Outlook MTA-STS policy failing

Hi all!

We’re seeing an increased amount of policy errors with Outlook. I just wanted to check in if someone else here also sees these:
```
KumoMTA internal: failed to connect to any candidate hosts: MTA-STS policy for outlook.com. is set to enforce but the current MX candidate outlook.com. does not match the list of allowed hosts. MtaStsPolicy { mode: Enforce, mx: ["*.olc.protection.outlook.com"], max_age: 604800, fields: {} }
```

It’s a regular @outlook.com email.

The policy on https://mta-sts.outlook.com/.well-known/mta-sts.txt returns:

```
version: STSv1
mode: enforce
mx: *.olc.protection.outlook.com
max_age: 604800
```

```
outlook.com mail is handled by 5 outlook-com.olc.protection.outlook.com.
```

To me it is not really clear why this would fail.

That error message is saying that the effective set of MX records resolved for outlook.com included outlook.com which does not match the MTA-STS policy published by that domain, which requires *.olc.protection.outlook.com (it is a deeper match than is possible with just outlook.com).

It sounds like perhaps the MX lookup failed and we’re using a fallback to the outlook.com A record.

Are there DNS related errors in your diagnostic logs or otherwise throughout your DNS infrastructure?

There are a number of prometheus metrics with a dns_mx_ prefix that might add some color to understanding what is happening.
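To make the matching rule in the reply above concrete, here is an added illustration (not KumoMTA's code, and not written by anyone in this thread). It parses the published policy text quoted in the question, applies the MTA-STS MX matching rule (a leading `*` matches exactly one leftmost DNS label), and models the RFC 5321 implicit-MX fallback: when an MX lookup returns nothing, the domain name itself becomes the only candidate, which is exactly the host the policy then rejects. The policy text and the MX answers are constructed inline from what the thread shows; the function names are my own.

```python
"""Illustration of why an implicit-MX fallback trips an MTA-STS enforce policy."""

# Constructed from the policy text quoted in the thread (not fetched live).
POLICY_TEXT = """version: STSv1
mode: enforce
mx: *.olc.protection.outlook.com
max_age: 604800
"""

# Constructed MX answers: a healthy lookup, and a failed/empty one.
HEALTHY_MX = [(5, "outlook-com.olc.protection.outlook.com.")]
FAILED_MX = []


def parse_policy(text: str) -> dict:
    """Parse an mta-sts.txt body into a dict; 'mx' collects every mx: line."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value.lower()
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """MTA-STS host matching: '*.example' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not host.endswith("." + suffix):
            return False
        leftmost = host[: -len(suffix) - 1]
        # One non-empty label only: 'a.b.suffix' must not match '*.suffix'.
        return bool(leftmost) and "." not in leftmost
    return host == pattern


def select_candidates(domain: str, mx_records: list) -> list:
    """Candidate hosts in preference order; with no MX records, RFC 5321's
    implicit MX rule makes the domain itself the sole candidate."""
    if mx_records:
        return [host for _, host in sorted(mx_records)]
    return [domain]


def check_candidates(policy: dict, candidates: list) -> tuple:
    """Split candidates into those the policy allows and those it rejects."""
    allowed, rejected = [], []
    for host in candidates:
        if any(mx_matches(p, host) for p in policy["mx"]):
            allowed.append(host)
        else:
            rejected.append(host)
    return allowed, rejected


def deliverable(policy: dict, candidates: list) -> bool:
    """Under mode=enforce, delivery needs at least one allowed candidate."""
    allowed, _ = check_candidates(policy, candidates)
    return bool(allowed) or policy.get("mode") != "enforce"


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    for label, answer in (("healthy MX", HEALTHY_MX), ("failed MX", FAILED_MX)):
        cands = select_candidates("outlook.com", answer)
        print(label, cands, check_candidates(policy, cands), deliverable(policy, cands))
```

Running it shows the two outcomes side by side: with the real MX answer the single candidate matches the wildcard and delivery proceeds; with an empty answer the candidate list collapses to `outlook.com`, which the `*.olc.protection.outlook.com` pattern cannot match, so an enforcing policy blocks the attempt until the MX lookup succeeds again.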

Yep, checked the logs and it seems like it indeed fell back to outlook.com. Prior to these connection logs I don’t see anything out of the ordinary.

Eventually the message was sent some hours later.

I do see a bump in failed MX lookups yesterday, all instances had it. Got something to dive into 🙂 Thanks for the hint, did not know it fell back.