When it comes to email you have to be completely ... enthusiastic: "I was following all the best practices with SPF, SKIM, and DMARC."
DKIM. Obviously that was a typo on a forum but you cannot be complacent, ever.
You have missed out DNSSEC (nearly optional), SMTP-TLS and MTA-STS. Does your SPF record end with -all? Does your DMARC record have reporting addresses, does it have: "p=reject; sp=reject; adkim=s; aspf=s" in it?
I also suggest you send marketing emails from a sub domain or a separate domain or move your identity domain elsewhere. A cop out is getting someone else to send your stuff and I do not recommend that - it looks lax and trite.
I run a MS silver (its not Stirling and I'm not proud of it) partner. I recently shuffled our on prem to Exchange online, which at least saved a shit load of vRAM n vCPU on prem and horrendous Windows updates. I do insist on gatewaying all our SMTP via our on prem Exim n RSpamD n that. That means I get to decide where our mail goes and I also have a couple of Dovecots on prem.
I run rather a lot more mail systems than ours too. This works in the UK but I cannot comment on [elsewhere], for obvious reasons.
You've got it - subdomains are sufficient (IIRC). Something like notifications.mycompany.com for the important stuff and news.mycompany.com for the more marketing stuff (and of course someone.else.entirely for the the cold email list "well, surely this one little list couldn't hurt" ... nah, who am I kidding, never use those)
Been through this many times. Have no problems and then all of a sudden, servers get blocked, same misleading error message about it being temporary, same annoying auto response that "we cannot see anything wrong" and same opaque customer services that won't tell you anything.
They even have the cheek to link to a 15 year old guide on email best-practices, it is in equal parts awkward, annoying and incredibly shameful for a large organisation like MS. The fact that SNDS shows all greens seems to mean nothing and clearly they have been instructed not to engage in any conversation about why it is happening and the fact these are servers that are linked to a well-known business with static IPs that have been in use for over 3 years.
The best I can work out is the use of heuristic mail filters that detect anomolies for whatever reason they feel like. Too much email, not enough email, email sending rates that are too erratic, basically what 99.9% of email servers in the world are doing and they decide to block you. I could live with "rate limited" and I could live with "temporary" because I would disable the servers once they got blocked but nope. Just more "we don't give a shit" attitude from Microsoft.
Sadly, I had to accept the inevitable which I had avoided for many years and migrate all of our email sending to Amazon SES because life is too short to send emails to Microsoft.
DKIM. Obviously that was a typo on a forum but you cannot be complacent, ever.
You have missed out DNSSEC (nearly optional), SMTP-TLS and MTA-STS. Does your SPF record end with -all? Does your DMARC record have reporting addresses, does it have: "p=reject; sp=reject; adkim=s; aspf=s" in it?
I also suggest you send marketing emails from a sub domain or a separate domain or move your identity domain elsewhere. A cop out is getting someone else to send your stuff and I do not recommend that - it looks lax and trite.
I run a MS silver (its not Stirling and I'm not proud of it) partner. I recently shuffled our on prem to Exchange online, which at least saved a shit load of vRAM n vCPU on prem and horrendous Windows updates. I do insist on gatewaying all our SMTP via our on prem Exim n RSpamD n that. That means I get to decide where our mail goes and I also have a couple of Dovecots on prem.
I run rather a lot more mail systems than ours too. This works in the UK but I cannot comment on [elsewhere], for obvious reasons.
Marketing should be different IP/Domain from transaction emails.
Have "mycompany.com" and "marketing-mycompany.com"?
How
Most of time, I would use mycompany.com for company stuff and mycompany.net for Application DNS and EMails.
They even have the cheek to link to a 15 year old guide on email best-practices, it is in equal parts awkward, annoying and incredibly shameful for a large organisation like MS. The fact that SNDS shows all greens seems to mean nothing and clearly they have been instructed not to engage in any conversation about why it is happening and the fact these are servers that are linked to a well-known business with static IPs that have been in use for over 3 years.
The best I can work out is the use of heuristic mail filters that detect anomolies for whatever reason they feel like. Too much email, not enough email, email sending rates that are too erratic, basically what 99.9% of email servers in the world are doing and they decide to block you. I could live with "rate limited" and I could live with "temporary" because I would disable the servers once they got blocked but nope. Just more "we don't give a shit" attitude from Microsoft.
Sadly, I had to accept the inevitable which I had avoided for many years and migrate all of our email sending to Amazon SES because life is too short to send emails to Microsoft.