Tell HN: Expect you may have to write off Microsoft if you self host email

50 points by jimmaswell ↗ HN
I've had this IP for almost a decade. It's not on spamhaus, DKIM and SPF are correct, and I've signed up for MS's Junk Mail Reporting Program and Smart Network Delivery Services. They still reject my mail with

> Unfortunately, messages from [45.55.34.226] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.

I went through their support channels and they were completely useless.

> Thanks for your patience while we investigated your request.

> Below your IP address(es) and their status(es) are listed.

> Not qualified for mitigation

> 45.55.34.226;

> The IP(s) above do not qualify for mitigation.

> Please note: This outcome indicates behavior that misses standards; please review Improving E-mail Deliverability into Windows Live white paper for helpful tips.

...

> What standards are missing? DKIM and SPF are passing and I got the IP taken off of Spamhaus recently. Other email servers like gmail aren’t finding an issue.

...

> Your IP (45.55.34.226) was blocked by Outlook.com because Hotmail customers have reported email from this IP as unwanted. One possible explanation for this is the automatic forwarding of unfiltered inbound messages, including unwanted messages, to Outlook.com/MSN addresses.

> Please confirm that your emails comply with Hotmail’s technical standards.

> For more detailed information about best sending practices to Outlook.com users, please review Outlook.com Enhanced Deliverability white paper.

...

> I’ve ensured there is no open relay, and I’ve only tried to send messages to my own Hotmail address so far. There are no other user accounts on this email server, just me.

> I’ve also signed up for the Junk Mail Reporting Program/Smart Network Data Services with that domain/IP. I don’t see any incidents there.

> Around what day/time was email reported as wanted?

...

> Thank you for contacting the Outlook.com Deliverability Support Team.

> As previously stated, your IP (45.55.34.226) do not qualify for mitigation at this time. I do apologize, but I am unable to provide any details about this situation since we do not have the liberty to discuss the nature of the block.

> At this point, I would suggest that you review and comply with Outlook.com’s technical standards.

> We regret that we are unable to provide any additional information or assistance at this time.

I've gone through all the links they sent me and nothing is wrong with my email server. It's impossible that I could have ever sent spam. They just decided they don't like me for no reason and I don't get to send them mail.

29 comments

[ 5.6 ms ] story [ 71.5 ms ] thread
In the university, we had some luck telling the students to send us a message from their hotmail/live/outlook/whatever address. This adds our address to some special secret list for that account, and our messages (usually) reach them. (It may fail. It may fail. IWOMM. YMMV. Sorry, but this is not a foolproof solution, just a hack. Sending email to new people is still difficult/impossible.)
They are notorious for this and you are not the only. Not that others are far better but MS absolutely is the worst at this. Don't even get me started on their "Windows defender" flagging websites as dangerous.
Yeah, Microsoft is always a pain in the ass when you're self-hosting email, that's why I just don't bother.
It's because the IP is on DigitalOcean - a hotbed for spam and malware. I wouldn't bother self hosting e-mail any more because you'll come across most providers just not accepting your messages. Sucks, but is what it is.
FWIW I send email from DigitalOcean. And you are mostly right.

If you are lucky you will get rejections. Most will just accept and put in spam which is better because the receiver can correct it, but worse because they will probably never see it and you won't know.

Some inbox providers like Google, FastMail, Proton Mail and others will track your domain reputation if you are sending enough (~1 message per day seems fine) and once you have built domain reputation they will accept from DigitalOcean with no issue.

But you can't rely on sending messages to new inbox providers. They reasonably treat mail from DigitalOcean IPs as suspect until they have enough other evidence.

I would say "switch to Vultr - it's what I use and I have no problems at all" but considering what it takes to even spin up e-mail servers, let alone get them to be functional, secure, reliable, and allowed, ... you are in a tight spot there
Even with 'just' a custom domain tied to a 3rd party email provider, with all the usual security stuff (DKIM, etc.) configured, my emails and emails addressed to me sometimes are marked as spam or disappear.
>It's not "your" IP address, it's DigitalOcean's IP address. And DigitalOcean is unwilling or unable to police their IP address space, so you've been lumped in with the other bad actors inside 45.55.0.0/16.

It's not an arbitrary search space, it's usually a /24 to easily disqualify noisy neighbors and in addition the reputation of ips registered in the ARIN record. I would urge everyone to register any IP block they use that's more than a /29. To the end of this story, I have successfully sent email to microsoft servers from my /27 and /28 because (a) the /24 i'm on is not spammy and (b) my entire netblock is not spammy.

But even then I get certain random companies/universities that will flat out reject my email because I'm not going through one of the big 5 mail senders. I gave up, still host my own email but relay my mail through an O365 exchange server

The problem is Microsoft is unwilling to unblock you even if you contact their support and jump through all the hoops to show you aren't a bad actor. They are of course incentivized to do this by cost cutting and in the hopes people will use their service rather than self host.

I don't want to further incentivize their behavior so I refuse to use them. All my self hosted emails go to Apple and Google inboxes just fine.

In theory the network should respect each IP address as if it is held by a separate entity, who should be judged as an individual and not as part of a group.

In practice, due to bad actors, almost all internet services will in fact discriminate against you if your neighbors are (or have been) assholes. Sometimes they even discriminate against your IP address because they have PTSD about a different address that looks like your address.

What can we do? Not a lot. If the customers of MSFT don't care enough to complain that email is not being delivered to them, MSFT doesn't care either.

The bad services sell use of their address space for next to nothing and turnover of their addresses is high. When they don't address abuse reports, or even if they do yet their addresses continue to act like whack-a-mole, there's good reason to tar them with the same brush.
Microsoft is a pain in the ass regardless - they block my email delivery from SimpleLogin. From their own servers.
I know people are saying it’s your isp and that is a possibility but IMO ms is being too harsh here. First let me say at least they have a support department unlike gmail. As for your isp I honestly don’t get a significant amount of spam from digital ocean or many of these vps systems so I don’t think it fair to say that is the problem right away ( this is spam only not ssh brute force scanning which I don’t track ). I get significantly more spam from aws, gmail and Microsoft itself - I’m personally annoyed that these providers are too big to block but have no issues blocking other ips with no ability to resolve it. Sorry I have nothing to add to help resolve this. A month ago there was a post on a similar issue but with gmail. At this rate the response will be the problem is you are running your own email server and should pay for delivery.
Personally, it's par for the course. $largeplatformcompany thinks they don't have to accomodate corner cases, and the world allows them to continue doing so. Sad, but true. Nothing will change on this front until there is sufficient public outrage to result in new government regulations.

Yeah, I don't think that will happen any time soon.

So exactly what are these providers going to do when they start receiving email over IPv6?

It’s not exactly like you can black hole that many IP addresses.

Will it get worse? Probably. Email server hosts will all probably have to manually vet each other instead of being an open protocol by default.

What a catastrophe. Email outside of major providers today is basically unusable as a first-class user.

I assume it'll just get doubly encrypted and signed and signatures will be white listed at that point.
IPv6 actually makes it easier to block spammy providers, because IPv6 address space is less fragmented.

Digital Ocean (like most providers) has fewer, larger IPv6 blocks than they do IPv4 blocks:

https://bgp.he.net/AS14061#_prefixes

https://bgp.he.net/AS14061#_prefixes6

The overall number of IPv6 networks—despite containing many orders of magnitude more hosts—is fewer than under IPv4:

https://bgp.he.net/report/prefixes

This works out to not needing as many rules when you want to block traffic.

Will the email providers setup email servers listening on IPv6?
I have the same problem. I use a different email account if I absolutely must send to a Microsoft account (for my benefit). If not, I just don't bother replying after it bounces. Now it's my problem and Microsoft's users' problem.
I ended up setting up a gmail account just for this domain and routing outgoing mail through it. If you set it up right it still has your self hosted email in the From: field and replies go back to it, so it's pretty much transparent. Not optimal but easiest solution. I can send to hotmail just fine now and gmail doesn't go to spam anymore.
Exactly this. I self-host and blanket block a bunch of hosting providers because I get 100% spam from them. Just a few hosting providers that seemingly are unable to police their address space seem to be responsible for a big proportion of it.

If sending outbound email it's important to use a provider that itself has a good reputation. Just trying to develop a reputation for your own range isn't sufficient if your supplier has a bad reputation.

I've had the same issue.. I had to mitigate every few weeks.

Strange thing was, I'm 100% sure I didn't send any spam and my server was in a subnet with legit stuff only.

The only time I actually got through to someone at MS they said the issue was that I didn't send enough email to build up 'reputation' or whatever. It was indeed a small personal server with 4 users. As with yourself my SPF and DKIM was all A-OK and I only had issues with live.com and Hotmail. Not with corporate O365 users.

In the end I gave up but it's sad MS are breaking email this way.

If you are serious about self hosting email then buy a static IP address from a reputable vendor. Rotating ones from a cloud host are going to be flagged for spam on every service.
I still want to host my own incoming mail server for my domains but because sending is becoming harder and harder, can anyone recommend a service where I can relay my outgoing to mail to?

Some cloud providers now even block port 25 outgoing so you can't even send mail out directly anymore.

How many email boxes do you have, and what's your value of your time, and your value of money, and whats your personal privacy policy? Because Gmail will let you send mail via their SMTP server if you want to send as someone you're authorized to send as, if that's compatible with your privacy policy. If you value your time, then MailChimp or something similar like MailerLite work, but cost money. If you don't mind paying some money but more importantly, can spend a lot of time setting it up manually (including warming up an IP), then you can setup AWS SQS/SNS + Lambda to send email. That's a bunch of work if you're not getting paid for it though.
gmail's what I ended up doing. The email still presents as coming from my domain, replies go back to it, and I could switch out for another relay any time, so it's good enough.
There are not that many relay servers. I had better luck with using an external SMTP server and adding the SPF and DKIM appropriate records to my dns. Personally I use postmarkapp with credits, but my second choice was SMTP2GO which has a free tier.
You can use Sendgrid as a SMTP relay host. You can even buy reserved IP addresses for that to segment your traffic.
> I do apologize, but I am unable to provide any details about this situation since we do not have the liberty to discuss the nature of the block

This is what I find infuriating about Microsoft/Google.

It's like a judge not saying what you're being charged for, just that you're going to jail.