Website email arrives at Gmail and other domains but not Hotmail.com or Outlook.com

August 26, 2014 161.2k views
jmcd73
By:
jmcd73

I have a domain for example https://example.com website setup on a DO VPS. I have configured the VPS to be the primary MX for the domain and configure what I believe is an appropriate SPF record for it. The VPS is running postfix and can send and receive email for the domain. I can receive email fine to multiple other domains.

I also note that a similar question has been asked before but the work-a-round was performed by the person adding the email address to the safe senders list using outlook.com web interface. This is unsuitable for my purposes because the emails need to arrive at outlook.com or hotmail.com mailboxes without intervening.

Has anyone got any information that could allow me to get to the bottom of why hotmail / outlook.com aggressively blocks valid email while hiding behind many pages of policy documents that don't enlighten me as to why I have an IP address designated as "Not qualified for mitigation".

I have attempted to engage with Microsoft regarding how to go about getting it working but if anyone has any experience with getting a Droplet to email directly to mx*.hotmail.com MX servers and have the email accepted I would love to hear from you.

Log In to Comment
12 Answers
jonasd149aba972df57b07ad6f July 20, 2017

I found this in the microsoft support forum.
The page looks very similar to the sender.office.com page linked above, but requests many more fields. Perhaps this is the updated version of the same service.
https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3&locale=en-us&ccsid=635639051175184163

Reply
  • keith7 January 31, 2018

    This form helped me a lot. They got back to me in two days and said I'd been whitelisted: 

    Our investigation has determined that the above IP(s) qualify for conditional mitigation. These IP(s) have been unblocked, but may be subject to low daily email limits until they have established a good reputation.

Please note that mitigating this issue does not guarantee that your email will be delivered to a user’s inbox.

Ongoing complaints from users will result in removal of the mitigation.

Mitigation may take 24 - 48 hours to replicate completely throughout our system.

If you feel your issue is not yet resolved, please reply to this email and one of our support team members will contact you for further investigation.

    Wow, way to go Microsoft!

vps August 26, 2014

Look at the message headers on outlook.com and verify you are getting SPF=Pass

You could also try adding DKIM signing to your email.

Double check your droplet ip hasn't been blacklisted. Not sure if hotmail or outlook check them however. http://whatismyipaddress.com/blacklist-check does a decent job of checking most popular blacklist sites.

Reply
  • jmcd73 September 1, 2014

    So I added DKIM Signing (opendkim+postfix), checked the source headers of the emails when they reach their destination and I get

    From Google: dkim=pass
    From Yahoo: dkim=pass (ok) (generic email get's put in junk folder but arrives)
    From Outlook.com: dkim=pass (Only will arrive at outlook.com if I have already sent an email to the sending address from the outlook.com account, which is useless for a first time visitor to the web shopping cart...)

    All three pass SPF too.

    But still the emails don't arrive in the mailbox or junk folder of the Outlook.com account.

    I have checked the blacklists and the IP isn't listed in any.

    Microsoft "support" is a challenge because they send you massive form letters that have links to many pages of RFC's which serve to confuse further instead of enlightening. I also note that they have a 3rd party whitelist returnpath certification for only 200USD + 400+USD p/a

    The volumes of email I am sending through the domain are so low as to be negligible so the spend is unrealistic.

    I think if I can move the domain to one of the big email providers (such as google mail) and then configure postfix to transport map through their SMTP servers with their SPF/DKIM setup that might fix it. The mega-corps are controlling the internets now.

Sinklar August 26, 2014

I have the same issue with my emails not being delivered to Yahoo email addresses.

I contacted the Yahoo's Customer Care about that and followed their procedure regarding bulk emails (even if I've never sent bulk/mass emails). They answered that the IP of my server is blacklisted.

I checked on multiple blacklist-check tools but none says that my IP is actually blacklisted.

I contacted DO's support and their answer is that there is not much we can do about that, unfortunately. In short:

The biggest issue is "the past history" of these netblocks - before we had even purchased them! We're working with mail providers to get this resolved, but in general a lot of them are slow to change in these situations. Because of this, I do not really have a quick solution for you in this case. You can try getting a new IP but there is no guarantee the issue just won't persist there.

Reply
  • vps August 26, 2014

    Getting de-listed from a blacklist is a major pain. Most legitimate list are not bad but some are impossible. Its like they have God complexes or something.

    Doesn't help if spammers setup shop on DO droplets either. In the past year I have been with DO I have received a few spam messages from other DO customers. Thankfully only a few.

jmcd73 September 4, 2014

Despite my droplet IP Not being blacklisted and getting dkim and spf working. Still no direct email to hotmail.com/outlook.com so I have found a work a round. The folks at mailgun.org have already jumped through the hoops to get email delivered to outlook & hotmail.

So just sign up for an account with them and use the wordpress mailgun plugin (to send email via their HTTP API ) or configure postfix with TLS and an appropriate transport map to submit email to mailguns - trusted-by-outlook email servers.

Reply
  • tlorens November 21, 2014

    I'm having pretty much the exact same issue. I'm able to send to Gmail, Yahoo and a previous provider hosting email for me and a handful of other people. I did get this message when attempting to send to my work account which is an Office360 setup.

    Client host [xxx.xxx.xxx.xxx] blocked using
    FBLW15; To request removal from this list please forward this message to
    delist@messaging.microsoft.com (in reply to RCPT TO command)

    I'm investigating what this is now.

gsucks February 28, 2015

Yay, any news on this?
I don't want big corporations to snoop on my email... is it possible to detect the destination email domain, and use an external provider when I detect mail for outlook, hotmail or yahoo?

Reply
jpbarroso May 26, 2015

Any news? I'm in the same situation. Configured SPF records, dkim keys and only problems with hotmail, live or outlook accounts. My ip is not blacklisted, but doesn't send enough mails to have any reputation and when talk to outlook support, they returned: "ip not qualified for mitigation"
Any suggestion? usually change ip of droplet works? Big corporations with nonsense politics are really a pain...

Reply
jpbarroso May 28, 2015

Any solution like this, relay mails to hotmail with an smpt service like mailgun or similar?
Relay host based on destination MX record:
http://serverfault.com/questions/663418/relay-host-based-on-destination-mx-record

Reply
StanG July 23, 2015

I got the same problem. My droplet is in the AMS3 datacenter, my IP starts with 178.62.226.xxx

I changed my postfix config to send mail to hotmail, live, msn and such via GMAIL with authentication/TLS. It's working now but ...

Caveats:

  • The sender address gets changed to my GMAIL address wich i rather not have
  • I had to lower my security settings on GMAIL account
  • Via the CAPTCHA UNLOCK I had to trigger the allowance of my postfix connecting to GMAIL SMTP with auth/TLS.

Interestingly enough a mailbox (@msn.com) that had a long time ago once received e-mail from this from address (back on other hosting) worked every single time. All other hotmail (etc.) mailboxes that had never received an e-mail from this sender address got bounced with the mailbox unavailable

Reply
micwallace May 19, 2016

I'm facing the same issue. It's quite ridiculous really. I've done various blacklist checks and I'm on none.

Just working my way through this article to solve it:
https://www.rackaid.com/blog/hotmail-blacklist-removal/

This form looks like it may go somewhere but you never know with Microsoft, king of unexpected waiting times:
https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3&locale=en-us&ccsid=635992556112449734

Reply
  • DBIT May 29, 2016

    Did you get any kind of reply from Microsoft on this issue?

ChrisMingay June 28, 2016

I'm having lots of fun with this at the moment... I've set up SPF, DKIM, altered the servers FQDN to reflect the domain I am sending mail for and I get the following error from Outlook/Hotmail

Jun 28 10:13:21 main postfix/smtp[28083]: AE01C62D00: to=ADDRESS@hotmail.com, relay=mx2.hotmail.com[65.55.92.136]:25, delay=0.56, delays=0.09/0/0.35/0.11, dsn=5.0.0, status=bounced (host mx2.hotmail.com[65.55.92.136] said: 550 SC-001 (SNT004-MC1F26) Unfortunately, messages from X.X.X.X weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command))

Filled in the form ( https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3&locale=en-us&ccsid=635992556112449734 ) and I just got the following response

Note: Errors are unlikely, however, if an error is indicated, please resubmit the specific IP or IP range.

I've just resubmitted, but I expect I will get exactly the same back again. I've never had much luck with Microsoft / Email. I have Office 365 and for about 2 weeks I couldn't actually send out any emails (even from their Outlook web interface). Their response was to ask me to send emails to them from the offending domain... which I couldn't because it didn't work.

Ohhh goody, I have actually had another response

Note: Errors are unlikely, however, if an error is indicated, please resubmit the specific IP or IP range.

Reply
  • ChrisMingay June 28, 2016

    OK... maybe I didn't quite understand the wording of their auto message, but I've since had a proper reply

    **
    We have completed reviewing the IP(s) you submitted. The following table contains the results of our investigation.

    Conditionally mitigated
    X.X.X.X
    Our investigation has determined that the above IP(s) qualify for conditional mitigation. These IP(s) have been unblocked, but may be subject to low daily email limits until they have established a good reputation.

    Please note that mitigating this issue does not guarantee that your email will be delivered to a user’s inbox.

    Ongoing complaints from users will result in removal of the mitigation.

    Mitigation may take 24 - 48 hours to replicate completely throughout our system.

    If you feel your issue is not yet resolved, please reply to this email and one of our support team members will contact you for further investigation.
    **

    Will give things a trial tomorrow and go from there

engeen September 7, 2016

I'm having a hard time as well. New emails are not bounced, nor do I get an error message in my mail log. Funny thing is, replying to an email sent from a hotmail account DOES work.
So I had a look at the differences in headers. The only field was:

in-reply-to: <AMSPR05MB1163A06679EE051280F0EF78EE20@AMSPR05MB116.eurprd05.prod.outlook.com>

This resulted in the following DMARC report:

<policy_published>
<domain>engeen.nl</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>188.166.43.30</source_ip>
<count>3</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>engeen.nl</header_from>
</identifiers>
<auth_results>
<spf>
<domain>engeen.nl</domain>
<result>pass</result>
</spf>
<dkim>
<domain>engeen.nl</domain>
<result>pass</result>
</dkim>
</auth_results>
</record>

I have no idea what do try next...
Does anyone know of an affordable relay as an alternative?

Reply
admin1addbc12141a260127ef6 January 2, 2017

I've been fighting to get Hotmail to accept our emails for a long time. We go through this process with pretty much every new website or IP address. We have a brand new IP address and server from DigitalOcean, but apparently Microsoft doesn't really give you anyway to reset the history of an IP address. But you might as well try these things:

Just keep on repeating those steps every few weeks. Good luck.

Reply
Have another answer? Share your knowledge.