Looks like you are probably sending from a domain email address, and you have no SPF record ( in fact a DNS lookup is failing for your domain ) or DKIM. Hence outlook.com is thus treating it as spam.

I have an SPF record. They appear to have a DNS lookup problem, or perhaps too short a time out.

Seems its not an uncommon problem https://techcommunity.microsoft.com/t5/outlook/received-spf-temperror-protection-outlook-com-error-i...

Hi Ken,

---

@kjpetrie wrote:

I had previously used the PN relay on the basis an ISP's server would be more reputable than a private one on a customer's line. It seems that has now changed with the requirement for evermore rigid verification schemes.

---

Is that really the right conclusion here?  From your headers (which alludes to the linked to article) ...

Received-SPF: TempError (protection.outlook.com: error in processing during
 lookup of redacted: DNS Timeout)

Is this really anything to do with an ISP's server's reputation or more probably just failures within Microsoft's infrastructure?

DNS timeouts are nothing to do with the ISP's server's reputation, but everything to do with the receiving service's infrastructure and configuration.  There is a possibility that MS's DNS services were (are ?) subject to DOS attacks which can render unpredictable DNS performance.

The linked to article references a large number of .au TLDs being blighted by this issue - I trust that you are not suggesting that all those services in .au land are less "reputable" that a private one?

One of the posts on there suggested that different outcomes were being experienced depending on if the sending server was using IPv6 or IPv4, the latter being more "reliable".  Running your own service on a Plusnet line assures that you will be seen as IPv4 ... could that contribute to the better experience?

The SPF lookup timeout proved to be a red herring. The real problem as I have established by experimentation sending mail to my own Outlook account, is that Outlook seems to treat any message without valid DKIM as spam and dumps it in the recipient's Junk folder. Since I was sending from my own domain through a third party's (PN's) server I could not control DKIM and therefore could not pass DKIM. The fact PN's server as a known provider should be more reputable than one on a customer's IP (as most spambots would be) has insufficient weight to overcome that action and the only way I could set up DKIM for my own domains was to use my own servers.

In fact, in order to achieve a DMARC pass for all three domains I have had to set up three separate instances of Postfix to get the Envelope From to match the Header From because Postfix seems to set the former at start-up rather than submission. That's arguably correct if we think of the Envelope From as equivalent to a Postmark and the Header From as the sender's letterhead.

My mail now passes both DKIM and DMARC in addition to SPF and goes to the user's Inbox rather than Junk so companies like BG and Ofgem are getting my mail again.

That's what matters to me as the sender.

One of DKIM or SPF should be sufficient.

• @account.plus.com has DKIM
• @yourowndomain.co.uk hosted on Plusnet (NS with Plusnet) can have SPF - there is a means of injecting the TXT record documented around this forum
• @yourowndomain.co.uk using a DNS elsewhere but sending via Plusnet's SMTP server can have a SPF record set up as documented around this forum

Out of your experience, are you of the opinion that Outlook has now become totally draconian requiring BOTH DKIM and SPF?

I just ran a test sending from my hosted domain to my Outlook mailbox and encountered no issues - SPF=pass, DKIM=none (fail).

Authentication-Results: spf=pass (sender IP is 84.93.230.244)
 smtp.mailfrom=<redacted>.me.uk; dkim=none (message not signed)
 header.d=none;dmarc=bestguesspass action=none
 header.from=<redacted>.me.uk;compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of <redacted>.me.uk
 designates 84.93.230.244 as permitted sender)
 receiver=protection.outlook.com; client-ip=84.93.230.244;
 helo=avasout-ptp-003.plus.net; pr=C

Without DKIM I would get:

Authentication-Results: spf=pass (sender IP is 84.92.47.176)
 smtp.mailfrom=<redacted>.org; dkim=none (message not signed)
 header.d=none;dmarc=permerror action=none
 header.from=<redacted>.co.uk;compauth=fail reason=001
Received-SPF: Pass (protection.outlook.com: domain of <redacted>.org designates
 84.92.47.176 as permitted sender) receiver=protection.outlook.com;
 client-ip=84.92.47.176; helo=<redacted>.co.uk; pr=C

.... many irrelevant lines...

X-Microsoft-Antispam-Mailbox-Delivery:
    ucf:0;jmr:0;ex:0;psp:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(5062000305)(920221119095)(90000117)(920221120095)(90005022)(91005020)(91035115)(9050020)(9100341)(944500132)(2008001134)(2008121020)(4810010)(4910033)(9610028)(9560006)(10180021)(9320005)(9245025)(120001);RF:JunkEmail;

The body was:

"Hallo,

Just testing, so sending this message of a sensible length as a test to
see whether all goes well. I do not expect it to reach my inbox but we
shall see."

So SPF wasn't enough in that case.

Does the following difference offer any insight?

You...

 header.d=none;dmarc=permerror action=none
 header.from=<redacted>.co.uk;compauth=fail reason=001

Me...

 header.d=none;dmarc=bestguesspass action=none
 header.from=<redacted>.me.uk;compauth=pass reason=109

TBH I do not know where DMARC enters into the equation, but I get "bestguesspass" whereas you get "permerror".  Also I get compauth pass, whereas you get a fail.

Is your connection to the Plusnet SMTP server authenticated?  It is not essential if you are connected to the network, but if you are, it adds weight to being a proven user.

I have no idea why the dmarc was different. I had no DMARC record at the time that was sent; I didn't even have a DKIM record.

I suspect there's an element of machine learning involved - the more it's used to accepting mail from a particular source the more it is likely to do so, and vice versa, but who knows? I did run another test a few minutes ago sending  through the PN server with exactly the same configuration and this time it was accepted, so I think the fact I've set things up to pass more tests and it's accepted lots of my mail as legitimate has got it into the habit of accepting what it previously was in the habit of dumping into Junk, even when those credentials are not provided.

Perhaps it's a bit like a credit rating - if you've never had a loan it's hard to get one because you have no record.

In fact, MS do advise their users to mark wanted mail as "not spam" to teach the system, so that does suggest it learns what to do. Of course, that assumes users check their Junk folders, which businesses redistributing the Inbox to various departments won't do.

what's really going wrong here, I think, is that tools developed for the consumer/personal market are now being adopted by business to save having their own IT people setting up servers, and they're not designed for business needs.

This looks like it might give some clue https://support.clickdimensions.com/hc/en-us/articles/360042239312-Implicit-Authentication-for-Micro...

Interesting!  That leads to soup to nuts here - Anti-spam message headers | Microsoft Learn

Reason Codes

• 001: The message failed implicit authentication (compauth=fail). This result means that the sending domain didn't have email authentication records published, or if they did, they had a weaker failure policy (SPF ~all or ?all, or a DMARC policy of p=none).
• 1xx or 7xx: The message passed authentication (compauth=pass). The last two digits are internal codes used by Microsoft 365.

It is not clear to me how I get Implicit Authentication, but @kjpetrie does not.  The following is my SPF configuration:

"v=spf1 a mx include:_spf-internal.plus.net include:_spf-internal2.plus.net ~all"

As I read the above, that SPF should get me a 001 [as it is "a weaker failure policy (SPF ~all ..."] not a 109 pass, due to soft fail and no DMARC record (p=none).

However, this seems murky to me...

• bestguesspass: Indicates that no DMARC TXT record exists for the domain exists. If the domain had a DMARC TXT record, the DMARC check for the message would have passed.

I wonder what criteria beings about the assessment that something which does not exist, if it did exist would have created a good outcome.  Is this the email / spam management implementation of Schrödinger's cat syndrome (the DMARC record is not there, but be deemed valid if it were regardless of its absence)?

Black arts space this, but I am not complaining that it works!

It looks as if MS have quietly merged Outlook.com with Office 365, thus extending the policy to all mail they receive, but there does seem to be a bit of heuristics involved as well, just to fuzz the edges a bit. I do now have a DMARC policy, but it's currently none, though it looks as if I need to up it to reject if things are to keep working in the future.

Good find, MisterW. That explains something of what's going on and confirms that in general DKIM verification is needed, but DKIM can only be set up for a domain if the domain owner also controls the MTA and can configure it to sign mail with the domain's key, so private people with their own domain can't use it if they use a third party server, and DMARC requires Envelope and Header Froms to match, so can't be used with a third party server at all.

The key differences between personal and corporate recipients is people generally have a good idea who their friends are and usually don't want mail from people they don't know, whereas companies want the general public to contact them because they're prospective customers. They don't want people blocked because they're unknown because that's blocking initial contact. They would want other techniques to reduce spam, like content analysis or origins on blocklists. So tools designed for one won't work for the other.

I wonder how long it will be before they realise their 'cheap' solution to e-mail is actually losing them business?

As for establishing whether DMARC would pass, that's easy: DMARC passes if SPF and DKIM both pass and Header and Envelope Senders match. Since Outlook already has that information it can calculate the result and set the policy to its default without needing the DMARC record. The DMARC record exists to suggest other policies for failures, which the recipient is free to use or ignore.

"As for establishing whether DMARC would pass, that's easy: DMARC passes if SPF and DKIM both pass and Header and Envelope Senders match. Since Outlook already has that information it can calculate the result and set the policy to its default without needing the DMARC record. The DMARC record exists to suggest other policies for failures, which the recipient is free to use or ignore."

That then makes me wonder how you@account.plus.com or me@mydomain.co.uk can every get stuff into Outlook from relay.plus.net without a DMARC record:

• you@youraccount.plus.com has DKIM but not SPF so both cannot pass
• me@mydomain.co.uk as hosted on Plusnet has (can have) SPF but not DKIM so similarly cannot pass both

Therefore the presumption stated above is not capable of being fulfilled to reach a best guess pass - the best that might be achieved is SPF or DKIM pass with header and Envelope Senders matching.  The later part of that leads me to think about testing "send on behalf of" aka an alternate identity!

The option of the receiver to ignore DMARC then is very similar to SPF which if even checked by the receiver might still be ignored.