On 8/13/25 09:51, Laura Atkins wrote:


On 13 Aug 2025, at 07:45, Dan Malm via mailop <[email protected]> wrote:

Hi,

I've seen some chatter here about Microsoft's rules for large senders and DKIM, but that discussion has missed one perspective: forwarding. It appears Microsoft have decided that for "large senders" spf AND dkim AND dmarc ALL need to pass (for the domain in the from header). That means it's impossible to forward mails from large senders to addresses hosted by Microsoft:

5.7.515 Access denied, sending domain JULA.COM doesn't meet the required authentication level. The sender's domain in the 5322.From address doesn't meet the authentication requirements defined for the sender. To learn how to fix this see: https://go.microsoft.com/fwlink/p/?linkid=2319303 Spf= Fail , Dkim= Pass , DMARC= Pass

This seems like absolute madness to me.

While it is madness to expect every domain in a message to align, that’s not what’s going on here. Microsoft are incorrectly marking mail as authentication failed when the authentication isn’t failing. Some folks think it might be related to DNS TTLs. Steve talked about it here: https://www.wordtothewise.com/2025/07/dont-make-your-dns-ttls-too-short/

laura
--
But both DKIM and DMARC pass here. The only thing MS indicates doesn't pass is SPF (for the domain in the from header). And that is true, it does fail, as it well should. We're not the sender, we're just forwarding the mail on behalf of our customer, but as DMARC passes that SHOULD be fine. I think the DNS TTLs you're referring to are the aforementioned discussions about DKIM where MS says DKIM=fail despite having valid DKIM.

And some have suggested ARC is the savior here, but that would only be true if there was some way to get Microsoft to trust our ARC signature, which they don't. (We've been ARC signing all forwards since 2019)
--
BR/Mvh. Dan Malm, Systems Engineer, one.com
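
Added example, not part of the thread or written by any of its participants: a forwarder-side triage script that parses 5.7.515 rejections like the one quoted above out of MTA log lines and counts, per From domain, which of the three reported results failed. The function names, bucket names and all sample lines except the first are constructed for illustration.

```python
import re
from collections import Counter

# Results appear as "Spf= Fail , Dkim= Pass , DMARC= Pass" (irregular spacing).
BOUNCE_RE = re.compile(
    r"5\.7\.515 .*?sending domain (?P<domain>\S+) doesn.t meet.*?"
    r"Spf=\s*(?P<spf>\w+)\s*,\s*Dkim=\s*(?P<dkim>\w+)\s*,\s*DMARC=\s*(?P<dmarc>\w+)",
    re.IGNORECASE | re.DOTALL,
)

def parse_bounce(text):
    """Return domain and SPF/DKIM/DMARC results from a 5.7.515 reply, or None."""
    m = BOUNCE_RE.search(text)
    return {k: v.lower() for k, v in m.groupdict().items()} if m else None

def classify(result):
    """Bucket a parsed rejection (bucket names are this example's own)."""
    spf, dkim, dmarc = (result[k] == "pass" for k in ("spf", "dkim", "dmarc"))
    if not dmarc:
        return "dmarc-fail"        # the message fails DMARC itself
    if dkim and not spf:
        return "spf-only-fail"     # the forwarding case described in the thread
    if spf and not dkim:
        return "dkim-only-fail"    # DKIM reported as failed, SPF fine
    return "other"

def summarize(log_lines):
    """Count rejections per (From domain, bucket) across MTA log lines."""
    counts = Counter()
    for line in log_lines:
        parsed = parse_bounce(line)
        if parsed:
            counts[(parsed["domain"], classify(parsed))] += 1
    return counts

PREFIX = "5.7.515 Access denied, sending domain "
TAIL = " doesn't meet the required authentication level. "
# First entry abbreviates the rejection quoted in the thread; the rest are constructed.
SAMPLE_LOG = [
    PREFIX + "JULA.COM" + TAIL + "Spf= Fail , Dkim= Pass , DMARC= Pass",
    PREFIX + "EXAMPLE.ORG" + TAIL + "Spf= Fail , Dkim= Pass , DMARC= Pass",
    PREFIX + "EXAMPLE.ORG" + TAIL + "Spf= Pass , Dkim= Fail , DMARC= Pass",
    "250 2.0.0 OK queued",
]

if __name__ == "__main__":
    for (domain, bucket), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{domain:15} {bucket:15} {n}")
```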