DNS Query Failed from Microsoft Email Services

Continuing from DNS Query Failed. We are still experiencing the same issue, can’t get Microsoft email services to deliver emails within a reasonable period of time. It’s always 8 - 24 hours delayed or never delivered and we observe 450 errors like:
11/26/2021 2:53:45 AM - Server at abcde.com (0.0.0.0) returned '450 4.4.312 DNS query failed

Can’t seem to get a support ticket to Cloudflare engineers either. Can anyone help?

@MoreHelp Thank you

Can you share the domain?

It is essentially impossible to provide any help in this situation without knowing the domain. In general, Cloudflare is not involved in your email path, other than through DNS.

1 Like

Hi @michael thanks for your reply. The domain is advantt.com.

I fully understand that the only thing Cloudflare does here in this case is DNS but that is exactly what is causing the problem. For some strange reason the Cloudflare DNS servers which the domain is currently on refuse DNS lookups for some Microsoft Email servers and the error returned (when it does return) is as per DNS Query Failed - #9 by Jav.

Can confirm we’ve been experiencing the same problem. The Exchange Online transport rule is pointing to the company’s A record, which is pointing to a CNAME record hosted by Cloudflare. The A record has been occasionally failing the DNS lookup according to the message trace details on the Exchange Online portal.

@MoreHelp Thank you, much appreciated

Sounds like Microsoft has an issue. They should definitely investigate it. The DNS lookup is done by their Exchange MTA using the DNS recursive resolver they maintain.

Their engineers would have access to their logs to diagnose an issue.

2 Likes

From the error messages it seems like their Exchange MTA is trying to resolve the DNS but is unable to, I have a strange feeling there are some blocks on Cloudflare’s side, is there anyone who is able to check this? Specifically for the DNS servers that are hosting the domain in question.

I don’t see many others complaining about this (from searching through this forum) and I’m sure there are tons who host domains in CF and have emails going to their domain from Microsoft hosted email services. So I think there is a good chance it’s isolated.

The Microsoft docs on that error seem to indicate it is an error with a Connector, which is a configuration within an Office 365 tenancy. You redacted the error message above, are you able to provide the actual error message unredacted?

You do not seem to be using Office 365 for your domain. Is this error being reported by a partner, or do you have another domain that you use O365 on?

Also, your SPF record seems unnecessarily complicated! It currently includes a subdomain within the same domain, which in turn contains 4 individual IP addresses, and two A records, one of which looks as if it is just an alternative name for your MX record. The whole record could probably be shortened to just a direct reference to the 4 IPs. (And the © year on your homepage could do with an update once a decade or so!)

If this is Office 365 they have thousands of servers and dozens of DNS resolvers. Microsoft would have the details on where DNS resolution failed.

Could Cloudflare be throwing an error on one of its thousands of DNS servers because of rate limiting or another config problem? Yes. But the log data to support that conclusion if true is on Microsoft’s infrastructure to demonstrate that is true… if it is.

1 Like

We are not using Office 365 for our domain. Basically the issue is Microsoft email servers (whether hotmail or O365) sending to us. We have a contact that uses O365 but it doesn’t really matter it happens even for hotmail.com / outlook.com addresses that send emails to us.

Understand on the SPF record but it’s there for a reason so that other domains can reference the CNAME. But anyways SPFs really do not matter here, we do not have problems “delivering” our emails we just have problems “receiving” them from MS hosted email services.

I have a strong suspicion that it could be some form of block from CF because for some strange reason it doesn’t happen for other email services like Yahoo, Gmail and self hosted ones, just Microsoft and the whole range of Microsoft email services.

Thanks for the homepage note, will arrange to get that changed but again doesn’t really help here.

Am trying to get a hold of the un-redacted error will drop a copy here once I get an updated one. Don’t seem to have one copy stored lol. But it pretty much just has the email server address and IP. Will drop it here once I get it.

Anyone else has any thoughts? Thanks.

We’re having the same issue. Clients are periodically unable to send e-mail to us despite having the MX record pointed at a CNAME that isn’t being proxied. We were running into different issues with SSL certificate issuance if a CNAME pointed to a proxied record. In that case an IPv6 proxy address was being returned even though the outermost record didn’t have proxying enabled. To fix this all CNAMEs that must resolve only to IPv4 point to a dedicated unproxied A record. Unfortunately this hasn’t fixed inbound e-mail bouncing.

For comparative purposes:

3/11/2022 11:44:16 PM - Server at PH0PR17MB5231.namprd17.prod.outlook.com returned '550 5.4.312 Message expired, DNS query failed(ErrorRetry)'
3/11/2022 11:34:15 PM - Server at firefall.com (0.0.0.0) returned '450 4.4.312 DNS query failed [Message=ErrorRetry] [LastAttemptedServerName=firefall.com] [DM6NAM10FT062.eop-nam10.prod.protection.outlook.com](ErrorRetry)'

If anyone has insight that would be great.

If your domain is firefall.com the MX record is invalid. An MX record (in this case mail.firefall.com) must be an A record by RFC. It’s currently a CNAME as you indicated, but that’s not a valid record type for an MX and sending MTAs will on occasion be unhappy it isn’t RFC compliant and fail to resolve it.

Covered in the last ¶ here:
https://www.cloudflare.com/learning/dns/dns-records/dns-mx-record/

3 Likes
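As an added illustration of the check in that reply (example code, not from the thread or from Cloudflare), the following Python walks the MX records of a constructed zone and flags any target that is a CNAME or has no address record; the example.test names and 192.0.2.x addresses are assumed.

```python
# Added example (not from the thread): validate that every MX target is an
# address record rather than a CNAME, the misconfiguration found above.
# Zone data is constructed; names use the reserved example.test domain.

# Constructed zones: owner name -> list of (rrtype, rdata)
BROKEN_ZONE = {
    "example.test.": [("MX", (10, "mail.example.test."))],
    "mail.example.test.": [("CNAME", "origin.example.test.")],  # MX target is a CNAME
    "origin.example.test.": [("A", "192.0.2.10")],
}

FIXED_ZONE = {
    "example.test.": [("MX", (10, "mail.example.test."))],
    "mail.example.test.": [("A", "192.0.2.10")],  # MX target is now a plain A record
}


def rrset(zone, name, rrtype):
    """Return the rdata values of type `rrtype` at `name` (no CNAME chasing)."""
    return [rdata for rtype, rdata in zone.get(name, []) if rtype == rrtype]


def check_mx_targets(zone, domain):
    """Return (mx_target, status) for every MX record of `domain`, by preference.

    status is one of:
      'ok'       target has an A or AAAA record
      'cname'    target is a CNAME (not allowed for MX targets; some MTAs reject it)
      'no-addr'  target has no address record at all
    """
    results = []
    for _pref, target in sorted(rrset(zone, domain, "MX")):
        if rrset(zone, target, "CNAME"):
            results.append((target, "cname"))
        elif rrset(zone, target, "A") or rrset(zone, target, "AAAA"):
            results.append((target, "ok"))
        else:
            results.append((target, "no-addr"))
    return results


def has_invalid_mx(zone, domain):
    """True if any MX target of `domain` is not backed by an address record."""
    return any(status != "ok" for _target, status in check_mx_targets(zone, domain))


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_mx_targets(zone, "example.test."))
```

Against a live zone the same check can be run with `dig +noall +answer MX example.test` followed by `dig +noall +answer mail.example.test`, looking for a CNAME in the second answer.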

You’re very right. Thank you for pointing out that obvious mistake.

1 Like

@cscharff just want to say thanks for this. Changed from CNAME to an A record and mails were received within 5 minutes. Really did not think of this. Much appreciated.

Super struggled with this for a good amount of months, really relieved that it’s all ok now. Thanks again.

2 Likes