Why does my email from Facebook, that I forward from my outlook.com account, get rejected?

Update on Jan 25, 2017 - Still no timeline on a fix for this, we have repeatedly hit issues. :(

Update on June 23, 2017 - See An update on the forwarding email problem in Office 365

Update on Nov 3, 2017 - See A second update on the problem of email forwarding in Office 365


Why is my (your) email bouncing when I (you) forward it?

Recently, many people have been asking me why email from Facebook that they forward from their outlook.com or Hotmail account to another account bounces. That is:

Facebook -> outlook.com (forward) -> Hotmail/Yahoo/Gmail -> bounces back

Why does this happen? How can you fix it?

It's because of the way we are migrating accounts, plus some older behavior designed to protect the mailbox

A few months ago we announced that Hotmail/outlook.com accounts were being migrated to Exchange Online (EOP). This is not an instantaneous process; it takes a long time to move all of those accounts over and we are not done yet. This issue of forwarded email bouncing only happens if your account has been migrated. Mail for a migrated account first goes through the old Hotmail infrastructure and then lands in the Exchange Online environment, which re-uses the spam filter verdict that the old Hotmail infrastructure stamped.

Exchange server has a feature wherein it "fixes up" content in a message. This has been around for many years, and its purpose is to prevent malformatted data from going into your mailbox where it could cause a corruption problem. So, if a message arrives formatted in a certain way, Exchange converts it to a format it does expect. For example:

Before being fixed: Joe Sender <joesender@example.com>

After being fixed: " Joe Sender " <joesender@example.com>

There are good reasons for doing this, especially in enterprise environments, that I won't get into here. To a human, the message looks identical. But the problem with doing this is that if a message has a DKIM signature, then fixing up the message will break the DKIM signature - even doing something as small as adding quotes around the Display Name breaks the existing DKIM-Signature.

Normally this isn't a problem because Exchange Online verifies SPF, DKIM, and DMARC and stamps the results in the Authentication-Results header [1]. But if the message is forwarded to another mailbox that re-verifies the message, it won't pass SPF (because the IP address of the forwarder won't be in the original sender's SPF record [2]), and it won't pass DKIM because the message headers and body have changed slightly and the hash doesn't verify. Therefore it can't pass DMARC, since the From: domain won't align with either the domain that passed DKIM or SPF.
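To see why adding quotes is fatal while ordinary re-folding is not, here is an added example (not code from the original post or from Exchange) that applies DKIM's "relaxed" header canonicalization from RFC 6376 and compares the hash the signature covers. The sample headers, the signed-header list and the function names are assumptions made for the illustration.

```python
import hashlib
import re


def relaxed_header(name, value):
    """Canonicalize one header field per RFC 6376 section 3.4.2 (relaxed)."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)        # collapse whitespace runs
    return name.strip().lower() + ":" + value.strip() + "\r\n"


def signed_header_hash(headers, signed_names):
    """SHA-256 of the canonicalized headers listed in the signature's h= tag.

    A full verifier also hashes the DKIM-Signature field itself and checks the
    public-key signature over the result; that step is left out here because
    a changed hash is already enough to make that check fail.
    """
    remaining = list(headers)
    digest = hashlib.sha256()
    for wanted in signed_names:
        # RFC 6376 section 5.4.2: use the last not-yet-used instance of a name.
        for i in range(len(remaining) - 1, -1, -1):
            name, value = remaining[i]
            if name.strip().lower() == wanted.lower():
                digest.update(relaxed_header(name, value).encode("utf-8"))
                del remaining[i]
                break
    return digest.hexdigest()


def signature_survives(original, received,
                       signed_names=("from", "to", "subject")):
    """True if the received headers still hash to what the sender signed."""
    return (signed_header_hash(original, signed_names)
            == signed_header_hash(received, signed_names))


# Constructed sample headers (not taken from a real message).
ORIGINAL = [
    ("From", "Joe Sender <joesender@example.com>"),
    ("To", "receiver@contoso.com"),
    ("Subject", "Your weekly update"),
]
# A relay that only re-folds a line and changes the header-name case.
REFOLDED = [
    ("FROM", "Joe   Sender\r\n <joesender@example.com>"),
    ("To", "receiver@contoso.com"),
    ("Subject", "Your weekly update"),
]
# The fix-up described above: quotes added around the display name.
FIXED_UP = [
    ("From", '"Joe Sender" <joesender@example.com>'),
    ("To", "receiver@contoso.com"),
    ("Subject", "Your weekly update"),
]

if __name__ == "__main__":
    print("re-folded only      :", signature_survives(ORIGINAL, REFOLDED))
    print("display name quoted :", signature_survives(ORIGINAL, FIXED_UP))
```

Relaxed canonicalization absorbs whitespace and header-name case changes, so the re-folded copy still verifies; the added quotes are new bytes inside the signed value, so the fixed-up copy does not.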

[Figure: non-migrated Hotmail/outlook.com account, message forwarded intact]

[Figure: migrated Hotmail/outlook.com account, message forwarded broken]

This wouldn't normally be a problem, except when the mail comes from domains that publish a DMARC record with p=reject or p=quarantine. Most email doesn't, but there are a few large senders that do, including Facebook (facebookmail.com), LinkedIn, Yahoo, AOL, and soon-to-be Gmail. Since forwarded messages from those domains no longer align under SPF or DKIM, they fail DMARC and will bounce if you forward them.

:(

So what can I (you) do?

The good news is that we are fixing this - that is, we are fixing the "fixing up of messages." We are introducing a change in Exchange Online that will stop modifying the contents of messages when they are forwarded out of the system. SPF will still fail, but DKIM will pass. This means that you'll be able to forward email to your heart's content and it will pass DMARC just fine.

I don't have a timeline on this because we've tested this before and had to pull it back because we found problems. But hopefully over the next few weeks this fix will go out worldwide and then this will no longer be a problem.

We ask that you sit tight until then.

Thanks.

 


[1] For a migrated mailbox, Hotmail/outlook.com does its authentication checks and stamps the result in the Authentication-Results header. When the message is sent to EOP, it does its own authentication checks and stamps the result, but they are not used. Instead, Hotmail/outlook.com pushes its authentication checks into its spam/non-spam verdict which EOP re-uses.

[2] Some systems rewrite the 5321 MailFrom so that it does pass SPF, e.g.,

Original SMTP MAIL FROM: <sender@example.com>
Original SMTP RCPT TO: <receiver@contoso.com>

Forwarded SMTP MAIL FROM: <some_hash_receiver_contoso-com@contoso.com>
Forwarded SMTP RCPT TO: <receiver@something.com>

This does pass SPF at the forwarded-to receiver, but since the domain in the SMTP MAIL FROM does not match the From: address - which is not rewritten - it still fails DMARC.
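The DMARC decision at the forwarded-to receiver can be worked through for each case discussed in this post. The following is an added example, not code from the original post or from any Microsoft product; the two-label organizational-domain shortcut, the `reject` policy value and all names in it are assumptions made for the illustration.

```python
from dataclasses import dataclass


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # evaluator consults the Public Suffix List (this breaks on example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain):
    """Relaxed DMARC alignment: same organizational domain."""
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Delivery:
    label: str
    header_from: str   # domain of the From: header
    mail_from: str     # domain of the SMTP MAIL FROM (5321 MailFrom)
    spf_pass: bool     # connecting IP is authorized by mail_from's SPF record
    dkim_domain: str   # d= domain of the DKIM-Signature
    dkim_pass: bool    # signature still verifies at this receiver


def dmarc_result(d, policy):
    """Return 'pass', or the published policy the receiver should apply."""
    spf_ok = d.spf_pass and aligned(d.mail_from, d.header_from)
    dkim_ok = d.dkim_pass and aligned(d.dkim_domain, d.header_from)
    return "pass" if (spf_ok or dkim_ok) else policy


SENDER = "facebookmail.com"   # From: domain named in the post
FORWARDER = "contoso.com"     # forwarding domain used in footnote [2]
POLICY = "reject"             # assumed policy value for the illustration

# Constructed scenarios, as seen by the mailbox that receives the forward.
SCENARIOS = [
    Delivery("direct delivery",
             SENDER, SENDER, True, SENDER, True),
    Delivery("forwarded, message fixed up",
             SENDER, SENDER, False, SENDER, False),
    Delivery("forwarded, fixed up, MAIL FROM rewritten",
             SENDER, FORWARDER, True, SENDER, False),
    Delivery("forwarded, content left unmodified",
             SENDER, SENDER, False, SENDER, True),
]


def evaluate(scenarios=SCENARIOS, policy=POLICY):
    """Map each scenario label to its DMARC outcome."""
    return {d.label: dmarc_result(d, policy) for d in scenarios}


if __name__ == "__main__":
    for label, outcome in evaluate().items():
        print(f"{label:45s} -> {outcome}")
```

Rewriting the MAIL FROM makes SPF pass but for the forwarder's domain, which is not aligned with the From: header, so only an intact DKIM signature lets the forwarded message pass.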

Comments

  • Anonymous
    June 13, 2016
    Hi, thanks for your insights into your mail infrastructure. It looks like a mailbox of mine (@hotmail.com) has been migrated to EOP yesterday, because since then the DKIM verification fails. Do you have a timeline for me when the "fixing of fixup of messages" will be implemented? Thanks a lot, Mathias
    • Anonymous
      June 21, 2016
      Not yet. I haven't committed to a timeline because it keeps getting rolled back.
      • Anonymous
        August 01, 2016
        Hi Terry, since a few weeks passed I thought I should ask again if there are news on this issue? Sorry to bother you with this issue, but my customers are complaining as well. As you can imagine, or maybe experienced yourself, arguing with better or higher security when basic features are not working is pointless. - Mathias
  • Anonymous
    July 01, 2016
    Thank you very much for this post. It was very enlightening and turns out may solve a very long-standing problem of mine. For more information, please refer to SRX1310247077ID. This problem has been going on for some time (much longer than June) and affects MANY more vendors than just Facebook (Wells Fargo, Apple, USPS, UPS, to name a few). I have two Hotmail accounts, one created in the mid-90s, and one created in the early 2000's. I forward the one from the mid-90s to the newer one and then use the newer one as my general account for logging into my surface, picking up email, etc… I keep the old one because it has accumulated years and years of use as a point of contact for my accounts. Sometime around last August, the older account was moved to a new server, probably as part of the outlook.com upgrade process. When that happened, that account’s ability to forward messages, legitimate and critical messages such as banking notifications and login access notifications, was disabled (probably due to the process mentioned). Unfortunately, the online forum technical support for this issue was not just woefully lacking, but insultingly naive. Microsoft almost lost a customer as the ability to forward one account to another is a fundamental functionality. Thankfully, both for myself and for Microsoft’s interest in customer retention, this issue was finally bumped sometime in November to a higher technical support authority. At that point, the technician did an excellent job of continuing to look into the problem, testing all of the various possibilities, and finally determining that the problem was, indeed, on the Microsoft server side (not in my spam filter or user error). Unfortunately, he did not have the insight into the server specific engineering to pinpoint the issue. This post seems to have done that. As a quick side note, I have certainly sung the praises of that support engineer to his manager and thank him again here.
    In the meantime, I am now coming up on 10 months of not being able to use my Microsoft Hotmail account in the intended fashion. Note, Hotmail accounts cannot be made into aliases for other Hotmail accounts (a plausible and obvious work-around). I mention this because I am extremely interested in when this update will be enacted. Not being able to forward simple messages such as banking notifications and postage tracking information removes the usefulness of Hotmail.com as a paid for utility (I am a Hotmail plus subscriber). I was told that this was scheduled for the next build of Microsoft Outlook.com. Is there a way online to check the build status of the site to know when this functionality may be fixed and when I may be able to return to forwarding my mail? -Taylor
    • Anonymous
      July 05, 2016
      Sorry to hear this, Taylor. I know it's annoying (it's annoying for me, too, because I use email and forwarding the same way everyone else does and encounter this problem). No, there's no way to check the build status. Every time I check to see the status myself, it's pushed out because of running into an issue that we have to roll back and then fix. The deployment is going slowly, but hopefully it will be done in a few weeks.
    • Anonymous
      July 29, 2016
      tzink, thank you again for your post and for your reply. As the month draws to a close, I would like to check back in to see if the build status has changed. I still don’t see functionality has returned, so I think I can guess at the answer. -TCL
    • Anonymous
      August 07, 2016
      tzink, thank you again for your post and for your reply. As the month now begins anew, I would like to check back in to see if the build status has changed. I still don’t see functionality has returned, so I think I can guess at the answer. -TCL
  • Anonymous
    August 10, 2016
    I am getting this same problem with an Exchange 2010 server. It is rewriting the To: field on redirects, which breaks DKIM. Is there any fix / patch / settings for Exchange 2010? (I think this blog refers to the hosted service?)
  • Anonymous
    August 11, 2016
    It's actually even worse. Exchange redirection is not only rewriting the To: field, but also changing the message body by putting quotes around the charset, e.g. from Content-Type: text/plain; charset=UTF-8 to Content-Type: text/plain; charset="UTF-8" which obviously breaks the DKIM signature on the body. Is there any way to get Exchange 2010 to redirect in a DKIM compliant fashion?
    • Anonymous
      August 11, 2016
      Yes, it's not just the To: field but is as you mention. And yes, it breaks DKIM. In Office 365, we are planning to fix this although every time we start to deploy the fix we hit an issue; we then need to rollback and make adjustments (there are a lot of old MTAs that send in strange formats that require content conversion in order to deliver). This pushes out the fix date. As far as I know, there is no way to get Exchange 2010 to redirect/forward without modifying the body. The only thing that works is to send the message from an Exchange server that already formats it in the way it expects, so when it does redirect/forward, there is no content that requires modification.
      • Anonymous
        August 12, 2016
        I keep coming back to this page hoping for a timeframe for resolution, only to find each time that attempts are still being made to implement fixes but are having to be rolled back due to further issues. Given this is taking so long to resolve, is there no way to provide an "on request" option to reverse the migration so that we go back to the old platform until it is fixed?
  • Anonymous
    August 21, 2016
    tzink, Thank you again for your post and for your reply. It looks like this issue continues to get a lot of traffic and shared sympathy. I’ve now dealt with this issue for 11 months. So that I’m clear, this issue has been a problem for almost a full calendar year now on the Hotmail domain. Like many, I understand the problem of getting blood from a turnip, so to speak. But I also know that the squeaky wheel gets the grease. So, with August going swiftly by and the 12th month of this issue for my account coming to a close, I would like to check back in to see if the build status has changed. I still don’t see functionality has returned, so I think I can guess at the answer. -TCL
  • Anonymous
    September 11, 2016
    tzink, This issue has now been a detriment to my ability to work with Hotmail for over a year. Do you have any new information on when this issue will be resolved? -TCL
  • Anonymous
    September 12, 2016
    I hit this issue yesterday. At least, now I know what is going on. Microsoft should put a warning when users are forwarding their emails. This may help a little...
  • Anonymous
    October 08, 2016
    Thanks for the clear explanation. This gives me a much better idea of what's going on.
  • Anonymous
    October 15, 2016
    Hi tzink! I know it's not yet enabled, but just like for you, me and my wife are also affected by this. I've considered swallowing the bitter pill and just moving away from our longstanding @hotmail.com addresses and just migrating to a custom domain. But your comments here somehow always make me hopeful that someone is trying to fix it. Is there any place we can follow for getting updates on this? Even just a notice that it was rolled forward again, but failed, would sort of make me at ease. Any sort of signal really. Do you think it might be fixed by the end of the year (preferably before Christmas)? The missed mails are messing with professional and private life.
    • Anonymous
      October 15, 2016
      The fix for this is starting to be rolled out, I haven't been able to test it yet but we're working on it. Believe me, I get asked about this all the time. It's as difficult for me as it is for you.
      • Anonymous
        October 15, 2016
        That's incredibly good to hear!
      • Anonymous
        October 27, 2016
        Hi can you put the fix on my outlook account please? See the address used for this comment. If not when will all accounts have been updated? Thanks
        • Anonymous
          October 28, 2016
          The fix will be applied everywhere, it's not on an account-by-account basis.
          • Anonymous
            October 29, 2016
            OK great any ideas on roll out date? please let us know the date so we can plan around this. It's the least we deserve. thanks
  • Anonymous
    November 14, 2016
    Hey Terry, Thanks for the updates on this. Are the "fix ups" documented anywhere? I'd like to see if we can fix up the messages before we send them so they don't trigger any changes when passing through exchange. Thanks!
    • Anonymous
      November 14, 2016
      No, they aren't documented anywhere. The easiest way to figure it out is to send a message from Office 365 and observe how it sends the message, and then send the equivalent one from a Gmail account. Look at all the headers and body, and compare differences. That's how I do it.
  • Anonymous
    November 16, 2016
    We are having a similar issue, and unless someone sends me the bounced e-mail, we aren't even aware of what is happening. My husband and I share a hotmail account (outlook.com) and those emails are copied and forwarded to his msn account (outlook.com) setup by the outlook.com website. This is frustrating that it is all internal and there isn't a work around or a timeframe. We also don't know which email do get forwarded (because some do) and which ones don't (because some contacts let me know that their email bounced back).
    • Anonymous
      November 16, 2016
      Yes, I understand it's frustrating. We've been trying to roll this out for a long time but keep hitting issues and have to delay it. That's why I don't put any timelines into the blog posts or comments. When we hit an issue, we halt deployment, fix it, and then continue. There is a lot of legacy behavior that has dependencies on the message fix-ups (that breaks DKIM, but stops other problems).
  • Anonymous
    November 22, 2016
    Ok, so what do we do about SPF failures?
  • Anonymous
    November 23, 2016
    Hi there, Thanks for your write-up. It's made its way into the top of Google search results for this issue, which is good. Can I confirm whether your team is working on a fix for Office 365 (for Schools)? I forward my school emails to another email provider, which rejects the email due to DMARC being used on the originating sender. Many thanks, Kelvin
    • Anonymous
      November 23, 2016
      Yes, we're working on a fix for all of Office 365. As I said, I don't have a timeline because every time we have tried to deploy, we've hit an issue. We then have to pause (or rollback) and then fix that one. Then we continue. But it's in progress. I understand this is painful for everyone. This blog post is one of the top for generating comments on any of my blog posts, so I get it. I don't like not being able to forward email, either.
      • Anonymous
        December 01, 2016
        I have no idea how Microsoft works with update deployment but reading the comments suggests there is a working solution but it can't be deployed because of other changes. Isn't it possible for MS to deploy just this fix? I did not receive mails from my bank and several other important companies for months now!
  • Anonymous
    December 07, 2016
    Hello it has been 2 weeks since your last update. Do you have any more information for us yet? When will the next attempt at a fix roll out happen?
  • Anonymous
    December 07, 2016
    I missed multiple credit card payments in the last month because the statements via email never got forwarded through Outlook.com. This is infuriating and unacceptable. Back to Gmail I go.
    • Anonymous
      December 08, 2016
      I just received the first forwarded email through Outlook.com since about two months ago. All emails from USPS have NOT been going through, but this morning, one got through. Hopefully this means the fix is in?
      • Anonymous
        December 08, 2016
        I wasn't clear in my last comment. I have not received any email in the last two months - specifically from senders marked as safe in Outlook.com. Just as of this morning, I have received three emails from USPS, none of which have been forwarded for the last two months. When I click to view original in Gmail, it shows "SPF: Fail" and "DMARC: Fail", so it appears the email headers are still messed up, but they at least got forwarded from Outlook.com to Gmail.
        • Anonymous
          December 09, 2016
          Ah you had my hopes up - tested from booking.com (one that I know has the issue) sadly still the same!
          • Anonymous
            December 09, 2016
            I've said it before in the comments and I'll say it again - literally every time we deploy this, we have to roll it back because of some issue we encounter, so I don't have a timeline. Turns out there are a lot of dependencies on modifying the message. This is compounded by the fact that I am not driving this change (I just get to respond to everyone's comments asking about it), and it's old legacy code that few people are familiar with (is anyone?).
  • Anonymous
    December 17, 2016
    Thanks for your insight. I have the same issue and emails from the following accounts were not automatically forwarded in my case.
    - usps
    - fedex
    - ups
    - newegg.com
    Most of the other emails are still being forwarded (e.g. Amazon and other retailers). Hope this issue gets resolved soon. Thank you.
  • Anonymous
    December 28, 2016
    Any update on this issue? Some good end of year news would be great.
    • Anonymous
      January 09, 2017
      Timing update, please. This has still not been fixed.
      • Anonymous
        January 12, 2017
        Yep, would be really great to get an update on this.
      • Anonymous
        January 12, 2017
        When I forward my incoming emails to my gmail accountant, then all my incoming emails also go into my sent folder. How can I fix this??
  • Anonymous
    January 20, 2017
    Hi, we are hitting a roadblock now that big financial institutions are actively enforcing SPF/DKIM/DMARC policies..... Any new developments here? It looks like this is a widespread issue across Microsoft Email platforms, but not much movement has been happening with this... Frustrating when you get sold on a product and then discover these highly impactful bugs...
  • Anonymous
    January 21, 2017
    Have the same issue. Currently only workaround is to set Gmail to load the mails via POP3 from outlook.com, but this can only be a temp solution.. hopefully it will be fixed soon.
  • Anonymous
    January 25, 2017
    I am still plagued by this problem. Half of my redirected mail gets dumped into Gmail spam. Any updates on this?
  • Anonymous
    January 31, 2017
    Terry, it seems as if there are some more problems with the dkim implementation. A known problem is sending mail with attachments resulting in failed header.from verification (simply send a mail with attachments from gmail). A customer had a serious problem with mail sent to onmicrosoft.com where CC was used and oversigned (to make sure CC was not illegally added). These mails do not pass smtp.mailfrom & header.from verification. You can add nearly all headers you want for oversign, but don't add CC, this breaks verification. From the RFC there is no reason not to add CC, but there are some good reasons to add CC for oversign. (gmail and port25 rate these mail ok.) Maybe you can forward that into the product groups for evaluation.
  • Anonymous
    February 08, 2017
    Is there an update about this issue, for example booking.com and netflix mail also aren't forwarding to a different mailbox.
    • Anonymous
      February 14, 2017
      We're working on it. Lots of others have the same problem.
  • Anonymous
    March 01, 2017
    code thanks
  • Anonymous
    March 03, 2017
    Any idea when this is going to be resolved? I am still not getting all of my messages forwarded correctly
  • Anonymous
    March 04, 2017
    It's mad that a company with the resources of Microsoft hasn't been able to get this resolved in what is getting on for a year. It's a massive problem for senders who use DMARC, the number of which are increasing all the time.
  • Anonymous
    March 27, 2017
    the only solution is to deactivate forwarding for now, right? is there any way to get a list of all emails that bounced back? it would be very important, my girlfriend sent some job applications and would need to know if someone just got an error after answering :(
    • Anonymous
      March 27, 2017
      Some people disable forwarding, others import their messages using IMAP/POP3 at the forwarded-to destination.
      • Anonymous
        April 01, 2017
        what do you mean? do all messages show up when you use pop3/imap? that would be weird...so is there a way to get all messages somehow, even if the sender got an error?
  • Anonymous
    April 03, 2017
    Sorry for bothering, Just want to check is this still being worked on! is there a solution/workaround already! or is it given up upon! Thanks for the GREAT explanation, it's perfect. I will not have to look deeper into my problem :)
  • Anonymous
    April 18, 2017
    Given the strict DMARC rules now implemented by some sites, such as yahoo, it is now impossible to constructively use an auto forwarding feature without unintentionally completely blocking emails from some senders. Is this ever going to be resolved? Given that it is to do with how the exchange server is reformatting the header I would have thought that resolving this would be within the capability of Microsoft.
  • Anonymous
    May 24, 2017
    It looks like we have passed the 1 year mark of the original posting. Is there actually any ongoing effort to remedy this? Is there any update on ETA for a fix for this? We would love not to have to bypass the MS cloud for our users but since store/forward is not successful we are just forwarding at the inbound relay side of the world. Not ideal when we would like to keep all this inbound mail in our MS tenant. Any updates would be helpful. Jon
    • Anonymous
      May 30, 2017
      To me, it seems like Microsoft have given up on it. I hope that's not the case, because this is a serious issue for senders and receivers alike!
  • Anonymous
    June 01, 2017
    Hi, my first posting to this blog article is about to get one year old. But somehow I don't want to light a candle ;) I know it is tiresome, but still: Any timeline for the fix? Thanks, Mathias
    • Anonymous
      June 29, 2017
      And one more month... Like to know that too
  • Anonymous
    August 04, 2017
    This is such a mess, since 3/AUG my hotmail account has stopped auto forwarding/resending my hotmail emails to my gmail/G suite email. Microsoft staff just can't fix this mess, will not use any of their products in the future if I can!
  • Anonymous
    August 21, 2017
    This is a disaster, people are going to miss important emails because they trust hotmail's auto forward function! I just recently found out this when I didn't receive confirmation email from B&H Photo, and apparently this issue has existed for over a year! Totally unacceptable to respectable companies.
  • Anonymous
    August 26, 2017
    Here it is August 26th 2017 -- Still not fixed.
  • Anonymous
    November 12, 2017
    Any update on this?
  • Anonymous
    November 22, 2017
    I am not getting emails forwarded to my Gmail account? When is this going to be fixed?