: ATTACK from 130.185.145.233 - Sun, 16 Jul 2023 23:28:04 +0200
    From: "pi.sebi.org" <******@pi.sebi.org>
    To: ******@iomart.com
    Auto-Submitted: auto-generated
    X-XARF: PLAIN
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
      boundary=Abuse1689542884-3ad285141b205cd58dc2eb828824f6a2;
    Message-Id: <******@pi.sebi.org>
    Date: Sun, 16 Jul 2023 23:28:05 +0200
    X-Auto-Response-Suppress: All
    X-Thinkmail-SPF: pass (xmta5.iomartcloud.net: domain of ******@pi.sebi.org designates 185.207.105.38 as permitted sender) client-ip=185.207.105.38
    X-Thinkmail-DKIM: pass
    Authentication-Results-Original: mx.iomartcloud.com;        dkim=pass
     header.i=@sebi.org;        spf=pass (xmta5.iomartcloud.net: domain of
     ******@pi.sebi.org designates 185.207.105.38 as permitted sender)
    
    10+ people found this answer helpful.
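
The signature in the answer above uses `c=relaxed/relaxed`. As an added example (not code from the thread or from any mail server), this sketch applies the relaxed header canonicalization of RFC 6376 section 3.4.2 to a sent and a received copy of a message and lists the signed fields that no longer match: refolding, whitespace and field-name case are tolerated, added quotes around the display name are not. The helper names and the sample headers are constructed for illustration.

```python
import re

def relaxed_header(raw: str) -> str:
    """Canonicalize one header field, RFC 6376 section 3.4.2 ("relaxed")."""
    name, _, value = raw.partition(":")
    value = re.sub(r"\r?\n(?=[ \t])", "", value.rstrip("\r\n"))  # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" ")             # squeeze WSP
    return f"{name.strip().lower()}:{value}\r\n"

def canonical_fields(block: str) -> dict:
    """Split a raw header block into {lowercase name: canonical field}.
    Assumes each field occurs once, which holds for the sample below."""
    fields = re.split(r"\r?\n(?![ \t])", block.strip())
    return {f.partition(":")[0].strip().lower(): relaxed_header(f) for f in fields}

def changed_signed_headers(h_tag: str, sent: str, received: str) -> list:
    """Names listed in h= whose canonical form differs between the two copies.
    A field missing from both copies signs as empty on both sides: no change."""
    before, after = canonical_fields(sent), canonical_fields(received)
    names = [n.strip().lower() for n in h_tag.split(":") if n.strip()]
    return [n for n in names if before.get(n) != after.get(n)]

# Constructed sample: what the sender signed ...
SENT = "\r\n".join([
    "Subject: constructed sample",
    "From: pi.sebi.org <******@pi.sebi.org>",
    "To: ******@iomart.com",
])
# ... and the same headers after a relay refolded Subject, changed the case of
# "To" and added quotes around the From display name.
RECEIVED = "\r\n".join([
    "Subject: constructed",
    "\tsample",
    'From: "pi.sebi.org" <******@pi.sebi.org>',
    "TO:   ******@iomart.com",
])
H_TAG = "Date:To:From:Subject:Reply-To"  # subset of the h= list in the post

if __name__ == "__main__":
    print(changed_signed_headers(H_TAG, SENT, RECEIVED))
```

Running the same comparison on the copy saved by the sending server and the copy delivered to the recipient's mailbox narrows a `dkim=fail (signature did not verify)` result to the field that was rewritten, or points to the body hash if no header changed.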
  2. Anonymous
    2023-07-06T15:32:07+00:00

    Hello,

    I have the exact same problem. Mails sent from mail.sebi.org are accepted by everyone, including Google, Yahoo, and Amazon, who regularly send DMARC reports with passing DKIM checks. “Enterprise Outlook” sends multiple DMARC reports each day with failed DKIM checks. My DKIM settings are definitely okay, they have worked for years. It is obviously a problem with the signature verification in Enterprise Outlook that leads to all these failures. Please have your developers take a look and fix that bug!

    Regards,

    Sebastian

    10+ people found this answer helpful.
  3. Anonymous
    2024-04-05T00:36:35+00:00

    I run a very small mail server, and every few months Microsoft blocks our server. We then have to go through the tiresome process of making a delisting request, waiting for the email from Outlook support saying, 'Nothing was detected to prevent your mail from reaching Outlook.com customers', responding to that email to say that our server is still blocked, then waiting for them to delist the server. If I ask them why they blocked us (which I've given up doing now), I get the same response every time: 'we do not have the liberty to discuss the nature of the block'.

    I too have noticed that DKIM sometimes (though not always) fails with mail to Outlook, even to microsoftsupport.com. As others have reported, my server is configured just fine and DMARC reports from other mail providers pass DKIM every time.

    So to summarise our suspicions, it would appear that:

    1. Microsoft screws with mail headers in transit, causing DKIM to fail.
    2. Microsoft then blocks your server because of their own error.
    3. Microsoft refuses to admit fault or fix a longstanding problem.

    Corporate arrogance combined with incompetence—something Microsoft has a long history of, going back to the days of Internet Explorer and all the pain that caused developers.

    10+ people found this answer helpful.
  4. Anonymous
    2024-01-03T10:55:23+00:00

    I also confirm the same thing, every server passes our DKIM except Microsoft. All online DKIM/SPF checks also pass our DKIM.

    Fortunately, all of our customers are intelligent enough to not use Microsoft addresses for important communications.

    Microsoft: it's time to get out of the server business, let those who know how do it. You should just stick to selling desktop koolaid to those that don't know any better.

    P.S. I wonder if the EU is aware of this address mangling, I doubt they'd be happy.

    8 people found this answer helpful.
  5. Anonymous
    2023-04-24T15:21:19+00:00

    Jennifer,

    Thanks for the response. I have checked with multiple 3rd party email validators and all pass us for SPF, DKIM, and DMARC configuration. In the DMARC reports we receive from providers only outlook.com fails DKIM. Yahoo, Google, Comcast, etc. all pass us with DKIM. SPF checks pass with everyone, including outlook.com.

    I've set up an account with outlook.com to see the headers from that side of things and I see the following entries in the header:

    Authentication-Results: spf=pass (sender IP is #.#.#.#)
     smtp.mailfrom=domainhere.com; dkim=fail (signature did not verify)
     header.d=domainhere.com;dmarc=pass action=none
     header.from=domainhere.com;compauth=pass reason=100

    So, the DKIM signature check is failing but I don't know why. Again, this check works for other providers, just not outlook.com.

    Thanks again for any help you are able to provide.

    Ryan.

    7 people found this answer helpful.