Exchange Online blocked from sending email to AOL and Yahoo
If you're an Exchange Online user wondering why emails to Yahoo and AOL users haven't been getting through, don't worry – it isn't just you. Stricter security rules have tripped up Microsoft's email service.
The issue dates back to the end of February and is related to stricter restrictions implemented by AOL and Yahoo. Microsoft created an advisory — EX719348 — saying it was aware of the issue and was working with an unnamed third-party spam service to determine which range of its IP addresses was causing the problem.
Crooks hook hundreds of exec accounts after phishing in Azure C-suite pond Microsoft uses carrot and stick with Exchange Online admins Want a well-paid job in tech? You just need to become a cloud-native god Deluge of of entries to Spamhaus blocklists includes 'various household names' UK NHS 850k Reply-all email fail: State health service blames AccentureJudging by an update from the UK's NHS, the problem is ongoing. As of March 13, 2024, the NHS posted that Microsoft was continuing to work with the third-party anti-spam service and, "once they have isolated the IP addresses that are causing the third-party anti-spam service to block a portion of Microsoft's email IP address ranges, they will limit the mail flow as a long-term solution to prevent the issue from reoccurring."
Spam-tracking services, such as Spamhaus, maintain spam blocklists (SBL) that can block a given IP address or range from sending mail. The theory is that malicious emails can be blocked from ever troubling users' mailboxes. However, it is also all too easy to trip up and for users to find themselves on an SBL without realizing it until the emails stop being delivered.
While Microsoft works with the unnamed third-party anti-spam service, frustrated users have come up with solutions of their own. One found emails were DKIM signed by the onmicrosoft.com subdomain rather than the actual sending domain. They set up DKIM for the actual sending domain, and all was well.
DKIM – DomainKeys Identified Mail – is used to ensure an email that has claimed to come from a given domain was indeed authorized by the owner of that domain. It is not a particularly new standard, though it is easy to see how email might be rejected if it is not configured and a destination is checking it.
Microsoft noted that the problem "isn't connection method specific and thus occurs in all Exchange Online connection methods." It went on to say: "Affected users receive a Non-Delivery Report (NDR) message that references the third-party anti-spam service name that has added the IP address to their block list."
Microsoft has form regarding IP blocking, although less so when it comes to being on the receiving end. In 2019, it blocked TSO Host's email IPs from sending email to Hotmail and Outlook inboxes, leading one wag to comment, "So, as long as people with TSO mailboxes don't have any friends on Hotmail you're fine. D'oh!"
In this latest case, if you're an affected Exchange Online customer and don't need to talk to anyone using a service protected by the unnamed third party, you'll be fine.
Alternatively, perhaps just pick up the phone and have a chat. ®
