
Addressing Microsoft Mail Flow Issues to Third Party Accounts

April 3, 2024
Mail Providers

Introduction

Microsoft notification pushed to admin's Outlook

Microsoft issued an advisory (EX765789) affecting Exchange Online users: "Ensure your email authentication records are set up to avoid mail flow issues to third-party email accounts". Emails to some third-party providers are failing, showing a "550 5.0.350 Remote server returned an error -> 554 Message not allowed" error. This stems from tighter security by these providers, now requiring domains to have a DMARC policy (even if it is p=none initially) as well as DKIM and SPF authentication to combat spam and malicious emails. The issue started on April 3, 2024, at 10:26 GMT+13, with ongoing investigations.

Key Takeaways

  • Issue Impact: Failure to authenticate emails with DKIM and SPF, or the lack of any valid DMARC record, may lead to undelivered messages and NDRs.
  • Who's Affected: Organizations using Exchange Online, especially those sending bulk emails to third-party providers.
  • Required Action: Verify your DKIM, SPF, and DMARC setup. If your emails are not failing, you're likely unaffected. However, it's prudent to ensure you have DMARC set up and to review its reports.

Diagnostic Steps

  • Check Your Setup: Ensure your mail services have SPF and DKIM correctly configured. If you have a DMARC reporting service like VerifyDMARC, check there first, as it will tell you whether these are set up correctly for each mail service.
  • Set Up DMARC: If your domain does not have a valid DMARC record, set one up immediately.
  • Check DKIM Setup: Microsoft admins can check that DKIM is enabled correctly for each domain here: https://aka.ms/diagdkim

Our Take

We think advisory EX765789 could provide clearer advice. While it doesn't name a particular provider, it should note that Google now requires senders who send 5,000 or more messages per day to have a DMARC record set up for their domain, even if it is not set to an enforcement action (p=none), as well as valid SPF and DKIM setup.

Google Email Sender Guidelines

Bare minimum DMARC record

To set up DMARC in a pinch without any enforcement action or reporting, add this TXT record in your domain's DNS manager:

Hostname: _dmarc.yourdomain.com

Type: TXT

Value: v=DMARC1; p=none;
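
To confirm that what you published at _dmarc.yourdomain.com is a record receivers will accept, the following added example (not part of Microsoft's advisory or VerifyDMARC's tooling) checks TXT strings, such as those printed by `dig +short TXT _dmarc.yourdomain.com`, against the basic RFC 7489 rules. The function names and sample records are constructed for illustration, and each record is assumed to be a single TXT string.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into a list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' in 'v=DMARC1; p=none;'
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt_records):
    """Return (ok, detail) for the TXT strings found at _dmarc.<domain>."""
    # dig prints TXT strings in double quotes, so strip them first.
    cleaned = [r.strip().strip('"') for r in txt_records]
    # Only strings that start with the version tag count as DMARC records.
    dmarc = [r for r in cleaned if re.match(r"v\s*=\s*DMARC1\s*(;|$)", r)]
    if not dmarc:
        return False, "no DMARC record found"
    if len(dmarc) > 1:
        return False, "multiple DMARC records, so receivers apply none"
    try:
        tags = dict(parse_tags(dmarc[0]))
    except ValueError as exc:
        return False, str(exc)
    policy = tags.get("p")
    if policy is None:
        return False, "missing required p= tag"
    if policy.lower() not in VALID_POLICIES:
        return False, f"invalid policy p={policy}"
    return True, f"valid record, p={policy.lower()}"

# Constructed sample answers, not real lookups.
SAMPLES = {
    "bare minimum": ['"v=DMARC1; p=none;"'],
    "duplicate": ['"v=DMARC1; p=none;"', '"v=DMARC1; p=reject;"'],
    "bad policy": ['"v=DMARC1; p=monitor;"'],
    "wrong record": ['"v=spf1 include:spf.protection.outlook.com -all"'],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(f"{name}: {check_dmarc(records)}")
```
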

For visibility of mail source SPF and DKIM compliance, sign up for a free trial of VerifyDMARC and use our DNS record generator to start collecting actionable insights.

How VerifyDMARC helps you identify compliance

Summary

This advisory underscores the importance of proper email authentication practices. As an MSP or IT team, ensuring your organization's email traffic complies with the latest security requirements is not just about preventing attacks; it's also about email deliverability.

For those looking to navigate these changes with ease, our DMARC reporting offers a streamlined solution to manage and monitor your email authentication effectively. It shows you at a glance if SPF and DKIM are set up correctly and aligned for DMARC. Sign up for a free trial to get DMARC set up quickly and get emails delivering to inboxes.
