Fixing Exim Mail Delivery Failures with Microsoft 365 and DMARC Enforcement
Mail delivery issues can suddenly appear on newly deployed servers even when the same configuration worked on older systems. A common scenario involves cPanel/WHM servers using Exim together with Microsoft 365, where messages are rejected due to DMARC enforcement or fail to route correctly.
Problem Overview
On new servers, outgoing system emails may fail with errors such as “undeliverable domain” or DMARC rejection. In some cases, messages appear to be accepted temporarily but later bounce back. This inconsistency is typically caused by incorrect routing configuration in Exim combined with strict mail authentication policies.
Key Symptoms
- Messages marked as undeliverable locally (fail_remote_domains)
- DMARC failures or rejections by the destination server
- Different behavior between servers with similar setups
- Logs showing router decline or incorrect routing decisions
Root Cause
The issue is usually not DNS or Microsoft 365 itself, but incorrect Exim routing configuration.
- Smarthost configuration is present but incorrectly formatted
- Exim routers decline routing due to syntax errors
- Messages fall back to fail_remote_domains
- Strict DMARC policies reject misaligned messages
One critical detail is the format of the smarthost route. Exim requires a space-separated route definition, not a colon-separated one. A small syntax mistake can cause the entire routing system to fail.
Correct Configuration
Code:
smarthost_routelist=* domain-name-mail.protection.outlook.com
smarthost_auth_required=0
send_via_smart_host=1Apply Changes
Code:
/scripts/buildeximconf
/scripts/restartsrv_eximVerification
Code:
exim -bt your@email.comExpected result:
Code:
router = lookuphost
transport = remote_smtp
host = aior-com.mail.protection.outlook.comThen test sending:
Code:
echo "test" | mail -s "test" your@email.comSuccessful delivery will show:
Code:
250 2.6.0 Queued mail for delivery
CompletedMicrosoft 365 Integration
For stable delivery, configure a mail flow connector in Microsoft 365:
- From: Your organization
- To: Office 365
- Authentication: By IP address
Add all sending server IP addresses to the connector.
Why This Fix Works
- Forces all outbound mail through Microsoft 365
- Ensures SPF and DMARC alignment
- Prevents direct delivery from server hostnames
- Eliminates routing fallback errors
