Not exactly on the same topic, but I think it's a good story. When my children were little we'd put them into summer camp. I would send an appointment with "something rather summer camp" from my @live account to my wife on her @hotmail account (you can tell the vintage of us by those, but anyhow). By then both of those were running on Exchange infra. I also had a b-dash@microsoft account at Microsoft which was was sure on Exchange, I wanted to block that time on that email. Well, I'd get these bizarre failures to deliver those calendar that were incomprehensible. I eventually tracked it to not liking "summer camp" in subject line. I changed it to "summer lamp" and they went through. !!! Because I was quite connected to Microsoft ecosystem, I was able to file this in proper raid/product studio repo and get it fixed (never sure of the exact reason though), but for years after that my children always went to "summer lamp" because it was funny that way.
Learned this the hard way. Sent maybe 50 outreach emails from the same domain handling transactional stuff (signup confirmations, notifications). Domain reputation tanked within a week and the transactional emails users actually needed started landing in spam.
The painful part is recovery. You can fix SPF/DKIM/DMARC in an hour but domain reputation takes weeks to rebuild. Microsoft's SNDS portal shows you almost nothing useful while you wait.
Set up the subdomain split from day one if you're a small SaaS. Costs nothing.
But that would mean that users will have easier time filtering out marketing emails! Which marketing department would want that? /s
Yeah, I wish all marketing email would be clearly flagged as marketing. My bank does this and for them, marketing emails are actually more important than transaction emails, because marketing is creating value for them, and transaction notifications are costing them and only create value for me.
You've got it - subdomains are sufficient (IIRC). Something like notifications.mycompany.com for the important stuff and news.mycompany.com for the more marketing stuff (and of course someone.else.entirely for the the cold email list "well, surely this one little list couldn't hurt" ... nah, who am I kidding, never use those)
subdomains are not sufficient, unfortunately. I think the instance I'm thinking of is technically web/https (chrome's site safety feature where you can specify a domain as 3rd party content- so when something gets flagged uour entire domain doesn't get blacklisted)- but it's much easier to just grab another domain
Yep, and no a subdomain does not suddenly insulate your sender reputation.
This BS is pedaled by the email tools who want you to have less friction setting up DNS when onboarding to their tool (less conflicts on a new subdomain).
If you just check the latest version of Google Postmaster Tools, you can see sends from your root domain and subdomain cross-polluting your reputation in Gmail. They aren't dumb.
Plenty of advice here, which I'm certain is well intended, but it feels like we're victim blaming here.
Things like "you cannot mix marketing and transactional email" are good advice, but they do nothing if you're using different subdomains but the same infrastructure (IP address) to send them out.
Microsoft is simply trying to squeeze smaller operators out of the market.
I run an open source project, we send out transaction emails from ome subdomain, and a newsletter to 50K+ subscribers once every 3 months.
I can't afford to pay for different/dedicated IO addresses for each. We use Scaleway for email delivery and it's constant trouble with two providers: qq.com who don't give a damn about non-chinese senders, and Microsoft, who are simply trying to break the ipen internet.
Before, we were on AWS SES. Guess what, we didn't even bother using different subdomains. We also didn't have dedicated IPs. Yet Microsoft did not block us because the sender IP was AWS.
It's pay to play, as simple as that.
Fortunately, we're an open source project, not a business. So when people reach out, I simply explain to them that they have chosen a mail provider that is openly hostile to small volunteer-run projects like us and that that choice has consequences. No emails for you.
IMHO we need to be more vocal about what's really going on here (the rent-seeking on the open internet by big tech), and less victim blaming (what about dns-sec).
Absolutely agreed. These two big corporate players with the biggest market-share are actively ruining the email ecosystem for their profit. I wish people would drop them and stop choosing them. Hopefully, the EU may soon do so.
My email server is permanently flagged as spam in SNDS. No way to unblock it. I've tried everything. Its not sending any marketing or automated emails.
Microsoft just wants you to use O365 and happily blocks a lot of smaller email senders. Not even gmail is that strict. They've only greylisted my server for a few months and then unblocked it fully.
Same experience here. I did everything right and could send email from my VPS to basically any other provider, except Microsoft. I had to give up and use the SMTP proxy provided by my VPS vendor to not have all my emails to @outlook.com or @hotmail.com end up in spam.
When it comes to email you have to be completely ... enthusiastic: "I was following all the best practices with SPF, SKIM, and DMARC."
DKIM. Obviously that was a typo on a forum but you cannot be complacent, ever.
You have missed out DNSSEC (nearly optional), SMTP-TLS and MTA-STS. Does your SPF record end with -all? Does your DMARC record have reporting addresses, does it have: "p=reject; sp=reject; adkim=s; aspf=s" in it?
I also suggest you send marketing emails from a sub domain or a separate domain or move your identity domain elsewhere. A cop out is getting someone else to send your stuff and I do not recommend that - it looks lax and trite.
I run a MS silver (its not Stirling and I'm not proud of it) partner. I recently shuffled our on prem to Exchange online, which at least saved a shit load of vRAM n vCPU on prem and horrendous Windows updates. I do insist on gatewaying all our SMTP via our on prem Exim n RSpamD n that. That means I get to decide where our mail goes and I also have a couple of Dovecots on prem.
I run rather a lot more mail systems than ours too. This works in the UK but I cannot comment on [elsewhere], for obvious reasons.
Been through this many times. Have no problems and then all of a sudden, servers get blocked, same misleading error message about it being temporary, same annoying auto response that "we cannot see anything wrong" and same opaque customer services that won't tell you anything.
They even have the cheek to link to a 15 year old guide on email best-practices, it is in equal parts awkward, annoying and incredibly shameful for a large organisation like MS. The fact that SNDS shows all greens seems to mean nothing and clearly they have been instructed not to engage in any conversation about why it is happening and the fact these are servers that are linked to a well-known business with static IPs that have been in use for over 3 years.
The best I can work out is the use of heuristic mail filters that detect anomolies for whatever reason they feel like. Too much email, not enough email, email sending rates that are too erratic, basically what 99.9% of email servers in the world are doing and they decide to block you. I could live with "rate limited" and I could live with "temporary" because I would disable the servers once they got blocked but nope. Just more "we don't give a shit" attitude from Microsoft.
Sadly, I had to accept the inevitable which I had avoided for many years and migrate all of our email sending to Amazon SES because life is too short to send emails to Microsoft.
edited to add: this was a general MS issue and not necessarily senders having spam/dns/domain issues, which I suppose it why it annoyed mailops so greatly! and of course the long tail of the wider internet
Marketing should be different IP/Domain from transaction emails.
The painful part is recovery. You can fix SPF/DKIM/DMARC in an hour but domain reputation takes weeks to rebuild. Microsoft's SNDS portal shows you almost nothing useful while you wait.
Set up the subdomain split from day one if you're a small SaaS. Costs nothing.
Yeah, I wish all marketing email would be clearly flagged as marketing. My bank does this and for them, marketing emails are actually more important than transaction emails, because marketing is creating value for them, and transaction notifications are costing them and only create value for me.
Have "mycompany.com" and "marketing-mycompany.com"?
How
Most of time, I would use mycompany.com for company stuff and mycompany.net for Application DNS and EMails.
This BS is pedaled by the email tools who want you to have less friction setting up DNS when onboarding to their tool (less conflicts on a new subdomain).
If you just check the latest version of Google Postmaster Tools, you can see sends from your root domain and subdomain cross-polluting your reputation in Gmail. They aren't dumb.
Things like "you cannot mix marketing and transactional email" are good advice, but they do nothing if you're using different subdomains but the same infrastructure (IP address) to send them out.
Microsoft is simply trying to squeeze smaller operators out of the market.
I run an open source project, we send out transaction emails from ome subdomain, and a newsletter to 50K+ subscribers once every 3 months.
I can't afford to pay for different/dedicated IO addresses for each. We use Scaleway for email delivery and it's constant trouble with two providers: qq.com who don't give a damn about non-chinese senders, and Microsoft, who are simply trying to break the ipen internet.
Before, we were on AWS SES. Guess what, we didn't even bother using different subdomains. We also didn't have dedicated IPs. Yet Microsoft did not block us because the sender IP was AWS.
It's pay to play, as simple as that.
Fortunately, we're an open source project, not a business. So when people reach out, I simply explain to them that they have chosen a mail provider that is openly hostile to small volunteer-run projects like us and that that choice has consequences. No emails for you.
IMHO we need to be more vocal about what's really going on here (the rent-seeking on the open internet by big tech), and less victim blaming (what about dns-sec).
Microsoft just wants you to use O365 and happily blocks a lot of smaller email senders. Not even gmail is that strict. They've only greylisted my server for a few months and then unblocked it fully.
DKIM. Obviously that was a typo on a forum but you cannot be complacent, ever.
You have missed out DNSSEC (nearly optional), SMTP-TLS and MTA-STS. Does your SPF record end with -all? Does your DMARC record have reporting addresses, does it have: "p=reject; sp=reject; adkim=s; aspf=s" in it?
I also suggest you send marketing emails from a sub domain or a separate domain or move your identity domain elsewhere. A cop out is getting someone else to send your stuff and I do not recommend that - it looks lax and trite.
I run a MS silver (its not Stirling and I'm not proud of it) partner. I recently shuffled our on prem to Exchange online, which at least saved a shit load of vRAM n vCPU on prem and horrendous Windows updates. I do insist on gatewaying all our SMTP via our on prem Exim n RSpamD n that. That means I get to decide where our mail goes and I also have a couple of Dovecots on prem.
I run rather a lot more mail systems than ours too. This works in the UK but I cannot comment on [elsewhere], for obvious reasons.
They even have the cheek to link to a 15 year old guide on email best-practices, it is in equal parts awkward, annoying and incredibly shameful for a large organisation like MS. The fact that SNDS shows all greens seems to mean nothing and clearly they have been instructed not to engage in any conversation about why it is happening and the fact these are servers that are linked to a well-known business with static IPs that have been in use for over 3 years.
The best I can work out is the use of heuristic mail filters that detect anomolies for whatever reason they feel like. Too much email, not enough email, email sending rates that are too erratic, basically what 99.9% of email servers in the world are doing and they decide to block you. I could live with "rate limited" and I could live with "temporary" because I would disable the servers once they got blocked but nope. Just more "we don't give a shit" attitude from Microsoft.
Sadly, I had to accept the inevitable which I had avoided for many years and migrate all of our email sending to Amazon SES because life is too short to send emails to Microsoft.
Annoyingly, mailop.org list archives are member-only (free to join however).
Mail Archive has the content, though I never much liked their UI. Link to the first message of the most interesting (IMO) thread, though there were others around the same time: https://www.mail-archive.com/[email protected]/msg26087.html
edited to add: this was a general MS issue and not necessarily senders having spam/dns/domain issues, which I suppose it why it annoyed mailops so greatly! and of course the long tail of the wider internet