Emails To Outlook.com Rejected By Faulty Or Overzealous Blocking Rules

Microsoft spent much of the past week rejecting legitimate emails sent to Outlook.com, Live, and Hotmail accounts due to what appears to be overly aggressive IP reputation filtering or faulty blocklist rules. According to The Register, many senders received 550 errors claiming their networks were blocked, preventing delivery of invoices, notifications, and authentication emails. From the report: A block list is a good thing. It helps stem the flow of spam from networks or addresses associated with junk email. However, the confusing thing for our reader is that his company was not on Microsoft's naughty step for email. A look at Microsoft's Smart Network Data Service (SNDS) showed no issues with the IP. "We're also a member of their JMRP (Junk Mail Reporting Program)," our reader added, "which is intended to inform us when people are reporting spam sent from our IPs - except, we never get any reports."

The problem worsened in February. On Microsoft's support forums, users began to complain about similar issues as the IP net presumably widened. One wrote: "We are currently experiencing a critical and recurring email delivery issue affecting recipients at outlook.com, live.com, hotmail.com, and msn.com," and provided a copy of an error that suggested the mail server has been "temporarily rate limited due to IP reputation." The user drily noted, "Although the error indicates rate limiting, in practice no emails are being delivered."

A large number of users, ranging from the administrator of a server sending automated notifications on behalf of Estonian Public Libraries to an email provider for healthcare professionals, chimed in to confirm they too were having delivery problems and Microsoft support was not helpful. [...] Unsurprisingly, our reader spoke on condition of anonymity - nobody wants to be the ISP that has to say, "Yeah, we can deliver your email anywhere but Outlook.com" to customers. We asked Microsoft to comment, but other than acknowledging our questions, the company did not respond further.

comcast

[groobly]

Comcast routinely blocks emails to me from legitimate sources. All these guys are super paranoid because they don't want a big news story that they allowed a billion dollar hack, not to mention the lawsuits.

Re:

[taustin]

Remember Roadrunner? They used to - regularly - both their own servers.

Some people should not be allowed to play with email servers.

Re:

[taustin]

Block their own servers. Sigh.

What if there was an email system spammers hated?

[shanen]

So y'all don't like Comcast? Or is that just collateral hatred of Microsoft? Time for funny?

I categorize my various email accounts by the quality and quantity of spam each one receives. Microsoft is #1 for sex spam, whereas Gmail dominates the fishing crapola, and also wins the volume of flatulence award. And now the google wants to sell me more storage for the garbage that has accumulated? (Is it worth an Ask Slashdot about memory management of google accounts?)

But if we can't solve such a visible and long

Re:

[shanen]

*sigh*

s/fishing/phishing/

Doesn't shock me.

[jd]

Frankly, most email providers do a really really bad job of things. I used to run my own email server, simply because I couldf do a better job even after finishing a bottle of mead than any of the providers out there could do with "highly trained" chipmunks. I probably still could.

Re:

[HiThere]

Maybe, but they'd refuse to forward your messages.

Re:

[Archfeld]

Not chipmunks anymore, thats the problem. They are currently heavily inbred gerbils.

Re:

[jd]

I was afraid of that. Still, it's an improvement over IBM's early electronic mail, which used Josephoartigasia Monesi.

Re:

[azander]

From a ESP (Email Service Provider) standpoint part of the issue is the recipients.

ESP wants to block all of auickbooks@notification.intuit.com because of all the phishing scams, but they can't. Users "need" (I disagree) it because they have multiple vendors who send out their invoices using that exact same address. So these phishing emails get through because someone "needs" their vendors (possibly intentionally) insecure server emailed invoice.

Come on people! Why aren't the vendors using their own emai

Using Microsoft ...

[Anonymous Coward]

.... and you have problems?

You must be new here!

--
You have the right to remain stupid. Doesn't make it a good idea!

Let me guess . . .

[UnknowingFool]

Microsoft entrusted their Outlook settings to Copilot

What actually happened?

[Murdoch5]

First let's acknowledge this hilarious statement: "chimed in to confirm they too were having delivery problems and Microsoft support was not helpful", Microsoft support is useless.

On a serious note, what could they have actually screwed up? Anyone who has administrated an email server, knows all too well, the massive headaches that filtering services cause, that DNS errors cause, that configuration issue causes, and so on. Administering email is a truly terrible, annoying, difficult, rage inducing cluster bleep.

At one company, ~10 years ago, out of nowhere, all our emails to any Yahoo address, went to spam. Our IP reputation was excellent, we had no black marks, weren't on any black lists, and the DNS was correctly configured. The issue ended up being the SPF record in the DNS, and it wasn't wrong, Yahoo just decided, out of nowhere, to reject reading it properly. The fight I had with Yahoo over that issue, lasted weeks, and they kept doubling down that my DNS configuration was wrong. Finally, after reaching who I have to assume was a 70-year-old grey beard, Unix master, he had us email him, and confirmed the parsing engine was configured incorrectly on their side. In 99.99X% of cases it didn't matter, but, we had a secure SPF configuration and the parser tripped up reading it, forcing all our emails to spam.

I'm actually interested to know exactly what went wrong here. It is probably the dumbest possible reason, and out of Microsoft's hands, even at their scale. Email is such a broken global system, that it is remarkable it works at all, and it really doesn't, it's just failing correctly most of the time.

Re:

[drinkypoo]

I'm actually interested to know exactly what went wrong here. It is probably the dumbest possible reason, and out of Microsoft's hands, even at their scale.

It's not impossible, but since Microsoft has fucked up email delivery to themselves by themselves before, the safest assumption is that it's happened again.

Re:

[oldgraybeard]

Not hard! Microsoft put standard rules in place, but forgot to exempt themselves! Most of the spam I get comes from Outlook.com and Google calendars.

Re: What actually happened?

[whoever57]

Microsoft has problems delivering to itself. My company uses Microsoft for email and we have an SPF record that includes the correct Microsoft records, but I get RUA reports that show failed SPF when delivering to another Microsoft "tenant".

Microsoft appears to have different delivery mechanism when delivering to itself, but these are not included in their SPF records

Re:

[Murdoch5]

They certainly could have fired a riffled into the bottom of the boat, but with email, they could have been duck hunting and the trigger changed the firing direction. Usually, I'm hard on Microsoft, but with this, I'm willing to give them the benefit of the doubt.

I've even seen dumb stuff like a company incorrectly flagging an IP, which happened to my current company 6 years ago. I don't remember the name of the offending company, but, they insisted our IP was the bad one, and it was back and forth with

Re:

[tzanger]

Google is like this - their anti spam tools are only available if you *are* sending UCE. The small private domains sending a few hundred to a few thousand emails to gmail addresses annually cannot get access to them.

I have all the things set right: DKIM, DMARC, SPF, IP is in a "good neighbourhood", all the blackhole lists show my IP as clear, yet sending "hey, nice meeting you today, here's my email, looking forward to speaking with you again" type emails to a new gmail address almost always end up in their

Re:What actually happened?

[Murdoch5]

I bet your DNS is correct, that's the most annoying part of it. The first thing everyone blames is DNS, which is fair because it's DNS, and DNS will DNS (yes, I just used it as a verb). When your DNS isn't wrong, and you stop doubting yourself, you can't go anywhere really. You might hit a home run and find out company X blacklisted your IP, so you can get it cleaned up, but outside of that, you can't do anything.

When I was a coop student for a small local IT company, 15 years ago, I remember we had an email issue. My boss, JP, asked me to look into it, but, "It was not a DNS issue.". After a week of trying to hunt it down, I was sure it was a DNS issue, and I asked JP to provide me with access to the Bind server, so I could fix it. The laugh he let out, followed be: "No! You're not touching the DNS, you can only make the problem worse.". The problem was a configuration error from Zimbra (our server) to a Black Berry Enterprise something or other.

Re:

[tzanger]

I'm not sure what it could be -- every testing/checking tool I can find online passes it (and I learned a lot from that, including removing old cyphers), the banners/HELO etc are largely anonymized, yet by and large Google says "yeah nah" to the first few new emails to a new gmail address.

It'd be fantastic if they had a test page where you could send them an email or click a "start test" button and it'd go through and check everything that *THEY* look for, but it feels like they don't have a vested interest

Re:

[McLoud]

Meta does the same to automated whatsapp messaging, you can get blocked even with their test page. One might need to send just very few messages in the first *months* of assigning a number to a automated token to have any hope to not get blocked again

Not today

[Iamthecheese]

On this day of all days, you come to Microsoft and ask that we filter less email. Less. After all the years we have spent building the walls that keep the digital barbarians from trampling your inbox. Do you think the internet is a quiet village street? It is a storm of malware and counterfeit princes waving poisoned links. And the day we unveil machines that can detect deception and separate signal from noise at planetary scale you come before us and ask that the gates be opened wider. You come here, to m

Re:

[VampireByte]

Thank you for your service.

Soon "e-mail" will only be between two ..

[ccr]

.. of the largest providers, aka Gmail and MS (Outlook/Hotmail/whatever domains they have). Maybe Protonmail too, if you are lucky.

Microslop has been blocking wide network ranges for a long time, and probably for good reasons too.. The problem is that there are almost no mitigations. My own server ended up on such blocked range some years ago and trying to rectify it was like talking to a stone wall.

Re:

[PPH]

It's the Walled Garden V2.0. MSN was created when Microsoft figured that they'd scrape up all of AOL/CompuServe/misc business. That didn't work out so well. Now it's inside/outside the castle walls.

The problem is that there are almost no mitigations.

I don't know about Microsoft. But this is the case for GMail. If you are on the inside, you can mail back and forth based upon your "reputation". Problem is: It's too easy to get a GMail address and spam the world. How do they know that someone is not a deposed Nigerian official with funds to move?

Re: Soon "e-mail" will only be between two ..

[jddj]

I agree. This has been going on for years. And there's just no talking to them.

I run a well-secured mail server, don't send spam, eventually had to forward through AWS SES, have working SPF, DKIM, DMARC and sometimes _still_ get 550.

I think they want to push you into a program where they get paid.

What do you want to bet...

[devslash0]

that it's got something to do with AI-generated code?

Re:

[UnknowingFool]

Code? [sarcasm] That is thinking small. Companies need to leverage Copilot to all aspects of the business like settings, processes, decisions, etc. What could go wrong?[/sarcasm]

Just one week?

[tokul]

If you run email servers, you would know how those muppets interpret DMARC and that they break forwarding since at least May 2025.

Outlook for years believed all Yahoo email is spam

[Zontar_Thing_From_Ve]

I have an old Yahoo email address. Why is it not Gmail? Well, I have one of those too, but at the time I got the Yahoo email address, Google limited who got Gmail addresses and it took a while to get one. Yes, it was like 30+ years ago. For years now, on the rare occasions that I need to send email to someone at outlook.com or hotmail.com, I find out that almost every time my email from Yahoo is marked as spam. Usually I have to follow up with the recipient and ask them to check their spam folder for my message. So not really surprised at this article.

Happened to the company I work for

[Coolfish]

Two weeks ago, our emails to Microslop servers started to get blocked. M$ was utterly useless. SendGrid told us that this was happening to a lot of people. Took a few days fighting with M$ support before they finally fixed it for us (with a warning that if we didn't play nice, it could happen again. Our email reputation is like 99.99%) Amazing that they still haven't resolved the issue.

Not news to me

[jenningsthecat]

For a few years now I've found that Microsoft-controlled email addresses frequently bounce emails that I send from my own domain via my hosting provider. I'd be suspicious of my hosting provider's diligence in rooting out spam activity, if it weren't for the fact that I only ever get bounce-backs from Microsoft email addresses.

Replacing this PoS protocol from the steam age ...

[Qbertino]

... is _soooo_ overdue. Can't we just build an alternative to E-Mail already? Seriously, "outdated" is a serious understatement. Let's redo DNS while we're at it, that shit is 2-3 decades overdue for a reimplementation as well.

Hard asymetric encryption, digisig, OIDC Ident/Auth/Auth with anonymous true identity tokes, etc. This isn't rocket science, we know what needs to be done we just need to effing do it already.

Re:Replacing this PoS protocol from the steam age

[Arrogant-Bastard]

Just an offhand question: have you ever tried to design, build, test, and deploy a replacement protocol for anything that's widely used on the Internet?

Hint: it's very easy to rant about. I do it all the time. It is fiendishly difficult to actually do, which I've done once, on the same day that everyone else did in 1983. Note that "everyone else" was a vastly smaller set of people than it is today.

MS is the worst...

[MechanicJay]

MTA to try to deliver mail to.

I frequently have to fill out a form to try to get my mail server's IP off their naughty list. And in every case it's been, "Hey your IP is kinda close to someone else's that was naughty". Really? In world of exhausted ipv4 allocations, when I get to rent a single IP from my VPS provider, you're going to play that game? Give me a break.

Most recently, I had to give up on IPV6 all together has SpamHaus has decided that blocking entire ipv6 /64 networks is the correct course

Wow

[Anachronous Coward]

I wondered why the usual deluge of spam to my ancient Hotmail account slowed to a trickle recently. I figured the spammer had died.

Re:

[toddestan]

I also noticed that the nearly useless Microsoft spam filters have recently started catching at least some of the most obvious spam. Looks like that's going to come to an end soon.

If only it was treated as spam

[Midnight Thunder]

We've run into this misery and had to spend vast amount of hours trying to find solutions. Heck, even legitimate SendGrid emails end up being blocked.

The main issue is Microsoft doesn't even treat these emails as spam, for the user to decide, but instead just sends them into the void.

I've been forced to move off outlook.com

[ianbnet]

I cannot forward receipts from my retro-sexy @hotmail email to @expensify. Outlook informs me that the recipient server has rejected the email for spam policies. Except, it's not the recipient server - it's an intermediary system in outlook.

This was the last straw. Emails that never arrive in either direction, false positives constantly. After 30 years I've started to ditch my hotmail/outlook/live email across the board because they just. don't. work.

And Microsoft won't acknowledge or fix the problem. That's the infuriating part. They just seem to pretend it doesn't exist.

Re:

[wurtel]

If you use a forwarding rule to forward emails sent to your hotmail address, then the sender is still the original address and the final recipient server will reject the email because it doesn't comply with the SPF rules on that original address (i.e. that SPF record doesn't include the hotmail servers).

You state it's an intermediary server in outlook that gives the error: that's correct, that server is talking to the expensify server which rejects the email, so the error is reported by the intermediate.

Re:

[tokul]

Use other forward variant. Muppets can't forward DKIM signed emails without breaking signature.

There's a great irony here...

[Arrogant-Bastard]

Microsoft and Google are now 1-2/2-1 in terms of the absolute numbers and relative percentages of spam/phish/etc. traffic that show up across all the mail servers that I run. Nobody else is even close.

Which means (a) they're doing a terrible job of accurately filtering their inbound traffic and (b) they're doing an even worse job of filtering outbound traffic. And they're doing this despite having more computing resources, more money, and more people than anyone else.

This is not new...

[DewDude]

They've been actively blocking entire ASNs for a while.

My email server bounces anything from them in return. Why would I handle email from microsoft users who won't get mine because I won't let ms host my email?

Chronic problem

[david.emery]

And of course, the response by the IT departments when I've complained to them about this (including universities and companies) was "We can't do anything about it." This is the fundamental problem with outsourcing. Organization disclaim any responsibility for what their contractor does (or does not) do on their behalf.

(My email's domain name is MUCH older than Microsoft.com)

GOOD! I want it worse!

[bussdriver]

I've had trouble with Outlook.com for decades. They blacklist whole IP blocks and to get off the list takes forever to get a human who removes you for a few months; then they put the IP back onto whatever gets the whole block banned again.

I hope they mess with a lot more people so something finally gets resolved. They don't even put you into junk automatically, just completely block blindly.

MS, or an RBL?

[Todd Knarr]

Is MS doing the blocking themselves, or is it an RBL that's doing it? And if an RBL, which one? The MS mail admins can answer those questions easily, and then affected senders can direct their attention to the appropriate target.

Happened to me too

[Vranitzky]

I manage a small email server with a few dozen domains, and about a month ago we had this very issue blocking all our mails. I had to redirect all outgoing emails to outlook and a few other micro$oft domains through a smarthost (and drove me crazy in the meantime, not to mention our customers). I can't wait for everyone to jump from windows to linux (or macOS, bsd, anything), so that they can die the horrible death they deserve!

make sure your SPF, DMARC and DKIM is correct

[wurtel]

Since a short while I've noticed that Microsoft / Outlook is blocking emails where you don't have a correct SPF, DMARC and DKIM configuration going.
Also DKIM needs to be policy "block" or "quarantine", "none" doesn't cut it.

This should only affect sending domains that send (or have sent) more than 5000 emails in a day. We got hit by this after sending out a newsletter (yes, opt-in list).

This policy is apparently quite recent.

Been fighting this for 4+ years

[Cigamit]

I have a small mail server I use for my open source projects. Very little email gets send out. We also own our own /24 hosted in a Datacenter. Microsoft randomly blocks our mail server, not because of its reputation, but because there is an IP "near but outside" our /24 that has a bad reputation. I have went 15 rounds with their Support department who is clueless. When you first report it, they check your subnet and say "we are not blocking any IP in this range" and close the ticket. You then have to

Many of the blocklists are crap

[whitroth]

For example, my emails to the CentOS mailing list on and off got blocked because of a blocklist. "Oh, too many spam come from that mailserver;'s IP".

Which made sense in the 1990s, with most ISPs being small. Now... I pay for hosting. My hosting provider hosts - I was told this by someone from tier 2 support - *millions* of domains. But sure, block all emails from that mailserver, that's sending mail from thousands of domans.

I had to pay more per month to get down to a mailserver that "only" sends out emails

Parity with Google

[radarskiy]

They're just trying to keep up with how badly Google treats non-Google mail.

Spam is fine

[protehnica]

Meanwhile the gambling spam I get from Firebase to my Hotmail address still reaches me at a rate of six emails per day.
The European Union should start fining these companies per volume of spam sent (and accepted).