Hosting your own email server and getting block list related “Undelivered Mail Returned to Sender” errors (e.g. S3150) for Microsoft hosted email domains like hotmail.com? Read on to find out how to reliably work around this issue quickly.
Well, I would bet everyone who operates his own email server once ran into this problem.
Out of nowhere emails addressed to Microsoft hosted email domains (like hotmail.com, hotmail.de, outlook.com, outlook.de, etc.) bounce back with some kind of spam/block list related error message.
In my case it was:
This is the mail system at host somehost.somedomain.tld.
I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
<email@example.com>: host eur.olc.protection.outlook.com[188.8.131.52] said: 550 5.7.1 Unfortunately, messages from [**.***.***.***] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3150). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [DB3EUR04FT004.eop-eur04.prod.protection.outlook.com] (in reply to MAIL FROM command)
It may be different errors in your case. But in my case it was just totally unclear what the problem was. I studied the information Microsoft gives under the link and spent hours trying to figure out what I could do to sort the problem out. But in my eyes I already followed their rules. I am also a member of their SNDS (Smart Network Data Service) and JMRP (Junk Mail Reporting Program) and spent additional hours to find useful information there. Nothing. I ended up using this link to open a support ticket: https://support.microsoft.com/en-us/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75. I did that 6 days ago and the problem still persists. None of my emails are delivered to Microsoft hosted email domains. Correspondence with Microsoft so far was super-slow and not helpful at all. Maybe I will do a separate blog post to document it.
For someone who operates an email server it is a nightmare when legitimate emails can’t be delivered. It’s annoying for the sender as well as for the recipient – something Microsoft doesn’t seem to care about although they are harming their own customers. This is true if it doesn’t work for hours. But it gets worse if it takes days or even weeks to solve the problem.
To cut a long story short: we need a workaround that helps instantly without depending on Microsoft’s mercy to help us!
As this happened to me many times and always took many days to sort out I found the following, very reliable solution for me.
Will this guide work for you?
This guide will likely work for you, if
- you have email delivery problems because you are listed on a block list
- you have email delivery problems with Microsoft because you trigger one of their secret spam detection rules
- Microsoft silently drops emails sent by your server
  - I’m not kidding: I experienced cases where an email was sent, accepted by Microsoft servers for delivery but then just disappeared. No error message to the sender, no information for the recipient, no information to the postmaster
- you send legitimate non-spam emails
This guide will not work for you, if
- you have email delivery problems that are not related to block lists or spam rejects (e.g. recipient’s mailbox is over quota, email address doesn’t exist, etc.)
- you are really sending spam
- your Postfix server is severely misconfigured (e.g. as an open relay, really allowing sending of spam)
We have to relay our emails through an email server that Microsoft already trusts. In this guide I will use Mailjet for this.
This guide is written for a working Postfix setup.
- You need access to the DNS records of the domain you plan to send emails for because we need to add/modify some TXT records
- You need root access to your Postfix server
For the Pros: This Guide in a Nutshell
If you want to read all details just skip this section and start with Step 1.
But in case you are a professional and know your stuff, this guide may be far too detailed for you. So here is the short version of it:
- Set up a free Mailjet account (step 1)
- Get your SMTP relay credentials and server information from Mailjet (step 2)
- Add DNS record to validate your domain (step 3, step 4)
- Add DNS records (SPF/DKIM) for domain authentication (step 5, step 6)
- Configure Postfix to relay specific recipient domains through Mailjet servers (step 8)
- Test mail delivery (step 9)
Step 1: Setup your Mailjet-Account
- Go to https://app.mailjet.com/signup, enter your email, choose a password, check the “I’m not a robot” checkbox and hit “Sign up!”
- Fill out your profile in the appearing form, and click “Complete Signup”
- Wait for an email from Mailjet and click the activation button
- Clicking the activation link brings you to a welcome page. Click “Get started” in the “Developer” section
- Under “Sending method” choose “SMTP relay” and click “continue”
Step 2: Write Down Credentials and Server Information
- If you followed step 1 you now see a “Configure” section telling you your credentials and server information
- Write this information down; we will need it later
- SMTP Server
In this guide I will use the following credentials/server:
These credentials of course are only placeholders. If referenced somewhere in this guide please replace those with your own!
Step 3: Start Validating your Domain
To be able to send emails for your domain you have to validate it first. Mailjet will not accept emails for domains that you don’t own or haven’t validated. For this you need access to the DNS records of your domain.
- In your Mailjet account visit your “Account settings”
- In the “Senders & Domains” section click “Add a Sender Domain or Address”
- In the “Domains” section click “+ Add domain”
- Under “any@” enter your domain (I will use yourdomain.xyz in this guide)
- Under “Label” enter a label for your domain (maybe your domain name, too)
- Click “Continue”
Step 4: Add DNS Record for Domain Validation
Note: How to add or change DNS records in your case is beyond the scope of this guide. It completely depends on your registrar, or maybe it is even a separate service, e.g. if you are using Cloudflare or something.
But it should be very easy to figure out how to add a TXT record to your domain.
- Completing step 3 you now should see two options for validations
- We focus on “Option 2: Create a DNS record”
- Use the information to add a DNS record to your domain. Screenshot on the right shows how it looks in the GUI of my DNS service provider. It will look different in yours.
- After adding the TXT record click “Check now” in the Mailjet GUI
- It may take some time for your DNS service provider to propagate your changes. So you may have to wait and check again multiple times
- If adding the TXT record was successful you receive a success message
Step 5: Start Authentication Setup
Setting up authentication is essential. Many email servers either reject emails or classify them as spam if we don’t set SPF/DKIM up properly. Good news: it is very simple to do with Mailjet. They tell you exactly what to do and even sign (DKIM) emails that you relay through their servers. Here are the simple steps you have to do:
- Completing step 4 you are now on the screen that gave you the success message
- Click “Authenticate this domain (SPF/DKIM)”
- Wait a few seconds and “Click here to refresh” in the “Set up SPF” section
Step 6: Add/change DNS records for Domain Authentication (SPF/DKIM)
- Completing step 5 you should now see information about two TXT entries you have to add/change in your DNS records
- Make those changes with your DNS service provider (I made a screenshot to show how it looks in my case, please use your own data that Mailjet shows to you)
- If you made your changes click “FORCE REFRESH”
- If everything went well you get two success messages like “Your SPF record looks good!” and “Your DomainKey record looks good!”
Step 7: Repeat Steps 3 – 6 for each domain
- If your mailserver is responsible for multiple domains you have to repeat steps 3 – 6 for each of them
Step 8: Configure Postfix to Relay through Mailjet Servers
Login to Your Postfix server
- First of all log in to your Postfix server (maybe via SSH)
sudo cp /etc/postfix/main.cf /etc/postfix/main.cf_bkp_$(date +%y%m%d_%H%M%S)
sudo cp /etc/postfix/sasl/sasl_passwd /etc/postfix/sasl/sasl_passwd_bkp_$(date +%y%m%d_%H%M%S)
sudo cp /etc/postfix/transport /etc/postfix/transport_bkp_$(date +%y%m%d_%H%M%S)
sudo nano /etc/postfix/sasl/sasl_passwd
sudo postmap /etc/postfix/sasl/sasl_passwd
sudo nano /etc/postfix/transport
hotmail.com smtp:[in-v3.mailjet.com]
hotmail.co.uk smtp:[in-v3.mailjet.com]
hotmail.fr smtp:[in-v3.mailjet.com]
hotmail.de smtp:[in-v3.mailjet.com]
outlook.com smtp:[in-v3.mailjet.com]
outlook.de smtp:[in-v3.mailjet.com]
outlook.fr smtp:[in-v3.mailjet.com]
outlook.be smtp:[in-v3.mailjet.com]
outlook.in smtp:[in-v3.mailjet.com]
live.com smtp:[in-v3.mailjet.com]
sudo postmap /etc/postfix/transport
sudo nano /etc/postfix/main.cf
[...]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
transport_maps = hash:/etc/postfix/transport
[...]
sudo /etc/init.d/postfix reload
- If Postfix reloads without giving an error message you should be done
Congratulations! Your emails to Microsoft hosted email domains should now be relayed through Mailjet’s servers and reach the inboxes of Microsoft users.
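A consistency check for the files edited in Step 8, as an added example that is not part of the original guide: it flags a credentials file readable by group or others, a `.db` file that is missing or older than its source, and an active `smtp:` next hop without a matching `sasl_passwd` key. The function name `check_relay_maps` is hypothetical, and the `sasl_passwd` entry is assumed to have the usual Postfix form `[in-v3.mailjet.com] API_KEY:SECRET_KEY` (placeholders).

```shell
#!/bin/sh
# Added example (not from the original guide); check_relay_maps is a made-up name.
# Usage: check_relay_maps /etc/postfix/transport /etc/postfix/sasl/sasl_passwd
# Prints one line per finding; returns 0 if there is none, 1 otherwise.
check_relay_maps() {
    transport=$1; sasl=$2; rc=0

    # The relay password is stored in clear text: no group/other read access.
    if [ -n "$(find "$sasl" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "PERM: $sasl is readable by group or others (chmod 600)"; rc=1
    fi

    # hash: tables are served from FILE.db, so an edit without postmap is ignored.
    for f in "$transport" "$sasl"; do
        if [ ! -e "$f.db" ] || [ "$f" -nt "$f.db" ]; then
            echo "STALE: $f.db is missing or older than $f (run postmap)"; rc=1
        fi
    done

    # Postfix looks credentials up by next hop, so each active smtp: next hop
    # needs a sasl_passwd key written the same way, brackets and port included.
    # Assumed entry form: "[in-v3.mailjet.com] API_KEY:SECRET_KEY" (placeholders).
    awk -v sasl="$sasl" '
        $1 ~ /^#/ { next }                       # commented-out rule or entry
        FILENAME == ARGV[1] {                    # first file: sasl_passwd
            if ($2 ~ /^.+:.+$/) cred[$1] = 1
            next
        }
        $2 ~ /^smtp:/ {                          # second file: transport
            hop = substr($2, 6)
            if (!(hop in cred) && !(hop in seen)) {
                seen[hop] = 1; bad = 1
                print "MISSING: no user:password entry keyed " hop " in " sasl
            }
        }
        END { exit bad + 0 }' "$sasl" "$transport" || rc=1
    return $rc
}
```

The main.cf excerpt above shows no TLS setting for the relay connection; `postconf smtp_tls_security_level` shows whether Postfix requires TLS before it sends the SASL login.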
Step 9: Test if Emails are Really Relayed, Delivered and DKIM-Signed
Received: from VI1EUR05HT219.eop-eur05.prod.protection.outlook.com (2603:10a6:6:2a::28) by DB8PR03MB5628.eurprd03.prod.outlook.com with HTTPS via DB6PR07CA0066.EURPRD07.PROD.OUTLOOK.COM; Fri, 10 Jul 2020 11:31:12 +0000
Received: from VI1EUR05FT064.eop-eur05.prod.protection.outlook.com (2a01:111:e400:fc12::52) by VI1EUR05HT219.eop-eur05.prod.protection.outlook.com (2a01:111:e400:fc12::232) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3174.21; Fri, 10 Jul 2020 11:31:12 +0000
Authentication-Results: spf=pass (sender IP is 184.108.40.206) smtp.mailfrom=bnc3.mailjet.com; hotmail.com; dkim=pass (signature was verified) header.d=yourdomain.xyz;hotmail.com; dmarc=bestguesspass action=none header.from=yourdomain.xyz;compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of bnc3.mailjet.com designates 220.127.116.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.104.22.168; helo=o164.p8.mailjet.com;
Received: from o164.p8.mailjet.com (22.214.171.124) by VI1EUR05FT064.mail.protection.outlook.com (10.233.243.113) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3174.21 via Frontend Transport; Fri, 10 Jul 2020 11:31:12 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:FF778753C27D023279D1606619ACA388E98A135233AC294969D01225BF889963;UpperCasedChecksum:58E61C48B36FD75CFCC9F24BDE894691AB04158A36A474E480B28D3F0CB42A3B;SizeAsReceived:4968;Count:20
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; q=dns/txt; d=yourdomain.xyz; firstname.lastname@example.org; s=mailjet; h=message-id:mime-version:from:to:subject:date:list-unsubscribe-post:list-unsubscribe: autocrypt:feedback-id:x-csa-complaints:x-mj-mid:x-mj-smtpguid:x-report-abuse-to: x-virus-scanned:content-type:content-transfer-encoding:content-language; bh=ejeblXPV3PshDlU281l3Kl7YA1WqBqgPvBVNFbTdi08=; b=b/ePYe+dtzB97i/yrc7yehKHmVLXR8bhwvQqOjXEWWwxkBsiDmYtae9oN gkK/dC6Yu2vAJLYomKzlVVIdOGSdGQeevYSmLpfMaaz6RHXEZSb1l+hHrF09 mHnN7au5CO+YbyijGCbWs37r+ctey2BuKrU2FP+Se9o+rh2Hy6X3Uk=
Return-Path: 535df2d3.AVYAAAY107kAAAAAAAAAALSfEeUAAYCsO8oAAAAAABRvmgBfCFF_@bnc3.mailjet.com
Message-Id: <535df2d3.AVYAAAY107kAAAAAAAAAALSfEeUAAYCsO8oAAAAAABRvmgBfCFF_@mailjet.com>
- Note the references to mailjet servers as well as the added DKIM signature that is automatically added by Mailjet and helps you to pass Microsoft’s sensitive filters
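The header check from Step 9 as an added example (not part of the original guide): it reads the topmost `Authentication-Results` header and reports which passing mechanism is actually for your domain. With a relay, SPF passes for Mailjet's bounce domain (`smtp.mailfrom=bnc3.mailjet.com` above), so the DKIM signature with `header.d=yourdomain.xyz` is what ties the message to your domain. The function names are hypothetical, the sample headers are constructed, and alignment is approximated as an exact or subdomain match.

```shell
#!/bin/sh
# Added example (not from the original guide); function names are made up.
# check_relay_auth DOMAIN [HEADER_FILE]   (reads stdin when no file is given)
# Prints "dkim=R(d) spf=R(mailfrom) aligned_by=dkim|spf|none" and returns 0
# only if a passing result is for DOMAIN or one of its subdomains.
check_relay_auth() {
    awk -v dom="$1" '
        function field(s, key,    i, v) {     # value after "key=", up to ; or blank
            i = index(s, key "=")
            if (!i) return "none"
            v = substr(s, i + length(key) + 1)
            sub(/[; \t].*$/, "", v)
            return tolower(v)
        }
        function ours(d) {                    # d is DOMAIN or a subdomain of it
            return d == dom || (length(d) > length(dom) &&
                   substr(d, length(d) - length(dom)) == "." dom)
        }
        function keep(h) {                    # first one from the top = added last
            if (ar == "" && tolower(h) ~ /^authentication-results:/) ar = h
        }
        BEGIN    { dom = tolower(dom) }
        $0 == "" { exit }                     # end of the header block
        /^[ \t]/ { cur = cur " " $0; next }   # unfold a continuation line
                 { keep(cur); cur = $0 }
        END {
            keep(cur)
            dkim = field(ar, "dkim"); d = field(ar, "header.d")
            spf  = field(ar, "spf");  m = field(ar, "smtp.mailfrom")
            by = "none"
            if (spf == "pass" && ours(m)) by = "spf"
            if (dkim == "pass" && ours(d)) by = "dkim"
            printf "dkim=%s(%s) spf=%s(%s) aligned_by=%s\n", dkim, d, spf, m, by
            exit (by == "none")
        }' "${2:--}"
}

# Constructed sample modelled on the Step 9 header; 192.0.2.10 is a documentation IP.
sample_headers() {
    cat <<'EOF'
Received: from o164.p8.mailjet.com by mail.protection.outlook.com
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=bnc3.mailjet.com; hotmail.com; dkim=pass (signature was verified)
 header.d=yourdomain.xyz;hotmail.com; dmarc=bestguesspass action=none
 header.from=yourdomain.xyz;compauth=pass reason=109
Subject: relay test
EOF
}
sample_headers | check_relay_auth yourdomain.xyz
```

Save the headers of a test message from the receiving mailbox to a file and pass it as the second argument; only the `Authentication-Results` header added by the receiving provider is meaningful.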
As email delivery to Microsoft hosted email domains is working now you can lean back and sort those problems out without any pressure. This workaround would even work forever.
If your delivery problems are solved you may want to deactivate relaying by Mailjet. But as this kind of problem may reappear at any time it may be wise to keep everything in place and just deactivate the transport rules. This way you can easily turn relaying on and off whenever needed.
To turn relay off, just comment out the transport rules:
sudo nano /etc/postfix/transport
#hotmail.com smtp:[in-v3.mailjet.com]
#hotmail.co.uk smtp:[in-v3.mailjet.com]
#hotmail.fr smtp:[in-v3.mailjet.com]
#hotmail.de smtp:[in-v3.mailjet.com]
#outlook.com smtp:[in-v3.mailjet.com]
#outlook.de smtp:[in-v3.mailjet.com]
#outlook.fr smtp:[in-v3.mailjet.com]
#outlook.be smtp:[in-v3.mailjet.com]
#outlook.in smtp:[in-v3.mailjet.com]
#live.com smtp:[in-v3.mailjet.com]
sudo postmap /etc/postfix/transport
sudo /etc/init.d/postfix reload
Done. Relaying for those domains is turned off now.
If you want to reactivate: just do the same but remove the comment symbol
Limitations of Mailjet Free Plan
The free plan of Mailjet allows you to send 6,000 mails per month and is limited to 200 mails per day. It is absolutely perfect for smaller servers with low email traffic. And as we only relay to Microsoft hosted email addresses the free plan may be more than enough for you.
But if you are unsure whether this plan is big enough for you, or you are in doubt and don’t want to risk email service interruption, just upgrade to one of their bigger plans, which are very fairly priced (e.g. 30,000 mails/month for $9.95). There is no minimum contract duration and you can leave at any time. So it comes without any risk.
Microsoft’s Email Policies
Of course all email service providers have spam fighting policies in place. We know that. And it is very important. We got it.
But: Microsoft is the only email service provider that causes such massive delivery problems for me that I spent a lot of time to find a solution to work around it. If they start to reject or even silently drop your emails for whatever secret reason you are in serious trouble. Because you know: it will take a long time to get this solved.
Why do I know? I operate multiple servers and each of those ran into the same Microsoft related problems some day. It comes without warning. My last affected email server ran for years without having any problems. But all of a sudden I was placed on one of Microsoft’s block lists for unknown reasons.
I wouldn’t complain if there would be really something wrong with my server setup. I wouldn’t complain if they would protect themselves from real spam sent by my server. I wouldn’t complain if they would tell me what the exact problem is. I wouldn’t complain if other email service providers would also block my emails because there are serious issues. But all this is not the case. The by far biggest part of my email delivery problems was Microsoft related.
Googling the problems shows me that I am not alone and many operators of (especially smaller) email servers feel the same pain.
This finally brought me to write this article and I really hope it helps some of my fellow sufferers.
Although the problem was always solved by Microsoft and my servers finally were taken from their block lists,
- they never told me what the real problem was, so I will never be able to avoid whatever problems next time
- it always took a long time to solve (days/weeks, not hours)
- they in many cases told me there wasn’t any problem when I opened the first ticket. I had to be persistent and write to them again and again, begging them to throw me a bone
Fortunately I’m now prepared for the next email delivery incident!