Authentication-results header written by Outlook violates RFC

Anonymous
2023-11-16T14:31:34+00:00

Currently the Authentication-results header written by the Outlook mail servers violates RFC 8601 in multiple ways.

Example header written by Outlook:

Authentication-Results: spf=pass (sender IP is *removed PII*)
 smtp.mailfrom=n.glyph.net; dkim=pass (signature was verified)
 header.d=n.glyph.net;dmarc=pass action=none
 header.from=n.glyph.net;compauth=pass reason=100

The violations are:

  1. Missing Authentication Service Identifier Field (authserv-id, https://www.rfc-editor.org/rfc/rfc8601.html#section-2.5), e.g. outlook.com; at the very beginning.
  2. In the included DMARC result the action=none is invalid. The Authentication-results header allows arbitrary properties to be included, but they must be in the form of <ptype>.<property>, e.g. policy.action=none (https://www.rfc-editor.org/rfc/rfc8601.html#section-2.3).

This can cause incompatibilities with other software that wants to read the Authentication-results header written by the Outlook mail server.

One example is the Thunderbird extension DKIM Verifier written by myself.

About (1):

I think the Authentication Service Identifier Field is a very important part of the Authentication-results header.

Because of this I am currently unwilling to change my Thunderbird extension to allow this violation.

It would be great if Outlook would start to be more compliant with the RFC and include the required Authentication Service Identifier Field.

About (2):

I understand if Outlook does not want to change this as it is also documented in e.g.

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/message-headers-eop-mdo?view=o365-worldwide#authentication-results-message-header.

I think this is a less serious violation of the RFC, and something I would probably be willing to accept in my Thunderbird extension if (1) is fixed.

Of course it would be great if Outlook would fix this violation too.

Note that I'm unsure if this is the correct place to report this problem. If there is a better place please let me know.

*EDIT: Removed personally identifiable information (PII) from post.

Outlook | Web | Outlook.com | Email

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
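
The two violations listed in the question can be checked mechanically. The following is an added example, not code from the DKIM Verifier extension or from Microsoft; the name `checkAuthResults`, the regexes and the "fixed" header variant are assumptions made for illustration, and the parser is deliberately simplified.

```javascript
// Added example (not code from the DKIM Verifier extension or Microsoft).
// Simplified RFC 8601 structure check: quoted-strings, nested comments and
// whitespace around "." are not handled.
const KEYWORD = "[a-z0-9](?:[a-z0-9-]*[a-z0-9])?";
const METHODSPEC = new RegExp(`^${KEYWORD}(?:/\\d+)?=${KEYWORD}$`, "i");
const PROPSPEC = new RegExp(`^${KEYWORD}\\.[a-z0-9-]+=\\S+$`, "i");

function checkAuthResults(fieldValue) {
  const violations = [];
  // Unfold continuation lines, then drop comments like "(signature was verified)".
  const flat = fieldValue.replace(/\r?\n[ \t]+/g, " ").replace(/\([^()]*\)/g, " ");
  const parts = flat.split(";").map((p) => p.trim());

  // RFC 8601 section 2.5: the value starts with the authserv-id, never a result.
  const hasId = parts[0] !== "" && !parts[0].includes("=");
  const authservId = hasId ? parts[0].split(/\s+/)[0] : null;
  if (!hasId) violations.push("missing authserv-id");

  const resinfos = (hasId ? parts.slice(1) : parts).filter((p) => p !== "");
  for (const resinfo of resinfos) {
    if (resinfo.toLowerCase() === "none") continue; // "no-result" form
    const tokens = resinfo.replace(/\s*=\s*/g, "=").split(/\s+/);
    const method = tokens[0].split("=")[0];
    if (!METHODSPEC.test(tokens[0])) {
      violations.push(`"${tokens[0]}" is not <method>=<result>`);
      continue;
    }
    tokens.slice(1).forEach((tok, i) => {
      if (i === 0 && /^reason=/i.test(tok)) return; // reasonspec follows the result
      // Section 2.3: every other item must be <ptype>.<property>=<value>.
      if (!PROPSPEC.test(tok)) {
        violations.push(`${method}: "${tok}" is not <ptype>.<property>=<value>`);
      }
    });
  }
  return { authservId, violations };
}

// The header value from the post, and a constructed variant with both fixes applied.
const OUTLOOK_SAMPLE = [
  "spf=pass (sender IP is *removed PII*)",
  " smtp.mailfrom=n.glyph.net; dkim=pass (signature was verified)",
  " header.d=n.glyph.net;dmarc=pass action=none",
  " header.from=n.glyph.net;compauth=pass reason=100",
].join("\r\n");
const FIXED_SAMPLE =
  "outlook.com; " + OUTLOOK_SAMPLE.replace("action=none", "policy.action=none");

console.log(checkAuthResults(OUTLOOK_SAMPLE));
console.log(checkAuthResults(FIXED_SAMPLE));
```

A consumer that decides which Authentication-Results headers to trust by matching the authserv-id has nothing to match on when `authservId` comes back `null`, which is why the first violation matters more than the second.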


9 answers

  1. Anonymous
    2023-11-17T20:57:20+00:00

    Hello Philippe Lieser,

    Thank you for posting in Microsoft Community.

    Based on your description, you are trying to report this issue you are encountering with Outlook mail servers. Let us check on this together and sort this out in a timely manner.

    We would like to ask for details about this concern:

    1. May we ask for your email domain? Sample of email domain: @outlook.com, @hotmail.com.
    2. Can we ask if your email receiver is using the same email domains or was it @outlook.com/@hotmail.com?
    3. Can we ask for the specific non-delivery report (NDR) error message and code you are getting? Sample: 5.1.10 - Recipient not found.

    For the meantime, you may want to check the list of NDR that could be related to the concern you are getting, please check this link:

    Email non-delivery report (NDR) and SMTP errors in Exchange Online - Exchange | Microsoft Learn

    We look forward to your response.

    If you have other clarifications about this matter, you can get back to us by replying to this post.

    Sincerely,

    Kathy A.

    Microsoft Community Moderator

  2. Anonymous
    2023-11-21T23:02:45+00:00

    I think there is some confusion about what my report is about.

    This is not about sending E-mails. And also not some kind of error message I am receiving.

    This is about:

    • Successfully receiving an e-mail from an arbitrary domain that has SPF or DKIM configured
    • Downloading the e-mail via IMAP or POP from the hotmail/outlook mail server (e.g. with the Thunderbird mail client)
    • The Authentication-Results header in the downloaded e-mail, which is written by the hotmail/outlook servers, having the format given in my example
    • And this format having an issue in my opinion (see my initial post for details), as it violates an important part of the RFC 8601
    • Which causes compatibility issues between Outlook servers and other software that tries to read the Authentication-Results header as specified in the RFC 8601

    To answer your questions:

    (1): I know for sure @hotmail.com is affected. But I think @outlook.com has the same problem.

    (2): Note that this is about received e-mails, not sending. The sending domain was outside @outlook.com/@hotmail.com

    (3): Again this is not about sending e-mail.

    2 people found this answer helpful.
  3. Anonymous
    2023-11-21T23:06:38+00:00

    Hello Philippe Lieser,

    Thanks for letting me know my prior solution didn’t fix the issue. I do have some further strategies to try; however, this will require your cooperation.

    We would like to ask for the answers to these questions:

    1. May we ask for your email domain? Sample of email domain: @outlook.com, @hotmail.com.
    2. Can we ask if your email receiver is using the same email domains or was it @outlook.com/@hotmail.com?
    3. Can we ask for the specific non-delivery report (NDR) error message and code you are getting? Sample: 5.1.10 - Recipient not found.

    Providing us details will help us further assist you. If in any case you are trying to use an email that is managed by your IT admin, it would be best to contact them as they have the tools and the information to send this email to your recipients.

    Regards,

    Kathy A.

  4. Anonymous
    2023-11-22T00:21:58+00:00

    You seem to have asked the exact same questions again. Please carefully read my last reply, there I think I answered them already at the end.

    Maybe I asked the question also at the wrong place. But please note that my issue is not some standard support case that can be solved by asking some standard support questions.

    Solving it would definitely need some behavior change of the Outlook servers. I think this needs to reach some kind of product manager who can decide if Microsoft is willing to change how Outlook behaves to be compatible with other products.

    2 people found this answer helpful.
  5. Anonymous
    2023-11-23T14:16:50+00:00

    Hello Philippe Lieser,

    Thanks for the reply you provided to our query.

    We're sorry for asking the same questions, it looks like our response is just minutes away from us. To set your expectations, we are part of consumer support, and we would like to make sure that your question will be answered. If we will not be the best people to answer your question then we will provide a way to reach out to the right people instead.

    To ensure we are on the same page, we would like to ask for additional questions:

    1. We can see in your reply that you are knowledgeable about the methods of email authentication. May we know if you are using your email for personal use or business purposes? Also, if this is a personal email, please share with us your email domain.
    2. Since you are using Thunderbird mailing application, can we confirm if your email is set up as IMAP and POP3?
    3. Who is hosting your email domain?
    4. If you were to open the email from @hotmail.com or @outlook.com in your webmail, will the issue persist?

    We look forward to your reply.

    Regards,

    Kathy A.
