Usually my nyms works well.
When sending mail, there are few recipients that I can not to reach.
I receive an error message "Mail delivery failed"

SMTP error from remote mail server after end of data:
host eur.olc.protection.outlook.com [104.47.17.97]:
550 5.7.509 Access denied, sending domain [NYMPH.PARANOICI.ORG] does
not pass DMARC verification and has a DMARC policy of reject.

There is a way to avoid this?

On 4/28/24 08:38, Nomen Nescio wrote:
> When sending mail, there are few recipients that I can not to reach.

Are those recipients hosted with protection.outlook.com? Or are those
recipients hosted elsewhere and forwarding to something else hosted with
protection.outlook.com?

> SMTP error from remote mail server after end of data: host
> eur.olc.protection.outlook.com [104.47.17.97]: 550 5.7.509 Access
> denied, sending domain [NYMPH.PARANOICI.ORG] does not pass DMARC
> verification and has a DMARC policy of reject.

This seems like a quintessential problem with -- what I'll call -- old
school mail forwarding. Something that's becoming more and more fragile
every week.

> There is a way to avoid this?

Presuming that you're using your NYM to send to an address that's
forwarding to another address hosted by protection.outlook.com, then no,
not really as this is almost certainly a problem with how the forwarding
is configured.

Read: This is likely not a problem with mymph.paranoici.org.

--
Grant. . . .

On 28 Apr 2024, Nomen Nescio <nobody@dizum.com> posted some
news:3eefa36bac194cfdc279ec566f4a2f95@dizum.com:

> Usually my nyms works well.
> When sending mail, there are few recipients that I can not to reach.
> I receive an error message "Mail delivery failed"
>
> SMTP error from remote mail server after end of data:
> host eur.olc.protection.outlook.com [104.47.17.97]:
> 550 5.7.509 Access denied, sending domain [NYMPH.PARANOICI.ORG] does
> not pass DMARC verification and has a DMARC policy of reject.
>
> There is a way to avoid this?

Possibly not given the nature of anonymous remailers. There are some
challenges because of inbound requirements.

This might be helpful for terminology and an overview how
MS/Azure/Outlook/365 (Whoever they are this year) filter.

https://learn.microsoft.com/en-us/defender-office-365/email-
authentication-spf-configure

Per the error, the addressee you're sending to is in a domain hosted by
MS/Azure/Outlook/365 most likely. This is a picky bitchy bunch and they
will stupidly mimecast flag intra-domain email on occasion requiring a
user to permit one time or all future receipt from the sender in their own
domain. Stupid but it happens.

The email admin responsible for the domain might be able to whitelist
paranoici.org, but that doesn't always work either because of the
additional filtering.

This is an example DMARC DNS record.

"v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com"

paranoici.org SPF and InARP records.

paranoici.org IN TXT v=spf1 redirect=_spf.investici.org

108.222.167.198.in-addr.arpa IN PTR devianza.investici.org

You'll notice paranoici.org does have an spf record. For many that's
sufficient, but not the Outlook bunch, they want both and they better be
syntactically correct. paranoici.org does not have a DMARC record and
therein is one of the problems. Overall the paranoici/investici.org admin
gets + marks for DNS implementation.

What is DMARC?
DMARC uses Sender Policy Framework (SPF) and DomainKeys Identified Mail
(DKIM) to evaluate the authenticity of email messages. Together, these
tools prevent practices like phishing and domain spoofing.

To resolve this issue, the remailer admin would need to make sure that the
NYMPH.PARANOICI.ORG domain is properly configured for DMARC verification.

They can do this by adding a DMARC record to their DNS zone file. The
DMARC record will specify how Outlook should handle emails that fail DMARC
authentication.

"To solve these problems, senders and receivers must share information
with one another. Ideally, receivers supply senders with reporting
information, while senders tell receivers what to do when they receive
unauthenticated messages."

A personal experience, MS/Azure/Outlook/365 ain't for everybody.

My company runs a monitoring system for many different kinds of compute,
storage, network and SAN switches, old and new. We get a lot of email
every day and some systems tend to blab more than others. Reliable
receipt is important for logging to open calls in a timely manner. A
higher level decision was made to move the inbound email from two internal
servers to Outlook hosting, where it promptly failed for 50% of the
inbound because of filtering (And data mangling) we could do nothing to
influence. After a week of wrestling and failing to resolve the issues,
the mail MX records were pointed back to the original servers where they
will remain.

>
> Are those recipients hosted with protection.outlook.com? Or are those
> recipients hosted elsewhere and forwarding to something else hosted with
> protection.outlook.com?

It is possible that someone of my recipients is forwarding to
something.
I wrote to several people all with the same institutional mail
Example: I wrote to
john@somewhere.net
fred@somewhere.net
lynn@somewhere.net
susan@somewhere.net
bob@somewhere.net

and I obtain the DMARC advice only when I send a mail to Lynn.

On Tue 30 Apr 2024 11:43 am, Nomen Nescio wrote:
>>
>> Are those recipients hosted with protection.outlook.com?  Or are those
>> recipients hosted elsewhere and forwarding to something else hosted
>> with protection.outlook.com?
>
> It is possible that someone of my recipients is forwarding to something.
> I wrote to several people all with the same institutional mail
> Example: I wrote to
> john@somewhere.net
> fred@somewhere.net
> lynn@somewhere.net
> susan@somewhere.net
> bob@somewhere.net
>
> and I obtain the DMARC advice only when I send a mail to Lynn.
>
How much for an ounce?

On 4/30/24 03:43, Nomen Nescio wrote:
> I obtain the DMARC advice only when I send a mail to Lynn

Sounds to me like Lynn is forwarding.

If you do an MX lookup for somewhere.net (`dig mx somewhere.net`) do you
see protection.outlook.com servers listed? Or something else?

I speculate that you'll see something else and that Lynn is forwarding
to something that's hosted with protection.outlook.com.

--
Grant. . . .

On 30 Apr 2024, Grant Taylor <gtaylor@tnetconsulting.net> posted some
news:v0s05j$tdi$1@tncsrv09.home.tnetconsulting.net:

> On 4/30/24 03:43, Nomen Nescio wrote:
>> I obtain the DMARC advice only when I send a mail to Lynn
>
> Sounds to me like Lynn is forwarding.
>
> If you do an MX lookup for somewhere.net (`dig mx somewhere.net`) do you
> see protection.outlook.com servers listed? Or something else?
>
> I speculate that you'll see something else and that Lynn is forwarding
> to something that's hosted with protection.outlook.com.

I don't get that response when I forward to addresses known to be hosted
on domains filtered by protection.outlook.com. But this is Friday and
tomorrow could be different with the policies and practicies of any
organization run by "Indian Technology Professionals".

My sending domain does have DMARC and SPF records.