back to article Exchange Online blocked from sending email to AOL and Yahoo

If you're an Exchange Online user wondering why emails to Yahoo and AOL users haven't been getting through, don't worry – it isn't just you. Stricter security rules have tripped up Microsoft's email service. The issue dates back to the end of February and is related to stricter restrictions implemented by AOL and Yahoo. …

  1. Korev Silver badge
    Coat

    Maybe they confused Hotmail for Hotmale and thought it was porn spam...

  2. Rafael #872397
    Unhappy

    Alternatively, perhaps just pick up the phone and have a chat

    ... talk ... with someone? In real time?

    *shudder*

    1. Andy Non Silver badge

      Re: Alternatively, perhaps just pick up the phone and have a chat

      Or if you need to send them a file, just ensure you and the recipient each procure a device from the museum called a "dial-up modem" ;-)

      1. BenDwire Silver badge
        Facepalm

        Re: Alternatively, perhaps just pick up the phone and have a chat

        Museum? Don't you mean that box of "stuff that might come in useful" in the corner of my office?

        (And no, I'm not joking)

        1. cookieMonster Silver badge
          Thumb Up

          Re: Alternatively, perhaps just pick up the phone and have a chat

          Upvote. And I’m with you on that one. I’ve an old US Robotics in a box in a corner, somewhere.

          For the youngsters here, that’s a dial-modem, the thing that lets you hear the screams on the internet

          1. Dimmer Silver badge

            Re: Alternatively, perhaps just pick up the phone and have a chat

            "I’ve an old US Robotics in a box in a corner"

            Same here. As a test, I handed one to a new employee. I told them I would buy them lunch if they could identify it's use without looking it up.

            He could not.

            - I must be getting old......

            1. WesleyBryie

              Re: Alternatively, perhaps just pick up the phone and have a chat

              Man, I'm not even working age yet and I know what a dialup modem is... just like I know you can still use dialup in 2024 on Windows 11.

              1. azander

                Re: Alternatively, perhaps just pick up the phone and have a chat

                This is assuming you can still get an old fashioned copper land-line. They are no longer available around here. Not even for Fax systems. Best you can do is get a digital line, that's fiber to the RT, then copper to the premises. Dialup doesn't work well over those lines, if at all.

                I happen to work for an ISP, in Michigan USA, that still offers dialup, because some people can't get anything else, and that includes satellite.

                Have a digital line? Best speed we have seen so far is 24K. Most are in the 12 to 14K range.

            2. Arthur the cat Silver badge
              Facepalm

              Re: Alternatively, perhaps just pick up the phone and have a chat

              I told them I would buy them lunch if they could identify it's use without looking it up.

              As remarked elsewhere, once upon a time you had to explain what a video cassette was to old people, now you have to explain them to young people.

      2. PRR Silver badge

        Re: Alternatively, perhaps just pick up the phone and have a chat

        > procure a device from the museum called a "dial-up modem" ;-)

        When I moved to the woods of Maine in 2009, I thought there was data here, but they did not mean "now".

        When we called the telco they got right on it, unlike the TV Cable operator who was and is a bunch of morons. But the telco cables and concentrators were old and tired. I spent the first couple months here at 19,000 baud good days, under 9600 baud other days.

        2009 is not all THAT long ago. And this woods is on the way between two "large towns" (large for Maine).

        Now I have two data offers, but I keep the modem for reasons.

  3. Anonymous Coward
    Anonymous Coward

    Spamhaus and the like can be a pain. When I set up a business about 15 years ago I didn't know much anything about domains. The only address I could get for my company was a .uk.com one so I took it. All was well for a couple of years then we had loads of trouble with emails bouncing due to Spamhaus periodically blacklisting virtually the whole of .uk.com and the impossibility of doing much about it because I was on a secondary domain - a thing I hadn't known or understood when I bought it. When the .uk domain came up I changed to it, only to find out that many mail systems automatically put anything .uk into spam. The .uk problem seems to have settled down now - I have a personal .uk which is sometimes, albeit rarely, problematic for some servers - but our company is on a .co.uk now. Moral of the story is that if you're setting up a company then an available web address name is more important than a snappy company name.

    1. Yorick Hunt Silver badge

      Spamhaus has never blocked domains; it's always been IP-based.

      Frustrating as it may seem to the uninitiated, try being on the receiving end running a mail server receiving thousands of steaming turds from the same compromised sending server.

      If you're ever facing a problem with Spamhaus, complain to the operator of your mail service - they're the only ones who can get rid of the problem (by thumping the offending account).

      1. Anonymous Coward
        Anonymous Coward

        I had a few telecons with my ISP (in the days when they talked on the phone) and they told me that it was uk.com being blacklisted by Spamhaus and there was nothing they could do because they didn't host the main domain. Willing to believe now that they were talking shit.

      2. Anonymous Coward
        Anonymous Coward

        Spamhaus also blocks by domain name:

        https://www.spamhaus.org/blocklists/domain-blocklist/

        1. perkele

          I've found Spamhaus very frustrating...

          Report stuff to them and it seems to never be fixed... e.g. Disney spamming you (proper Disney) and no unsubscribe link [former account holder, not renewed]...

          But they are scared of the Mouse or perhaps he gives them money?

          Stupid spam report form which - if I understand correctly they work on signatures and hashes -- cuts off at a certain size so you can't paste the offending material in. They are (were?) clear they don't JUST want headers and don't even cut off the unwanted... so you can dance several times trimming more and more shit.

          I stopped bothering to report to them, even with maybe 1/3 of my reports allegedly being taken seriously, whatever that means in real life.

  4. Yorick Hunt Silver badge
    Thumb Up

    Coming home to roost.

    Giving every Tom, Dick, Harry, Habib et al a free Exchange account to play with to "trial" the service with a complementary .onmicrosoft.com subdomain was always a recipe for disaster.

    Maybe now that larger mail services have started saying "FOaD" to them, Microsoft might actually start taking their responsibilities seriously?

    1. Agent Zoil

      Re: Coming home to roost.

      I am glad to see someone has enough clout to get Microsnot to actually do something about it. MS has been the biggest spam/scammer source in my system for ages. But as just a drop in the bucket there is no way for little me to get them to give a &$@#.

      The mail headers from the daily poundings I get through MS show this...

      X-Ms-Exchange-Authentication-Results: spf=fail (sender IP is 45.156.21.51) smtp.mailfrom=t6DGGXCf.onmicrosoft.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=t6DGGXCf.onmicrosoft.com;

    2. alanjmcf

      Re: Coming home to roost.

      In the default case email from all ‘vanity’ domains will be DKIM signed with the THING.onmicrosoft.com domain, Google Workspace does something similar. So the receiver will see them only as signed but NOT ‘in alignment’ (eg signing domain isn’t the same as the From domain, etc). With receivers getting more strict, senders need to be fully compliant now.

      Of course, the onmicrosoft sourced emails will be DKIM compliant by default. :-,)

  5. Anonymous Coward
    Anonymous Coward

    I'm sure the two dozen people with Yahoo email will be distraught at this development

    1. Anonymous Coward
      Anonymous Coward

      Sure it's that many?

      1. Paul Crawford Silver badge

        You may laugh...yes, I know now please stop laughing...but I have found my Yahoo spam-sink email has been much less of a crap show than any attempts with MS for a free low-value email address in the past.

    2. Korev Silver badge
      Windows

      I still have mine, I should get around to doing this year's check...

    3. rg287 Silver badge

      You jest, but I recently took over as Membership Secretary for a small sports association.

      Of the 70-odd email addresses in our membership list (told you it was small), the following domains showed up:1

      Gmail: 16

      Yahoo: 11

      btinternet: 10

      Hotmail: 8 (plus an @live and @outlook, so 10 for Microsoft)

      AOL: 6

      Sky: 5

      Plus a smattering of oddballs - protonmail, gmx, tiscali, blueyonder

      I was surprised at quite how many people have custom domains. I know a couple of those are hosted on M365, so chalk up a couple more for MS. Couple of work-looking domains as well (why do people do this?).

      We constantly hear that "mail is just Microsoft vs. Google", but it doesn't seem to be quite the case, at least not for this (admittedly small) sample. At least in the UK, btinternet has a sizeable chunk of the market (at least amongst the older/account-holding demographic. The youth are probably more on the gmail they got when they were 14). Yahoo is surprisingly dominant.

      1. .com and .co.uk addresses are aggregated since we're really talking about providers, even though in actual mail terms they'd be treated as totally separate domains.

      1. azander

        AOL is hosted on Yahoo these days.

    4. PRR Silver badge

      > the two dozen people with Yahoo email will be distraught at this development

      Citation?

      Aside from Yahoo, other mega-ISPs moved their freemail to Yahoo. ATT.NET and WORLDNET.ATT.NET moved to Yahoo a decade ago. Yahoo was semi-successful monetizing portals which AT&T was never good at, so they could do free.

      For much of the decade ATT/Yahoo mail was as good as G-mail, pretty much. (Aggravating but free, so....)

      IMHO MS's mail services are very much worse than Gmail or Yahoo, and have been for a couple of decades.

  6. F. Frederick Skitty Silver badge

    Suspect this is similar to the cock up 123 Reg (now a GoDaddy subsidiary) made when moving their hosted email service to a new system. They didn't even implement DKIM, and every email from accounts that has been moved was blocked when sent to a Gmail email address. Took two weeks to get it sorted.

  7. Rich 2 Silver badge

    AOL

    AOL??? That still exists???

    Actually, Yahoo???….

    1. andy the pessimist

      Re: AOL

      My IFA still uses AOL.com.

    2. John Brown (no body) Silver badge

      Re: AOL

      "AOL??? That still exists???"

      I thought that until a couple of days ago when I noticed two different signed vans, different business, parked next to each other, both with AOL email addresses on the side. :-)

      1. Mike007 Bronze badge

        Re: AOL

        I always laugh at the fact that it cost them hundreds of £ to write "I am not professional enough to invest in an £8/year domain name for my company" on the side of their van...

        One man band with sales@company.co.uk and a memorable phone number with repeating digits on their van? Approved!

        1. Necrohamster Silver badge

          Re: AOL

          Mr. (or Mrs) One (wo)man band's target audience doesn't care that they've got an aol.co.uk email, or that they've had the same phone number since they got his first phone on Cellnet back in the 90s.

    3. Anonymous Coward
      Anonymous Coward

      Re: AOL

      Despite >21 years of trying to get her to change to something else, my wife still uses an AOL email address.

    4. Elongated Muskrat Silver badge

      Re: AOL

      If you've had the same email address for a quarter of a century, you get used to it.

  8. Snake Silver badge

    Yep

    Yes indeed, happened to me just this week with a client. Finally got them to send me an email from their Yahoo account, to which I could respond.

  9. tony72

    One found emails were DKIM signed by the onmicrosoft.com subdomain rather than the actual sending domain. They set up DKIM for the actual sending domain, and all was well.

    Microsoft was prompting to check this back in February, if not before, there was an alert either on the 365 admin centre or the Exchange admin page. I sorted ours on the 13th. No idea if that's actually the "fix", but emails to the one AOL contact that I know about seem to have been getting through fine in the last week.

    1. Justin Pasher

      Enforcing DMARC

      Absolutely. AOL/Yahoo[1] and Google[2] both made announcements about stricter DMARC validation, which requires either SPF or DKIM alignment. SPF alignment can be tricky if you don't have control over the envelope sender (the "internal" address usually used for bounce backs). DKIM alignment requires the signing domain to match the From header. The article itself mentions that someone fixed their problem by setting up proper DKIM signing. It's very unlikely to be IP address based, even though there are miscreants that use Microsoft email services.

      All that being said, Yahoo has always been a joke for email deliverability. Their solution to reducing spam is basically "accept fewer emails." If you are a bulk sender (and sometimes not), they will randomly start throttling you and return a generic "deferred due to user complains" message, which is completely bogus. Anyone that has a Yahoo email address should not expect reliable email delivery.

      [1] https://blog.postmaster.yahooinc.com/post/730172167494483968/more-secure-less-spam

      [2] https://blog.google/products/gmail/gmail-security-authentication-spam-protection/

      1. psychonaut

        Re: Enforcing DMARC

        Exactly this. If they haven't enabled their actual domains dkim on their 365 account and set up the cnames in their dns, along with a proper spf record, with a -all not a ~all and a dmarc record, yahoo and many others will bounce their spam looking emails . I hate yahoo, but this isn't an ms issue or a yahoo issue, this is a "I don't know shit about how to set up 365 properly" issue

  10. Keith Langmead

    Proactive monitoring perhaps?

    "However, it is also all too easy to trip up and for users to find themselves on an SBL without realizing it until the emails stop being delivered."

    However, it's also all to easy to setup monitoring and alerting to check whether your outbound email IPs have appeared on certain SBLs, so you can do something about it proactively!

    Hmmm, maybe that was handled in the past by the same team who tested their patches before they were publically released... so no longer gets done.

  11. Blackjack Silver badge

    People still use Yahoo and AOL emails? I deleted my accounts on those years ago due to safety concerns.

  12. Tron Silver badge

    You really need a plan B.

    Especially for medical stuff. Tech just isn't resilient. These screw-ups will multiply like tribbles when people switch to increasingly less competent staff and then to AI systems, ditching their customer service for bots.

    If you can't work without tech, it is only a matter of time before you are screwed. Have a plan B. Whether you phone or send postcards or accept cash. Have a plan B.

    1. MatthewSt Silver badge

      Re: You really need a plan B.

      That's why so many apps have their own notification/communication methods now. You control both sides of the channel, can monitor delivery, where/when it's been read etc.

      1. john.jones.name
        Mushroom

        no the issue is trusting AV/mailware i.e. .trendmicro.eu

        the problem is they only have 1 MX server and thats prefilter.emailsecurity.trendmicro.eu.150.70.226.147 its borked

        email has failover and preferences for mail exchanging systems only using 1 trendmicro.eu is a bad design it should have a failover on a different domain at the very least...

        even Microsoft know better...

  13. Anonymous Coward
    Anonymous Coward

    Enable DKIM

    I enable DKIM by default now for every domain our clients use in 365. All you need to do is add a couple of CNAMES to your DNS and turn it on.

    Been doing this for the last couple of years. You need DKIM working properly before you look at turning on DMARC.

  14. biddibiddibiddibiddi

    If people are getting NDRs which indicate the anti-spam service that blocked it, why hasn't that become public instead of us reading an article that repeatedly mentions it being an unknown service that Microsoft is talking to? And why is it taking so long to identify the IPs involved? The NDR usually specifically tells you which one.

    1. psychonaut

      There will be a lot of ip addresses, each ndr will only list one, the one it was sent through.

      1. biddibiddibiddibiddi

        Yes but that IP is part of a range. Surely Microsoft can say "Our mail servers use x.x.x.x through y.y.y.y", please allow those through." and the anti-spam provider can scan their list of blocked IPs and uncheck the boxes for all the ones within that range. Surely they don't have a single employee manually looking through a paper list for each IP one by one.

  15. alanjmcf

    Can all folks running Office 365 and have admin privileges check that DKIM is enabled for all their domains. Check each domain in https://security.microsoft.com/dkimv2 is Enabled. If not copy the two DNS records it displays into your DNS, wait a wee while, and click Enable again. See https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide#configure-dkim-signing-of-outbound-messages-in-microsoft-365

    If you’re in Google Workspace (or whatever they call it now), see https://support.google.com/a/answer/180504?hl=en

    The problem here is mail admins who are living in the past and aren’t keeping up to date with email standards, in particular DKIM. We’ve been setting it up for our customers for years, but when we bring new customers on board we find their previous MSP has done nada! Google and Yahoo have started enforcing it on emails they receive, in particular for domains sending more than 5000 emails per 24 hours. https://www.valimail.com/blog/navigating-the-new-gmail-sender-landscape/

    There have been multiple Message Centre posts in Office 365 warning of this. It might end up that Microsoft need to start popping-up warnings in Outlook, or even blocking sending if folks don’t get their fingers out and configure DKIM. I suspect they will also make another sending pool for all domains without DKIM enabled properly, so that their bad reputation doesn’t affect the rest.

    Finally If you’re on your web hosts’s email say, DKIM might well not be supported. That’s the case for LiveMail at FastHosts for instance. https://help.fasthosts.co.uk/app/answers/detail/a_id/3700/~/what-is-dkim-and-can-i-use-it%3F

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like