Mimecast is currently investigating the cause of emails failing DKIM checks when sending to Microsoft freemail domains. This has been happening since Microsoft introduced this change.
We have observed the following:
- The issue appears to be affecting only Microsoft freemail domains; other email providers applying similar DNS checks and requirements are accepting the DKIM-signed messages without issue.
- This does not affect all messages sent to these domains.
- In some instances, generating and publishing new DKIM keys has resulted in Microsoft accepting messages. We recommend generating 2048 bit DKIM keys where possible. Steps to generate and publish new DKIM keys can be found here.
- The issue occurs predominantly with BCC recipient-only messages. If you are affected in this way, adding a recipient to the TO or CC field may allow for successful delivery.
- This issue is not isolated to BCC recipient-only messages.
- There is no defining set of circumstances within our customer base where this issue can be reproduced 100% of the time.
- The SMTP error code shown when a message fails to be delivered to MS Freemail domains that fail the authentication requirements is:
550 5.7.515 Access denied, sending domain <Your Sending Domain> doesn't meet the required authentication level. The sender's domain in the 5322.From address doesn't meet the authentication requirements defined for the sender. To learn how to fix this see: https://go.microsoft.com/fwlink/p/?linkid=2319303 Spf= Pass , Dkim= Fail , DMARC= Pass
- Mail merge can be used as an alternative to BCC'ing recipients.
- Ensure applications that generate messages and mail templates are set to Base64 Content-Transfer-Encoding instead of UTF-8.
Despite the issue solely affecting Microsoft freemail domains, we are conducting thorough investigations to identify the root cause. While we conduct our investigations, we advise customers to also contact Microsoft Support directly.
Comments
0 comments
Please sign in to leave a comment.