Microsoft’s Strict Auth Enforcement, DNS Issues & Workaround

Microsoft’s recent move to strictly enforce SPF, DKIM and DMARC authentication is causing widespread delivery issues for legitimate senders, according to many in the industry. Josephine Skinner, Deliverability Engineer at Mailkit/Omnivery, has publicly shared her findings and mitigation strategies, highlighting how long-standing DNS resolution problems at Microsoft are now creating significant disruption across the industry. This was also covered by Steve Atkins on the Word to the Wise blog just yesterday, and his post provides a solid technical take on what is happening.

Microsoft’s DNS Resolution Problems Come to the Fore

Mailkit reports that Microsoft’s DNS lookups have been unreliable for years, often producing false authentication failures. This issue was historically seen in DMARC reports as unexplained DKIM failures—now exacerbated by Microsoft’s tougher enforcement policies.

A key finding is the correlation between DNS record TTL (Time to Live) values and Microsoft’s ability to resolve authentication records correctly:

  • TTL of 300 seconds – ~20–30% DKIM failures reported in Microsoft DMARC reports.
  • TTL ≥3600 seconds (recommended) – significantly fewer failures.
  • TTL of 86400 seconds (ideal for DKIM keys) – best results to date.

Despite this, Mailkit says it is still seeing occasional authentication failures for records with optimal TTLs, indicating that the underlying DNS resolution issue remains unresolved.

SPF Failures Tied to Macros

Microsoft’s DNS caching limitations also appear to affect SPF resolution, particularly when macros are used:

  • 1–3% failure rate observed when SPF macros are present.
  • <0.1% failure rate for static SPF records with high TTLs (86400 seconds).

This further supports Mailkit’s assessment that the root problem lies with Microsoft’s DNS resolution rather than with senders’ authentication setups.

A Temporary Fix/Workaround: Retry on Tempfails

Mailkit/Omnivery has implemented a temporary workaround to reduce bounce rates. Because their system never sends unauthenticated messages, they treat authentication-related bounces from Microsoft as temporary failures (tempfails) and retry delivery after five minutes.

The results have been striking: once Microsoft successfully resolves the DNS records on the second attempt, bounce rates for Outlook recipients drop to almost zero.

However, Mailkit warns that this approach is a “hack, not a solution.” The long-term impact on sender reputation is still unknown, and Josephine Skinner cautions other ESPs to proceed carefully, particularly if bounce volumes are high.

This fix is in line with what is recommended by Steve at Word to the Wise in the recent post “Don’t Make Your DNS Too Short”.

Call for Industry Collaboration

Mailkit/Omnivery is inviting other ESPs and deliverability professionals to share data and experiences, particularly regarding mail encoding practices and DNS configuration strategies. Skinner hopes an open dialogue will help the industry better understand and mitigate these Microsoft-specific issues.

What Senders Can Do Now

For email professionals affected by these issues, Mailkit recommends:

  1. Increase DNS TTLs – at least 3600 seconds, ideally 86400 for DKIM keys.
  2. Consider retrying tempfail bounces – but monitor closely for any reputation impact.
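To turn the first recommendation into a repeatable check, here is an added Python example (not Mailkit’s, Omnivery’s or Microsoft’s code) that audits BIND-style TXT records for DKIM/SPF TTLs below the article’s 3600 s and 86400 s thresholds and for SPF macro use; the zone lines, names and key material are constructed placeholders.

```python
import re
import shlex
from collections import namedtuple

MIN_TTL = 3600      # article: at least 3600 s for authentication records
IDEAL_TTL = 86400   # article: ideally 86400 s for DKIM keys (static SPF also did best here)
SPF_MACRO = re.compile(r"%\{")  # start of an SPF macro expansion (RFC 7208, section 7)

Record = namedtuple("Record", "name ttl value")

def parse_txt_line(line):
    # BIND-style line: NAME TTL IN TXT "chunk" ["chunk" ...]; quoted chunks are concatenated
    parts = shlex.split(line)
    if len(parts) < 5 or parts[2].upper() != "IN" or parts[3].upper() != "TXT":
        return None
    return Record(parts[0].rstrip("."), int(parts[1]), "".join(parts[4:]))

def audit(record):
    # Return finding tags for one TXT record, based on the article's observations
    findings = []
    val = record.value.strip()
    if val.lower().startswith("v=spf1"):
        if SPF_MACRO.search(val):
            findings.append("spf-macro")          # 1-3% failures observed with macros
        if record.ttl < MIN_TTL:
            findings.append("spf-ttl-low")
    elif "_domainkey" in record.name or val.lower().startswith("v=dkim1"):
        if record.ttl < MIN_TTL:
            findings.append("dkim-ttl-low")       # ~20-30% DKIM failures seen at 300 s
        elif record.ttl < IDEAL_TTL:
            findings.append("dkim-ttl-below-ideal")
    return findings

def audit_zone(text):
    # Map each TXT record name to its findings; comment lines and non-TXT records are skipped
    results = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):
            continue
        rec = parse_txt_line(line)
        if rec is not None:
            results[rec.name] = audit(rec)
    return results

# Constructed sample zone data: placeholder names, addresses and key material, not real records
SAMPLE_ZONE = """\
example.com.               300   IN TXT "v=spf1 exists:%{i}._spf.example.com -all"
static.example.com.        86400 IN TXT "v=spf1 ip4:192.0.2.0/24 -all"
s1._domainkey.example.com. 300   IN TXT "v=DKIM1; k=rsa; p=MIIB" "placeholder"
s2._domainkey.example.com. 3600  IN TXT "v=DKIM1; k=rsa; p=MIIBplaceholder"
s3._domainkey.example.com. 86400 IN TXT "v=DKIM1; k=rsa; p=MIIBplaceholder"
"""
```

Running `audit_zone(SAMPLE_ZONE)` flags the macro-based SPF record and the 300 s DKIM key, marks the 3600 s key as below ideal, and passes the 86400 s records.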

Edited Clarification:
Note that the use of SPF macros does appear to make SPF records harder for Microsoft to cache.

Emailexpert Editorial Team
Articles published under this byline are produced by the Emailexpert editorial staff and contributors. Content reflects collective reporting and review rather than the work of a single author.