[mailop] IPv6 addresses for Microsoft Office 365 hosted domains?
Frank Bulk
frnkblk at iname.com
Tue Dec 16 06:41:58 CET 2014
Bernhard,
Thanks for sharing your experience. You may have been able to send email to Google for some days from your IPv6 host without a PTR, but I think that would only go on for a short time. Have you tried sending to Comcast?
>From an ISP perspective, adding in an SPF (or equivalent TXT) record for the IPv6 space of your ISP mail server would not be a hard thing to do. While not all email servers support DKIM, all DNS servers support TXT records.
Frank
-----Original Message-----
From: Bernhard Schmidt [mailto:Bernhard.Schmidt at lrz.de]
Sent: Monday, December 15, 2014 3:53 AM
To: Frank Bulk; 'Dick Visser'; 'Franck Martin'
Cc: mailop at mailop.org; IPv6 operators forum
Subject: Re: [mailop] IPv6 addresses for Microsoft Office 365 hosted domains?
Hi,
> Thanks, Dick and Franck, that URL has some great information.
>
> I'm 99% sure that neither Office365 customer turned IPv6 on and off,
> especially in the same afternoon (that MSDN blog entry notes that the
> customer has to specifically request it), so I'm guessing that
> something happened at MSFT that it accidentally turned on for a while
> for some customers.
I was curious about these rules so I set up a test-account and had
support enable Inbound IPv6 for it. Took them a few days (and a couple
of phone calls, "are you really really sure?") but went quite well
otherwise.
Feel free to write an email to autoresponder at o365.schmidt-it.info .
Despite the name I wasn't able to configure the account to return
anything useful (i.e. full headers) to the sender, so it doesn't reply
at all. You'll need to check your logs for the delivery status. Maybe
I'll get to that later this week, but that would have to be done outside
of O365.
I have done a few tests and for now I do not see any rejects even when
there is neither DKIM nor SPF on the sender domain. Hell I don't even
see a reject on missing PTR.
I also cannot confirm any requirement for SPF/DKIM on Google's side. We
send a lot of email to Google over IPv6, most of it is unsigned. We
"never" had any issues with it. The world is not as black/white as that
M3AAWG recommendation makes us believe.
We don't send a lot of mail to LinkedIn so I cannot say anything about that.
>From my POV, requiring PTR is good and should be done on IPv4 as well.
Requiring DKIM/SPF for IPv6 delivered mail would be a death sentence for
IPv6 on MTAs if you do not fully control all outbound mail (think
smarthost of a university or ISP). And you cannot easily disable IPv6 to
selected destinations.
Best Regards,
Bernhard
>
> Frank
>
> -----Original Message----- From: Dick Visser
> [mailto:visser at terena.org] Sent: Thursday, November 27, 2014 1:02 PM
> To: Frank Bulk Cc: mailop at mailop.org; IPv6 operators forum Subject:
> Re: IPv6 addresses for Microsoft Office 365 hosted domains?
>
> On a related note, I'm in the process of setting up mail for our new
> domain, and Office365 was one of the options. I was surprised to see
> that Office 365 hosted domains have only one MX, which resolves to
> only two IPv4 addresses:
>
> visser at cajones:~$ host geant-org.mail.protection.outlook.com.
> geant-org.mail.protection.outlook.com has address 213.199.154.87
> geant-org.mail.protection.outlook.com has address 213.199.154.23
>
> Both sit in the same network, which seems like a bad idea. Unless
> this is anycast? Can't tell from here.
>
> However, MS seems to have changed things recently:
>
> http://blogs.msdn.com/b/tzink/archive/2014/10/28/support-for-anonymous-inbound-email-over-ipv6-in-office-365.aspx
>
> Better late than never.
>
> The alternative for e-mail is Google Apps, which has IPv6 for years.
>
>
> Dick
>
>
>
>
> On 27 November 2014 at 03:00, Frank Bulk <frnkblk at iname.com> wrote:
>> This afternoon I saw several log messages in our email server's
>> logs in relation to emails our local business customer (who uses
>> our ISP email server) was trying to send to a Microsoft Office 365
>> hosted domain:
>>
>> "[::ffff:12.43.166.xx] Site <target domain redacted>
>> (2a01:111:f400:7c0c::11) said after data sent: 554 5.7.1 Service
>> unavailable, message sent over IPv6 [2607:fe28:0:4000::10] must
>> pass SPF or DKIM validation (message not signed)"
>>
>> The PTR for 2a01:111:f400:7c0c::11 is
>> mail-by26c0c.inbound.protection.outlook.com.
>>
>> But when I check the MX record of the target domain I see there's
>> no AAAA for the <redacted>.mail.eo.outlook.com, just three A's.
>>
>> Fortunately we control our local business customer's DNS and I've
>> added in our email server's DKIM so that future emails, if they
>> were sent over IPv6, should be accepted by Microsoft. Our customer
>> has no SPF record.
>>
>>
>> I also saw two log messages for two Microsoft Office 365 hosted
>> domains: 26 13:30:59.00 [56882563] Failed ::ffff:199.120.69.25
>> <notification+kyg2kgex at facebookmail.com> <target domain1 email
>> redacted> 9259
>> <1502549920004098-1497189607206796 at groups.facebook.com>
>> "[::ffff:199.120.69.25] ubad=0, Site (target domain1
>> redacted/2a01:111:f400:7c10::1:10) said: 550 5.2.1 Service
>> Unavailable, [target domain1 redacted] does not accept email over
>> IPv6" 26 19:04:52.00 [83985160] Failed ::ffff:12.43.166.20 <from
>> redacted> <target domain2 email redacted> 6546
>> <0EBCBB96763E41B2A4CD9A4CD3DD94BE at sp.local> "[::ffff:12.43.166.20]
>> ubad=1, Site (target domain2 email redacted/2a01:111:f400:7c0c::11)
>> said: 550 5.2.1 Service Unavailable, [target domain2 email
>> redacted] does not accept email over IPv6"
>>
>> There's no PTR for 2a01:111:f400:7c10::1:10. I checked the last 7
>> days of logs I only saw these today.
>>
>> It's like Microsoft published some AAAA's for some MX records, but
>> then withdrew them, but not before there were a few failures.
>>
>> Frank
>>
>>
>>
>
>
>
More information about the ipv6-ops
mailing list