[dns-operations] Cannot send mail to outlook.com due to olc.protection.outlook.com configuration issues
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Oct 6 18:34:32 UTC 2023
On Fri, Oct 06, 2023 at 11:08:39AM -0700, Craig Leres wrote:
> I routinely find messages stuck in my sendmail queue with the error,
> "Deferred: Name server: outlook-com.olc.protection.outlook.com". This system
> uses unbound (with DNSSEC validation enabled -- perhaps not relevant) and
> the only way I was able to get one message I really needed to deliver was to
> temporarily aim resolv.conf at the google public dns resolver.
>
> outlook.com has a MX to outlook-com.olc.protection.outlook.com and the NS
> records for olc.protection.outlook.com are in o365filtering.com which has
> "issues":
>
> https://dnsviz.net/d/o365filtering.com/dnssec/
>
> An easy way to provoke this is to send a message to test at outlook.com.
>
> This has been broken for months and there are an impressive number of
> domains that use outlook.com for their mail...
>
> Rather than go down the rabbit hole of trying to engage msnhst at microsoft.com
> (which itself is broken for me) perhaps someone on this list can poke the
> right person at microsoft?
While the nameservers behind that domain have various unfortunate
limitations, they're minimally usable, and you should be able to
resolve the A/AAAA records of the MX hosts with no issue.

What specific problems is your unbound running into?  I also use
"unbound" and do not run into substantial issues with that domain:
$ dig -t a outlook-com.olc.protection.outlook.com
; <<>> DiG 9.18.14 <<>> -t a outlook-com.olc.protection.outlook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63936
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1400
;; QUESTION SECTION:
;outlook-com.olc.protection.outlook.com. IN A
;; ANSWER SECTION:
outlook-com.olc.protection.outlook.com. 300 IN A 52.101.73.0
outlook-com.olc.protection.outlook.com. 300 IN A 52.101.11.6
outlook-com.olc.protection.outlook.com. 300 IN A 52.101.8.37
outlook-com.olc.protection.outlook.com. 300 IN A 52.101.11.5
outlook-com.olc.protection.outlook.com. 300 IN A 52.101.73.27
outlook-com.olc.protection.outlook.com. 300 IN A 52.101.42.12
outlook-com.olc.protection.outlook.com. 300 IN A 52.101.73.31
;; Query time: 119 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Oct 06 14:32:53 EDT 2023
;; MSG SIZE rcvd: 179
So long as you don't try to look up TLSA records, or insist on using
EDNS(0), even after a FORMERR response, you should be fine.
--
Viktor.
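
The EDNS(0) fallback mentioned in the reply above, as an added example that is not part of the original message: a client sends a query with an OPT record, gets FORMERR, and retries once as plain DNS. `legacy_server` is a constructed stand-in and does not model the real nameservers; the function names, query IDs, `mx.example` and the 192.0.2.1 answer are assumptions.

```python
import struct

FORMERR = 1  # RCODE 1: format error

def build_query(qname, qtype, qid, edns_udp_size=None):
    """Encode a DNS query; append an EDNS(0) OPT RR when edns_udp_size is set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0,   # flags: RD=1
                         1 if edns_udp_size else 0)         # ARCOUNT
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    msg = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    if edns_udp_size:
        # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg

def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def has_opt(msg):
    # Simplification: our queries carry nothing but OPT in the additional section.
    return struct.unpack("!H", msg[10:12])[0] > 0

def legacy_server(query):
    """Constructed stand-in: answers plain DNS, rejects EDNS with FORMERR."""
    qid = query[:2]
    if has_opt(query):
        return qid + struct.pack("!HHHHH", 0x8100 | FORMERR, 0, 0, 0, 0)
    # Echo the question, add one A record (name is a pointer to offset 12).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return qid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + answer

def resolve_with_fallback(qname, qtype, send):
    """Try EDNS first; on FORMERR retry once without OPT. Returns (response, used_edns)."""
    resp = send(build_query(qname, qtype, 0x1234, edns_udp_size=1232))
    if rcode(resp) != FORMERR:
        return resp, True
    # A client that keeps sending OPT here never gets an answer from this server.
    return send(build_query(qname, qtype, 0x1235)), False
```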