
Microsoft Cracks Down On Bulk Email With Strict New Outlook Rules (betanews.com) 60

BrianFagioli writes: Microsoft has officially begun rejecting high-volume emails that don't meet its new authentication rules.

Here's the deal. If you send more than 5,000 messages per day to Outlook.com addresses (including hotmail.com and live.com) and you're not properly set up with SPF, DKIM, and DMARC, your emails may never arrive.

  • by Anonymous Coward

    The fact that they're allowing 5000 emails to slip through before problems is the biggest concern I have with this as that just seems to be too high.

    Most bad people will simply create multiple accounts and spread them out amongst the different accounts to not be detected.

    They should make the limit like 100 a day or something that is reasonable and in line with the average person's daily email outside of work. Where most people get email but don't send them or most people just respond to the ones they get.

    • The numbers for a casual email user that's legitimate are much lower than 5000 emails per day to a collection of 5000 different people.

      It's simply not reasonable for Microsoft to allow 5000 emails from a single email address if they haven't considered the other operational considerations that are required here.

      This is more likely to be impacting people running their own solutions like a self-hosted Listmonk instance, someone who didn't set up Mailchimp correctly, or a shell script that sends out unauthenticated e-mails as straight SMTP traffic...and it's targeting anyone who sends e-mails to 5,000 outlook.com users in total, not to a single recipient.

  • I get the RUA reports for my company's Microsoft-hosted email. Frequently, email sent from one Microsoft "tenant" to another Microsoft "tenant" fails SPF checks.

    • by kwalker ( 1383 )

      I receive similar reports from them, and the exact same e-mails sent to @gmail.com, @comcast.net, and others do validate correctly, but O365 properties can't. So I'd say this is more of a Microsoft filter problem than anything else.

    • by Holi ( 250190 )

      Are you using outlook.com for your company's hosted email? If not then YOU have to set up your DNS correctly.

      • by whoever57 ( 658626 ) on Monday May 05, 2025 @04:11PM (#65354305) Journal

        > Are you using outlook.com for your company's hosted email? If not then YOU have to set up your DNS correctly.

        Yes, and yes it is set up correctly. The problem is that Microsoft uses servers not listed in its SPF record (include:spf.protection.outlook.com ) to send to itself.

        As the post above notes: emails sent to other destinations do not fail SPF checks.

        • > The problem is that Microsoft uses servers not listed in its SPF record (include:spf.protection.outlook.com ) to send to itself.

          If they're DKIM signed, DMARC doesn't require SPF to pass though.
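Added example, not part of the thread or of any poster's tooling: a triage of a DMARC aggregate (RUA) report of the kind discussed above, separating sources where SPF failed but an aligned DKIM signature still carried DMARC from sources that failed both. The report is constructed, using the RFC 7489 Appendix C layout with documentation domains and addresses, and the class names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report (RFC 7489 Appendix C layout); the
# domains and addresses are documentation placeholders, not real senders.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.org</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def classify(dkim, spf):
    """DMARC passes when either aligned mechanism passes."""
    if dkim == "pass" and spf == "pass":
        return "pass"
    if dkim == "pass":
        return "pass-dkim-only"   # SPF failed, aligned DKIM carried DMARC
    if spf == "pass":
        return "pass-spf-only"    # no aligned DKIM pass, SPF alone
    return "fail"

def summarize(report_xml):
    """Return (message counts per class, rows that are not a clean pass)."""
    # Reports arrive from third parties: prefer a hardened parser such as
    # defusedxml in production; ElementTree keeps this self-contained.
    root = ET.fromstring(report_xml)
    totals, review = Counter(), []
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        if ev is None:
            continue
        dkim = ev.findtext("dkim", "fail").strip().lower()
        spf = ev.findtext("spf", "fail").strip().lower()
        verdict = classify(dkim, spf)
        count = int(row.findtext("count", "0"))
        totals[verdict] += count
        if verdict != "pass":
            review.append((row.findtext("source_ip"), count, verdict, ev.findtext("disposition")))
    return dict(totals), review

if __name__ == "__main__":
    totals, review = summarize(SAMPLE_RUA)
    print(totals)
    for ip, count, verdict, disposition in review:
        print(f"{ip:15} x{count:<4} {verdict:15} disposition={disposition}")
```

The `pass-dkim-only` rows are the case the last reply describes: the sending host is missing from the SPF record, yet the message still passes DMARC.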
  • by kwalker ( 1383 ) on Monday May 05, 2025 @02:54PM (#65354105) Journal

    That's funny. I run a small family mailing list and I can tell you that O365 doesn't check SPF/DKIM correctly anyhow. I routinely receive DMARC reports from them where they can't validate the exact same code that Google, Comcast, et al can.

    Plus if you don't have SPF/DKIM/DMARC set up, nothing ever makes it to an O365 box anywhere, it just evaporates in their filters somewhere. That was a hoot to troubleshoot.

    • by TheBAFH ( 68624 )
      In my case, the DMARC reports from MS mail services are always marked as spam by Spamassassin because:

      BASE64_LENGTH_79_INF BODY: base64 encoded email part uses line length greater than 79 characters
      MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding
      FORGED_SPF_HELO

      This doesn't happen with any other provider (Gmail's reports are fine).

    • Same for me.

      I have a family/friend mail server setup with proper SPF, DKIM and DMARC where I get reports back, reports I actually look at.

      The strange thing is that the only fail-reports I get are either from servers that have been spammed, i.e. the messages they received did not pass SPF (nor DKIM), or from Microsoft-run servers (outlook.com, hotmail.com and other systems that use Exchange server). Never from Google or Yahoo or any other, non-MS server.

      So, Microsoft get your house in order! Do a proper chec

  • Google and Yahoo! have had the same policy for years. I was running a mailing list for an HOA and even at 150 emails spread out over Google, Yahoo!, and Comcast they were being rejected if SPF/DKIM/DMARC wasn't perfect.

    HOWEVER even though I have a business paid Google-served email address I KEEP GETTING SPAM and ALL OF IT comes from Google. So while they're not helpful for others to send mail to their clients, they're more than happy to let their own customers spam their other (including paying customers

  • by zurkeyon ( 1546501 ) on Monday May 05, 2025 @03:02PM (#65354137)
    the 500 million Phishing reports I sent in FINALLY got read? ;-D
  • > Here's the deal. If you send more than 5,000 messages per day to Outlook.com addresses and you're not properly set up with SPF, DKIM, and DMARC, your emails may never arrive.

    Being properly "setup" on SPF, DKIM and DMARC isn't the only requirement by MS to drop emails. Another primary requirement is for Microsoft to actually care about their customers' emails and actually deliver them, instead of simply pretending to be an email service.

    So here's my deal to you, Microsoft: you stop dropping valid emails into the void without any warnings/valid reasons, and I won't bring about a class-action lawsuit against you. Deal?

    • > Being properly "setup" on SPF, DKIM and DMARC isn't the only requirement by MS to drop emails. Another primary requirement is for Microsoft to actually care about their customers' emails and actually deliver them, instead of simply pretending to be an email service.
      >
      > So here's my deal to you, Microsoft: you stop dropping valid emails into the void without any warnings/valid reasons, and I won't bring about a class-action lawsuit against you. Deal?

      My experience has been identical. After being forced onto Outlook for one of my projects I ended up capturing everything before they decide arbitrarily it doesn't even need to go to a spam folder and evaporates them - and send it to a gmail account. But that doesn't help the people I send email to. Spent a weekend setting up the alphabet soup, still MS dumped them.

      I finally set up a groups.io group, which still has some issues, for people suffering from the psychotic message killing.

  • Next (Score:4, Informative)

    by Ol Olsoc ( 1175323 ) on Monday May 05, 2025 @03:22PM (#65354183)
    What is Microsoft going to do about the low volume - like one off - emails that end up in the big bit bucket in the sky?

    After moving me onto Web based outlook, and having stuff mysteriously not appear, I capture all the emails and forward them to gmail before Outlook messes with them.

    I even get people wondering where emails I was sending them went to, my first question is "Outlook your reader?" Most of the time, the answer is yes.

    This was all known long ago with the magic 8 ball toy which keeps telling us "Outlook Not So Good"

    • by kwalker ( 1383 )

      Literally the same thing they've done about it for the last decade: not a goddamn thing.

      What you're describing is exactly what I've gotten out of Microsoft, Comcast, Google, and to a lesser extent other large webmail providers. They do not care about deliverability if you're not signed up with some of their BS partner programs, which are not documented anywhere. If you try, you'll get stuck in bot-hell of generated KB articles that are all fucking wrong.

      • > Literally the same thing they've done about it for the last decade: not a goddamn thing.
        >
        > What you're describing is exactly what I've gotten out of Microsoft, Comcast, Google, and to a lesser extent other large webmail providers. They do not care about deliverability if you're not signed up with some of their BS partner programs, which are not documented anywhere. If you try, you'll get stuck in bot-hell of generated KB articles that are all fucking wrong.

        My favorite is when their articles do a "how to" and the info is outdated. Referring you to things that don't exist any more because Microsoft moves things around arbitrarily and not always logically. Recently had that with a W11 copy for Parallels on MacOS that Windows refused to authenticate even though I had the receipts. Finally had to go scorched earth and reinstall Parallels and the W11 .iso. Microsoft support was worse than useless. An annoying way to spend a day.

  • Even when doing SPF and DKIM right and sending a few mails per month, they still want you to manually apply for whitelisting if you run your own mail server. Good that not too many people I communicate with use it, because they really do not want your mail if you aren't one of the big players.

    • Really? I've never had an issue. I did have to get my ISP to set up a PTR record for me, but that's the only issue I've had that was outside my direct control.

      • by allo ( 1728082 )

        They have IP ranges they dislike. If you're unlucky your hoster got the IPv4 addresses only recently and then Microsoft does not like your mails. I once had a server with an IP from a block that was reserved for a long time and they blocked everything. Other than some people I never had a problem with Google, though. I think you should have SPF/DKIM/DMARC and then Google is happy. I'd wish it would be that easy for Hotmail/Outlook.

      • by dskoll ( 99328 )

        Also never had an issue. I have SPF, DKIM, FCrDNS and DMARC set up and for bonus points, I also set up DNSSEC.

        The only provider I have deliverability problems with is Apple ("foo@me.com" addresses.) No issues with Google, MSFT or Yahoo.

        • by kwalker ( 1383 )

          Are you absolutely sure about that? Because my experience is vastly different. Even jumping through hoops, setting up crypto verification (SPF, DKIM, DMARC), I routinely get comments from family members that my mail doesn't go through. Sometimes they can find it in their Spam folder, but usually it's just gone, shuffled off to the big /dev/null in the sky. No error, no rejection on my end, just "mail accepted for delivery" from their SMTP gateways, then poof.

          • But you have a valid PTR, right? If the reverse lookup fails, your mail doesn't even get far enough for SPF and DKIM to matter.

            • by kwalker ( 1383 )

              Yes of course. No one allows you to send without a valid and matching PTR record anymore.

          • by dskoll ( 99328 )

            Obviously, I'm not 100% sure that every single one of my emails has made it through, but I can't think of a case where I sent an email that required a response and I didn't receive a response, except to a correspondent who uses Apple's email services.

  • by Arrogant-Bastard ( 141720 ) on Monday May 05, 2025 @03:34PM (#65354223)
    I've been running email systems for a long, LONG time. I'm currently running about three dozen of them, handling email for different operations on different networks using different MTAs on different operating systems. (All open-source of course)

    The anti-spam defenses in place at all of these are extensive and very well-planned, as they should be. They include rules in routers, rules in firewalls, rules in MTAs, and more. All of them are custom-tuned, all of them are monitored on a daily basis, and quite frequently adjusted to deal with emerging threats. As a result of all this effort, almost no spam gets through AND the false positive rate is running at about 4 messages/year.

    And yet...of that "almost no spam [that] gets through", almost all of it is from Microsoft or Google. All of it passes SPF, DKIM, etc. checks: it really is from them. Together these two operations have accounted for roughly 85% of all false negative (e.g., received) spam over the last three years.

    So it's pretty damn arrogant (note my handle, I'm familiar with the concept) of them to make any claims or impose any requirements on anyone, given how miserably they've both failed. What I'd like to see -- but won't -- is both of them turning their attention inwards and reducing their spam output to zero. Then, and only then, will they have any credibility with me. (Don't tell me it can't be done. I've done it, and at some large operations. And I did it without the enormous financial and personnel resources that they enjoy.)
    • Due to the nature of the service, I give them a bit of leeway and instead judge on how fast they respond to abuse reporting.

      • First, let's note that "controlling outbound spam from Microsoft et al." is not and should not be our problem. It's theirs. They are 100% responsible for that, and it's disingenuous to insist that those of us who don't have billions of dollars and armies and employees do their jobs for them.

        Second, have you checked on their responsiveness to spam/abuse/other complaints sent to their RFC 2142 mandatory role addresses lately? IF you get a response at all, and that's a big if, it's likely to be automate
    • by Tschaine ( 10502969 ) on Monday May 05, 2025 @05:07PM (#65354443)

      If you haven't worked on antispam for a consumer domain like outlook, Gmail, Yahoo, etc, then you likely underestimate just how hard it is.

      It's nothing like antispam for companies that only give email addresses to their employees. The attack volume is magnitudes greater, for both inbound and outbound. There is also a much smaller difference between desired bulk mail (like newsletters) and abusive bulk mail.

      The amount of email that gets blocked at the IP level is staggering, even though connection based filtering has a high bar because it's so hard to troubleshoot.

      It's another world entirely.

    • by MeNeXT ( 200840 )

      This. The only SPAM I get is from MS and Google. The only phishing attempts are from MS and Google. They all have SPF/DKIM.

      If I had MOD points it would be +1 informative.

  • So, if you don't have DKIM, SPF, etc. set up, and you send spam from different IP addresses using different sender domains... how will MSFT know who to attribute the 5000 emails to?

    Seems silly to me. You either demand correct SPF, DKIM and DMARC from all senders, or you don't. Either way, it won't make much difference to the volume of spam.

  • by Tony Isaac ( 1301187 ) on Monday May 05, 2025 @05:00PM (#65354423) Homepage

    For months now, slashdot notification emails have been failing DMARC tests, causing all the emails to go to spam. Pretty annoying!

  • BWAHAHAHA, try just setting it to stop filtering out your OWN EMAILS to me as spam, Microsoft.
