Contents
Microsoft Outlook.com, Hotmail, and Live.com represent the second-largest mailbox provider for European and North American senders. Microsoft's filtering infrastructure — Defender for Office 365 — operates differently from Gmail and requires a distinct configuration philosophy. Where Gmail prioritises engagement-based reputation signals, Microsoft places significant weight on IP-level history through SNDS and connection behavior patterns.
Outlook Domain Block Configuration
The PowerMTA domain block for Microsoft must cover all Microsoft-managed domains, not just outlook.com. Without mx-rollup, PowerMTA opens separate connection pools per domain and may exceed Microsoft's per-IP connection thresholds.
domain outlook.com {{
virtual-mta-pool microsoft-pool
max-smtp-out tuning 5 # Conservative — Microsoft enforces strictly
max-conn-rate 0.5/s
max-msg-rate 200/h
retry-after 20m
mx-rollup outlook.com
dkim-sign domain="yourdomain.com" \
key-file="/etc/pmta/dkim/yourdomain.private" \
selector="s1"
}}
domain hotmail.com {{ mx-rollup outlook.com }}
domain hotmail.co.uk {{ mx-rollup outlook.com }}
domain hotmail.de {{ mx-rollup outlook.com }}
domain hotmail.fr {{ mx-rollup outlook.com }}
domain live.com {{ mx-rollup outlook.com }}
domain live.co.uk {{ mx-rollup outlook.com }}
domain live.de {{ mx-rollup outlook.com }}
domain msn.com {{ mx-rollup outlook.com }}
domain windowslive.com {{ mx-rollup outlook.com }}
SNDS and JMRP — Microsoft Sender Programs
SNDS (Smart Network Data Services) shows per-IP sending statistics: message volume, complaint rate, trap hits, and traffic light status. JMRP (Junk Mail Reporting Program) provides individual ARF complaint reports per message — essential for real-time suppression.
| SNDS Status | Meaning | Inbox Impact | Action |
|---|---|---|---|
| GREEN | Acceptable complaint rate, no trap hits | Normal delivery | Maintain practices |
| YELLOW | Elevated complaint rate or minor trap hits | Some junk filtering | Investigate; reduce volume 25% |
| RED | High complaint rate or spam source classification | Significant filtering/blocking | Stop sending from this IP |
# Process JMRP feedback loop configuration reports # JMRP sends ARF emails to your registered FBL address # Configure pipe processing in PowerMTA: source jmrp-fbl {{ type pipe command "/usr/local/bin/process_fbl.py --provider=microsoft" }} # FBL script extracts Message-ID, finds recipient, adds to suppression
Microsoft SMTP Error Code Reference
| Error Code | Description | Correct Response |
|---|---|---|
421 4.7.0 RP-001 | IP blocked — reputation policy | Stop sending; check SNDS; do not retry for 4h minimum |
421 4.7.0 RP-002 | Connection rate limit exceeded | Reduce max-conn-rate; increase retry-after to 30m |
421 4.7.0 RP-003 | Sender domain blocked | Check domain reputation; verify DMARC policy |
550 5.7.1 IP blocked | Permanent IP block | Contact Microsoft Sender Support; use alternate IP |
550 5.7.1 DMARC | DMARC policy failure | Debug SPF/DKIM alignment; check From: domain match |
550 5.7.606 | Access denied — banned IP | Submit delisting at sendersupport.olc.protection.outlook.com |
451 4.7.500 | Server busy — temporary throttle | Normal retry at standard retry-after interval |
smtp-pattern-list microsoft-patterns {{
"421 4.7.0 RP-001" retry-after=4h
"421 4.7.0 RP-002" retry-after=2h max-smtp-out=2
"550 5.7.606" bounce type=administrative
"550 5.7.510" bounce type=administrative
}}
domain outlook.com {{
smtp-pattern-list microsoft-patterns
virtual-mta-pool microsoft-pool
max-smtp-out 5
mx-rollup outlook.com
}}
Authentication Requirements for Microsoft Domains
Microsoft enforces DMARC at p=reject for Outlook.com. PTR records are also particularly important — Outlook's filtering checks that the PTR record of the sending IP resolves to a hostname associated with your sending domain. Generic datacenter PTR records receive lower trust scores.
# Required DNS records for Outlook.com delivery yourdomain.com TXT "v=spf1 ip4:185.x.x.0/24 -all" s1._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=[YOUR_PUBLIC_KEY]" _dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com" # PTR record: 185.x.x.10 → mail1.yourdomain.com # Verify: dig -x 185.x.x.10
Domain Rollup for Hotmail and Live Variants
Without proper mx-rollup, PowerMTA treats hotmail.com, hotmail.de, hotmail.fr, live.com etc. as separate destinations and opens independent connection pools. Since all these domains resolve to Microsoft's shared MX infrastructure, this produces many more simultaneous connections than Microsoft allows per IP — leading to RP-002 rate limit events.
The rollup configuration consolidates all Microsoft-managed domains under the outlook.com connection pool. PowerMTA then manages one set of connection limits for all Microsoft traffic combined, which is the correct model for how Microsoft actually enforces limits.
Connection Limit Tuning by Volume Tier
# Under 100,000 messages/day to Outlook
domain outlook.com {{
max-smtp-out 4 max-conn-rate 0.5/s max-msg-rate 150/h retry-after 20m
mx-rollup outlook.com
}}
# 100,000 – 500,000 messages/day
domain outlook.com {{
max-smtp-out 5 max-conn-rate 1/s max-msg-rate 200/h retry-after 20m
mx-rollup outlook.com
}}
# 500,000+ messages/day (pool of 6-10 IPs)
domain outlook.com {{
max-smtp-out 6 max-conn-rate 1/s max-msg-rate 250/h retry-after 15m
mx-rollup outlook.com
}}
# Total connections = pool size × max-smtp-out
# 10 IPs × 6 connections = 60 simultaneous connections to Microsoft
Frequently Asked Questions
Operating PowerMTA at production volume?
We manage PowerMTA environments for high-volume senders — configuration, IP warming schedule, daily reputation monitoring, and operational response. Fully managed. No self-service.
