Microsoft maintains their own internal blacklists, which are used to reject emails coming from specific IP addresses. Any IPs listed on the Spamhaus blacklist are also blacklisted by Microsoft. As far as we know, this is the only external (DNS-based) blacklist that Microsoft uses. The rest of the blacklisted IPs are based on Microsoft's own criteria. These listings are not very transparent, and unfortunately include a large amount of false positives, as Microsoft will often list larger ranges.
There are two distinct blacklists that Microsoft uses, each for different platforms. One is for OLC (Outlook Consumer), which is used by outlook.com, hotmail.com, live.com, and msn.com. The other is for Office365.
If you receive an error message from Microsoft when sending emails from a server you have with us, please check the error message to find out which blacklist the IP is on. Please make sure your server isn’t sending any spam, and that your IP isn’t listed on any DNS-based blacklists. Please also ensure your emails comply with the Microsoft policies, practices and guidelines found on their website:
https://postmaster.live.com/pm/policies.aspx
Once you have done that, you can follow the instructions below to get your IP delisted.
OLC (Outlook Consumer)
If an IP is listed on the OLC blacklist, then emails from that IP will be rejected with the following error message:
550 5.7.1 Unfortunately, messages from [x.x.x.x] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3150). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.
Note: there are two error codes that Microsoft uses, S3140 and S3150.
In the past, Microsoft would simply block IPs and even entire subnets, despite not having sent spam, or appearing on any other blacklists, resulting in emails being rejected with the S3140 error.
In the last few years Microsoft has stopped using this method as much, and has started to move towards a throttling limit for individual IPs. This results in the S3150 error, in which all emails are then rejected. This S3150 throttle will automatically be removed after a few days, if there are no more emails being sent to Microsoft OLC accounts (the S3140 error is not automatically removed). This limit is IP specific, and dynamically assigned, and can be (extremely) low for IPs that don’t send many emails to Microsoft OLC accounts.
Side note: The wording that Microsoft uses in the error message has not changed in over a decade, and is precisely written to encompass both single IPs and subnets. The fact is that a single IP is also "a part of their network", even though at first glance it seems to suggest the issue is with a larger subnet (which was sometimes true in the past with S3140 errors, but no longer is with S3150 errors).
It is possible to contact Microsoft and ask for the IP to be removed manually. A (free) Microsoft account is required for this, and while the first automated response will almost always deny the request, following up on the ticket will usually cause a support member to manually remove the IP.
The link to the official Microsoft form is:
https://olcsupport.office.com/
Once you have filled the form out, you should get a response within a few hours with the results of an automated check on the IP.
Unfortunately, this automated check is not very good, and in most cases the result will be one of the following:
"Nothing was detected to prevent your mail from reaching Outlook.com customers" or even
"Not qualified for mitigation".
In those cases, please respond to the email, and provide the information Microsoft requests. When you do so, the ticket will be escalated, and an actual staff member at Microsoft will take a look at the IP. In most cases, they will then manually delist the IP ("We have implemented mitigation for your IP").
If they still refuse to delist the IP, and you’ve only recently been allocated the IP, you can inform them of this. They will then require an email or PDF confirmation from us, the ISP, with information on when the IP was allocated. To request this confirmation from us, please contact our support team by opening a support request via your account, and let us know exactly what Microsoft needs.
In those rare cases where all of the above fails, we can fill out the delisting form for the IP. We don't have any special contacts at Microsoft, but their support will sometimes respond differently to a new delisting request. If that doesn’t work for us either, the only solution is to change the IP.
Office365
For Office365 there are two separate, but linked, blacklists, that result in two separate error messages.
The first error message is:
550 5.7.606 Access denied, banned sending IP [x.x.x.x]. To request removal from this list please visit https://sender.office.com/ and follow the directions. For more information please go to http://go.microsoft.com/fwlink/?LinkID=526655 (AS16012609)
To delist IPs from this blacklist, please fill out the form linked to in the error message:
https://sender.office.com/
The error message also contains a link to the workflow to get the IP delisted:
http://go.microsoft.com/fwlink/?LinkID=526655
If you follow the instructions, the IP should be automatically delisted.
The second error message is:
550 5.7.511 Access denied, banned sender[x.x.x.x]. To request removal from this list please forward this message to delist@microsoft.com. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410)
When you contact the email address mentioned in this message, delist@microsoft.com, you should get a reply within a fews days that the IP has been delisted:
The IP address you submitted has been reviewed and removed from our block lists. Please note that there may be a 1-2-hour delay before this change propagates through our entire system.
Alternatively, the IP might have already been delisted, which will result in the following reply:
It appears that the IP you submitted is not currently listed on any of our block lists. This may be due to an earlier delisting request that has already been processed.
If you continue to receive Non-Delivery Receipts (NDRs), or "bounce messages," that indicate that the IP address is still blocked by our spam filtering system, please forward one of the messages to us and we will investigate further.
In this case, please follow the instructions and forward a recent error message to delist@microsoft.com. Since we don’t have access to your server, we cannot do this for you.
In those rare cases where Microsoft still won’t delist the IP, please contact our support team by sending a request via your account. We don’t have any special contacts at Microsoft, and we can only send an email to the delist address, but sometimes Microsoft will respond differently to different requests. If that doesn’t work for us either, the only solution is to change the IP.
Microsoft Programs
For advanced users, it can be helpful to join two free programs that Microsoft offers for OLC (not Office365): the Smart Network Data Services (SNDS) and the Junk Email Reporting program (JMRP).
Neither the SNDS nor the JMRP allow you to delist your IP; they simply provide detailed information about the traffic on your sending IP, the sending IP reputation with Microsoft, and the user complaint rates.
As Microsoft says, there is no silver bullet to maintaining or improving good IP reputation, but these programs help you proactively manage your email eco-system to help ensure better deliverability to Microsoft users.
SNDS
This program allows you to monitor the "health" and reputation of your registered IPs by providing data about traffic such as mail volume and complaint rates seen originating from your IPs. This data is only provided for IPs which send more than 100 emails per day to Microsoft OLC accounts.
To register, please visit:
https://sendersupport.olc.protection.outlook.com/snds/
You will need to request authorization for the IPs you would like access to. Microsoft uses a combination of WHOIS and rDNS to check who the owner of a particular IP is. In some cases, you will be able to send an email to your own domain to verify ownership. If that is not the case, you can select one of our email addresses to send the verification email to: info@hetzner.com, abuse@hetzner.com, or postmaster@hetzner.com.
Important note: We will only verify ownership if the name you have signed up for in the SNDS matches the name we have on file for your account.
JMRP
This is similar to a feedback loop (FBL), in that it will send you a copy of an email marked as "junk" by the recipient. However, to prevent listwashing, the JMRP will only send a copy of about 1 out of every 1000 emails marked as junk. This limits the usefulness of the JMRP, and means many senders get little to no complaints via JMRP, even though recipients are in fact marking their emails as junk.
You will first need to be authorized for the IP in the SNDS (see above) before you can create a feed for it in the JMRP.
To join, please visit:
https://sendersupport.olc.protection.outlook.com/snds/jmrp
Please note that since we have access to all of our IPs in the SNDS, we can create, change and delete any JMRP feeds for our IPs. At this point in time we don’t have any feeds for IPs belonging to unmanaged servers.