Is anyone using an Outlook account for Bitwarden passwords? Bitwarden is not sending verification codes to Outlook accounts. I even try to get support using my Outlook email and they don’t respond. When I use my Gmail account everything is working. How can I get the attention of Bitwarden to look into this problem? This is pretty bad if you are using Outlook. Any help appreciated. Thank you.
Hello @Smoulder and welcome to the forum.
Honestly I do not think that e-mails are not being sent but that for some reason they do not reach your inbox. Did you check the spam folder?
If the e-mails are rejected by Microsoft’s servers, the sender at Bitwarden should receive an error message but I do not know if those are monitored.
Your best bet is to contact the support with another e-mail address.
Hello and welcome to the community!
You should contact support using the reachable Gmail email, also providing them with the Bitwarden Outlook email address, and explaining your situation.
Hi @marlin . Yes, I checked my inbox and my junk folder. I always keep my junk folder empty and always monitor it.
Microsoft made some changes recently where they are requiring bulk email senders to be registered properly. If you are not registered, they will not send the email to the recipient. For me this is not only impacting Bitwarden but other places I need emails from. So, I’m trying to work through this.
I’ve tried contacting Bitwarden support but then they tell me to create a support ticket with my Bitwarden account email. When I do that with my Outlook account, I never get a response email. When I do it with my Gmail account, I get full communication but then they won’t talk to me because it’s not my Bitwarden account email. I’m afraid to change emails because they might require me to respond from my Outlook and might cause me to lose everything.
It’s looking like this new security that Microsoft has introduced is causing the problem. Bitwarden should comply with their requirements for their customers.
I can try adding the verification code email sender to my “safe senders” and see if that somehow fixes it. I would doubt it because it’s not even making it to my junk folder. Do you have the sender address for verification codes?
Here I have to disagree. Microsoft is blocking perfectly valid e-mails for no reason. This medium was not meant for any pre-registration procedures.
What if Google is next requiring such a registration? And then Yahoo, AOL, Apple, …? The Bitwarden developers can do better with their time than filling out forms.
In my opinion it is up to the customers to abandon such services, there are other pretty decent e-mail providers out there.
Hi Martin. You can disagree all you like but unless someone can come up with another probable cause I’m going with Microsoft security updates. I have 2 Bitwarden accounts, one for personal, and one for business. I can’t get verification codes sent to either when I could in the past. If it means anything from a credibility standpoint I am a 35 year professional IT developer with decent understanding of registrations and networks.
It’s quite possible Google and others may follow. Who knows.
Yes, I can abandon Outlook but it took me 2 years to get off it from Gmail. I’m not really interested in doing that again. It was a very painful experience but I do get far far far less junk and spam to my Outlook than with Gmail. So the move has been worth it IMO. I could spend time switching to another provider but then they may require the thing then I’m back in the same boat.
Why not just get Bitwarden to investigate this issue and see what’s happening? That seems to be the better solution. From a company standpoint to register with “safe sender” registries seems like the thing to do.
I just read the article you provided and I could not find any information about a mandatory registration for high-volume senders. Where do you get this information?
Right now they require SPF, DKIM and DMARC correctly configured. If this is not the case for Bitwarden, this is of course something they should fix.
> From a company standpoint to register with “safe sender” registries seems like the thing to do.
The next obvious step here is: “Nice service do you have there, would be a shame if your customers cannot reach ours. Unfortunately, registration is no longer free…”
Per the blog entry that @Smoulder linked, Microsoft is not requiring “pre-registration” specific to them. Rather, they are demanding compliance with some fairly routine email “security” configurations (SPF, DKIM, and DMARC) that effectively document which servers are permitted to send emails from the domain in question. And yes, these are being widely adopted across the industry so if compliance is not there overall deliverability will suffer.
Notably, Google has had the same requirement since 2024.
If you do wish to change the email you use to login to and communicate with Bitwarden, your concern can be largely mitigated by first creating a “zip” export of your vault.
Unfortunately, Bitwarden emails do sometimes seem to have problems with these:
Yes, I saw that too, see my response above. I do not know what @Smoulder meant by “registered properly”.
Yes. I plan to do an export as I can get to my passwords through a different machine. However, not getting the validation code I cannot move to my new work machine.
Per the article if any of this is not “registered properly” then the email may not make it to the recipient. These are things that Bitwarden should check to be in compliance.
- SPF (Sender Policy Framework)
  - Must Pass for the sending domain.
  - Your domain’s DNS record should accurately list authorized IP addresses/hosts.
- DKIM (DomainKeys Identified Mail)
  - Must Pass to validate email integrity and authenticity.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance)
  - At least p=none and align with either SPF or DKIM (preferably both).
Okay, so we are talking about configuration rather than registration. Sorry for being nitpicky here.
And yes, correct configuration of the e-mail server is up to Bitwarden.
> However, not getting the validation code I cannot move to my new work machine.
I changed the e-mail address of my vault a few days ago and I cannot remember a required confirmation to the old address. So I would suggest performing a backup of your vault and just trying to change the address.
I agree with everything you’ve said, however, how on Earth do you get Bitwarden’s support to look into the issue? They barely respond to my support ticket. They end up going to just what you said with export, delete your account, and recreate. Why not just look into the issue and fix it?
Possibly, you could try reporting this as a bug (“Issue”) in Bitwarden’s Server repo on GitHub. Use your Gmail account to obtain a verification code, then paste the full email headers into a tool like mxtoolbox.com or appmaildev.com for analysis. Instructions for how to copy the full email headers are available here.
Post any SPF/DKIM/DMARC errors from the tools into your bug report, and explain the issue with Microsoft’s new blocking policy.
This conversation seems highly related to another ongoing conversation, for which @grb has a pretty good guess, “My understanding is the automated Bitwarden emails have invalid DKIM hashes, which cause some email service providers to reject the messages”. There is also a link in it to a GitHub bug report that indicates the issue is being looked into.
The linked GitHub issue seems to be specific to Android, so unless @Smoulder is also experiencing this issue only on Android, it would still be worthwhile to open a new issue in the bitwarden/server repo.
5 posts were merged into an existing topic: 2FA deeply broken - recovery key doesn’t recover
Microsoft Outlook blocked all emails from support at the time. I never received an email from their email address. To this day, I still haven’t figured out why MS does this.
Unfortunately, I had to change my address.
I have been able to access my web vault now (long story).
I tried changing my email address to a gmail one. This received a verification code so I was able to complete the process.
However, when I tried to log in again and was challenged for an email verification code, my gmail DID NOT RECEIVE the code.
So it’s a very specific part of the process that is broken.
That aligns with the DKIM theory. It is not unusual for different “applications” to use different DKIM keys. For example, my employer has one for Salesforce and a second one for O365.
It may well be that registration uses one DKIM key, support uses a second, email-MPLS uses a third and NDLP uses a fourth. And perhaps this fourth key is defective.
I have found that bug reports work best if I can provide independent evidence of what is going wrong, beyond just my observations. This is particularly true when reporting an interoperability issue with a 3rd party product (Zoho/O365). This is why @grb was suggesting that if you could somehow run an analyzer on one of the emails you were not receiving at Zulu, it would create some evidence to back up the theory and maybe result in support escalating your ticket.
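The header analysis suggested in the thread (reading the SPF/DKIM/DMARC verdicts from a message that did arrive, and checking whether different mail types are signed with different DKIM selectors) can also be done locally. The following is an added example, not part of any post above and not Bitwarden's code; the headers, domains and the selector names `acct` and `login` are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed headers, not real Bitwarden mail; all names are placeholders.
# SPF passes for an unaligned bounce domain, so DMARC rests on DKIM alone.
TEMPLATE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.esp.example.net;
 dkim={dkim} header.d=example.com header.s={sel};
 dmarc={dmarc} header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s={sel};
 h=from:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: no-reply@example.com
Subject: {subject}

body
"""
CHANGE_EMAIL = TEMPLATE.format(dkim="pass", dmarc="pass", sel="acct", subject="Confirm new email")
LOGIN_CODE = TEMPLATE.format(dkim="fail (body hash did not verify)", dmarc="fail",
                             sel="login", subject="Login code")

def auth_summary(raw):
    """Return SPF/DKIM/DMARC verdicts plus the DKIM signing domain and selector."""
    msg = message_from_string(raw)
    out = {"spf": None, "dkim": None, "dmarc": None, "domain": None, "selector": None}
    for header in msg.get_all("Authentication-Results", []):
        flat = " ".join(header.split())          # unfold continuation lines
        for clause in flat.split(";")[1:]:       # element [0] is the authserv-id
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
            if not m:
                continue
            out[m.group(1)] = m.group(2).lower()
            if m.group(1) == "dkim":             # keeps the last DKIM result seen
                props = dict(re.findall(r"header\.(d|s)=(\S+)", clause))
                out["domain"], out["selector"] = props.get("d"), props.get("s")
    # Fall back to the signature's own d=/s= tags if the receiver omitted them.
    sig = msg.get("DKIM-Signature")
    if sig:
        tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
        out["domain"] = out["domain"] or tags.get("d")
        out["selector"] = out["selector"] or tags.get("s")
    return out

def failing_streams(raw_messages):
    """List (domain, selector, dkim, dmarc) for messages whose DKIM did not pass."""
    rows = [auth_summary(r) for r in raw_messages]
    return [(r["domain"], r["selector"], r["dkim"], r["dmarc"]) for r in rows if r["dkim"] != "pass"]

if __name__ == "__main__":
    print(failing_streams([CHANGE_EMAIL, LOGIN_CODE]))
```

A rejected message never reaches the inbox, so the headers have to come from a mailbox that accepted the same type of email. The selector in a failing row is the detail worth putting in the bug report.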