Summary
Despite correct SPF, DKIM, and DMARC settings, Office 365 may block transactional emails sent via PostMarkApp due to a complex interplay of factors. These include: internal BCL/SCL and PCL scoring that might flag messages as spam or phishing, a compromised customer website, quarantine rules set by the receiving organization, poor IP and domain reputation (potentially influenced by shared IP issues), listing on RBLs like Spamhaus, content triggering spam filters, incorrect reverse DNS (PTR) records, misconfigured authentication protocols, aggressive throttling policies by Office 365, sudden spikes in sending volume, and negative user feedback. Leveraging Microsoft's Smart Network Data Services (SNDS) provides insights into Microsoft's perspective on your sending IP, and proper IP warm-up is critical for new IPs.
Key findings
- BCL/SCL & PCL Scoring: Office 365 assigns internal scores (BCL/SCL and PCL) that can trigger blocks even if authentication passes.
- Internal Quarantine Rules: Recipient organizations can set up custom quarantine rules that block messages regardless of authentication.
- IP/Domain Reputation: A poor IP or domain reputation, impacted by shared IP issues, blacklists, or sending history, is a major factor.
- Content Filtering: Email content that triggers spam filters, even unintentionally, can lead to blocking.
- Authentication Implementation: Incorrect implementation or validation of SPF, DKIM, and DMARC records can lead to authentication failures.
- Throttling: Aggressive throttling policies by Office 365 can block senders exceeding sending limits.
- SNDS Provides Insight: Microsoft's SNDS provides valuable data about how Microsoft views your sending IP and potential issues.
- Feedback Loops: High spam complaint rates can result in blocking, check feedback loops.
Key considerations
- Check BCL/SCL & PCL Scores: Monitor successful deliveries to internal O365 addresses to assess BCL/SCL and PCL scores.
- Investigate O365 Quarantine Rules: Work with recipient IT departments to investigate custom quarantine rules impacting deliverability.
- Monitor IP/Domain Reputation: Proactively monitor IP and domain reputation using tools and services like MultiRBL and Spamhaus lookups.
- Optimize Email Content: Review and optimize email content to avoid triggering spam filters, focusing on formatting, keywords, and image-to-text ratio.
- Validate Authentication Records: Regularly validate SPF, DKIM, and DMARC records using dedicated tools to ensure correct implementation and resolution.
- Monitor Throttling: Monitor sending volumes and adjust sending rates to avoid exceeding Office 365's throttling limits.
- Implement and Monitor SNDS: Enroll in and actively monitor Microsoft's SNDS program for valuable insights and troubleshooting data.
- Warm Up New IPs: Carefully warm up new IPs with gradually increasing sending volumes to establish a positive reputation.
- Check Reverse DNS: Check the reverse DNS and that it has been properly setup.
What email marketers say
11 marketer opinions
Even with correct SPF, DKIM, and DMARC settings, transactional emails sent via PostMarkApp can be blocked by Office 365 due to a variety of factors. These include Office 365's content filtering and custom rules, poor IP reputation (either shared or dedicated), being listed on RBLs, issues with reverse DNS (PTR) records, and the content triggering spam filters. Microsoft's aggressive throttling policies and the implementation and validation of authentication protocols can also play a role. Monitoring sending IP health through Microsoft's SNDS program and warming up new IP addresses are also important.
Key opinions
- Content Filtering: Office 365's content filters and custom rules can quarantine messages, even with proper authentication.
- IP Reputation: Poor IP reputation, whether on shared or dedicated IPs, can lead to blocking by Office 365.
- RBL Listing: Being listed on Real-time Blackhole Lists (RBLs) can cause Office 365 to block emails.
- PTR Records: Incorrectly configured reverse DNS (PTR) records can flag emails as suspicious.
- Spam Triggers: Email content triggering spam filters can result in blocked emails, even with authentication.
- Throttling Policies: Office 365's aggressive throttling policies can temporarily block IPs sending too many emails too quickly.
- Authentication Issues: Configuration errors in SPF, DKIM, and DMARC implementation can lead to failures.
- SNDS Program: Microsoft's SNDS program provides insights into IP health as seen by Microsoft.
Key considerations
- Review O365 Rules: Investigate and address any custom rules or content filters within Office 365 that might be blocking emails.
- Monitor IP Reputation: Monitor both shared and dedicated IP reputation and take steps to improve it if necessary.
- Check RBLs: Regularly check if the sending IP is listed on any RBLs and take action to get delisted if necessary.
- Validate PTR Records: Ensure that the reverse DNS (PTR) record is correctly configured and matches the sending domain.
- Optimize Content: Review email content for spam trigger words, poor formatting, and excessive image usage.
- Gradual Sending: If using a new IP, gradually increase sending volume to avoid triggering throttling policies.
- Validate Authentication: Use tools to validate that SPF, DKIM, and DMARC records are correctly formatted and resolving properly.
- Enroll in SNDS: Enroll in Microsoft's Smart Network Data Services (SNDS) program to monitor IP health as seen by Microsoft.
- Consider Dedicated IP: If deliverability issues persist on a shared IP, consider switching to a dedicated IP.
Marketer view
Email marketer from StackOverflow responds that Office 365 may block emails if the sending IP address has a poor reputation. Microsoft uses various blocklists, and if the IP is on one, emails can be rejected even if SPF, DKIM, and DMARC are configured correctly. Also suggested checking the sending IP against common blacklist databases to ensure it isn't listed anywhere else.
17 Aug 2024 - StackOverflow
Marketer view
Email marketer from EmailOnAcid responds that some issues stem from how the authentication protocols are implemented. Even if they are technically "set up," there may be configuration errors. It recommends using a tool to validate that the SPF, DKIM, and DMARC records are correctly formatted and resolving properly.
13 Aug 2022 - EmailOnAcid
What the experts say
4 expert opinions
Even with proper SPF, DKIM, and DMARC settings, transactional emails sent via PostMarkApp can be blocked by Office 365 for several reasons. These include high BCL/SCL scores (indicating potential spam), suspicion of phishing (PCL score), a compromised customer website serving malware, and factors beyond authentication such as shared IP reputation, content filtering, and user complaints. Microsoft's SNDS program provides valuable insight into how Microsoft views your sending IP and can help identify if your IP is being flagged for spam.
Key opinions
- BCL/SCL Levels: High BCL/SCL scores can lead to emails being deleted before reaching the inbox.
- PCL Score: High PCL scores (indicating phishing suspicion) can cause emails to be blocked.
- Website Compromise: A compromised customer website serving malware can lead to email blocks.
- Complex Filtering: Microsoft's filtering is complex and considers factors beyond authentication.
- SNDS Insight: Microsoft's SNDS provides valuable insight into how Microsoft views your sending IP.
Key considerations
- Check BCL/SCL: Check successful deliveries to your own O365 addresses to determine BCL/SCL levels.
- Examine PCL Score: Examine the PCL score for emails to determine if Microsoft thinks it's phishing.
- Check Website: Check the customer's website for potential compromise and malware.
- Monitor SNDS: Use Microsoft's SNDS to monitor your IP reputation.
- Manage Reputation: Manage shared IP reputation, content, user complaints and spikes in sending volume.
Expert view
Expert from Email Geeks suggests examining the PCL score (phishing suspicion) or checking the customer's website for potential compromise and malware serving, assuming the customer sends opt-in emails.
2 Jan 2023 - Email Geeks
Expert view
Expert from Email Geeks suggests checking successful deliveries to own O365 addresses for BCL/SCL levels. If high (e.g., 9), Microsoft might allow tenants to delete those emails before inbox delivery, requiring improvement of the BCL score or tenant filter changes.
19 Jul 2022 - Email Geeks
What the documentation says
5 technical articles
Even with correct SPF, DKIM, and DMARC settings, transactional emails from PostMarkApp can be blocked by Office 365 due to factors like IP/domain reputation, spam filter settings, email content, spam complaints, DMARC policy rejections due to authentication failures, and listing on Spamhaus blocklists. Microsoft's sender reputation system considers sending volume, content, and user feedback.
Key findings
- Reputation Matters: IP and domain reputation are critical factors, even with proper authentication.
- Content is King: Email content can trigger spam filters, leading to blocking.
- User Complaints: High spam complaint rates can result in blocked emails.
- DMARC Failures: DMARC policies can cause rejections if SPF/DKIM checks fail, even intermittently.
- Blocklist Impact: Listing on Spamhaus blocklists can lead to blocking, regardless of authentication.
Key considerations
- Monitor Reputation: Regularly monitor IP and domain reputation.
- Review Content: Ensure email content avoids spam triggers.
- Check FBLs: Check feedback loops for spam complaints.
- Analyze DMARC: Check DMARC reports for authentication failures.
- Lookup Blocklists: Check if your IP or domain is on Spamhaus blocklists.
Technical article
Documentation from Microsoft Learn explains that several factors can cause emails to be blocked by Office 365, even with correct authentication. These include IP address reputation, domain reputation, spam filter settings, and content of the email itself triggering spam filters.
23 Mar 2024 - Microsoft Learn
Technical article
Documentation from Spamhaus explains that they provide blocklists and reputation lookups for both IP addresses and domain names. If either the sending IP or domain is listed on a Spamhaus blocklist, Office 365 is highly likely to block the emails, regardless of SPF, DKIM, and DMARC.
17 Jun 2024 - Spamhaus
Does UCEPROTECTL3 listing impact email deliverability, especially with Microsoft Office 365?
How can I improve email deliverability with Microsoft and avoid spam filters?
How can I resolve Microsoft Outlook S3140 errors blocking my transactional emails?
How do I resolve a blocked sending IP with Office365 and what steps should I take to ensure transparency?
How do I troubleshoot email deliverability issues with Microsoft Exchange Online Protection?
