BLOG

Office365/EOP IPv6 changes starting today

Terry Zink at Microsoft posted earlier this week that Office365/Exchange Online Protection will have a significant change this week. Office365 uses Exchange Online Protection (EOP) for spam filtering and email protection. One of the requirements to send to EOP over IPv6 is to have the email authenticated with either SPF or DKIM.  If the mail sent to Office365/EOP over IPv6 is not authenticated with SPF or DKIM, EOP would reject the message with a 554 hard bounce message.  Most mail servers accept the 554 status code and would not retry the message.  After multiple 5xx hard bounces to an email address, many mail servers would unsubscribe the user from future email campaigns.  The update starting today April 24, will change the error status code for unauthenticated mail to EOP from a 554 hard bounce to a 450 soft bounce and a RFC-compliant and properly configured mail server would then retry the message.
Prior to April 24, 2015, EOP responds to unauthenticated mail with a status code of: “554 5.7.26 Service Unavailable, message sent over IPv6 must pass either SPF or DKIM validation”.

Starting April 24, 2015, EOP will respond with “450 4.7.26 Service unavailable, message sent over IPv6 must pass either SPF or DKIM validation”.

This means the sending mail server should retry the message to another MX server and if the sending mail server is dual stacked (sending on IPv6 and IPv4) it will try sending to the IPv6 MX server first then attempt to send the retry to a IPv4 MX server.
If you are sending over IPv6, Office 365/EOP also requires that the sending mail server IP address have a PTR record and if the sending mail server does not, EOP will reply with a hard bounce message of “550 5.7.25 Service unavailable, sending IPv6 address [$SenderIPAddress] must have a reverse DNS record”. There will be no change to PTR requirement for EOP, however all sending mail servers should have a PTR record.

1 comment

  1. Steevo says

    All these complicated changes to EOP, very technical. Hard for civilians to comply with.
    As usual the only senders who will scrupulously comply with all the requirements are spammers. Heh.
    They are always the first to adopt anything that changes in email. SPF, DKIM, you name it, when it had to be implemented they did it first!

Comment:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.