SPF TXT record with multiple senders - bounce back - spf check failed


Solution 1

Your SPF record looks fine, but we have no way of knowing if you are actually sending the e-mail from an IP address listed in the record (you would need to provide headers and the unobfuscated SPF TXT record). You can look at the headers of the bounced message and compare them yourself.

The include directive resolves properly:

    spf.protection.outlook.com. 3600 IN TXT "v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com include:spf-c.outlook.com include:spf.messaging.microsoft.com -all"

It could simply be a transient issue with a specific recipient MTA.

If you continue having issues you could consider changing your final SPF match to ~all (softfail), although -all is preferable if your SPF records are correct and well maintained.

Solution 2

Page is always helpful for troubleshooting. Mark is right; one would need confirmation of the originating address from the headers. Additionally, the SPF you shared has one ip4 and one include; is that the actual case? One of the gotchas of 365 is that their "includes" respond with additional DNS lookups, around 7 or 8 actually.

The SPF RFC dictates no more than 10 DNS lookups per record(?). So you have your domain [#1], spf.protection.outlook.com [#2], which responds with spf-a.outlook.com [#3], spf-b.outlook.com [#4], spf-c [#5], and messaging.micro... has 3 more [#6, 7, 8]. So we are up to 8 lookups so far. Do you have any other includes for your domain? Do they have additional lookups? This issue got us until we consolidated several mail sources into a single relay service.
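The lookup arithmetic discussed in Solution 2, as an added example that is not part of the original answers: it walks a record's include chain and counts the terms that RFC 7208 section 4.6.4 charges against the limit of 10 (include, a, mx, ptr, exists and redirect; the initial fetch of the domain's own record is not counted). The `ZONE` table, the `example.com` and `example.net` names, and every record other than the `spf.protection.outlook.com` one quoted in Solution 1 are constructed placeholders, and the count is the worst case where no earlier mechanism matches.

```python
# Added example: worst-case count of DNS-querying SPF terms (RFC 7208, 4.6.4).
# ZONE is a constructed offline stand-in for DNS. Only the spf.protection.outlook.com
# value is the record quoted on this page; everything else is a placeholder.
LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.10 include:spf.protection.outlook.com -all",
    "crowded.example.com": "v=spf1 ip4:192.0.2.10 include:spf.protection.outlook.com"
                           " include:bulk.example.net -all",
    "spf.protection.outlook.com": "v=spf1 include:spf-a.outlook.com"
        " include:spf-b.outlook.com include:spf-c.outlook.com"
        " include:spf.messaging.microsoft.com -all",
    "spf-a.outlook.com": "v=spf1 ip4:198.51.100.0/26 -all",
    "spf-b.outlook.com": "v=spf1 ip4:198.51.100.64/26 -all",
    "spf-c.outlook.com": "v=spf1 ip4:198.51.100.128/26 -all",
    "spf.messaging.microsoft.com": "v=spf1 include:sub1.example.net"
        " include:sub2.example.net include:sub3.example.net -all",
    "sub1.example.net": "v=spf1 ip4:203.0.113.0/26 -all",
    "sub2.example.net": "v=spf1 ip4:203.0.113.64/26 -all",
    "sub3.example.net": "v=spf1 ip4:203.0.113.128/26 -all",
    "bulk.example.net": "v=spf1 a mx/24 -all",
}

def count_lookups(domain, zone, path=()):
    """Count terms that trigger DNS queries, following include and redirect."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if record.lower().split()[:1] != ["v=spf1"]:
        raise LookupError("no SPF record for " + domain)
    total = 0
    for raw in record.split()[1:]:
        term = raw.lstrip("+-~?")  # drop the qualifier, e.g. "-all" -> "all"
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term[9:], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()  # "mx/24" -> "mx"
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include":
            total += count_lookups(target, zone, path + (domain,))
    return total

def report(domain, zone=ZONE):
    """Return (lookups, within_limit) for a domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, n <= LIMIT
```

With these placeholder records, `report("example.com")` stays under the limit, while adding one more provider include in `crowded.example.com` pushes the total past 10, which a receiving MTA treats as a permanent error.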

Author by

Mel

Updated on September 18, 2022

Comments

  • Mel
    Mel almost 2 years

    My company uses Office 365 for our email, but we also send email from one of our server's IP addresses. My TXT record is:

    v=spf1 ip4:XXX.XX.XX.XXX include:spf.protection.outlook.com -all
    

    (XXX.XX.XX.XXX is the server IP address that we send mail from)

    However, when sending to certain external emails we get a bounce back saying:

    There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
    <srvexch.network.local #5.5.0 smtp;550 SPF check failed. Sender not authorized>
    

    But we don't get it from all external emails - only from some.

    I'm new at this, is there something in my txt record that could cause the bounce back?

    • kralyk
      kralyk over 10 years
      Why wouldn't you relay the email through O365 outbound from your server?
  • Mark Sturgill
    Mark Sturgill over 10 years
    Excellent point about processing limits. ietf.org/rfc/rfc4408.txt (p. 34)
  • Mathias R. Jessen
    Mathias R. Jessen over 10 years
    The 10 lookup limit applies specifically to 10 MX or PTR RRs per sending host - not a total of 10 lookups per record or host
  • Mathias R. Jessen
    Mathias R. Jessen over 10 years
    @MarkSturgill Well I'll be damned, ignore and carry on please :)