In short, if we send out any email to clients using Microsoft 365 as their email provider containing the textual content "25friday.com" anywhere on the email subject, body or readable attachment (e.g. pdf) the emails fall on a "blackhole" and are neither bounced nor reaching the recipient (they are not in spam or quarantine either).
As you might imagine this is a huge problem for us as email is our primary means of communication with our clients and we need to be careful to never include any mention of our domain in any email we send to them.
For recipients using personal Outlook emails, the emails are received and sent to spam with a spam score of 9 (maximum score).
We've reached Microsoft support and they seem as clueless as we are. They have no idea why this is happening and they are unable to provide any information or progress on the ongoing issue. This has been going on for about a month now.
A few things we have tried:
- We have checked our SPF, DKIM, and DMARC records and they are all set up correctly and passing.
- We have checked our email sending reputation and it is good as far as we can tell.
- We have tried sending emails from different email addresses and domains, but the issue persists.
- We have setup our own Microsoft 365 account to be able to submit false-positive reports on the security portal, but the submissions disappear into the void and we never receive any feedback.
- We have tried some deliverability testing tools and they all report that our emails are being blocked by Microsoft 365, but not by any other email providers.
- We are not on any known/public blacklists
Note that we are using Google Workspaces, but that does not seem to be the issue. The domain itself has been live since 2018 (since the company was founded) and we have never had any issues with email deliverability before. We don't send spam or unsolicited emails. The closest I could think of is a mailing list we have with about 300 subscribers containing mostly client emails but also some emails of people we invite to our events. We send out an approximately monthly newsletter to this list, but we have never had any complaints or issues with it before (we're using Pipedrive for that).
Tangential but I believe that it might be related: if I set my website address as 25friday.com on my LinkedIn profile, the link gets overwritten to a LinkedIn error page. My guess is that since LinkedIn is owned by Microsoft, they are sharing the same blacklist.
Any tips would be greatly appreciated. We're really affected by this and without any recourse to escalate this issue.
Thank you all for the suggestions.
I'm not surprised they also keyword block, because Outlook flags Microsoft's own marketing messages as spam.
There really needs to be some kind of global Digital Bill of Rights which provides legal recourse from these giant sclerotic algo-run oligopolies.
MS, Meta, Amazon, YouTube and Apple all have policies that can nuke SMEs on a whim without consequences, often without even noticing, after their algorithms make a wrong decision about imaginary "abuse".
"Please bear in mind that if you are using a non-standards compliant e-mail service provider such as Microsoft, e-mail delivery may be effected"
I wasn't even sure if the standard specified what to do with undeliverables, but it turns out that RFC 5321, RFC 3461, and RFC 3464 do. TIL :)
I recently helped troubleshoot a similar issue - we were suddenly getting emails disappearing when sending to M365 customers. No spam or quarantine, just disappearing down a black hole like you described. We sent a test message to a M365 customer who could help run the message trace, and we discovered that the SVG logo in our email signature was being flagged as a phishing attack. We had been using this logo for about a year without any issues, but suddenly Microsoft just decided to block it without warning.
On the outside, things look great, looks like to be a good value for the price, but for real, everything is buggy, lot of basic features requires you to manage them with PowerShell commands, there are bugs for years and the support is clueless. For example don't mind using "shared mailbox" or "delegation" without fighting a labyrinth of unexpected behaviors.
For outlook app in itself, you have around 3.5 different versions of it fighting in duel. With the "new" version not necessarily the one to use to have all the paid features, that would be the "classic" version.
With the new or web version, you can't move more than around 100 mails at a time, or more crazy, you can't delete more than 10 contacts in one go...
What amaze me is that all the email/contact/agenda suite looks like semi abandoned when they should make so much money with all the subscription and when everyone is there showing off with billion dollar tech in AI when your basic features are still incomplete and buggies.
“ You are receiving this because you have signed up to be a user of Smart Network Data Services, or a Smart Network Data Services user has requested that this email be sent to this address. Smart Network Data Services is a revolutionary Windows Live Mail initiative, designed to allow everyone who owns IP space to contribute to the fight against spam and protect e-mail as a valued communications, productivity and commerce tool. If you have questions about our privacy policy, please read our privacy statement available at http://privacy.live.com. I
The fix was our own MSFT support case opened via our own E5 subscription which took two weeks to get the app unblocked. To prevent future reports we put a custom hostname on the IdP. So app.example.com now redirects to login.app.example.com
When I test sending a mail to my M365 account with your URL mentioned I find that it gets quarantined (same as if I try to send an email from my M365 account with that URL).
In your M365 test tenant, you should be able to go https://security.microsoft.com/quarantine and see that the emails are getting quarantined, with this information provided as to why:
Detection technologies: URL detonation reputation, Mixed analysis detection
Given that it says "URL detonation reputation" rather than just "URL detonation", that suggests it's using historical information rather than having performed a new test.
This is Microsoft Safe Links functionality - at the very least since you should be able to find the quarantined emails, the headers will contain a correlation ID support can use, although they might not have much power over safe links.
I think it's also possible a large amount of people on Outlook (or LinkedIn?) lost interest and clicked "report spam" because it's quicker and more effective than unsubscribing from most automated messaging.
Edit: another thing I caught O365 doing was rewriting the headers in my email (it didn't like the way my From:-address was structured by my server) and then checked the DKIM headers. Obviously the email they altered themselves didn't pass the DKIM signature check. Worked around it by altering my email client to set the From address in a way that Outlook liked.
1. Rename the company
2. You (or somebody you know) gets a job at Microsoft in the correct team and removes 25friday from the backlist.
I'm guessing at some point the past, there was a large spam campaign that targeted friday the 25th for some reason.
She had to call the bank to find out what the balance is. Of course on their side it looks like the statement was generated and emailed at the normal date.
No, it isn't. It has never been.