I'm currently having the same experience.
Unlike virtually all other email providers, Microsoft does not cooperate if you follow standard email practices. You can follow all their instructions, sign up for their monitoring tools, submit issue reports, try to build "reputation" and if you are self-hosting they will still have a high likelihood of silently dropping your emails after their server tells you it got them, or putting them in the recipients spam even after being marked as an approved sender.
>Biggest problem is, that Microsoft always blacklists the whole server! If only one of my customers does something not in line with the secret rules of SmartScreen, emails of all other customers are blocked too. IMHO this is just unprofessional. Why not just block the domain under suspicion and send the adminstrator a message (maybe as part of the JMRP)?
The reason for blocking IP originates from a culture set before DKIM. Any IP could shoot out emails for any domain. You don't want to blacklist a domain for an email it did not legitimately author.
However, in a post DKIM world, where adoption is above 80% this could be a feasible solution at least for emails carrying a DKIM signature. The domain owner has provided proofs that the IP address is being used by them to send out emails. Flagging emails from a domain and IP could be blocked while allowing other domains from the same IP to operate.
As someone who worked on reputation at Microsoft, it sounds like a bad case of the right hand not talking to the left. Outlook SmartScreen judgment should be available to tier 3 support along with the IP block list check as a primary investigation step. The author should not have needed to go through tier 3 on two tickets before escalating to someone who had visibility into SmartScreen judgments. Hopefully this blog gets some publicity and Microsoft support amends their investigation process, as I’m sure the author is not the only person running into this issue.
All opinions are my own and not that of Microsoft.
> SmartScreen® Filter technology is always adapting and learning more about what is and isn’t unwanted mail, it is not possible for us to offer specific advice about improving your mail content.
Translation: "The filtering is based on machine learning. If there are false positives, too bad, even we don't know what's causing them. Try to look less like spam or something?"
Oh hey, Microsoft is breaking another open decentralized standard again as they are pushing their own proprietary alternative. But let's keep pretending they changed.
Had the exact same experience when I worked at a non-profit: we had a self-hosted Postfix server, and our subscriber emails would get silently dropped. This only ever happened for Outlook.com users, and we had set up SPF, DKIM, and DMARC long ago. We got the same run-around with Microsoft support, and eventually we had to give up and move to using Google's SMTP Relay service.
I run an email forwarding service https://hanami.run and I used to had this exact problem.
They had a dedicated page at https://sendersupport.olc.protection.outlook.com/snds/data.a... that supposed to be used for these delivery issue. I tried to submit multiple requests from there.
Even IPs that aren't sent any email in last 3 months.
Then one day the problem just disappears and I was able to send email just fine. Till this day, I still don't know what happen.
Another similar service is apple icloud, which I think even much more worse than Hotmail. At least, hotmail give you a portal that you can see some data.
With the announcement of apple icloud email service, I imagine people who are self-hosted email gonna have a lot issue with them.
I started getting this on our transactional mail relay some years ago, hotmail responded with "Not qualified for mitigation", therefore instead of spending pointless effort dealing with these miserable jollems i used o365 to counter it (my organization was already using o365, which also never did this S3150 thing to me) by:
Adding a relay user to the o365 then configuring all the domains i needed to send from on the o365 tenant (without changing the MX records naturally). (Using a normal o365 user account to relay is possible for me as our typical customer base is enterprise and education, not random end users) Adding distribution lists as the from-addresses that i needed to send from and gave send-as rights to the relay user, compiled a list of hotmail/outlook domains (which i've had to add to over the years but it is relatively stable for me by now), then configured the outgoing relay server that does all the dkim-stamping to route all outgoing mail to outlook/hotmail domains through o365.
When i see a S3150 in the logs i just add another domain to the list, i should probably make this pre-emptive by looking at the target mx records before sending, as its not trivial to make exim resend something that ended in a 5xx.
All other mail providers have removed blocks by simply asking, not hotmail. Also all our newsletter-like mail goes through separate services, these are all transactional mails (meeting invites, user account creation, password resets and such).
I have had the exact same experience. Even put the senders on your whitelist and it makes no difference at all. It means that Office 365 cannot be trusted for handling mail. When it comes time to renew, after two years of putting up with this, I am moving off it.
Even the user side of Microsoft's email is confusing and prone to loosing emails. O365 defaults or at least the recommended settings will just quarantine emails without notifying anyone. I guess Microsoft doesn't trust users to not open emails in the spam folder?
I think I have it configured now to alert the recipient and me on quarantined emails but there are at least two relevant dashboard (Exchange and umm Security Center? who knows what the current names are today) that probably have like 35 submenus and 1000+ settings. Running my own email server would be easier.
Another thing, a few months ago I noticed a couple incoming emails were not quarantined/blocked but also not delivered. I don't think the issue has reoccurred since but it's just crazy that emails are just lost sometimes.
Meanwhile, I get so much spam on my hotmail account (from obvious spam addresses too) that I’ve had to switch to gmail. It seems both the false positive and false negative rate is sky-high.
Governments don't like self-hosting, because they need to ask for data every time they need it. For big hosting providers like Google, Microsoft, Fastmail and others they have mails already. So there are incentives to make it harder and harder to self-host...
Had the same problem as well when sending an email to a client of mine who used Hotmail. Had had successful communications with them in the past 1.5 years then suddenly, bam. Was put on the "S3140 block list". Had to use my personal Gmail to send emails to them. Never emailed another person who used Microsoft email services.
Was told my email server was sending spam by them (as people had reported emails from the IP as unwanted), so I did a full security check (using logs, trying to find holes, etc), and upgraded software. No problems that I could find.
After lots of back and forth, they said my IP was blocked as it was "suspicious" and they unblocked it (how kind of them). The process took a long time, which I could imagine could be devastating to a small business (luckily my client understood as I made sure to tell them how bad Microsoft is).
Unrelated but if the author is reading this please get rid of the sticky header on that site. It is beyond annoying.
Had this same issue many times sending via AWS (SES). Spent dozens of hours on it with no help from Microsoft, ultimately Amazon had to sort it out with them.
Silently dropping mail (not even to the spam folder) is a maddeningly cryptic action on MS's part, and has squandered massive amounts of developer and system administrator time.
If you're in a position to sway anybody from using Outlook.com, Hotmail.com, or Msn.com or Live.com I highly encourage it - MS has made a lot of lives difficult with their email policies, including NerdAdmin's here.
I had to stop using Office365 for business because it kept doing this same thing. I disabled every spam, and protection I could find, and enlisted the help of support. Some legitimate email would simply never arrive and they couldn’t explain why. It seems there are layers of protection, some with no logging (available to the tenant admin) to troubleshoot, it became a huge waste of time, negating the purpose of using a cloud service. In the end I moved to a different service provider and never had the problem again.
On the opposite side, I found Microsoft Azure to be one of the biggest sources of spam on the internet. I have blocked them completely on my private mail server.
This sounds similar to my experience with Microsoft based email (Outlook, Hotmail, Live, custom 365 domains) I eventually decided to route Microsoft hosted emails over Amazon SES instead of a VPS hosted Postfix setup. This did help a bit. The fact that all other email providers work perfectly fine and Microsoft is the problematic one I think signals an issue with their spam filtering.
Yeah, these problems are consistent with Microsoft email. I've been using Sendgrid to send emails for our SaaS and some customers who use Microsoft email don't receive transactional messages at all. There's nothing you can do about it.
Also, seen this happen with other apps too. Transactional messages don't arrive on Microsoft email addresses.
It's common knowledge that Microsoft considers everyone to be spammers until proven innocent. Getting to a point where your mails end up in the recipients' inboxes is a long path -- Microsoft doesn't care if you set everything up perfectly, as spammers can do the same -- and one has to provide them with enough data to learn to trust one's IP's/ranges/domains.
Contacting Microsoft means you have to go through a difficult dance through multiple canned replies, multiple escalation requests, and being lucky enough to get someone to actually escalate.
Silently dropping emails isn't Microsoft-specific, though. It's quite common to have a Postfix/Amavis setup set to discard spam over a certain spam score threshold.
So, basically, email lacks an ACK mechanism.
Couldn't a matrix client with email and asynchronous features be a drop-in replacement for email ? Wouldn't that be a killer product ?
SPF, DKIM, and DMARC are not to core to email protocols if I understand correctly.
There shouldn't be a way for a matrix a client to delete a message sent to another client to keep with the email usage and expectation. So matrix messages wouldn't necessarily be used as email text messages but attached documents to messages would carry email that a client would store and archive.
These details about the proprietary "SmartScreen" were really useful.
We have been sending login code emails via AWS SES and have had a lot of issues with Hotmail/Outlook.com not delivering them.
My takeaways: 1) There's a risk that a shared IP system like AWS SES will get blocked by SmartScreen based on emails someone else is sending. 2) We really should look at the contents of our (trivial) transactional emails, too.
I've never hit this with GMail, but I've hit this repeatedly with outlook.com/hotmail.com accounts. There's a persistent 20% chance of any given email to my accounts being dropped silently.
It's been enough of a headache that I haven't been able to migrate off GMail and that's frustrating as hell. Especially with important medical emails..
Microsoft is also the only server operator that will randomly block me. Since I don't host any customers I have decided to simply not care about them and their customers - if someone using microsoft's email services isn't able to get email from me, it's their problem.
I can only confirm that out of all the email providers, Microsoft is the most tedious, non-standard and brutal when it comes to dropping email.
I'm coming from the perspective of a community site owner that pushes out email notifications to its members. Nothing spammy, all emails are opted-in and essential for the basic functioning of the community. They may be as simple as "person X liked your post". It's purely functional email. Plain text, no links, images, nothing. The entire site is non-commercial.
Further, the domain from which it is sent is well established (14 years old) and never used for sending out spam. It also has implemented all the best practices, like DMARC, SPF, the like.
It's not in the gray zone by any stretch of the imagination. It's as clean as it gets. Yet still, as random as the weather, it's always hotmail.com and live.com users complaining about email not arriving. It's not in their spam folder, it's just not there at all.
I never face this issue with any other email provider, only Microsoft.
There's no help at all regarding what triggers it, other than the standard document listing best practices I'm already following. They do have some tools to analyze issues, but guess what, only available for high volume email pushers.
There's also a public tool to check blocklists, some of which are shared between email providers, yet even when not blocked anywhere, you're still blocked at Microsoft.
So after all this self-analysis, I've learned to raise the ticket. Admittedly, occasionally they admit it was a false positive, and then lift the ban. But they never fix anything structurally, it's an issue that keeps coming back. It's maddening.
Since I'm in the mood of self-pity, I'll add to this Microsoft-specific problem by mentioning that it's hell to push out email in general for small websites.
For example, besides the functional email notifications, there's also an opt-in weekly newsletter. It's found deeply within user's personal settings, so those finding this setting and enabling it, surely want it.
Within the range of a few hundred to a few thousand subscribers, now you have a signal problem. A handful of users may no longer want the newsletter and do not unsubscribe (which is easily done from the bottom of each email). Instead, they may delete it, report it as spam, block the sender.
These are convenient to do from an email client, but the problem is that I never see their desire to unsubscribe. I'd gladly honor it. What happens instead is that in the case of low volume, just a handful of these negative signals may push all of your email into the spam folder.
Technically this is incorrect. It's not spam. The user opted in, the contents of the emails are not spammy, and the user never indicated to not want them anymore. But email providers don't care, it's all spam now.
To resolve this, I compare last activity on the site with the user's opt-in status, and auto unsubscribe everybody not recently active, regardless of whether they want this. This significantly reduces the chance of users flagging the email as unwanted in their email client. At the same time, now I have users complaining their newsletters aren't coming.
Bottom line: you can't win. With the best of intentions, fully wanting to comply with every technical and legal guidance in the book, it still does not work.
Does setting up MTA-STS have any effect on deliverability? I can see in my webserver logs that both Microsoft and Gmail/Google are checking the MTA-STS settings at regular intervals.
Despite all the outrage, there is also this:
"As far as I know, emails from my business custmers are branded, formatted following best practices, have unsubscribe links and a valid contact footer."
In other words, his customers are sending out the type of emails that actually require unsubscribe links. You know, _spam_. So maybe it isn't Microsoft who is the bad guy here?
When these long-winded issues arise, you need to call people up. Email clearly isn't working.
You'd be surprised (or not) by the difference verbal communication makes, not only do your verbal expressions translate better, but the tone of voice may (or not) instill trust in the person on the other end.
The general problem is by no means unique to Microsoft.
Misconfigured email servers, with spam filters and SPF/DKIM setups being the most common issues, drop emails far more often people tend to realize.
Kudos Nerd Admin epic post and work through
Hashtag MeeToo
I had this problem repeatedly with both Google and Microsoft, though never at the same time and never, so far as I could tell, for the same reason.
Everything was set up properly. The domains I hosted had IPv4 and IPv6 addresses with forward and reverse DNS matching exactly. SPF was set perfectly, according to multiple test sites. DKIM was always used and always validated, again according to multiple test sites. I even signed up for a DMARC endpoint account at report-uri.com.
Didn't matter. Messages would be spontaneously rejected, sometimes in mid-conversation (this happened to my wife quite a lot). Other times, the remote end would claim to accept the message and then it would disappear into the great bit bucket in the sky. It would be like this for a day or two then spontaneously go back to working.
I finally gave up and switched entirely over to Fastmail awhile back. No more delivery problems, but no more self-hosting my own e-mail, something I'd done for twenty years prior (my domain is older than Mozilla and Google).