Recommended Posts

My company was using Rackspace for years up until the Ransomware attack and it was the best. All of our emails were delivered without issue.

Per Rackspace's recommendation, we switched and transitioned to Microsoft 365. Ever since, almost all of our outgoing emails are ending up in our customers' junk/spam folders. Anyone know why that would be and if it's something I can fix on my end? The emails still come from the exact same domain name, just a different host, Do a lot of servers detect Microsoft 365 emails as spam or something or is there some setting in my outgoing that is making them prone to be detected as spam? I can't really find any support at Microsoft. They just direct you to forums.

Fellow mods - if this is the wrong section, feel free to move.

Edit: I did a blacklist check for my domain and an IP address is listed which points to Bluehost, however my emails are supposed to be going through MS 365.

  On 09/03/2023 at 18:15, Matthew S. said:

Are you sure all the DNS entires are set up correctly?  DKIM is set to Microsoft's? SPF, etc?

Expand  

Agreed, SPF record is a must on your domain that email is being sent on. 

I had a hell of a time a year or two ago, had to get Microsoft support involved, something was messed up with the spf/dkim they were providing me for my domain.

tbh sounds similar to my issue.

  • Like 1

Follow the steps here to setup SPF, DKIM and DMARC: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-spf-configure?view=o365-worldwide

After you have done that you can now use https://www.mail-tester.com/ to confirm everything is working correctly, you should score 10/10 and have no real issues with email deliverability after that.

  On 09/03/2023 at 21:01, limok said:

Agreed, SPF record is a must on your domain that email is being sent on. 

Expand  

I have the spf record set. The instructions said not to delete the bluehost entry if there was one which I had done, so I went back in and added the bluehost entry and appended the MS one like this: v=spf1 a mx ptr include:bluehost.com include:spf.protection.outlook.com -all

Does that look correct?

  On 10/03/2023 at 10:20, InsaneNutter said:

Follow the steps here to setup SPF, DKIM and DMARC: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-spf-configure?view=o365-worldwide

After you have done that you can now use https://www.mail-tester.com/ to confirm everything is working correctly, you should score 10/10 and have no real issues with email deliverability after that.

Expand  

That looks like way more than their setup instructions told me to do. I'm not really even sure what I need to do now. I put in the spf record they told me. I just did that mail tester and got 2.8/10

 

msedge_zKZKXavkSx copy.jpg

The Exchange 365 setup instructions don't actually have you setup DKIM and DMARC, however it really helps if you do.

I presume your website hosted with Bluehost will also be sending email, if i believe that would be correct. I have done this a couple of times however not for a long while now, so i'd double check here: https://www.dmarcanalyzer.com/spf/checker/ to be 100%

This guide has a few more screenshots showcasing the DKIM setup: https://lazyadmin.nl/office-365/configure-dkim-office-365/ which might be easier to follow.

Finally for DMARC you can essentially create a new DNS record on your domain with the following to be covered:

Record type: TXT

Record Name: _dmarc

Record Content: v=DMARC1; p=none; rua=mailto:info@domain.com;

For the above record you can gradually work up to p=reject when you are confident everything that should be sending email on behalf of your domain is working correctly

  • p=none = if DMARC authentication fails no action should be taken on that mail - aka it ends up in someone's inbox regardless of if its a legit email from you (not ideal long term)
  • p=quarantine = if DMARC authentication fails the mail should go to someone's spam folder
  • p=reject = if DMARC authentication fails the email should be rejected by the mail server receiving it

Looks like your SPF record is still not correct or it hasn't yet propagated fully, paste it here (or expand the errors on the output of the test)


Also looks like you haven't enabled DKIM yet
DKIM is pretty straightforward: 

Go to https://security.microsoft.com/dkimv2 - select your primary domain initially - hit the slider to on and it will fail, but it will fail with an error that tells you exactly what you need to do and present you the records.
You need to create the CNAMEs it asks for in your DNS zone (selector1._domainkey pointing at the syntax it gives you and repeat with selector2._domainkey and it's associated content)
Then wait for propagation and and go try the slider again and it should then enable.

If you are setting up DMARC ensure you enable DKIM first.

 

  On 10/03/2023 at 16:29, grunger106 said:

Looks like your SPF record is still not correct or it hasn't yet propagated fully, paste it here (or expand the errors on the output of the test)


Also looks like you haven't enabled DKIM yet
DKIM is pretty straightforward: 

Go to https://security.microsoft.com/dkimv2 - select your primary domain initially - hit the slider to on and it will fail, but it will fail with an error that tells you exactly what you need to do and present you the records.
You need to create the CNAMEs it asks for in your DNS zone (selector1._domainkey pointing at the syntax it gives you and repeat with selector2._domainkey and it's associated content)
Then wait for propagation and and go try the slider again and it should then enable.

If you are setting up DMARC ensure you enable DKIM first.

 

Expand  

I pasted it above, here you go: v=spf1 a mx ptr include:bluehost.com include:spf.protection.outlook.com -all

  On 10/03/2023 at 15:04, patseguin said:

I have the spf record set. The instructions said not to delete the bluehost entry if there was one which I had done, so I went back in and added the bluehost entry and appended the MS one like this: v=spf1 a mx ptr include:bluehost.com include:spf.protection.outlook.com -all

Does that look correct?

Expand  

using "a mx ptr" is really not recommended in general.  You didn't give the context though.  The point is that you really don't want to use extra DNS lookups, and there IS a HARD limit to how many lookups a receiving SMTP service will do before it times out and just rejects.  But from a standpoint of all of your mail being delivered from M365, you don't need those.

I realize you were told not to delete the bluehost entry, but unless you're actually sending mail using that host, get rid of it.  What you're doing is continuing to allow it to send mail.  This isn't a grey area, you only want SPF to contain the hosts you use for sending mail using that domain, full stop.

You want to avoid making a truckton of changes to DNS, in fact, you really need to look at your DNS expiry times, as regardless of making a change, you need to allow it to time out worldwide for it to not fail.  For example, you make a change right now, but MY dns server may not pick up the changes until after the expiry passes.  I always recommend to make these changes slowly as a result -- the irony is that if you don't the reputation of your hosted domain might be hurt.

Edit:  Sometimes DNS expiry times is set to a week, which means in practice it can take that long or longer for a receiving service to even recognize changes to the SPF record.

Get an example of a rejected/spammed piece of mail and look at the headers for WHY it was rejected.

Use MXToolbox to get a moment-in-time example of the health.

Hope any of this helps.

  On 10/03/2023 at 16:29, grunger106 said:

Looks like your SPF record is still not correct or it hasn't yet propagated fully, paste it here (or expand the errors on the output of the test)


Also looks like you haven't enabled DKIM yet
DKIM is pretty straightforward: 

Go to https://security.microsoft.com/dkimv2 - select your primary domain initially - hit the slider to on and it will fail, but it will fail with an error that tells you exactly what you need to do and present you the records.
You need to create the CNAMEs it asks for in your DNS zone (selector1._domainkey pointing at the syntax it gives you and repeat with selector2._domainkey and it's associated content)
Then wait for propagation and and go try the slider again and it should then enable.

If you are setting up DMARC ensure you enable DKIM first.

 

Expand  

OK I'm doing this. I see 2 domain key choices. My email domain used is coveredwagonpromotions.com, not the onmicrosoft.com one. I'm not sure why that is listed as the default signing domain. Should I just do what you said for both of them or is there a way to set the domain that I use as the default signing domain?

  On 11/03/2023 at 07:47, mram said:

using "a mx ptr" is really not recommended in general.  You didn't give the context though.  The point is that you really don't want to use extra DNS lookups, and there IS a HARD limit to how many lookups a receiving SMTP service will do before it times out and just rejects.  But from a standpoint of all of your mail being delivered from M365, you don't need those.

I realize you were told not to delete the bluehost entry, but unless you're actually sending mail using that host, get rid of it.  What you're doing is continuing to allow it to send mail.  This isn't a grey area, you only want SPF to contain the hosts you use for sending mail using that domain, full stop.

You want to avoid making a truckton of changes to DNS, in fact, you really need to look at your DNS expiry times, as regardless of making a change, you need to allow it to time out worldwide for it to not fail.  For example, you make a change right now, but MY dns server may not pick up the changes until after the expiry passes.  I always recommend to make these changes slowly as a result -- the irony is that if you don't the reputation of your hosted domain might be hurt.

Edit:  Sometimes DNS expiry times is set to a week, which means in practice it can take that long or longer for a receiving service to even recognize changes to the SPF record.

Get an example of a rejected/spammed piece of mail and look at the headers for WHY it was rejected.

Use MXToolbox to get a moment-in-time example of the health.

Hope any of this helps.

Expand  

OK thank you! I change it to just what MS said to have in there.

Update. I did both things that everyone told me to do and now got this at mail tester. Do the yellow checks mean there are still things that need to be done? I'm curious about the "do not have DMARC record" and "reverse DNS does not match sending domain" (is this because of the hosted Exchange?).

msedge_b9USnJGEH6.png

  On 14/03/2023 at 10:52, patseguin said:

Update. I did both things that everyone told me to do and now got this at mail tester. Do the yellow checks mean there are still things that need to be done? I'm curious about the "do not have DMARC record" and "reverse DNS does not match sending domain" (is this because of the hosted Exchange?).

msedge_b9USnJGEH6.png

Expand  

Having SPF is usually fine, DKIM is better, DMARC is best.  But living without DMARC is fine for most, truly.  Let everything else settle and be good before you consider DMARC policies.

All those yellow checkmarks are fine, in context.  

  On 14/03/2023 at 11:24, mram said:

Having SPF is usually fine, DKIM is better, DMARC is best.  But living without DMARC is fine for most, truly.  Let everything else settle and be good before you consider DMARC policies.

All those yellow checkmarks are fine, in context.  

Expand  

OK so other than everything I've done, there's nothing else that could be done on my end? I'm hoping a lot of our emails are still not going to customer spam. This never happened with Rackspace who in fact used Exchange. That's why I'm not sure why the spam issues just moving directly to Microsoft and using the same domain. Thanks so much for your help.

  On 14/03/2023 at 11:54, patseguin said:

OK so other than everything I've done, there's nothing else that could be done on my end? I'm hoping a lot of our emails are still not going to customer spam. This never happened with Rackspace who in fact used Exchange. That's why I'm not sure why the spam issues just moving directly to Microsoft and using the same domain. Thanks so much for your help.

Expand  

Your best bet is to send a test message to a google mail account and look at the headers and have them analyzed  .. I think MXToolbox does it, but also here Message Header Analyzer (mha.azurewebsites.net)  Once you look at it you can see the scores and usually why the score is good/bad.  

You can directly affect the score of the sending domain - your domain - through SPF/DKIM/DMARC and none of that is a mystery.  The only transient problems are DNS expiry.

The most common issues I've run into is just too much assumption.  For example that "a mx ptr" issie is huge -- I looked it up and SPF only does 10 DNS lookups at all before it errors out.  Those commands alone are 3 DNS lookups alone, you had the M365 one in there (which actually ends up being 2 dns lookups), and holy hell, you look at bluehost.com -- it's got SEVEN named lookups in and of itself before you even drill into the recursion.  It's no question, that was the problem.

This is Bluehost's SPF:

"v=spf1 ip4:209.17.115.0/24 ip4:64.69.218.0/24 include:spf2.bluehost.com include:_spf.qualtrics.com include:_spf.google.com include:_spf.salesforce.com include:sparkpostmail.com include:spf.mailjet.com include:spf.protection.outlook.com -all"

Each underline is a new DNS lookup.  Google alone is 3 DNS lookups - that'd be 10 total right there, not to mention more lookups for "a mx ptr"...  a receiving system would never even make it to the M365 lookups before failing.  Checks out.

Per the SPF RFC:  SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during a check, a PermError MUST be returned. The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit. The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit.

I'm just explaining why the original "v=spf1 a mx ptr include:bluehost.com include:spf.protection.outlook.com -all" failed.   Without drilling into it, SPF would generate a permerror and may not even reply with a viable and valid response - if even accepted, the first 10 are the only accepted.  Order matters too.  Not that I'm encouraging you to change but if you had it as...
     v=spf1 a mx ptr include:spf.protection.outlook.com include:bluehost.com -all
     (reversing the include order)
... it might've actually worked, even if it still generated a permerror.

It might seem to you that you just moved and suddenly you get these errors but looking at and analyzing the headers should ALWAYS be part of an analytics process when moving mail domains.  These above issues are black and white, and they would be visible in header logs.  I assumed what bluehost was doing even before drilling into the details because a lot of hosting companies like bluehost are notorious for stacking their SPF TXT records.  Bad juju, and makes it hard to leave, like somehow moving is bad.  It's not.

  On 14/03/2023 at 11:24, mram said:

Having SPF is usually fine, DKIM is better, DMARC is best.  But living without DMARC is fine for most, truly.  Let everything else settle and be good before you consider DMARC policies.

All those yellow checkmarks are fine, in context.  

Expand  

I just emailed a customer and they replied and I noticed in the subject this...Does that just mean that my SPF change this morning hasn't propogated yet?

 

  On 14/03/2023 at 13:52, binaryzero said:

Talk about doxing... lol

The TTL on your MX and SPF records is far too long, set them to 3600 (1hr) as per what MS provides you.

Expand  

They are just domains, is that bad? The shortest Bluehost give is 4 hours

  On 14/03/2023 at 14:36, patseguin said:

They are just domains, is that bad? The shortest Bluehost give is 4 hours

Expand  

I'm sure Meghen wouldn't appreciate it...

Microsoft's recommended (and what's provided) TTLs for Exchange Online records is 3600. Set MX, SPF, and Autodiscover to 3600, the others meh up to you.

Review the headers of the email to understand why SPF failed\flagged, your records may be cached at the receiver's mail gateway (could be its own time limit, or TTLs 🤷‍♂️). In the Microsoft 365 admin centre, go to Settings > Domains, verify that the domains have been configured correctly, I suspect they are if you're receiving\sending mail as expected.

If you've changed a bunch of records in a short period of time, leave things for 24-48 hrs and see what results you get.

  On 14/03/2023 at 14:43, binaryzero said:

I'm sure Meghen wouldn't appreciate it...

Microsoft's recommended (and what's provided) TTLs for Exchange Online records is 3600. Set MX, SPF, and Autodiscover to 3600, the others meh up to you.

Review the headers of the email to understand why SPF failed\flagged, your records may be cached at the receiver's mail gateway (could be its own time limit, or TTLs 🤷‍♂️). In the Microsoft 365 admin centre, go to Settings > Domains, verify that the domains have been configured correctly, I suspect they are if you're receiving\sending mail as expected.

If you've changed a bunch of records in a short period of time, leave things for 24-48 hrs and see what results you get.

Expand  

You're probably right. I removed the image. Blue host doesn't offer 3600. 

msedge_dEbDL7xTUH.png

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • And bring back taskbar deskbands which were removed, and full and total customization of notification area icons like earlier
    • This has all the markings of a thinly veiled mechanism for force users of older versions of Windows to upgrade...and trash perfectly good hardware. Microsoft, your history easily supports this line of reasoning.
    • Plasma 6.5 brings improved Emoji Selector, better performance in Activity manager, and more by David Uzondu This week saw the long-awaited release of KDE Plasma 6.4, bringing better window management and a whole lot of color management features. Apart from the release of 6.4, the KDE team was able to get other work done, and this was all outlined in the latest issue of This Week in Plasma, which details what is coming down the pipe for future versions. Looking ahead to Plasma 6.5, the developers are making some notable changes to improve performance and general usability. To prevent its database from growing endlessly and causing performance problems over time, the Activity Manager service will now only store the last four months of your history by default. The Emoji selector app is also getting a much-needed redesign that makes the window more compact and moves the sidebar button to the header for a cleaner look. Other little details for 6.5 are being polished up too. The unpopular vertical line separating the date and time on the horizontal Digital Clock widget is gone; if you want it back, you can add it yourself with a custom date format. The "Add New" button has also been moved to the top toolbar in the Shortcuts page within Settings, freeing up some valuable screen real estate. The devs also reduced the minimum size of custom tiling tiles, a small but significant fix for anyone with an ultrawide monitor. In addition to that, the Networks widget's captive portal banner now uses inline header styling, so it doesn't look like a bunch of frames stacked inside each other anymore. Of course, before we get to 6.5, the current release needs some attention. Plasma 6.4's first bug fix release, 6.4.1, addresses issues like broken item selection in the Folder View widget and a bug that could cause the system to lock or suspend faster than intended. Keyboard navigation in list views in Discover feels smoother now, and text is easier to read in certain list items in KRunner. The devs also cleaned up how list items look when you press or click them in Discover. 6.4.1 also fixes a bug where the clipboard history popup would fail to select the top item, and makes the Earth Science Picture of The Day wallpaper plugin work again after its data source changed. Here's the full list of fixes: Fixed several issues in the Folder View widget that caused selecting or opening items to not work when using certain non-default view settings, when the view was scrollable, or when using a touchscreen. Fixed a bug in the Meta+V clipboard popup that sometimes failed to pre-select the top-most item. The Clipboard settings window’s shortcuts page no longer shows columns for local shortcuts that don’t do anything, since the clipboard is global in scope. Fixed the Earth Science Picture of the Day wallpaper plugin after the source data changed formatting again. Made a few fixes to the “Missing Backends” section of Discover’s settings window that kept it from working properly. Fixed a bug that prevented direct scan-out (and its performance benefits) from activating on rotated screens. Fixed an issue where the system could lock or suspend sooner than expected after an app stopped blocking those actions. Installing a new wallpaper plugin no longer causes the plugin list combobox to appear blank. The team even went back to squash some bugs in the older 6.3.6, tackling an issue that could cause keyboard shortcuts to get lost during a system upgrade and fixing an overflow bug with KRunner's faded completion text. Plasma 6.4.1 is set to arrive on June 24th, with 6.3.6 following on July 8th.
    • UniGetUI 3.2.1 Beta 1 by Razvan Serea UniGetUI is an application whose main goal is to create an intuitive GUI for the most common CLI package managers for Windows 10 and Windows 11, such as Winget, Scoop and Chocolatey. With UniGetUI, you'll be able to download, install, update and uninstall any software that's published on the supported package managers — and so much more. UniGetUI features Install, update and remove software from your system easily at one click: UniGetUI combines the packages from the most used package managers for windows: WinGet, Chocolatey, Scoop, Pip, Npm and .NET Tool. Discover new packages and filter them to easily find the package you want. View detailed metadata about any package before installing it. Get the direct download URL or the name of the publisher, as well as the size of the download. Easily bulk-install, update or uninstall multiple packages at once selecting multiple packages before performing an operation Automatically update packages, or be notified when updates become available. Skip versions or completely ignore updates in a per-package basis. Manage your available updates at the touch of a button from the Widgets pane or from Dev Home pane with UniGetUI Widgets. The system tray icon will also show the available updates and installed package, to efficiently update a program or remove a package from your system. Easily customize how and where packages are installed. Select different installation options and switches for each package. Install an older version or force to install a 32bit architecture. [But don't worry, those options will be saved for future updates for this package] Share packages with your friends to show them off that program you found. Here is an example: Hey @friend, Check out this program! Export custom lists of packages to then import them to another machine and install those packages with previously-specified, custom installation parameters. Setting up machines or configuring a specific software setup has never been easier. Backup your packages to a local file to easily recover your setup in a matter of seconds when migrating to a new machine UniGetUI 3.2.1 Beta 1 changelog: Added per-package-manager default install options Added the ability to run pre-install/update/uninstall and post-install/update/uninstall commands Added the ability to kill process(es) before a package is installed/updated/uninstalled Block custom command-line arguments (and pre/post commands) behind a SecureSetting switch SecureSettings are settings that require administrator privileges to be switched. Bundles won't import custom arguments & custom commands by default Bundles will show a security report when importing potentially dangerous settings Added a better crash message for when UniGetUI files are missing Deep improvements to how bundles and InstallOptions are loaded from disk. Improvements to WebView lifecycle Download: UniGetUI 3.2.1 Beta 1 | 51.7 MB (Open Source) Links: WingetUI Home Page | GitHub | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • I'm just waiting on what they will do when outlook doesn't load properly, and you have to set a new profile as a test.
  • Recent Achievements

    • Rising Star
      aphanic went up a rank
      Rising Star
    • Contributor
      GravityDead went up a rank
      Contributor
    • Week One Done
      BlakeBringer earned a badge
      Week One Done
    • Week One Done
      Helen Shafer earned a badge
      Week One Done
    • First Post
      emptyother earned a badge
      First Post
  • Popular Contributors

    1. 1
      +primortal
      668
    2. 2
      ATLien_0
      267
    3. 3
      Michael Scrip
      237
    4. 4
      Steven P.
      163
    5. 5
      +FloatingFatMan
      156
  • Tell a friend

    Love Neowin? Tell a friend!