UK Fintech — Deliverability Recovery After Shared IP Blacklisting and DMARC Enforcement

Case Study · Fintech · United Kingdom · 2024

How a London-based FCA-regulated fintech platform recovered from a Spamhaus CSS listing on co-tenant shared IPs that produced a complete delivery failure at Microsoft and Yahoo — restoring compliance email within 5 days, reaching DMARC p=reject within 12, and migrating 6 million monthly messages to dedicated infrastructure within 3 weeks.

IndustryFintech / FCA-Regulated
CountryUnited Kingdom · Western Europe
Volume1.2M users · 6M messages/month
Duration3 weeks emergency recovery

A London-based fintech platform serving 1.2 million users across the UK and Western Europe operates retail banking adjacencies, payment services, and an investment account product regulated by the Financial Conduct Authority. Email is not a marketing channel for this business; it is regulated communication infrastructure. Account alerts that confirm or contest unrecognized transactions, fraud notifications that ask the user to verify a flagged movement, regulatory disclosure communications that the FCA requires reach the customer within defined windows, and statement-availability notifications that anchor the user's expected schedule for periodic regulatory documents. Each of these message classes carries a specific regulatory or contractual expectation about delivery; none of them tolerate failure quietly.

In December 2023, the platform suffered a complete delivery failure at Microsoft (Outlook, Hotmail, Live) and Yahoo. Internal monitoring detected the outage within hours and traced the cause to a Spamhaus CSS listing on two of four shared IPs operated by the platform's then-current ESP. The listed IPs were co-tenant infrastructure that the platform did not control and could not directly remediate; the listings had been triggered by another tenant on the same shared pool whose sending behaviour produced spam-trap hits over a sustained window. Approximately 31% of the platform's user base — those with primary mailboxes at Outlook, Hotmail, or Live — were unreachable at the moment that account alerts and fraud notifications became most operationally urgent during the year-end transaction surge. The compliance and risk team escalated to executive level within the first business day; legal counsel was engaged to assess regulatory exposure within the second.

Presenting Problems
  • Complete delivery failure at Outlook, Hotmail, and Live (approximately 31% of user base in the UK and Ireland) following Spamhaus CSS listing of co-tenant IPs
  • Yahoo delivery blocked for users on Yahoo and AOL mailboxes (representing an additional 8% of the base, weighted toward older customer segments)
  • Spamhaus CSS listing on shared infrastructure beyond the platform's ability to remediate — the listed IPs were not under the platform's operational control
  • DMARC policy at p=none — no enforcement, no aggregate-report processing, exposing the domain to spoofing during the heightened reputation crisis
  • DKIM at 1024-bit, below the current ISP recommendation of 2048-bit minimum and well below the standard the platform's regulatory documentation claimed it operated at
  • FCA-regulated communications failing to reach customers — initial legal review identified seven message categories with regulatory delivery expectations that were not being met for the affected user segment
  • No infrastructure separation between transactional, regulatory, and marketing email — all four ESP IPs were shared across all message classes
  • No ongoing visibility into per-ISP delivery rates, blacklist status, or authentication failure patterns at the operational layer; the platform's deliverability dashboard provided only aggregate inbox placement averaged across all destinations

The immediate priority was restoring delivery for compliance-critical messages — fraud notifications and transaction confirmations specifically — to a known-clean sending path. This had to happen in parallel with engaging Microsoft and Spamhaus on the underlying listing, because remediation of the shared-IP listing was outside the platform's direct control and would unfold on third-party timelines that could not be relied on for compliance windows.

  1. Day 1–2: Emergency clean-IP relay provisioning

    Provisioned 2 dedicated IPs on clean infrastructure with no prior sending history and no association with the listed shared pool. Authentication baseline configured immediately: SPF restricted to the new IPs explicitly listed, DKIM rotated to 2048-bit with a dated selector, DMARC at p=quarantine for migration safety. Within 48 hours of provisioning, the platform's two highest-priority message categories — fraud notifications and time-sensitive transaction confirmations — were routing exclusively through the clean IPs. Users at Outlook and Yahoo began receiving these specific message classes again within hours of the cutover.

  2. Day 3–5: Microsoft Postmaster engagement and SNDS enrollment

    Submitted Microsoft Smart Network Data Services (SNDS) enrollment for the new dedicated IPs. Engaged Microsoft Postmaster directly to document the situation: the legacy IPs were co-tenant shared infrastructure under a separate operator's control, the listed IPs had been retired from the platform's sending path, and the new dedicated IPs were under sole platform operation with full authentication. Microsoft confirmed acceptance of the new IPs within 72 hours of SNDS enrollment, and inbox placement at Outlook, Hotmail, and Live moved from zero to operational baseline.

  3. Day 5–7: DMARC progression with aggregate-report verification

    Moved DMARC from p=none to p=quarantine pct=10 on Day 5 and began collecting aggregate reports actively. Reports surfaced three legitimate sending sources that had not been authenticated under the platform's SPF or DKIM configuration: a legacy CRM that sent appointment reminders, a customer support tool that replied as the platform's domain, and an EU subsidiary using a separately-configured SMTP path. All three were either properly authenticated under the platform's SPF/DKIM configuration or migrated to authenticated sending before DMARC progression continued.

  4. Week 2–3: Full migration to dedicated infrastructure

    Migrated the full 6 million monthly message volume to dedicated infrastructure across 6 IPs with strict traffic separation: 2 IPs reserved for transactional and regulatory traffic (compliance pool, never paused or degraded under any operational condition), 3 IPs allocated to account-based marketing campaigns (subject to standard reputation management), and 1 IP reserved for warming when new domains or IPs would be added in the future. DMARC reached p=reject on Day 12 after aggregate reports confirmed full authentication coverage of legitimate sending sources.

Delivery Rate by ISP — Emergency Recovery Timeline

Percentage of messages successfully delivered (not deferred or blocked)
Outlook/Hotmail — Before 100 Outlook/Hotmail — Day 5 100 Yahoo — Before 100 Yahoo — Day 7 100 Gmail — Unaffected 100

Moving from p=none to p=reject in a regulated financial services environment required careful sequencing. A misconfigured DMARC enforcement that blocked legitimate email would compound the delivery problem rather than solve it, and in this regulatory context any loss of compliance communication during the migration window carried its own exposure. The progression was paced against aggregate-report data rather than against a fixed calendar — each advance to a stricter policy required confirmation that no legitimate sending source was failing alignment.

# DMARC record progression: # Day 1 (already existing): v=DMARC1; p=none; rua=mailto:dmarc@company.com # Day 5 (after alignment verified for transactional sources): v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@company.com # Day 8 (third-party sources remediated): v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@company.com # Day 12 (full enforcement): v=DMARC1; p=reject; rua=mailto:dmarc@company.com; ruf=mailto:dmarc-forensic@company.com # SPF — updated to include only dedicated infrastructure IPs v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 ip4:203.0.113.20 ip4:203.0.113.21 ip4:203.0.113.22 ip4:203.0.113.23 -all
DMARC aggregate report finding: During the p=none monitoring phase we identified three third-party services sending email on the platform's domain without proper authentication: a legacy CRM that sent appointment reminders, a customer support tool replying as the platform's domain, and an EU subsidiary using a different SMTP configuration. None of these had been documented in the platform's vendor inventory; their existence was discovered only through DMARC aggregate report analysis. All three were remediated before advancing to p=reject, preventing a post-enforcement delivery disruption that would have caused exactly the kind of legitimate-mail rejection that DMARC misconfiguration is most associated with.
100%
Compliance email delivery
restored within 5 days
p=reject
DMARC enforcement achieved
within 12 days
0
Regulatory communications
missed post-Day 5
3 wks
Complete migration from
shared to dedicated

Technical Assessment: Infrastructure Layers Examined

The infrastructure assessment for this engagement covered four layers that are typical for any emergency-recovery engagement in regulated financial services: authentication configuration (SPF, DKIM, DMARC alignment), IP reputation status (Postmaster Tools, SNDS, multi-list DNSBL check), PowerMTA configuration review (per-ISP domain blocks, throttle settings, bounce handling, FBL processing), and operational practices (list hygiene cadence, bounce processing latency, monitoring coverage). All four layers had material findings that contributed to the ease with which the original Spamhaus CSS listing produced a delivery crisis.

Spamhaus CSS Listing Mechanics

The Spamhaus CSS (Composite Spam Score) listing is one of the more consequential reputation actions a sender can experience because it is treated as authoritative by Microsoft and most major mailbox providers. The CSS listing typically follows a sustained pattern of spam-trap hits or recipient complaints from a specific IP, and it can be triggered by a single tenant's behaviour even on a shared pool serving dozens of unrelated senders. For the platform, the listing was not actionable — the IPs were not under the platform's control, the contributing tenant was not identifiable through the ESP's customer-facing interface, and the remediation timeline depended on a Spamhaus delisting request that the IP operator (the ESP) needed to file rather than the platform itself.

This is the structural risk of shared IP infrastructure that becomes visible only after the failure mode has occurred. The platform's marketing language for the ESP product had described "managed deliverability" and "carrier-grade infrastructure", but the actual operational reality was that any single tenant on the shared pool whose behaviour deteriorated could produce a listing event affecting every other tenant. The migration to dedicated infrastructure removed this dependency entirely: the platform's reputation became a function of the platform's behaviour alone, observable in real time and remediable through the platform's direct action when needed.

Authentication Issues as the Highest-Priority Finding

Authentication was the most consequential pre-existing weakness. The DKIM key in use was 1024-bit, below the current ISP recommendation of 2048-bit minimum and well below what the platform's regulatory documentation claimed for its sending infrastructure. DMARC was at p=none with no aggregate reports being collected or reviewed, meaning the platform had no visibility into authentication failures or unauthorized sending sources. The combination created an environment where reputation signals were degrading without detection and where unauthorized senders (including the three third-party services discovered during the p=none monitoring phase) had been sending unauthenticated mail on the platform's domain for an indeterminate period before the engagement.

Infrastructure Rebuild: Configuration Decisions

IP Pool Architecture

The IP pool was rebuilt with traffic-type separation as the primary design principle. Transactional and regulatory traffic was assigned a dedicated 2-IP pool that was never shared with campaign or marketing traffic under any operational condition. This separation ensured that campaign performance issues — elevated deferral rates during high-volume sends, complaint-rate spikes from a particular campaign segment — could not create queue delays or reputation degradation that would affect the delivery of compliance-critical messages. The architecture is a direct expression of the principle that regulatory communications carry asymmetric risk: a deferred fraud notification has compliance and operational consequences that a deferred marketing message does not.

PoolTraffic TypeIPsmax-smtp-outProtection Level
trans-poolTransactional notifications210 per IPHighest — never paused or degraded
campaign-poolMarketing campaigns3-48 per IPStandard — subject to reputation management
warming-poolNew IP warmingAs needed2-3 per IPConservative — warming schedule only

PowerMTA Domain Block Configuration

ISP-specific domain blocks were configured for each major destination based on the published expectations and observed behaviour of each receiving infrastructure: Gmail (max-smtp-out 8, retry-after 15m), Outlook (max-smtp-out 5, retry-after 20m, calibrated more conservatively given the recent reputation incident at Microsoft), Yahoo (max-smtp-out 6, retry-after 15m), and ISP-specific configurations for the European providers serving the platform's continental customer base — GMX, Web.de, T-Online (Germany), OVH (France). Each block included mx-rollup directives to prevent connection-count multiplication across MX host variants that would otherwise cause a single recipient domain's MX redundancy to register as multiple-sender behaviour at the receiving infrastructure.

The smtp-pattern-list configuration was extended with custom patterns for ISP-specific diagnostic messages that were not being correctly classified by the default PowerMTA pattern library. These custom patterns ensured that permanent failures (invalid addresses, domain-level blocks) were bounced immediately rather than retried, that greylisting responses from European ISPs were handled with appropriate retry intervals, and that ISP-specific deferral patterns (Outlook's "421 4.7.650" requesting reduced send rate; Yahoo's "421 4.7.0" for connection-rate enforcement) were classified correctly and produced the appropriate per-IP throttle adjustments rather than continued queue retries that would compound the deferral signal.

Authentication Upgrade

DKIM keys were rotated to 2048-bit RSA on all sending domains. The rotation followed the zero-downtime procedure: publish the new public key under a new selector, wait 48 hours for DNS propagation across the major recursive resolvers (longer than strictly necessary, but appropriate given the regulatory environment), update PowerMTA signing configuration to sign new traffic with the new selector, verify the new selector appearing in Authentication-Results headers at major receiving ISPs, then retire the old selector after 7 days during which both keys remained published to handle any cached lookups. DMARC progressed from p=none through p=quarantine to p=reject over the 12-day emergency window — a faster progression than would be appropriate in less urgent circumstances, but justified in this engagement because the alternative was continued exposure during the regulatory delivery crisis.

Gmail Inbox Placement
Before
62%
After
93%

Seed test improvement
Deferral Rate
Before
14%
After
2.8%

All major ISPs
Hard Bounce Rate
Before
3.2%
After
0.7%

Gmail
DMARC Alignment
Before
88%
After
99.6%

All domains

Operational Monitoring: What Changed Permanently

Daily Postmaster Tools and SNDS review. Google Postmaster Tools and Microsoft SNDS are now reviewed at the start of every business day by the platform's deliverability operations team. Any metric drift — sender reputation moving from High to Medium at Gmail, IP reputation moving from Green to Yellow at Microsoft SNDS, complaint rates above the 0.05% threshold the team treats as the leading indicator — triggers an investigation within 4 hours. For a regulated platform where delivery failures carry compliance consequences, the review cadence had to match the stakes; weekly aggregate reporting that the previous ESP arrangement had provided was incompatible with the response time the platform's risk function required.

Continuous DNSBL monitoring across 50+ providers. The platform's IPs are monitored continuously against more than 50 DNSBL providers including Spamhaus (the source of the original incident), SORBS, Barracuda, Invaluement, and the major regional blacklist operators serving European ISPs. A new listing on any monitored DNSBL produces an alert within 15 minutes. Most listings are false positives or short-lived listings that resolve within hours; a small number warrant immediate investigation. Continuous monitoring converts what was previously an unknown into a known operational state — the platform either has clean reputation or it knows immediately when that ceases to be true.

Monthly configuration review against ISP requirement changes. Major mailbox providers periodically update their bulk-sender requirements, sometimes with public announcements and sometimes with quieter behavioural changes. The platform's operations team reviews per-ISP requirement changes monthly and adjusts configuration to remain ahead of enforcement deadlines. When Gmail and Yahoo announced their February 2024 bulk sender requirements (mandatory authentication, low spam rates, easy unsubscribe), the platform's infrastructure was already operating at the required standard — the review cycle had identified and addressed each requirement months before the enforcement deadline rather than as a reactive scramble during the deadline window itself.

"In financial services, an undelivered fraud notification is not a deliverability metric — it is a compliance event. The Spamhaus listing exposed how little we actually controlled about our communications infrastructure when it came down to remediating an emergency. The dedicated migration meant that the next time something goes wrong, it goes wrong on infrastructure we operate, with monitoring we control, on a timeline we manage. The 12-day p=reject milestone was important, but the operational discipline that came with it — daily monitoring, continuous DNSBL checks, monthly configuration reviews — is what makes the position sustainable rather than just recovered."

— CTO, UK Fintech Platform

The technical changes in this engagement were straightforward. The more significant work was establishing the monitoring discipline that prevents the gradual drift that caused the original problems — an infrastructure that meets today's ISP requirements but has no ongoing review process will fall behind those requirements within 12-18 months.

— Cloud Server for Email Infrastructure Team

Shared infrastructure carries a class of operational risk that is not visible during normal operating conditions and becomes acute precisely when the recovery options are most constrained. The Spamhaus CSS listing was triggered by a tenant the platform had no relationship with, on infrastructure the platform did not operate, with a remediation path that depended on third-party action the platform could not compel. For regulated communications — financial services, healthcare, legal, any sector where delivery failure has consequences beyond marketing performance — the structural argument for dedicated infrastructure is not about marginal deliverability optimization. It is about ensuring that when reputation incidents occur, the remediation path is under the operator's direct control rather than dependent on the cooperation of co-tenants and third-party operators.

The DMARC progression in this engagement compressed work that would normally take months into 12 days because the regulatory exposure made the alternative untenable. The same DMARC progression in less urgent circumstances should be paced more conservatively, with longer aggregate-report observation windows at each policy level, because the goal is not to reach p=reject quickly — it is to reach p=reject without causing the legitimate-mail rejection that DMARC misconfiguration is most associated with. The pacing in this case was justified by the specific circumstances; it should not be read as a general recommendation for emergency DMARC progression in environments where the calendar is more flexible.