I have asked @MisterW if he can help folks find the smoking gun showing such failures.  The above is the consequential end point arising from the possibility of either

• something being wrong with Plusnet's DKIM configuration and
• Microsoft failing to do the DKIM inspection proficiently

To follow on from that, there isnt really any information in the NDR to show 'why' the DKIm failed. What would be useful, is to see if its always DKIM that fails, so if anyone gets anything other than 'Spf= Pass , Dkim= Fail , DMARC= Pass'  in the NDR then that would be useful to know.

If anyone out there has access to DMARC aggregate reports (for domains hosted elsewhere) from Microsoft, then information from them would be useful. Personally, I have access to such reports for two other domains, both of which see DKIM lookup failures reported. Since these domains have no connection with Plusnet, it would tend to indicate its Microsoft failing to process the DKIM inspection.  

This is our most recent rejection it is a  : Spf= Pass , Dkim= Fail , DMARC= Pass

I am only able to get the two error files attached to the thread if I regenerate them into a PDF document.

@Tim-J 

I think that was old news before SPF was (re)implemented on every you.plus.com subdomain.

We are now looking at occasional DKIM failures, suggested to be associated with sending to multiple addressees, possibly associated with sending using the Outlook365 email client.

@PhilipHeyes 

Again thank you.  That is (up to a point) very helpful detailed information...

• Email sent from Outlook365 (Outlook 16)
• Sent to multiple addressees one of which was live.co.uk (were any of the others Microsoft addressees)

If you send the same email to just the live addressee does it get delivered?

If you attempt to resend the same email to all addressees, is it delivered?

Do the other addressees receive the email?

Is there the possibility of you attempting to send the same email (addressees / attachment etc) via webmail?  If that is successful, it gives credence to the suggestion that this is (also) email client related.

For the avoidance of doubt - do any of these addressees have email forwarding implemented?  I have seen SRS cause inexplicable mayhem on emails with attachments.

If you send the same email to just the live addressee does it get delivered?  

( Pass, we are sending business emails to Trustees,  even if we could deliver like this it fails to do what is needed i.e. keeping all the folks in one email thread so they can use Reply All and see each other comments on documents , quotes etc )

If you attempt to resend the same email to all addressees, is it delivered?

( It fails in a similar manner with rejections from the some or all of the MS accounts,
we are super reluctant to do this as it irks our customers and still does not reach the MS accounts )

Do the other addressees receive the email?

( Yes, emails are always delivered to all of the non MS addresses regardless of how many MS rejections occur )

Email Client

We do not use Web Mail & really can not use our customers as a test bed.

The same HP Win 11 Laptop & MS Outlook client does send successfully to MS email accounts
when we use an email a/c from a different business domain hosted on 123Reg. 

Forwarding

I am not aware of any email forwarding, we are not seeing responses from unexpected email addresses.

---

@Townman wrote:

...looking at occasional DKIM failures, suggested to be associated with sending to multiple addressees, possibly associated with sending using the Outlook365 email client.

---

The sending client does seem to be implicated in this problem.  Somewhere earlier in this topic I posted about how if I use Outlook 2016 (v2506 from Office Pro Plus 2016, i.e. the latest version of that client) to send to multiple MS accounts the messages bounce but if I use Thunderbird (140.0.1, i.e. the latest version) the messages did not bounce.

NB

1) My PC is running Win 10 Pro patched as far as the June update (the July update won't reach my PC until the end of July)

2) My account is a PN one, i.e. [name}@[account].plus.com

3) Outlook 2016 has been my default client since 2016, it has been flawless until this problem arose.

4) Outlook 2016 is configured to use POP3

5) I installed Thunderbird a few days ago and also set it up to use POP3

6) As far as I can see, the POP settings I'm using for Outlook 2016 are identical to the POP settings I'm using for Thunderbird

@Townman @MisterW @plusnettony If it helps, I can try and repeat this 'TB works while Outlook fails' trick but if I do I won't be able to get copies of the headers of any of the messages that reach MS addresses and the bounces that I get from failures will be no different to examples I've posted previously.

---

@PhilipHeyes wrote:

If you send the same email to just the live addressee does it get delivered?  

( Pass, we are sending business emails to Trustees,  even if we could deliver like this it fails to do what is needed i.e. keeping all the folks in one email thread so they can use Reply All and see each other comments on documents , quotes etc )

Email Client

We do not use Web Mail & really can not use our customers as a test bed.

---

Hi Phillip,

You appear to have a very reproducible and controlled scenario.  I understand the sentiment of not using your customers as a test bed ... the challenge is finding a reproduceable scenario in a situation where the contributing factors are far from clear.

The inference from reports is that it is a combination of...

• Sending from a you@youraccount.plus.com email address
• Using an Outlook365 client
• An email addressed to multiple MS email domain users
• Gives rise to DKIM failures for hotmail and live email addresses
• ... but not for other domain addresses (including outlook.com) also on the send** to list

The questions I asked (if they could be tried) might have narrowed down the variables, but I understand the bigger picture with 'live' clients.  None of what I asked was intended to suggest alternative ways of working (not acceptable) but rather to pin point key characteristics.

** Possibly clutching at straws, but given I have seen such miscreant behaviours before ... are the addresses SENT TO, CC TO or BCC TO?  If BCC TO is there also a TO or CC addressee specified?  I have seen spam indices raised by the absence of a TO or CC addressee.

The target emails are always all in the To: field.

I do see a transmission to an @outlook.com and the failure was : Spf= Pass , Dkim= Fail , DMARC= Pass 
i.e. the same as other MS accounts.


I mentioned before that what fails via Plusnet SMTP server works perfectly via a 123Reg SMTP server.

What I do see as being different is the format of the email for 123Reg is <name>@<company>.co.uk
and the DNS entry is for <company>.co.uk 

But sending from Plusnet servers the the DNS entries for the email appear split
between  <account>.plus.com and .plus.com  

I am no expert on email, so what I see there may or may not be correct or of any importance.

This is another type of email transmission failure, I first reported very recently when it occurred send to a talktalk email and now this one has failed to one destination my father in law and it is a tiscali.co.uk email ( these are ISPs that long ago merged ).  This is an email destination that we have not had issues with in the past 10+ years.

I've highlighted the error message below, this is identical to occurred to talktalk and once again the IP rejected is present in _spf-internal.plus.net.  Even the same server is involved : avasout-ptp-003 [84.93.230.244]

Reporting-MTA: dns; avasout-ptp-003 [84.93.230.244]
Received-From-MTA: dns; [192.168.0.16] [86.30.96.254]
Arrival-Date: Wed, 23 Jul 2025 14:49:19 +0100


Final-recipient: rfc822; xxxxxxxxxx@tiscali.co.uk
Diagnostic-Code: smtp; 550 5.7.1 Connection refused - [84.93.230.244] blocked by Validity - https://senderscore.org/blocklist-lookup/ - OXSEU001_102 - https://postmaster-oxseu.vadesecure.com/inbound_error_codes/#_102

Last-attempt-Date: Wed, 23 Jul 2025 14:49:19 +0100

We have tried to resend the email to my father in law and again have an identical rejection with :

Connection refused - [84.93.230.244] blocked by Validity   just as above.

@PhilipHeyes Looks, to me, like TT are behaving in similar, but slightly different, way to MS  - they appear to be ignoring the fact you are a sub-domain of '.plus.com'.

The required SPF record is found on the <account>.plus.net DNS entry.

Here : nslookup for <account>.plus.net