Outlook.com and self-hosted email-servers

I have been running my own email-server for some time now. It started out of curiosity and went live after my hosting-provider got hacked several times and I then was sick of it. It’s not as hard as people make one believe when it’s just for a few email-addresses. Still I check the server every now and then.

The setup and what I do in between might be a separate blogpost (or actually several) but today I just want to write about one thing that nagged me really deeply and where the solution was pretty easy. I had to think about it when Rob Allen today wrote about DKIM, SPF and DMARC.

What happened

Whenever I wanted to send an email to an outlook.com (or outlook.de or hotmail.com) address, that email just didn’t get through. It was considered spam and I received some nice feedback in the mailserver-log:

550 5.7.1 Unfortunately, messages from [168.138.253.239] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [BN3NAM01FT059.eop-nam01.prod.protection.outlook.com]
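To see how often a server runs into this rejection, the mail log can be scanned for it. The following is an added example, not part of the original post; the Postfix-like log layout and the sample lines are constructed assumptions, and only the rejection wording and the frontend host name are taken from the message above.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the rejection text quoted above wherever the MTA embeds it in a log line.
OUTLOOK_BLOCK = re.compile(
    r"550 5\.7\.1 .*?messages from \[(?P<ip>[0-9A-Fa-f.:]+)\] weren['’]t sent\."
    r".*?block list \((?P<code>S\d+)\)"
    r"(?:.*\[(?P<frontend>[\w.-]+\.protection\.outlook\.com)\])?"
)

# Constructed sample lines (Postfix-like layout is an assumption); 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    "Jan 10 09:14:02 mail postfix/smtp[2211]: 4F1C2A0: to=<a@outlook.com>, status=bounced "
    "(host said: 550 5.7.1 Unfortunately, messages from [192.0.2.10] weren't sent. Please contact "
    "your Internet service provider since part of their network is on our block list (S3140). "
    "[BN3NAM01FT059.eop-nam01.prod.protection.outlook.com] (in reply to MAIL FROM command))",
    "Jan 10 09:15:31 mail postfix/smtp[2214]: 7A9E0B1: to=<b@hotmail.com>, status=bounced "
    "(host said: 550 5.7.1 Unfortunately, messages from [192.0.2.10] weren't sent. Please contact "
    "your Internet service provider since part of their network is on our block list (S3140).)",
    "Jan 10 09:20:45 mail postfix/smtp[2290]: 8B3D1C7: to=<c@example.org>, status=bounced "
    "(host said: 550 5.7.1 Relaying denied)",
    "Jan 10 09:21:10 mail postfix/smtp[2291]: 9C4E2D8: to=<d@example.net>, status=sent (250 2.0.0 OK)",
]


def find_outlook_blocks(lines):
    """Return {sending_ip: {"count", "codes", "frontends"}} for block-list rejections."""
    hits = defaultdict(lambda: {"count": 0, "codes": set(), "frontends": set()})
    for line in lines:
        m = OUTLOOK_BLOCK.search(line)
        if not m:
            continue  # other bounces (e.g. relaying denied) and deliveries are ignored
        try:
            ip = str(ipaddress.ip_address(m["ip"]))  # discard anything that is not a real address
        except ValueError:
            continue
        entry = hits[ip]
        entry["count"] += 1
        entry["codes"].add(m["code"])
        if m["frontend"]:  # the frontend host may be cut off in truncated log lines
            entry["frontends"].add(m["frontend"])
    return dict(hits)


if __name__ == "__main__":
    for ip, info in find_outlook_blocks(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} rejection(s), codes={sorted(info['codes'])}")
```

The sending IP and block code it reports are the details the support reply asks for (relevant IP addresses and specific error messages).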

As I run my mailserver on a DigitalOcean droplet I can imagine that the IP-range is on their radar. But completely blocking it?

There has to be a way around it. I mean, I can’t be the only one running a mailserver on a droplet. Can I? CAN I? 😱

Turned out I had to do a lot of searching the web. And at one point I found a blogpost that mentioned a form where one could enter the IP-address of the droplet and submit that to be removed from the block list.

So I submitted the IP of my server! 🎉

Just to almost immediately receive an email that said

Hi ,

Thanks for your patience while we investigated your request.

Below your IP address(es) and their status(es) are listed.

Not qualified for mitigation

xx.yy.zz.aa;

The IP(s) above do not qualify for mitigation.

Please note: This outcome indicates behavior that misses standards; please review Improving E-mail Deliverability into Windows Live white paper for helpful tips.

Still need help?

If you have additional questions, are still experiencing deliverability issues or want further investigation, please reply to this email with the following information and an advocate will respond to you via email.

Relevant IP addresses(es)
Detailed description of the problem you are having
specific error message(s)


Recommended actions and resources to improve your deliverability:

Maintaining or improving a good IP reputation requires vigilance and oversight with no fail-safe remedy. Please refer to this link for more information Outlook.com Postmaster


Thanks again,

Outlook.com Deliverability Support

Your service request number is 123456789 if you need it.

So. Looks like there is still something missing to make my email-address qualify for mitigation. After all they are talking about “behaviour that misses standards”.

I was at that point pretty fed up. I had implemented SPF, DKIM and DMARC; The server was not on a blacklist; The server uses TLS for sending and receiving emails; DNS entries including the reverse-DNS are all valid; Legal information is available at the vanity-domain*; almost all other providers (including Google) accept emails from that server: what makes Microsoft so special?

So another round of searching the interwebs.

And then, after quite some time and on the 3rd page of some obscure looking Microsoft Community Forum I found the answer to life, the universe and everything. And it wasn’t 42!

I got our server unblocked!

Follow the instructions here: https://blog.paranoidpenguin.net/2020/08/outlook-com-is-no-longer-blocking-my-mail-server/

Basically, fill out the support form here:

https://support.microsoft.com/en-us/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75

You will get an automated 'Not qualified for mitigation' email back. You need to then reply to this email with your arguments, and a human operator will then review your complaints and unblock your server.

🤦 Just answer to the automated reply email and present your arguments.

So I did that. In essence I sent them the

I had implemented SPF, DKIM and DMARC; The server was not on a blacklist; The server uses TLS for sending and receiving emails; DNS entries including the reverse-DNS are all valid; Legal information is available at the vanity-domain; almost all other providers (including Google) accept emails from that server: what makes Microsoft so special?

part, adding the question what else I had to do to make my server worthy of Microsoft considering accepting mail from it. I also added some snarky remarks about the links they have on various “help” pages that all lead to 404 pages…

And after less than 24 hours I received an email that they had implemented mitigation for my IP and that after 24 to 48 hours everything should work out.

So far it still does.

Hope this helps someone else along the way.

Oh. One note though. That just means that outlook.de et al are accepting your email. They might (and most certainly will) still end up in a SPAM folder when the serveradmin doesn’t un-SPAM the email-address. Whyever that is. If anyone has a hint of how to fix that, I’m happy to hear it!

*Having the legal information on the vanity-domain is a requirement for T-Online. Whenever their IT-department detects a new mailserver they manually check the legal information on the server (or the vanity domain) and if it is not there then they also do not accept emails. So make sure to have legal information available somewhere.