On 14/05/2025 17.13, Mark Alley via mailop wrote:
> It's been mentioned several times here already, but Microsoft has
> had known issues with DNS timeouts related to DKIM verification for
> a very long time now. You're likely just now experiencing it more
> directly with their recent policy changes.
>
> Over 99% of ${dayjobs} DKIM verification failures (numbering in the
> millions) are from specifically OLC, outstripping all other DMARC
> reporting receivers combined. Even upping TTL has almost no effect
> unfortunately.

We've also experienced this, because we host lots of scientific working
group mailing lists, and every so often emails to M365-hosted domains
(who have DMARC "p=reject") just get rejected with something like:

    Authentication-Results: spf=pass (sender IP is 2001:708:10:6004::14)
     smtp.mailfrom=postit.csc.fi; dkim=fail (no key for signature)
     header.d=DOMAIN; dmarc=fail action=oreject header.from=DOMAIN;
     compauth=fail reason=000

Even though they certainly have the appropriate DKIM keys in their
(MS-hosted) name service. It turns out Microsoft is aware of this,
but apparently have not made a public ticket about it (this message
from 2025-03-06):
https://forum.dmarcian.com/t/dkim-verification-failures-microsoft-365-exchange-online/2679/2
--
/* * * Otto J. Makela <[email protected]> * * * * * * * * * */
/* Phone: +358 40 765 5772, ICBM: N 60 10' E 24 55' */
/* Mail: Mechelininkatu 26 B 27, FI-00100 Helsinki */
/* * * Computers Rule 01001111 01001011 * * * * * * */
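
A triage sketch for the rejection shown above, added here as an example and not part of the original message: it parses Authentication-Results values and counts failed DKIM results by signing domain and failure comment, so bounces matching `dkim=fail (no key for signature)` can be separated from other failures. The function names and the second and third sample headers are constructed for illustration.

```python
import re
from collections import Counter

# One result: method=result, optional "(comment)", then property=value pairs.
RESINFO = re.compile(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)\s*(?:\(([^)]*)\))?(.*)",
                     re.I | re.S)
PROP = re.compile(r"([a-z0-9.-]+)\s*=\s*(\S+)", re.I)

def parse_authres(value):
    """Split an Authentication-Results value into one dict per method result."""
    entries = []
    for part in " ".join(value.split()).split(";"):  # unfold lines, then split
        m = RESINFO.fullmatch(part)
        if not m:
            continue  # authserv-id (absent in the header above) or empty part
        method, result, comment, rest = m.groups()
        entries.append({"method": method.lower(), "result": result.lower(),
                        "comment": (comment or "").strip(),
                        "props": {k.lower(): v for k, v in PROP.findall(rest)}})
    return entries

def dkim_failures(value):
    """Return (header.d, comment, DMARC action) for each failed DKIM result."""
    entries = parse_authres(value)
    action = next((e["props"].get("action", "") for e in entries
                   if e["method"] == "dmarc"), "")
    return [(e["props"].get("header.d", ""), e["comment"], action)
            for e in entries if e["method"] == "dkim" and e["result"] == "fail"]

def tally(headers):
    """Count failed DKIM results per (header.d, comment) across many headers."""
    return Counter((d, c) for h in headers for d, c, _ in dkim_failures(h))

# First value is the header quoted in the message above (DOMAIN as posted);
# the other two are constructed samples for contrast.
SAMPLES = [
    """spf=pass (sender IP is 2001:708:10:6004::14)
 smtp.mailfrom=postit.csc.fi; dkim=fail (no key for signature)
 header.d=DOMAIN; dmarc=fail action=oreject header.from=DOMAIN;
 compauth=fail reason=000""",
    "spf=pass smtp.mailfrom=lists.example.org; dkim=pass (signature was "
    "verified) header.d=example.org; dmarc=pass action=none",
    "spf=pass smtp.mailfrom=lists.example.org; dkim=fail (body hash did not "
    "verify) header.d=example.org; dmarc=fail action=oreject",
]

print(tally(SAMPLES))
```

A count dominated by "no key for signature" for domains whose selector records resolve from elsewhere matches the pattern described in this thread; the header alone does not show why the receiver's lookup failed.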