freiheit🤖<p>Bit of "fun" with O365 email for us this week...</p><p>Background: Our main email domain's MX records are on-prem servers that do a bunch of things, and email for our O365 domain relays through them. These on-prem MX servers have been dual-stack (IPv4 and IPv6) for many years now.</p><p>Not sure exactly when MS made various changes, but our example-com.mail.protection.outlook.com records have both IPv4 (A) and IPv6 (AAAA) addresses.</p><p>And they enforce that email they receive has to be via a "trusted connector" for your domain, pass SPF, or pass DKIM.</p><p>> 450 4.7.26 Service does not accept messages sent over IPv6 [dead::beef::1] unless they pass either SPF or DKIM validation (message not signed)</p><p>But O365 doesn't yet support adding IPv6 IPs/ranges to the trusted/connector list.</p><p>So, suddenly email sent to us without DKIM signatures was getting stuck in the MX server queues.</p><p>Our temporary workaround is that we added egress firewall rules on the MX servers themselves blocking SMTP to 2a01:111:f400::/48 and 2a01:111:f403::/48 (the published ranges for their MX servers). 
Not ideal, but at least mail is flowing again.</p><p><a href="https://hachyderm.io/tags/sysadmin" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sysadmin</span></a> <a href="https://hachyderm.io/tags/devops" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>devops</span></a> <a href="https://hachyderm.io/tags/syseng" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>syseng</span></a> <a href="https://hachyderm.io/tags/devoops" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>devoops</span></a> <a href="https://hachyderm.io/tags/email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>email</span></a> <a href="https://hachyderm.io/tags/smtp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>smtp</span></a> <a href="https://hachyderm.io/tags/o365" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>o365</span></a> <a href="https://hachyderm.io/tags/m365" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>m365</span></a></p>
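<p>Added example, not part of the original post: a log check that counts relay attempts deferred with the 4.7.26 response quoted above, and shows whether the MX servers still connect to the two IPv6 ranges after the firewall workaround. The Postfix-style log format, the sample lines and the function names are assumptions made for this example.</p>

```python
import ipaddress
import re
from collections import Counter

# The two ranges the post names as the published O365 MX ranges.
O365_MX_V6 = [ipaddress.ip_network(n)
              for n in ("2a01:111:f400::/48", "2a01:111:f403::/48")]

# Assumed Postfix-style delivery line; adjust for another MTA's log format.
LINE_RE = re.compile(
    r"to=<(?P<rcpt>[^>]+)>.*?relay=[^\[\s,]+\[(?P<addr>[^\]]+)\]:\d+"
    r".*?status=(?P<status>\w+)(?:.*?said: \d{3} (?P<enh>\d\.\d+\.\d+))?")

# Constructed sample log lines (not taken from the post).
SAMPLE_LOG = """\
Jan 10 09:00:01 mx1 postfix/smtp[1001]: 4A1B2C: to=<alice@example.com>, relay=example-com.mail.protection.outlook.com[2a01:111:f400::10]:25, status=deferred (host example-com.mail.protection.outlook.com[2a01:111:f400::10] said: 450 4.7.26 Service does not accept messages sent over IPv6 unless they pass either SPF or DKIM validation (message not signed))
Jan 10 09:00:02 mx1 postfix/smtp[1002]: 4A1B2D: to=<bob@example.com>, relay=example-com.mail.protection.outlook.com[2a01:111:f403::20]:25, status=deferred (host example-com.mail.protection.outlook.com[2a01:111:f403::20] said: 450 4.7.26 Service does not accept messages sent over IPv6 unless they pass either SPF or DKIM validation (message not signed))
Jan 10 09:00:03 mx1 postfix/smtp[1003]: 4A1B2E: to=<carol@example.com>, relay=example-com.mail.protection.outlook.com[192.0.2.10]:25, status=sent (250 2.6.0 Queued mail for delivery)
Jan 10 09:00:04 mx1 postfix/smtp[1004]: 4A1B2F: to=<dave@example.org>, relay=mx.example.org[2001:db8::25]:25, status=deferred (host mx.example.org[2001:db8::25] said: 451 4.3.0 Temporary failure)
Jan 10 09:00:05 mx1 postfix/qmgr[900]: 4A1B30: from=<sender@example.net>, size=1234, nrcpt=1 (queue active)
""".splitlines()

def parse(line):
    """Return one delivery attempt as a dict, or None for other log lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    addr = ipaddress.ip_address(m["addr"])
    return {
        "rcpt": m["rcpt"],
        "family": f"ipv{addr.version}",
        "o365_v6_mx": addr.version == 6 and any(addr in n for n in O365_MX_V6),
        "status": m["status"],
        # 4.7.26 is the enhanced status code in the rejection quoted in the post.
        "auth_reject": m["status"] == "deferred" and m["enh"] == "4.7.26",
    }

def summarize(lines):
    """Count 4.7.26 deferrals and sends per address family; list stuck recipients."""
    counts, stuck = Counter(), set()
    for rec in filter(None, map(parse, lines)):
        if rec["auth_reject"]:
            counts["deferred_4.7.26_" + rec["family"]] += 1
            stuck.add(rec["rcpt"])
        elif rec["status"] == "sent":
            counts["sent_" + rec["family"]] += 1
        if rec["o365_v6_mx"]:
            counts["attempts_to_o365_v6_mx"] += 1
    return counts, sorted(stuck)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

<p>With the egress block in place, attempts_to_o365_v6_mx should stay at zero on new log lines, and deliveries to the O365 relay should appear under sent_ipv4.</p>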