DKIM DNS lookup timeouts causing spam delivery to Hotmail/Outlook despite correct setup

Rafael 5 Reputation points
2025-07-26T00:52:38.0233333+00:00

I’m seeing that messages sent via Amazon SES to Microsoft domains (hotmail.com, outlook.com, live.com, msn.com, etc.) are consistently landing in spam with this header:

Authentication-Results: spf=pass (sender IP is …) smtp.mailfrom=naoresponda.inchurch.com.br;
    dkim=timeout (key query timeout) header.d=inchurch.com.br;
    dmarc=pass action=none header.from=inchurch.com.br; compauth=pass reason=100

However, everything on my side is configured correctly and pre‑checked:

AWS SES Easy DKIM enabled with three 2048‑bit selectors.

DNS CNAME records for all three selectors (TTL 300 s) correctly point to *.dkim.amazonses.com (verified via dig +short and online DNSChecker).

SPF published on inchurch.com.br (include:amazonses.com) and on the custom MAIL FROM subdomain naoresponda.inchurch.com.br (v=spf1 include:amazonses.com ~all).

DMARC record (p=quarantine; rua=…; aspf=r; adkim=r) in place and passing (mail‑tester.com shows DMARC “pass”).

Mail‑tester.com reports “Your DKIM signature is valid” and “DMARC passed”.

Other providers (Gmail, Yahoo, etc.) accept the same messages without DKIM timeouts or spam classification.

It appears the Microsoft gateway is performing the DKIM key lookup (CNAME → TXT) and hitting a very short DNS timeout, then flagging the message as spam. I’ve triple‑checked that all CNAMEs and TXT records resolve correctly and quickly, yet only Microsoft domains report dkim=timeout.

Questions:

  1. Why is this happening only on Hotmail/Outlook, and how can it be resolved?
  2. Are there known DNS timeout thresholds or resolver settings on Exchange Online / EOP that could be increased or bypassed?
  3. Best practices for Amazon SES specifically to improve compatibility with Microsoft’s mail chain?

3 answers

  1. Kenneth Keim 0 Reputation points
    2025-12-05T20:36:37.7333333+00:00

    I have the exact same problem. If Google and everyone else have a higher timeout, why can't Microsoft do the same?


  2. Ian-T 6,385 Reputation points Microsoft External Staff Moderator
    2025-07-26T07:26:13.45+00:00

    Dear Rafael, 

    Thank you for reaching out to the Microsoft Q&A Community. I understand you're encountering DKIM query timeouts when sending mail via Amazon SES to Microsoft domains, despite a valid setup. These timeouts may cause legitimate messages to be classified as spam. 

     

    Microsoft's Exchange Online Protection (EOP) applies a strict 500-millisecond timeout to DNS queries used for DKIM validation. If the public resolver cannot retrieve the DKIM key within this timeframe—even if the configuration is correct—the result is logged as dkim=timeout, and spam filters may act more aggressively. 

    This behavior is specific to Microsoft domains. Email services like Gmail and Yahoo generally allow longer DNS resolution times, so the issue is less likely to occur elsewhere. 

     

    Recommended Steps to Resolve or Mitigate the Issue 

    1. Use a High-Performance DNS Provider  

    Ensure that your domain's DKIM records are served from a DNS provider optimized for global low-latency resolution. Services such as Cloudflare, Amazon Route 53, or ClouDNS offer such infrastructure. 

    Note: These are external services that are not operated or endorsed by Microsoft. 

    2. Benchmark DKIM Record Lookup Speeds  

    Use tools such as dig, nslookup, or third-party DNS performance checkers to measure record resolution times from various regions. 

    Example tool: DNSPerf  

    Disclaimer: This is an external site, not operated or endorsed by Microsoft.

    3. Simplify Your DNS Record Structure  

    Avoid deep CNAME chains or record configurations that introduce latency. Verify that each DKIM selector resolves to a TXT record cleanly and quickly. 

    4. Monitor DNS Responsiveness

    Consider using scripts or external tools to measure DNS query durations and detect intermittent slowdowns. This can help identify whether your DKIM selectors are resolving within Microsoft’s strict timeout window. 

    Example tool: dnstracer by Miladbr on GitHub (Miladbr/dnstracer: A tool to measure and analyze DNS query response times for network performance and latency). This is an external resource not operated or endorsed by Microsoft.

    This Rust-based utility allows you to: 

    • Send repeated DNS queries to specific servers 
    • Measure response times and packet loss 
    • Compare performance across multiple DNS providers 

    You can build it from source or use precompiled binaries available in the repository’s releases section.  

    5. Minimize DKIM Signature Complexity  

    When possible, avoid sending emails with multiple or misaligned DKIM headers, as these may complicate authentication under timeout conditions. 

    6. Engage Microsoft Support  

    If issues persist after optimizing DNS response times, you can raise a support ticket through the following form: 

    Microsoft Support Request Form 

    Provide details such as email headers, DKIM setup, and query timing logs to assist in the investigation. 

    If you need further assistance, feel free to reply to this thread and I’ll gladly continue supporting you. 

    Warm Regards,  

    Alice  

    Microsoft Q&A Support Specialist 
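
One way to collect the query timing logs the answer above asks for, as an added example (not code from this thread, Microsoft or Amazon): it times a TXT lookup for a DKIM selector over UDP and summarises the samples against the 500 ms figure stated in that answer. The selector name, resolver address and sample timings are placeholders constructed for illustration.

```python
import socket
import struct
import time

BUDGET_MS = 500  # figure stated in the answer above; taken as given here

def build_txt_query(name, qid=0x1234):
    """Encode a recursive DNS query for the TXT record at `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN

def time_lookup(name, server, budget_ms=BUDGET_MS):
    """Return (elapsed_ms, rcode, answer_count); rcode is None on timeout."""
    query = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(budget_ms / 1000)
        start = time.perf_counter()
        sock.sendto(query, (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return budget_ms, None, 0
        elapsed = (time.perf_counter() - start) * 1000
    # A resolver that follows the selector CNAME returns CNAME + TXT answers.
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    return elapsed, flags & 0x000F, ancount

def summarize(samples_ms, budget_ms=BUDGET_MS):
    """Summarise lookup timings against the budget (nearest-rank p95)."""
    ordered = sorted(samples_ms)
    p95 = ordered[max(0, -(-95 * len(ordered) // 100) - 1)]
    late = [s for s in ordered if s >= budget_ms]
    return {"worst_ms": ordered[-1], "p95_ms": p95,
            "late": len(late), "late_ratio": len(late) / len(ordered)}

# Constructed timings in milliseconds, not measurements from this thread.
SAMPLE_MS = [38, 41, 44, 612, 39, 47, 530, 42, 40, 45]

if __name__ == "__main__":
    print(summarize(SAMPLE_MS))
    # Live run with placeholder selector and resolver (replace both):
    # print(time_lookup("selector._domainkey.example.com", "192.0.2.53"))
```

Space live runs further apart than the record TTL (300 s for the CNAMEs described in the question) so that each sample is a cache miss rather than a cached answer.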


  3. Alice-N 3,500 Reputation points Microsoft External Staff Moderator
    2025-07-31T04:03:59.96+00:00

    Good day! I hope you're doing well!  

    It has been a while and I am writing to see how things are going with this issue. Have you had a chance to check the reply provided? Are you encountering any difficulties? Please feel free to let me know if there’s anything I can assist you with.

    Warm Regards

    Alice

    Microsoft Q&A Support Specialist

     

