Why does my email from Facebook, that I forward from my outlook.com account, get rejected?


Update on Jan 25, 2017 - Still no timeline on a fix for this, we have repeatedly hit issues. 🙁

Update on June 23, 2017 - See https://blogs.msdn.microsoft.com/tzink/2017/06/22/an-update-on-the-forwarding-email-problem-in-office-365/

Why is my (your) email bouncing when I (you) forward it?

Recently, many people have been asking me why email from Facebook that they forward from their outlook.com or Hotmail account to another account bounces after they forward it. That is:

Facebook -> outlook.com (forward) -> Hotmail/Yahoo/Gmail -> bounces back

Why does this happen? How can you fix it?

It's because of the way we are migrating accounts, plus some older behavior designed to protect the mailbox

A few months ago we announced that Hotmail/outlook.com accounts were being migrated to Exchange Online (EOP). This is not an instantaneous process; it takes a long time to move all of those accounts over and we are not yet complete. But this issue of forwarded email bouncing only happens if your account has been migrated. Mail for a migrated account first goes through the old Hotmail infrastructure and then lands in the Exchange Online environment, where it re-uses the spam filter verdict that the old Hotmail infrastructure stamped.

Exchange server has a feature wherein it "fixes up" content in a message. This has been around for many years, and it exists to prevent malformed data from going into your mailbox where it could cause a corruption problem. So, if a message arrives in a format Exchange does not expect, it converts it to a format it does expect. For example:

Before being fixed: Joe Sender <joesender@example.com>

After being fixed: "Joe Sender" <joesender@example.com>

There are good reasons for doing this, especially in enterprise environments, that I won't get into here. To a human, the message looks identical. But the problem with doing this is that if a message has a DKIM signature, then fixing up the message will break the DKIM signature - even doing something as small as adding quotes around the Display Name breaks the existing DKIM-Signature.
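As an added illustration (not code from the original post or from Exchange), this Python sketch applies DKIM's relaxed canonicalization from RFC 6376 to a constructed message before and after a fix-up. The messages, the signed-header list and the function names are assumptions made for the example; it shows that whitespace and case changes survive a relay, while added quotes do not.

```python
import base64
import hashlib
import re

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2: relaxed canonicalization of one header field."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def relaxed_body_hash(body):
    """RFC 6376 section 3.4.4 relaxed body, hashed the way the bh= tag is."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\n")]
    while lines and lines[-1] == "":                   # drop trailing empty lines
        lines.pop()
    canon = "".join(ln + "\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def parse_message(raw):
    """Split a raw message into [(name, value)] headers and a body string."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:        # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + "\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body

def signed_field(headers, name):
    """Canonical form of the last instance of a header; empty if absent."""
    for field, value in reversed(headers):
        if field.strip().lower() == name.lower():
            return relaxed_header(field, value)
    return ""

def broken_by_forwarding(original, forwarded, signed_headers):
    """Return (signed headers whose canonical form changed, body hash changed?)."""
    o_headers, o_body = parse_message(original)
    f_headers, f_body = parse_message(forwarded)
    changed = [h for h in signed_headers
               if signed_field(o_headers, h) != signed_field(f_headers, h)]
    return changed, relaxed_body_hash(o_body) != relaxed_body_hash(f_body)

SIGNED = ["from", "to", "subject"]   # constructed h= list for the example

# Constructed sample message as the sender signed it.
ORIGINAL = (
    "From: Joe Sender <joesender@example.com>\r\n"
    "To: receiver@contoso.com\r\n"
    "Subject: Your   weekly update\r\n"
    "Content-Type: multipart/alternative; boundary=b1\r\n"
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "\r\n"
    "Hello\r\n"
    "--b1--\r\n"
)

# Same message after a relay that only refolds lines and changes whitespace/case.
REFOLDED = (
    "FROM:  Joe Sender <joesender@example.com>\r\n"
    "To: receiver@contoso.com\r\n"
    "Subject: Your weekly\r\n update\r\n"
    "Content-Type: multipart/alternative; boundary=b1\r\n"
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain;   charset=UTF-8\r\n"
    "\r\n"
    "Hello  \r\n"
    "--b1--\r\n"
    "\r\n"
)

# Same message after the kind of fix-up described on this page: quotes added
# around the display name and around the charset value inside the body.
FIXED_UP = (ORIGINAL
            .replace("Joe Sender <", '"Joe Sender" <')
            .replace("charset=UTF-8", 'charset="UTF-8"'))

if __name__ == "__main__":
    print("refolded:", broken_by_forwarding(ORIGINAL, REFOLDED, SIGNED))
    print("fixed up:", broken_by_forwarding(ORIGINAL, FIXED_UP, SIGNED))
```
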

Normally this isn't a problem because Exchange Online verifies SPF, DKIM, and DMARC and stamps the results in the Authentication-Results header [1]. But if the message is forwarded to another mailbox that re-verifies the message, it won't pass SPF (because the IP address of the forwarder won't be in the original sender's SPF record [2]), and it won't pass DKIM because the message headers and body have changed slightly and the hash doesn't verify. It therefore can't pass DMARC, since the From: domain won't align with a domain that passed either DKIM or SPF.

Non-migrated Hotmail/outlook.com account

[Image: non-migrated Hotmail account, message forwarded intact]

Migrated Hotmail/outlook.com account

[Image: migrated Hotmail account, message forwarded broken]

This wouldn't normally be a problem except when the message comes from a domain that publishes a DMARC record with p=reject or p=quarantine. Most email doesn't, but there are a few large senders that do, including Facebook (facebookmail.com), LinkedIn, Yahoo, AOL, and soon-to-be Gmail. Since forwarded messages from those domains no longer pass SPF or DKIM, they fail DMARC and bounce.

🙁

So what can I (you) do?

The good news is that we are fixing this - that is, we are fixing the "fixing up of messages." We are introducing a change in Exchange Online that will stop modifying the contents of messages when they are forwarded out of the system. SPF will still fail, but DKIM will pass. This means that you'll be able to forward email to your heart's content and it will pass DMARC just fine.

I don't have a timeline on this because we've tested this before and had to pull it back because we found problems. But hopefully over the next few weeks this fix will go out worldwide and then this will no longer be a problem.

We ask that you sit tight until then.

Thanks.

 


[1] For a migrated mailbox, Hotmail/outlook.com does its authentication checks and stamps the result in the Authentication-Results header. When the message is sent to EOP, it does its own authentication checks and stamps the result, but they are not used. Instead, Hotmail/outlook.com pushes its authentication checks into its spam/non-spam verdict which EOP re-uses.

[2] Some systems rewrite the 5321 MailFrom so that it does pass SPF, e.g.,

Original SMTP MAIL FROM: <sender@example.com>
Original SMTP RCPT TO: <receiver@contoso.com>

Forwarded SMTP MAIL FROM: <some_hash_receiver_contoso-com@contoso.com>
Forwarded SMTP RCPT TO: <receiver@something.com>

This does pass SPF at the forwarded-to receiver, but since the domain in the SMTP MAIL FROM does not match the From: address - which is not rewritten - it still fails DMARC.
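The outcomes described in the post and in footnote [2], worked through as an added example (not part of the original post): a DMARC identifier-alignment check in Python over four constructed authentication results. The d= domain, the forwarder domains and the two-label organizational-domain shortcut are assumptions made for the example.

```python
from dataclasses import dataclass

def org_domain(domain):
    """Assumption: organizational domain = last two labels.
    Real DMARC implementations consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

@dataclass
class AuthResult:
    header_from: str   # domain in the From: header (RFC5322.From)
    mail_from: str     # domain in SMTP MAIL FROM (RFC5321.MailFrom)
    spf: str           # SPF result for mail_from at the connecting IP
    dkim_d: str        # d= domain of the DKIM signature
    dkim: str          # DKIM verification result

def dmarc_verdict(result, policy):
    """Pass if SPF or DKIM passes for a domain aligned with From: (relaxed)."""
    spf_aligned = (result.spf == "pass"
                   and org_domain(result.mail_from) == org_domain(result.header_from))
    dkim_aligned = (result.dkim == "pass"
                    and org_domain(result.dkim_d) == org_domain(result.header_from))
    if spf_aligned or dkim_aligned:
        return "pass"
    # The published policy decides what happens to a failing message.
    return {"none": "fail, delivered",
            "quarantine": "fail, quarantined",
            "reject": "fail, rejected"}[policy]

SENDER = "facebookmail.com"   # From: domain named on this page

# Constructed results as the final receiver would see them.
SCENARIOS = {
    # Facebook -> outlook.com: sender's own IP, untouched signature.
    "direct": AuthResult(SENDER, SENDER, "pass", SENDER, "pass"),
    # Forwarded after fix-up: forwarder IP fails SPF, modified content fails DKIM.
    "forwarded, fixed up": AuthResult(SENDER, SENDER, "fail", SENDER, "fail"),
    # Footnote [2]: MAIL FROM rewritten to the forwarder's domain, so SPF passes
    # for that domain, but it does not align with From:.
    "forwarded, MAIL FROM rewritten": AuthResult(
        SENDER, "forwarder.example", "pass", SENDER, "fail"),
    # The fix described in the post: content not modified, so DKIM still verifies.
    "forwarded, unmodified": AuthResult(SENDER, SENDER, "fail", SENDER, "pass"),
}

def evaluate(policy="reject"):
    """DMARC outcome for every scenario under the sender's published policy."""
    return {name: dmarc_verdict(r, policy) for name, r in SCENARIOS.items()}

if __name__ == "__main__":
    for policy in ("reject", "none"):
        print(f"p={policy}")
        for name, verdict in evaluate(policy).items():
            print(f"  {name}: {verdict}")
```
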


Comments (68)

  1. Hi,
    thanks for your insights into your mail infrastructure. It looks like a mailbox of mine (@hotmail.com) has been migrated to EOP yesterday, because since then the DKIM verification fails.
    Do you have a timeline for me when the “fixing of fixup of messages” will be implemented?

    Thanks a lot,
    Mathias

    1. tzink says:

      Not yet. I haven’t committed to a timeline because it keeps getting rolled back.

      1. Hi Terry,
        since a few weeks passed I thought I should ask again if there is news on this issue? Sorry to bother you with this issue, but my customers are complaining as well. As you can imagine, or maybe experienced yourself, arguing with better or higher security when basic features are not working is pointless.
        – Mathias

  2. Taylor Lilly says:

    Thank you very much for this post. It was very enlightening and turns out may solve a very long-standing problem of mine. For more information, please refer to SRX1310247077ID. This problem has been going on for some time (much longer than June) and affects MANY more vendors than just Facebook (Wells Fargo, Apple, USPS, UPS, to name a few).

    I have two Hotmail accounts, one created in the mid-90s, and one created in the early 2000’s. I forward the one from the mid-90s to the newer one and then use the newer one as my general account for logging into my surface, picking up email, etc… I keep the old one because it has accumulated years and years of use as a point of contact for my accounts. Sometime around last August, the older account was moved to a new server, probably as part of the outlook.com upgrade process. When that happened, that account’s ability to forward messages, legitimate and critical messages such as banking notifications and login access notifications, was disabled (probably due to the process mentioned).

    Unfortunately, the online forum technical support for this issue was not just woefully lacking, but insultingly naive. Microsoft almost lost a customer as the ability to forward one account to another is a fundamental functionality. Thankfully, both for myself and for Microsoft’s interest in customer retention, this issue was finally bumped sometime in November to a higher technical support authority. At that point, the technician did an excellent job of continuing to look into the problem, testing all of the various possibilities, and finally determining that the problem was, indeed, on the Microsoft server side (not in my spam filter or user error). Unfortunately, he did not have the insight into the server specific engineering to pinpoint the issue. This post seems to have done that. As a quick side note, I have certainly sung the praises of that support engineer to his manager and thank him again here.

    In the meantime, I am now coming up on 10 months of not being able to use my Microsoft Hotmail account in the intended fashion. Note, Hotmail accounts cannot be made into aliases for other Hotmail accounts (a plausible and obvious work-around). I mention this because I am extremely interested in when this update will be enacted. Not being able to forward simple messages such as banking notifications and postage tracking information removes the usefulness of Hotmail.com as a paid for utility (I am a Hotmail plus subscriber). I was told that this was scheduled for the next build of Microsoft Outlook.com. Is there a way online to check the build status of the site to know when this functionality may be fixed and when I may be able to return to forwarding my mail?

    -Taylor

    1. tzink says:

      Sorry to hear this, Taylor. I know it’s annoying (it’s annoying for me, too, because I use email and forwarding the same way everyone else does and encounter this problem).

      No, there’s no way to check the build status. Every time I check to see the status myself, it’s pushed out because of running into an issue that we have to roll back and then fix. The deployment is going slowly, but hopefully it will be done in a few weeks.

    2. Taylor Lilly says:

      tzink, thank you again for your post and for your reply. As the month draws to a close, I would like to check back in to see if the build status has changed. I still don’t see functionality has returned, so I think I can guess at the answer. -TCL

    3. Taylor Lilly says:

      tzink, thank you again for your post and for your reply. As the month now begins anew, I would like to check back in to see if the build status has changed. I still don’t see functionality has returned, so I think I can guess at the answer. -TCL

  3. Robin says:

    I am getting this same problem with an Exchange 2010 server. It is rewriting the To: field on redirects, which breaks DKIM. Is there any fix / patch / settings for Exchange 2010? (I think this blog refers to the hosted service?)

  4. Robin says:

    It’s actually even worse. Exchange redirection is not only rewriting the To: field, but also changing the message body by putting quotes around the charset eg from
    Content-Type: text/plain; charset=UTF-8
    to
    Content-Type: text/plain; charset="UTF-8"

    which obviously breaks the DKIM signature on the body. Is there any way to get Exchange 2010 to redirect in a DKIM compliant fashion?

    1. tzink says:

      Yes, it’s not just the To: field but is as you mention. And yes, it breaks DKIM.

      In Office 365, we are planning to fix this although every time we start to deploy the fix we hit an issue; we then need to rollback and make adjustments (there are a *lot* of old MTAs that send in strange formats that require content conversion in order to deliver). This pushes out the fix date.

      As far as I know, there is no way to get Exchange 2010 to redirect/forward without modifying the body. The only thing that works is to send the message from an Exchange server that already formats it in the way it expects, so when it does redirect/forward, there is no content that requires modification.

      1. Garry Martin says:

        I keep coming back to this page hoping for a timeframe for resolution, only to find each time that attempts are still being made to implement fixes but are having to be rolled back due to further issues.

        Given this is taking *so* long to resolve, is there no way to provide an “on request” option to reverse the migration so that we go back to the old platform until it is fixed?

        1. tzink says:

          Hi, Garry,

          Apologies for the delay. Believe me, I’m as frustrated as anyone because I head up the email authentication area in Office 365 (and even a little bit in Hotmail/outlook.com) and this message modification undermines our ability to publish stricter auth records in the service.

          But unfortunately, no, you can’t roll back to the previous version.

  5. Taylor Lilly says:

    tzink,

    Thank you again for your post and for your reply. It looks like this issue continues to get a lot of traffic and shared sympathy. I’ve now dealt with this issue for 11 months. So that I’m clear, this issue has been a problem for almost a full calendar year now on the Hotmail domain. Like many, I understand the problem of getting blood from a turnip, so to speak. But I also know that the squeaky wheel gets the grease. So, with August going swiftly by and the 12th month of this issue for my account coming to a close, I would like to check back in to see if the build status has changed. I still don’t see functionality has returned, so I think I can guess at the answer.

    -TCL

  6. Taylor Lilly says:

    tzink,

    This issue has now been a detriment to my ability to work with Hotmail for over a year. Do you have any new information on when this issue will be resolved?

    -TCL

  7. Rafael Cossovan de França says:

    I hit this issue yesterday. At least, now I know what is going on.

    Microsoft should put a warning when users are forwarding their emails.
    This may help a little…

  8. Martijn says:

    Thanks for the clear explanation. This gives me a much better idea of what’s going on.

  9. Nicolas says:

    Hi tzink!

    I know it’s not yet enabled, but just like for you, me and my wife are also affected by this. I’ve considered swallowing the bitter pill and just moving away from our longstanding @hotmail.com addresses and just migrating to a custom domain. But your comments here somehow always make me hopeful that someone is trying to fix it.

    Is there any place we can follow for getting updates on this? Even just a notice that it was rolled forward again, but failed, would sort of make me at ease. Any sort of signal really.

    Do you think it might be fixed by the end of the year (preferably before Christmas)? The missed mails are messing with professional and private life.

    1. tzink says:

      The fix for this is starting to be rolled out, I haven’t been able to test it yet but we’re working on it. Believe me, I get asked about this all the time. It’s as difficult for me as it is for you.

      1. Nicolas says:

        That’s incredibly good to hear!

      2. Ed says:

        Hi can you put the fix on my outlook account please? See the address used for this comment. If not when will all accounts have been updated? Thanks

        1. tzink says:

          The fix will be applied everywhere, it’s not on an account-by-account basis.

          1. Ed says:

            OK great any ideas on roll out date? please let us know the date so we can plan around this. It’s the least we deserve.
            thanks

  10. Bruce Gregory says:

    Well, apparently I’m not the only one having this forwarding problem. I’ve had a few instances of important emails not forwarding to my gmail account in the past, but recently I’m not receiving emails from the two banks I deal with, as well as PayPal, Facebook, and a number of other businesses. It looks like I’m going to be forced to change my email address with those companies to my gmail address. I don’t have the time to scrutinize multiple folders from two email providers, let alone scrutinize my Outlook junk email folder for emails that are not junk. Sorry, but if I have to pick one over the other, gmail wins. Hate to see it come to that.

  11. Gary Parker says:

    Any word on when this will be updated? Many of our users have mail set to forward to Gmail, AOL, Yahoo or other free providers. Lately there is a high likelihood that mail sent to any of these people will bounce, especially if the sender was also on one of these providers. Looking at the headers, everything should pass if not for the fixing up process.

  12. Joel Beckham says:

    Hey Terry,

    Thanks for the updates on this. Are the “fix ups” documented anywhere? I’d like to see if we can fix up the messages before we send them so they don’t trigger any changes when passing through exchange.

    Thanks!

    1. tzink says:

      No, they aren’t documented anywhere.

      The easiest way to figure it out is to send a message from Office 365 and observe how it sends the message, and then send the equivalent one from a Gmail account. Look at all the headers and body, and compare differences.

      That’s how I do it.

  13. KitzyKitt says:

    We are having a similar issue, and unless someone sends me the bounced e-mail, we aren’t even aware of what is happening.

    My husband and I share a hotmail account (outlook.com) and those emails are copied and forwarded to his msn account (outlook.com) setup by the outlook.com website. This is frustrating that it is all internal and there isn’t a work around or a timeframe. We also don’t know which emails do get forwarded (because some do) and which ones don’t (because some contacts let me know that their email bounced back).

    1. tzink says:

      Yes, I understand it’s frustrating. We’ve been trying to roll this out for a long time but keep hitting issues and have to delay it. That’s why I don’t put any timelines into the blog posts or comments. When we hit an issue, we halt deployment, fix it, and then continue. There is a lot of legacy behavior that has dependencies on the message fix-ups (that breaks DKIM, but stops other problems).

  14. Collin Anderson says:

    Ok, so what do we do about SPF failures?

  15. Kelvin says:

    Hi there,

    Thanks for your write-up. It’s made its way into the top of Google search results for this issue, which is good.

    Can I confirm whether your team is working on a fix for Office 365 (for Schools)? I forward my school emails to another email provider, which rejects the email due to DMARC being used on the originating sender.

    Many thanks,
    Kelvin

    1. tzink says:

      Yes, we’re working on a fix for all of Office 365. As I said, I don’t have a timeline because every time we have tried to deploy, we’ve hit an issue. We then have to pause (or rollback) and then fix that one. Then we continue. But it’s in progress.

      I understand this is painful for everyone. This blog post is one of the top for generating comments on any of my blog posts, so I get it. I don’t like not being able to forward email, either.

      1. Niels says:

        I have no idea how Microsoft works with update deployment but reading the comments suggests there is a working solution but it can’t be deployed because of other changes. Isn’t it possible for MS to deploy just this fix? I did not receive mails from my bank and several other important companies for months now!

  16. Edward Wilkins says:

    Hello it has been 2 weeks since your last update. Do you have any more information for us yet? When will the next attempt at a fix roll out happen?

  17. JayDub says:

    I missed multiple credit card payments in the last month because the statements via email never got forwarded through Outlook.com. This is infuriating and unacceptable. Back to Gmail I go.

    1. JohnDubya says:

      I just received the first forwarded email through Outlook.com since about two months ago. All emails from USPS have NOT been going through, but this morning, one got through. Hopefully this means the fix is in?

      1. JohnDubya says:

        I wasn’t clear in my last comment. I have not received any email in the last two months – specifically from senders marked as safe in Outlook.com. Just as of this morning, I have received three emails from USPS, none of which have been forwarded for the last two months. When I click to view original in Gmail, it shows “SPF: Fail” and “DMARC: Fail”, so it appears the email headers are still messed up, but they at least got forwarded from Outlook.com to Gmail.

        1. Edward Wilkins says:

          Ah you had my hopes up – tested from booking.com (one that I know has the issue) sadly still the same!

          1. tzink says:

            I’ve said it before in the comments and I’ll say it again – literally every time we deploy this, we have to roll it back because of some issue we encounter, so I don’t have a timeline. Turns out there are a lot of dependencies on modifying the message. This is compounded by the fact that I am not driving this change (I just get to respond to everyone’s comments asking about it), and it’s old legacy code that few people are familiar with (is anyone?).

  18. Fingerle says:

    All of my e-mails are still not being forwarded. REI and Etsy are two off the top of my head. Any updates as to when this will be addressed? I have sent notes to the outlook mail feedback numerous times with no concrete information being returned.

  19. JohnDubya says:

    Terry, sure sorry you are in this position. It’s the double edged sword of communicating problems – customers need to know that you know about the problem, but when you let them know, you have to hear all the blow back and frustration. 🙂

    FYI, the problem has at least improved since last week. I hadn’t received an email from USPS in months, but last week, those emails started being forwarded through my outlook.com account. But still, other emails, like one this morning from GoDaddy, did not get forwarded. It was not marked as being “sent from a safe sender” in outlook.com like the USPS emails had been, so not sure what’s going on there.

    Good luck to you and your team in dealing with this.

  20. Jong N says:

    Thanks for your insight. I have the same issue and emails from the following accounts were not automatically forwarded in my case.
    – usps
    – fedex
    – ups
    – newegg.com

    Most of the other emails are still being forwarded (e.g. Amazon and other retailers).
    Hope this issue gets resolved soon. Thank you.

  21. Gijs says:

    Any update on this issue? Some good end of year news would be great.

    1. Howie says:

      Timing update, please. This has still not been fixed.

      1. Sebastian Young says:

        Yep, would be really great to get an update on this.

      2. elvira says:

        When I forward my incoming emails to my gmail account, then all my incoming emails also go into my sent folder. How can I fix this??

  22. JKai says:

    Hi, we are hitting a roadblock now that big financial institutions are actively enforcing SPF/DKIM/DMARC policies….. Any new developments here? It looks like this is a widespread issue across Microsoft Email platforms, but not much movement has been happening with this… Frustrating when you get sold on a product and then discover these highly impactful bugs…

  23. Horst Mehfelder says:

    Have the same issue. Currently only workaround is to set Gmail to load the mails via POP3 from outlook.com, but this can only be a temp solution.. hopefully it will be fixed soon.

  24. Brian says:

    I am still plagued by this problem. Half of my redirected mail gets dumped into Gmail spam.

    Any updates on this?

  25. Ruppert says:

    Terry, it seems as if there are some more problems with the dkim implementation.
    A known problem is sending mail with attachments resulting in failed header.from verification (simply send a mail with attachments from gmail).
    A customer had a serious problem with mail sent to onmicrosoft.com where CC was used and oversigned (to make sure CC was not illegally added). These mails do not pass smtp.mailfrom & header.from verification. You can add nearly all headers you want for oversign, but don’t add CC, this breaks verification. From the RFC there is no reason not to add CC, but there are some good reasons to add CC for oversign. (gmail and port25 rate these mail ok.)
    Maybe you can forward that into the product groups for evaluation.

  26. Henk Jansen says:

    Is there an update about this issue, for example booking.com and netflix mail also aren’t forwarding to a different mailbox.

    1. tzink says:

      We’re working on it. Lots of others have the same problem.

  27. Oou indy says:

    code thanks

  28. Fingerle says:

    Any idea when this is going to be resolved? I am still not getting all of my messages forwarded correctly

  29. Sebastian Young says:

    It’s mad that a company with the resources of Microsoft hasn’t been able to get this resolved in what is getting on for a year. It’s a massive problem for senders who use DMARC, the number of which are increasing all the time.

  30. Andi says:

    the only solution is to deactivate forwarding for now, right? is there any way to get a list of all emails that bounced back? it would be very important, my girlfriend sent some job applications and would need to know if someone just got an error after answering 🙁

    1. tzink says:

      Some people disable forwarding, others import their messages using IMAP/POP3 at the forwarded-to destination.

      1. Andi says:

        what do you mean? do all messages show up when you use pop3/imap? that would be weird…so is there a way to get all messages somehow, even if the sender got an error?

  31. Q says:

    Sorry for bothering,
    Just want to check is this still being worked on ! is there a solution/workaround already ! or is it given up upon !
    Thanks for the GREAT explanation, it’s perfect. I will not have to look deeper into my problem 🙂

  32. Brian says:

    Anything? Any updates at all? This has been dragging on forever. How high is this on the list of bugs to fix? It seems pretty severe, and has been publicly acknowledged by this very blog post for almost a full year.

  33. Phil Sheridan says:

    Discussing Internet security in (mostly) plain English?! Discuss IN plain English and stop with the acronyms! SPF/DKIM/DMARC?!!!! I want my Facebook emails in my inbox, not in my junk folder! I do not want to go to my junk folder every day and check each record and select not junk. How do you not understand this? Why can’t I make all @facebook.com emails go to my inbox?! Your article is lame Terry Zink. Fix it!

  34. Kl King says:

    Given the strict DMARC rules now implemented by some sites, such as yahoo, it is now impossible to constructively use an auto forwarding feature without unintentionally completely blocking emails from some senders. Is this ever going to be resolved? Given that it is to do with how the exchange server is reformatting the header I would have thought that resolving this would be within the capability of Microsoft.

  35. Jon Rice says:

    It looks like we have passed the 1 year mark of the original posting. Is there actually any ongoing effort to remedy this? Is there any update on ETA for a fix for this? We would love not to have to bypass the MS cloud for our users but since store/forward is not successful we are just forwarding at the inbound relay side of the world. Not ideal when we would like to keep all this inbound mail in our MS tenant.
    Any updates would be helpful.
    Jon

    1. Sebastian Young says:

      To me, it seems like Microsoft have given up on it. I hope that’s not the case, because this is a serious issue for senders and receivers alike!

  36. Hi,
    my first posting to this blog article is about to get one year old. But somehow I don’t want to light a candle 😉
    I know it is tiresome, but still: Any timeline for the fix?

    Thanks,
    Mathias

    1. Horst Mehfelder says:

      And one more month… Like to know that too

  37. Frank says:

    This is such a mess, since 3/AUG my hotmail account has stopped auto forwarding/resending my hotmail emails to my gmail/G suite email. Microsoft staff just can’t fix this mess, will not use any of their products in the future if I can!

  38. Tom says:

    This is a disaster, people are going to miss important emails because they trust hotmail’s auto forward function! I just recently found out this when I didn’t receive confirmation email from B&H Photo, and apparently this issue has existed for over a year! Totally unacceptable to respectable companies.

  39. KRS03 says:

    Here it is August 26th 2017 — Still not fixed.
