How to Deal With the Microsoft Outlook IP Blacklist

In previous tutorials, I explained how you can easily set up your own mail server using iRedMail or Modoboa, and I shared some tips on getting your IP address removed from blacklists. However, some folks have a hard time getting off the Microsoft Outlook IP blacklist, which is used by outlook.com, hotmail.com, live.com, and msn.com mail servers.

Microsoft Outlook typically sends back the following message if your IP address is blocked.

host eur.olc.protection.outlook.com[104.47.22.161] said:
550 5.7.1 Unfortunately, messages from [xx.xx.xx.xx] weren't sent.
Please contact your Internet service provider since part of their network
is on our block list (S3150). You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors.
[DB8EUR06FT013.eop-eur06.prod.protection.outlook.com] (in reply to MAIL
FROM command)

As you can see, the whole IP range is blocked. Personally, I don’t think this anti-spam technique should be used due to the collateral damage done to legitimate senders. In contrast, Gmail is much more intelligent in handling IP reputation. You can submit the sender information form to solve this problem. Sometimes Microsoft would unblock your IP address, sometimes your request would be refused.

A surefire way to get your IP address off Outlook blacklist is to get your mail server certified by Return Path. However, this is very expensive. You need to pay a one-time $200 application fee and at least $1,375 license fee per year. I will show you a free way to bypass the Outlook IP blacklist.

Using SMTP Relay Service to Bypass Microsoft Outlook IP Blacklist

You can configure your mail server to relay emails via SMTP relay services. They maintain a good IP reputation, so your emails can get through IP blacklists. There are many SMTP relay services. Some charge a little fee, some offer free quotas every month.

You don’t have to configure your mail server to relay all emails. I will show you how to configure your Postfix SMTP server to relay emails that are sent to outlook.com, hotmail.com, live.com and msn.com email addresses, so you won’t use up the free quota quickly. There are not many people using Microsoft mailboxes these days. Only 6.5% of my subscribers are using hotmail, outlook, live, and msn email addresses.

We can also configure Postfix SMTP server to use multiple SMTP relay services. So if one service provider allows you to send 10,000 emails per month for free, and we use 3 service providers, then we can send 30,000 emails per month for free.

Here I recommend 3 SMTP Relay Services:

  • SendPulse: 12,000 emails/month for free. No credit card required.
  • SendinBlue: 9,000 emails/month for free. No credit card required.
  • Mailjet: 6,000 emails/month for free. No credit card required.

I will show you how to set up each of them with Postfix SMTP server.

Configure SendPulse SMTP Relay

First, create a free account at SendPulse. After that, click the SMTP button in your SendPulse dashboard, then click Get started.

sendpulse transactional campaigns

Next, you need to complete your user profile.

sendpulse user profile

Then you need to wait for SendPulse to review your account. Once your account is approved, you can use SendPulse to send emails. Click the SMTP Settings button in the account dashboard and you have the SMTP settings that you can use in Postfix SMTP server.

sendpulse smtp settings

SSH into your mail server and open the Postfix main configuration file with a command-line text editor like Nano.

sudo nano /etc/postfix/main.cf

Add the following line at the end of this file.

transport_maps = regexp:/etc/postfix/transport.microsoft

Hint

If you use iRedMail, you can find the transport_maps parameter and add the regexp line.

transport_maps =
    regexp:/etc/postfix/transport.microsoft
    proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf

If you use Modoboa, you can find the tranport_maps parameter and add the regexp line.

transport_maps =
        regexp:/etc/postfix/transport.microsoft
        proxy:mysql:/etc/postfix/sql-transport.cf
        proxy:mysql:/etc/postfix/sql-spliteddomains-transport.cf

Then add the following lines to the end of this file.

# outbound relay configurations
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
header_size_limit = 4096000

Save and close the file. Next, create the /etc/postfix/transport.microsoft file.

sudo nano /etc/postfix/transport.microsoft

Add the following line in this file. This tells Postfix to use SendPulse SMTP relay if the recipient is a hotmail user.

/.*@hotmail.*/i             relay:[smtp-pulse.com]:587

Save and close the file. The create the .db file.

sudo postmap /etc/postfix/transport.microsoft

Next, create the /etc/postfix/sasl_passwd file.

sudo nano /etc/postfix/sasl_passwd

Add the SMTP relay host and SMTP credentials to this file like below. Replace smtp_username and smtp_password with your own username and password that are given by SendPulse. Note there’s a colon between the username and password.

[smtp-pulse.com]:587            smtp_username:smtp_password

Save and close the file. Then create the corresponding hash db file with postmap.

sudo postmap /etc/postfix/sasl_passwd

Now you should have a file /etc/postfix/sasl_passwd.db. Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

By default, sasl_passwd and sasl_passwd.db file can be read by any user on the server.  Change the permission to 600 so only root can read and write to these two files.

sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

From now on, Postfix will use SendPulse SMTP relay to send emails to hotmail users. You need to update your domain name’s SPF record. For example, if your SPF record is

v=spf1 mx ~all

Then change it to the following to allow SendPulse servers to send emails for you.

v=spf1 include:mxsmtp.sendpulse.com mx ~all

Note that if you have already configured DKIM on your own mail server, you don’t have to configure DKIM again in SendPulse, because SendPulse won’t add additional DKIM signature to your emails.

Now you can send a test email to a hotmail.com email address.

Sender Domain is Not Valid?

If you see the “Sender domain is not valid” error when sending emails through SendPulse, that’s because the Mail From: address in your email is different from the Sender Email address in your SendPulse SMTP settings. You need to use the same email address.

sendpulse-smtp-settings-sender-email

Configure SendinBlue SMTP Relay

Create a free account at SendinBlue. Once you complete your user profile, click the transactional tab, you will get your SMTP settings.

sendinblue SMTP relay settings

Note that you might need to contact Sendinblue customer service in order to activate the transactional email service.

Then edit the /etc/postfix/transport.microsoft file.

sudo nano /etc/postfix/transport.microsoft

Add the following line in this file. This tells Postfix to use SendinBlue SMTP relay if the recipient is an Outlook user.

/.*@outlook.*/i    relay:[smtp-relay.sendinblue.com]:587

Save and close the file. The create the .db file.

sudo postmap /etc/postfix/transport.microsoft

Then edit the password database.

sudo nano /etc/postfix/sasl_passwd

Add the SMTP relay host and SMTP credentials to this file like below. Replace smtp_username and smtp_password with your own username and password that are given by SendinBlue. Note there’s a colon between the username and password.

[smtp-relay.sendinblue.com]:587            smtp_username:smtp_password

Save and close the file. Then create the corresponding hash db file with postmap.

sudo postmap /etc/postfix/sasl_passwd

Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Note that you need to click the Senders & IPs tab in your account dashboard to add your domain.

sendinblue add senders and domains

Set Up SPF/DKIM Authentication in SendinBlue

In your SendinBlue dashboard, click your account name on the upper-right corner, then click Senders & IP. Select the Domains tab -> Manage -> Authenticate this domain.

sendinblue authenticate domain

A popup appears. You need to add the first 3 records for your domain.

sendinblue spf and DKIM authentication

Note that your SPF record should also include SendPulse.

v=spf1 include:mxsmtp.sendpulse.com include:spf.sendinblue.com mx ~all

Configure Mailjet SMTP Relay

Create a free account at Mailjet.  Once you activate your Mailjet account, you will need to choose between Marketer and Developer. Here we choose Developer in order to use SMTP relay.

mailjet smtp relay

In the next screen, choose SMTP relay and click the Continue button.

mailjet smtp relay outlook blacklist

Then you will get your SMTP configurations.

mailjet smtp configuration

Edit the /etc/postfix/transport.microsoft file on your mail server.

sudo nano /etc/postfix/transport.microsoft

Add the following two lines at the end of this file. This tells Postfix to use Mailjet SMTP relay if the recipient is a Micosoft live and MSN mail user.

/.*@live.*/i    relay:[in-v3.mailjet.com]:587
/.*@msn.*/i     relay:[in-v3.mailjet.com]:587

Save and close the file. The create the .db file.

sudo postmap /etc/postfix/transport.microsoft

Then edit the password database.

sudo nano /etc/postfix/sasl_passwd

Add the SMTP relay host and SMTP credentials to this file like below. Replace smtp_username and smtp_password with your own username and password that are given by Mailjet. Note there’s a colon between the username and password.

[in-v3.mailjet.com]:587            smtp_username:smtp_password

Save and close the file. Then create the corresponding hash db file with postmap.

sudo postmap /etc/postfix/sasl_passwd

Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Now you should be able to send emails to Microsoft live and MSN users with Mailjet SMTP relay. Click the Add and validate domain button in your account dashboard to add sender address or add your domain.

You also need to update your domain name’s SPF record. For example, if your SPF record is

v=spf1 include:mxsmtp.sendpulse.com +a +mx ~all

Then change it to the following to allow Mailjet servers to send emails for you.

v=spf1 include:mxsmtp.sendpulse.com include:spf.mailjet.com +a +mx ~all

Set Up SPF/DKIM Authentication in Mailjet

In mailjet dashboard, click setup SPF/DKIM authentication. By default, SPF status and DKIM status are both in error. Click manage button and follow the instructions to add SPF and DKIM records.

smtp relay set up SPF and DKIM

After SPF and DKIM records are created, wait a few moments, and refresh the Mailjet web page. Your new DNS records can take some time to propagate on the Internet, depending on your DNS hosting service. If SPF and DKIM records are set up correctly and propagation is complete, Mailjet would tell you that SPF and DKIM records are good.

mailjet spf dkim

Getting Out of the Spam Folder

SMTP relay services can get you around IP blacklists, but that doesn’t mean your emails will be land into the inbox 100%. Your emails might be placed into the spam folder. If you comply with email-sending best practices, your emails will eventually be placed into the inbox folder.

I created a new hotmail.com mailbox as a test. The first 3 newsletters sent from my domain were placed in the spam folder, but all remaining emails were placed into the inbox folder. I didn’t do anything in my Hotmail account. I didn’t open my newsletter or click any links in the newsletter. I simply use best practices to send emails, so Microsoft knows my emails are not spam.

Tips for Staying out of the Microsoft Blacklist

Microsoft may remove your IP address from the blacklist if it found no spam activity from your mail server for a period of time. Here are some tips to prevent your IP address from getting blacklisted again.

  • Don’t send newsletters right away with this IP address to Microsoft mailbox users. You should first send transactional emails to improve your IP reputation with Microsoft.
  • If you send newsletters, be sure to warm up your IP address.

You can log into the Outlook.com Smart Network Data Services to check your IP reputation with Microsoft. If your IP address sends more than 100 messages on a given day, you can click the view data link to see the mail traffic and spam data for your IP address.

microsoft outlook hotmail mail traffic and spam data

Wrapping Up

I hope this tutorial helped you bypass the Microsoft Outlook IP blacklist. As always, if you found this post useful, then subscribe to our free newsletter for more useful tutorials 🙂

Rate this tutorial
[Total: 2 Average: 5]

12 Responses to “How to Deal With the Microsoft Outlook IP Blacklist

  • Owesome tutorial. Thanks !

  • Stenfrank
    7 months ago

    Excellent tutorial, at this moment my IP has just been blocked for no reason.

    I wanted to ask you if I have several IPs, could it be redirected from another IP only emails to hotmail?

    Thank you

  • OwN-3m-All
    5 months ago

    Thanks a ton! Microsoft is a tyrannical organization. They suck so much. They don’t give you a reason for why your IP range is on their blocklist, and when you try to get them to remove your range, they give you no information and deny your request despite the fact that your server is NOT sending spam. My servers adhere to good email policies, and they do NOT send spam.

    Screw Microsoft. They’re worse than Google at this point.

    I guess they’ll just blacklist IP addresses for over 100 years… only hurts them in the end. No one should use a Microsoft email account.

  • Actually, Microsoft, and specifically outlook.com is currently the number one source of SPAM second only to google currently, contrast this with only December where Google was of course the number one spammer, and outlook.com was number 6. I suspect that google has made some changes that make it harder for spam accounts to be setup quickly, hence the transfer to outlook.com but I don’t know for sure. If you’re considering sending bulk email via outlook.com then I wouldn’t bother, we’ve already added penalties just for the domain outlook.com to bias the spam flag and if it continues at this rate we’ll have to increase this.

    Unfortunately, due to the epic levels of spam, sending legitimate bulk email is becoming increasingly hard to do, and I suspect it won’t get any easier.

    • It’s very important to have clean IP addresses for sending legitimate bulk email. Unfortunately, big well-known VPS providers are abused by spammers. They will abuse every VPS provider they can find.

      I think using a managed VPS might be better because the VPS is configured by the technical support staff of the hosting company and if the customer sends spam, it will be stopped very quickly.

      • Actually, IP address is only really applicable for the first hop in the route. That is, if you’re sending through sendgrid for example, they may have IPs blacklisted, but once you’re email is accepted and in transit, it will come to us from sendgrid’s IP’s. I quote sendgrid here because we block any header with sendgrid in it by default, but we also block many others based on headers, not IP. The problem everyone has is that rampant abuse of email bulk senders means that ISP’s (like us) who offer mail filtering and protection, are forced to use recipient reports, content, compliance, reputation, return-path, attachments, pattern, headers, IP’s, DKIM, SPF, DMARC and blacklists, which will unavoidably block legitimate bulk senders who happen to be using the same bulk sending platform.

        The best advice I can give is bulk send from your own domain, on your own IP block, with SPF, DKIM and DMARC, to validated legitimate receipients, and bulk SLOWLY. Sending 10k emails at once sets off alarms all over the place and will not only get your IP flagged but probably contents and headers.

    • If you block every email with Sendgrid headers in it, you are effectively blocking every Sendgrid IP address, right?

      • Yes, sendgrid is a bulk email sender and is one of the bad ones with high levels of spam so its blocked entirely using header checks. This ensures that no email sent through sendgrid reaches any of our customers.

        When we analyse email traffic, we look at a breakdown of the headers, originating IP’s, relay count and various detection flags, as an example; for any one period we may see 10k email’s flagged as spammy either by users, honeypots, or content/ip/reputation blacklists that originate via a_bulk_sender vs a total of 20k from the same sender. That would give them a 50% spam rate and we would probably take the decision to simply block them via headers. We make these decisions daily or sometimes hourly based on trends from many sources.

        Off the top of my head, currently completely blocked are sendgrid, markethub, cloudapp, instillerhq, sparkpost, e-broadcaster, thunder server, emarksman, e-merge, global messenger, mailcast, mailking, massemail, powermailer, quickshot, worldmerge and more, and these change all the time.

        So back to my original point, if you’re going to use a bulk sender, then your email volume is lumped in with everyone else’s, a fair % of which will be spam and if that spam % breaks thresholds, the entire sender is penalised along with all the traffic they relay, and that’s out of your control.

        Use your own domain, own static, own rDNS, setup DKIM, SPF, DMARC and you’re totally in control and can blame no one else for delivery issues.

    • Thanks for your detailed answer. I thought ESPs (Email Service Provider) like Sendgrid is good at controlling spam on their servers, but you changed my view. I have used sendpulse, sendinblue and mailjet, the email deliverability of which is pretty good in my experience. I have never used Sendgrid.

      Back to my original point, if a sender uses VPS (Virtual Private Server) to run a self-hosted mail server, he/she has a dedicated IP address. There are two types of VPS:

      • self-managed VPS: The hosting company only ensure your VPS is online and provides no extra technical help. You are responsible for software installation, setup, optimization, updates, backup, uptime monitoring, and malware scanning.
      • managed VPS: The hosting company ensures your VPS is online and takes care of server management for you. You don’t need to worry about software installation, setup, optimization, updates, backup, uptime monitoring, and malware scanning.

      Instead of using a self-managed VPS, it better to use a managed VPS to run your mail server. This is because managed VPS is configured by the technical support staff of the hosting company and if the customer sends spam, it will be stopped very quickly, so the IP address of managed VPS won’t get blacklisted.

      I run my mail server on ScalaHosting. As you can see from the screenshot below, my mail server’s IP address (130.51.180.110) isn’t on any blacklist.

      mxtoolbox-email-blacklist-check

      And Gmail thinks my IP reputation is high.

      gmail-postmaster-tools-check-IP-reputation

      • I agree, managed is a better option for anyone not intimately familiar with postfix (or sendmail) and DNS all of which can be time consuming to setup correctly and pass all the tests, but once its all setup you can bulk knowing that its your reputation on the line and you won’t be tarnished by other spammers. This should provide the best possible delivery performance to all marketers.

        Final points that you’ve probably already covered;

        • Wash your lists often, deal with bounces automatically and swiftly.
        • rate limit delivery by domain. That is, if you have 10k emails to send to gmail, don’t send them all at once but spread them over time. All good email list handlers offer this setting.
        • setup [email protected] [email protected] mailboxes and handle complaints. If you don’t have these, you’ll soon be on an RFC non-compliant list and will work against you.
        • ALWAYS send from an address that both exists and accepts mail.
        • Format your email’s well. Ensure you have both text and html sections, stay away from linking web resources (they’ll be blocked by most good clients anyway) and don’t get clever with scripting, it’ll mark you down.
        • Check reputation daily, once you start being impacted its hard to recover quickly.
        • Check your server logs daily, secure, audit, httpd, maillog, and update often. linux is great, but a single incorrect setting can result in compromise and all the bad things that happen after.

        I hope this helps, I’ve been as open as I can be, and hope this helps people who are legitimate. For spammers, no matter how smart you think you are, we’re always watching, always adjusting and are very effective at screening it.

  • Zubair Ahmad
    1 month ago

    Thank you so much dear.
    I followed the procedure and it’s working perfectly.
    Thanks once again with love.

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community (https://community.linuxbabe.com) for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB. You can upload: image. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded.