The comment about a Plusnet 'sub domain', this is a unique dimension of difference from our other email addresses.  

For the property units we have under management emails are also sent from the same laptop / MS Outlook client via gmail.com and <company domain>.co.uk (123Reg) & these both work, regardless of destination & regardless of the number of emails in the To: field.

We have just sent two email transmissions that included  hotmail email addresses and both
are rejected with Dkim=Fail for KEYLINE.PLUS.COM

This set me to look at the SPF / DKIM / DMARC and I found the link below that reports

1) I do not have a DKIM entry

2) the DMARC has two warning

https://easydmarc.com/tools/domain-scanner?domain=keyline.plus.com

I hope the URL continues to work as I don't know what to make of this,
if the URL does not the response is attached as a PDF



Reporting-MTA: dns; avasout-peh-002 [212.159.14.18]
Received-From-MTA: dns; Clarelaptop [86.30.96.254]
Arrival-Date: Thu, 24 Jul 2025 12:53:19 +0100


Final-recipient: rfc822; xxxxxxx@hotmail.com
Diagnostic-Code: smtp; 550 5.7.515 Access denied, sending domain KEYLINE.PLUS.COM doesn't meet the required authentication level. The sender's domain in the 5322.From address doesn't meet the authentication requirements defined for the sender. To learn how to fix this see: https://go.microsoft.com/fwlink/p/?linkid=2319303 Spf= Pass , Dkim= Fail , DMARC= Pass [PAXP251MB0580.EURP251.PROD.OUTLOOK.COM 2025-07-24T11:53:21.437Z 08DDCA8640F1FA3A] [BL1PR13CA0231.namprd13.prod.outlook.com 2025-07-24T11:53:21.488Z 08DDCA5D5A57EF01] [MN1PEPF0000ECDB.namprd02.prod.outlook.com 2025-07-24T11:53:21.492Z 08DDC69E4AE89F4C]

Last-attempt-Date: Thu, 24 Jul 2025 12:53:21 +0100





Any guidance on the meaning, relevance of this is gratefully received.

Hi Phillip,

As I found out a few weeks ago, a little knowledge can be damn right dangerous!

DMARC is at the domain level (not sub-domain level) and has a policy to do nothing in the event of failure.  Not dictating a decision and leaving that to the receiving server seems like a reasonable option.

DKIM needs a selector - the site you used has no way of knowing what that selector should be so it is ASSURED to fail ... the scam being is that you panic and go to THEM to fix what is probably NOT a problem.  Note that the belly-ache that the DMARC notification email address is not theirs.

If you want to do a meaningful inspection, use this service - Learn and Test DMARC - very sweet!

For checking DKIN you need to know Plusnet's selector ... which can only be found in an inbound email's header ... for example...

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@plus.com header.s=042019 header.b=JSb3kuWz;

Only with the use of the above, you can check your DKIM record... 

Use Network Tools: DNS,IP,Email and the domain level DKIM key of plus.com:042019

DKIM and DMARC at the top-level domain has served well for years.  The fact that what we have works with some addressee services and not others does rather point to issues (or at least different implementation configurations) with the target services.  The issues remain under investigation.  User experience diagnostics have been sent to Google.  Personally I have not been able to reproduce the DKIM failure you are encountering ... and one must be mindful of the known issues with Microsoft's DKIM verification process.

Any guidance on the meaning, relevance of this is gratefully received.

It means the easydmarc scanner only checks the specified domain. It doesnt check for DKIM records on the parent domain i.e plus.com.

Plusnet implements DKIM (and DMARC) at the plus.com level specifiying 'relaxed' mode 

For the technical details, see RFC 7489 §6.3, which in turn references §3.1.1. In particular, §3.1.1 states:

To illustrate, in relaxed mode, if a validated DKIM signature successfully verifies with a "d=" domain of "example.com", and the RFC5322.From address is "alerts@news.example.com", the DKIM "d=" domain and the RFC5322.From domain are considered to be "in alignment". In strict mode, this test would fail, since the "d=" domain does not exactly

match the FQDN of the address.

So the email DOES meet the SPF,DKIM and DMARC requirements.

The problem is the Microsoft routinely fail to correctly process DKIM by failing DNS lookups of the DKIM keys. 

Thank you for the explanations .... this is why I asked for guidance, I have zero experience as an email administrator.

But I do note the rejection is directed at KEYLINE.PLUS.COM & not at PLUS.COM

Regarding :

The problem is the Microsoft routinely fail to correctly process DKIM by failing DNS lookups of the DKIM keys. 

This I feel the need to challenge, because we can reliably send emails from gmail.com and <company domain>.co.uk
we do not get any rejections regardless of the types or numbers of destination including to any type of Microsoft emails.

I would concur with that challenge if every email sent from here to there hit a DKIM failure, but that is not the experience.

Similarly I might concur if one could be assured that email sent from the other email services are going over the same internet peering routes and are arriving that the same MTA for processing - no one can be certain of that.

For example, the MX for hotmail.co.uk is eur.olc.protection.outlook.com

Doing a DNS lookup for that returns a multitude of IP addresses...

Addresses: 52.101.68.9
52.101.68.28
52.101.68.26
52.101.68.19

Addresses: 52.101.68.4
52.101.73.9
52.101.73.17
52.101.73.5

Addresses: 52.101.68.1
52.101.68.9
52.101.73.29
52.101.68.38

Addresses: 52.101.68.24
52.101.73.14
52.101.73.31
52.101.68.13

Addresses: 52.101.68.9
52.101.73.3
52.101.73.23
52.101.68.19

There is a venerable farm of servers running what appears to be a single service.  Would not take too much effort for some to be configured inconsistently, possibly not accessible over some peering routes from some providers.

What works some of the time should work all of the time for a constant input.  I think that we can be assured that Plusnet is not being variable around what is being sent out ... so one has to conclude that Microsoft is being variable in how it is processing what is coming in.

It would be really great if one could identify a use case where IF...

1. I send from this email address
2. Using this email client
3. To this / these addressee(s)
4. I ALWAYS encounter a failure

Until there is a water tight use case for which (4) is the outcome, we are looking at logical explanations for the perceived experience.  If 1, 2 and 3 are constant and 4 is variable ... then logic really does point to inconsistency within (4).

Changing (1) and not getting (4) does not really prove anything in the absence of being assured that the routing to the other service hits the same mail processing servers.

One should not confuse a service with servers, even though the terms are used interchangeably.  A service is generally delivered using a farm of individual servers, built individually, one hopes to the same configuration, none of them having faults, within themselves or their connectivity.

---

@Townman wrote:
...

It would be really great if one could identify a use case where IF...

1. I send from this email address
2. Using this email client
3. To this / these addressee(s)
4. I ALWAYS encounter a failure

Until there is a water tight use case for which (4) is the outcome...

---

Umm, have I not posted several times now that IF:

1. I send from [name]@[myAccountName].plus.com
2. Using Outlook 2016 (from Office 2016 Pro Plus v2506)
3. To [name]@live.com and [name]@outlook.com, i.e. I put both of those addresses in the 'To' field at the same time
4. I ALWAYS encounter a failure, the two bounces I get always say 'Dkim=fail'

Or is that not what you mean?

This I feel the need to challenge, because we can reliably send emails from gmail.com and <company domain>.co.uk
we do not get any rejections regardless of the types or numbers of destination including to any type of Microsoft emails.

I appreciate that scepticism. However ,as I've said previously , I see dmarc aggregate reports from Microsoft for other domains. , they often have dkim 'temperror' failures. If you were to look at dmarc reports for your company domain you would likely see similar. For domains not classed as bulk senders ( by Microsoft) mail is still accepted because they allow either dkim or SPF to fail. For a domain classed as a bulk sender the Microsoft insist that both dkim & SPF must pass!!+

I appreciate all of your continued time and attention on this matter.

Our multi destination email failure rate to Microsoft addresses continues at 100% via Plusnet
and perhaps that is worth a few observations...

I wonder if there is a problem with the configuration of our Plusnet account mainly
because I repeatedly see KEYLINE.PLUS.COM  reported in the DKIM rejection files.

"KEYLINE" is an old account opened around 2004 initially as an 512/256 ADSL fixed speed connection.

KEYLINE became an eMail only A/C around early 2018 after Virgin Media offered a new 100Mbps service via RFoG.

As there is still no FTTC or FTTP in our street from Openreach - we remain unable to return to Plusnet / BT / EE.

I did offer to pay to keep the Plusnet emails alive but that was repeatedly declined.

So the crunch is our account is 20+ year old and perhaps it is a very unloved account,
could it be our configuration lacks something critical that other active Plusnet broadband accounts have ?

I am very happy to migrate to Greenby and back to a funded email service.

But it has to work without the current failures to Microsoft and latterly sending single emails to Talk Talk & Tiscali fails too.


Philip

Phillip,

Is the 100% failure to the same email addresses?

Does sending to single addressee also fail?

Do these emails have a specific reply to address?  Is it the same as the sending domain?

The age of the mailbox is not likely to have any material concern.

For the avoidance of doubt, is your connection to the SMTP server authenticated?  I’m presuming that given you are a business, you are not connected to Plusnet’s network.

Again clutching at straws, are you sending from the default mailbox or a secondary mailbox?

@plusnettony 

Is there anything you can think of which might explain the reported experience, which we have missed?  Is there sufficient information here to look at the mail logs which would be helpful?

When we send to our customers there are typically 5 or 6 email destinations and it is
the same trustees with Microsoft accounts repeatedly failing to deliver.

As a test, I just sent a single email just to my son, he has hotmail.co.uk account and in 15+ mins I have not had a rejection so it looks to have delivered.  He is on business in Italy, so I do expect any reply.

We do not set a Reply address.

Using Reply writes back to the originator in the normal manner.  


For all our email accounts we connect to all SMTP servers with same credentials as for the POP3 / IMAP server
and we send via SMTP via port 465 to be 100% sure of using encryption.  

The single email message to my son's hotmail.co.uk worked & his unexpected reply came back to me.

Really odd then.

Not a 100% failure.

Starts to play into the space of playing “games” with emails which look as though they are from a mailing list with no unsubscribe option.

Sorry I think I’ve asked, but I’m down the pub on the phone and it’s easier to ask again than look: are the addressees TO or bcc’d?  The latter wound hide from the hotmail service that you are sending to multiple addressees.

Reading Microsoft’s bulk sender “rule book” it is not clear at what point they will enforce the use of unsubscribe links.

A key consideration of this working from elsewhere is the scope of the bulk sender assessment.

Hope Tony has some insight,

The email did work when a single Microsoft destination is involved, that was the case that is noted as being resolved.

Our emails addresses are always in the To:     

We are writing the a body of charity trustees and they are all required to read / review / approve  the materials.

If BCC was used that would be of no use, the trustees would not be able to Reply openly sharing their comments or approvals.

Regarding the bulk sender, we are not a bulk sender perhaps averaging 5 emails a week per trustee body, these are emails about property management or repairs or residents, almost never have any links, only a very simple text signature with Name and Contact details, may have small word documents or occasional images of items in need of repair.

I am not getting back rejections about spam / bulk sending & I did not think that was the use of DKIM.

Regarding Unsubscribe from trustee emails, the only practical option is to resign as a trustee,
processing these emails / documents is the trustees main job, delivering the material to the trustees is our job
& what we are paid to do.  Hence it remans a concern that what has worked so well for man years is not a problem.