
The email address of the sender of our newsletter is being used for phishing purposes. We do have a valid SPF record (ends with -all) and DMARC on our domain (confirmed by mxtoolbox.com: every check is green/good). However, some hotmail.com and yahoo subscribers are receiving the bad messages.

Delivered message header example (replaced my domain by mydomain.com):

Received: from AM0EUR02FT053.eop-EUR02.prod.protection.outlook.com
 (2603:10a6:203:a3:cafe::24) by AM5PR0602CA0015.outlook.office365.com
 (2603:10a6:203:a3::25) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.17 via Frontend
 Transport; Thu, 18 May 2023 20:00:29 +0000

Authentication-Results: spf=fail (sender IP is 74.220.218.251)
 smtp.mailfrom=mydomain.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=quarantine
 header.from=mydomain.com;compauth=fail reason=000

Received-SPF: Fail (protection.outlook.com: domain of mydomain.com does not
 designate 74.220.218.251 as permitted sender)
 receiver=protection.outlook.com; client-ip=74.220.218.251;
 helo=outbound-ss-2173.bluehost.com;

Received: from outbound-ss-2173.bluehost.com (74.220.218.251) by
 AM0EUR02FT053.mail.protection.outlook.com (10.13.55.226) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.6411.14 via Frontend Transport; Thu, 18 May 2023 20:00:28 +0000
X-IncomingTopHeaderMarker:
 OriginalChecksum:DA2D70975B34AF56A4C6BB7C8F702F23F79F3DC78ECCEAF1A0837B45D961804C;UpperCasedChecksum:C8456286D1E9561E0C8180B32877B9F796154342C827979774F79B83E92CE58D;SizeAsReceived:2147;Count:30

Received: from cmgw14.mail.unifiedlayer.com (67-20-127-198.unifiedlayer.com [67.20.127.198])
      by soproxy8.mail.unifiedlayer.com (Postfix) with ESMTP id C2B028048C4A
      for <[email protected]>; Thu, 18 May 2023 20:00:27 +0000 (UTC)

[...]
X-SID-Result: FAIL
X-Microsoft-Antispam: BCL:4;

X-Microsoft-Antispam-Mailbox-Delivery:      abwl:0;wl:1;pcwl:1;kl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;psp:1;auth:0;dest:I;OFR:TrustedSenderList;ENG:(5062000305)(90000117)(90012020)(91020020)(90015022)(91040095)(9050020)(9100338)(2008001134)(4810010)(4910033)(8820095)(9610025)(9525003)(10145022)(9439006)(9310011)(9220031);

[...]

All SPF/DMARC/etc. tests fail, but the message is still delivered to the inbox. Why is Hotmail letting them through?

Thanks,

  • Could have multiple causes, but these are the most common: a) the recipient safe-listed the newsletter email address or your entire domain, b) although DMARC suggests quarantine, Hotmail will actually deliver to Junk, because of the absence of quarantine functionality, c) mailbox or forwarding rules overwrite the initial Junking. Have you checked these options with the recipients?
    – Reinto
    Commented May 23, 2023 at 14:49
  • 4
    We're not Hotmail support and therefore cannot answer this question as to why they delivered the email to the recipient. Reach out to Hotmail support and ask them for a definitive answer.
    – joeqwerty
    Commented May 23, 2023 at 14:55
  • 1
    I agree we're not Hotmail support (or Yahoo for that matter), but still believe the question is valid on why (multiple) big MSPs are delivering emails to Inbox while they are clearly failing DMARC authentication. In the real world I see many newsletters advising their recipients to safe list their address "to never miss a thing". In my opinion DMARC should overwrite Safe Listing. Would you agree @joeqwerty
    – Reinto
    Commented May 24, 2023 at 13:40
  • @Reinto the point is though, that we don't know why Hotmail delivered the email to the recipient and there's no way for us to find out, therefore this question can't be answered here. We can speculate, but that would just be... speculation.
    – joeqwerty
    Commented May 24, 2023 at 14:40
  • 1
    @Reinto I edited the question with the X-Microsoft-Antispam-Mailbox-Delivery header. I guess that user had added the sender address in Trusted senders. Because of this, Outlook skips the SPF/dmarc/dkim auth checks. Thanks for your input.
    – sglessard
    Commented May 26, 2023 at 15:13

1 Answer


It is common for newsletters to ask recipients to add the newsletter email address to their address book or safe senders list. This practice actually creates a hole in the spam filtering policies of many of the larger Mailbox Service Providers, as safe-listed addresses are generally delivered into the Inbox, overruling the email authentication results.

In the example email from Hotmail, even though the spam filtering there is not well documented, we can tell from the naming of the tags what is happening:

  • abwl:0 - Address Book White Listing = False
  • wl:1 - White listing = True
  • pcwl:1 - Personal Contact (?) White Listing = True
  • dwl:0 - Domain White List = False
  • auth:0 - Authenticated = False
  • dest:I - Destination = Inbox (as opposed to dest:J for destination = Junk)
  • OFR:TrustedSenderList - Override Reason = address on Trusted Sender List

The above interpretation could be wrong on some of the tags, but I hope we can agree on the reason why these emails sometimes end up in the Inbox folder when you would have expected them to be junked or quarantined: the user added the address (or domain) to their address book or Safe Senders.
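The check a mail administrator would want when triaging such a report is to put the Authentication-Results value, the X-Microsoft-Antispam-Mailbox-Delivery value and the domain's DMARC policy side by side and see whether the delivery folder contradicts the policy. The following is an added example, not code from the question or the answer: the sample header values are constructed from the ones quoted in the question, the DMARC record (p=quarantine) is an assumption since the question only says DMARC is present and Outlook reported action=quarantine, and the tag meanings (abwl, wl, pcwl, dwl, auth, dest, OFR) follow the answer's reading of Microsoft's undocumented names.

```python
import re

# Constructed sample values, shaped like the headers quoted in the question
# (the domain is mydomain.com there too); they are not a live capture.
AUTH_RESULTS = (
    "spf=fail (sender IP is 74.220.218.251) smtp.mailfrom=mydomain.com; "
    "dkim=none (message not signed) header.d=none;"
    "dmarc=fail action=quarantine header.from=mydomain.com;"
    "compauth=fail reason=000"
)
MAILBOX_DELIVERY = (
    "abwl:0;wl:1;pcwl:1;kl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;psp:1;"
    "auth:0;dest:I;OFR:TrustedSenderList;ENG:(5062000305)(90000117);"
)
# Assumed DMARC record for the sender domain (the question does not quote it).
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@mydomain.com"


def parse_authentication_results(value):
    """Map each method in an Authentication-Results value to its result.

    Strips CFWS comments such as "(sender IP is ...)" and keeps only the
    leading method=result of every ';'-separated clause, so property values
    like smtp.mailfrom=... and header.from=... are ignored. An authserv-id
    prefix ("mx.example.com;") contains no '=' and is skipped.
    """
    stripped = re.sub(r"\([^)]*\)", "", value)
    results = {}
    for clause in stripped.split(";"):
        m = re.match(r"\s*([a-z0-9-]+)=([a-z0-9-]+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def parse_mailbox_delivery(value):
    """Split an X-Microsoft-Antispam-Mailbox-Delivery value into {tag: value}.

    Entries are 'name:value' pairs separated by ';'. ENG is kept as the raw
    parenthesised list. Microsoft does not document these tag names; the
    meanings used below follow the reading given in the answer (assumption).
    """
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.strip().partition(":")
        if sep:
            tags[name] = val
    return tags


def parse_dmarc_policy(record):
    """Return the p= policy of a DMARC TXT record (default 'none')."""
    tags = {}
    for item in record.split(";"):
        name, sep, val = item.strip().partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags.get("p", "none").lower()


SAFELIST_TAGS = ("abwl", "wl", "pcwl", "dwl")  # per the answer's reading


def explain_delivery(auth_value, delivery_value, dmarc_record):
    """Compare what the DMARC policy asked for with what the provider did."""
    auth = parse_authentication_results(auth_value)
    tags = parse_mailbox_delivery(delivery_value)
    policy = parse_dmarc_policy(dmarc_record)

    # Disposition the domain owner requests for this authentication result.
    if auth.get("dmarc") == "pass":
        requested = "deliver"
    else:
        requested = policy if policy in ("quarantine", "reject") else "deliver"

    actual = {"I": "inbox", "J": "junk"}.get(tags.get("dest"), "unknown")
    safelists = [t for t in SAFELIST_TAGS if tags.get(t) == "1"]
    override = tags.get("OFR")

    if requested == "deliver":
        verdict = "authenticated or no enforcing policy"
    elif actual == "inbox" and (override or safelists):
        verdict = "recipient safelist overrode DMARC"
    elif actual == "junk":
        verdict = "DMARC policy honoured"
    else:
        verdict = "unexplained"

    return {
        "dmarc_result": auth.get("dmarc", "none"),
        "policy_requested": requested,
        "delivered_to": actual,
        "override_reason": override,
        "safelist_tags": safelists,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, val in explain_delivery(AUTH_RESULTS, MAILBOX_DELIVERY, DMARC_RECORD).items():
        print(f"{key}: {val}")
```

Run against the constructed headers it reports a requested disposition of quarantine, an actual destination of Inbox, override reason TrustedSenderList and safelist tags wl and pcwl, which is the mismatch the answer describes. With dest:J it reports the policy as honoured, and with dmarc=pass it reports nothing to explain; those two branches are what you would expect to see for the same sender once the recipient removes the safe-listing.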
