Managing Exchange Online Sender Policy Framework Records (SPF)


As an Exchange Online administrator you may know that you are only able to add 2 or so SPF include entries for your customer domain. Add any more and you may find that receiving mail servers performing SPF checks refuse the incoming mail. This is because the total number of include: entries exceeds 10. The SPF RFC states that a maximum of 10 SPF include entries are supported; beyond that, mail servers are unable to process the record and therefore do not accept the message.

Background

Microsoft's Exchange Online service, through the Outlook.com namespace, already has 8 SPF include entries, and these plus the include entries in the customer domain's SPF record are combined when processing incoming mail. When the number of include entries is greater than 10, the receiving mail server will not accept the mail.

Outlook.com SPF Record Entries

| Prefix | Type | Value | Description |
| --- | --- | --- | --- |
| + | include | spf-a.outlook.com | The specified domain is searched for an 'allow'. |
| + | include | spf-b.outlook.com | The specified domain is searched for an 'allow'. |
| + | ip4 | 157.55.9.128/25 | Match if IP is in the given range. |
| + | include | spfd.outlook.com | The specified domain is searched for an 'allow'. |
| + | include | spfe.outlook.com | The specified domain is searched for an 'allow'. |
| + | include | spff.outlook.com | The specified domain is searched for an 'allow'. |
| + | include | spf-a.hotmail.com | The specified domain is searched for an 'allow'. |
| + | include | _spf-ssg-b.microsoft.com | The specified domain is searched for an 'allow'. |
| + | include | _spf-ssg-c.microsoft.com | The specified domain is searched for an 'allow'. |
| ~ | all | | Always matches. It goes at the end of your record. |

Resolution

Designate a subzone such as marketing.contoso.com for any mailing services you need, then split the SPF records as follows. Contoso will then have 9 include records in total between Outlook.com and contoso.com, which is under the 10-entry limit, so recipient mail servers will accept mail sent from one of the hosts listed in the SPF record(s).

  • contoso.com
    "v=spf1 ip4:69.212.255.130 include:outlook.com -all"
  • marketing.contoso.com
    "v=spf1 include:FQDN include:FQDN -all"

Mail that comes directly from Exchange Online uses @contoso.com, while mail that comes from the marketer uses @marketing.contoso.com (or something similar). This is more secure because it designates a specific zone for third parties who send mail on the company's behalf.

Update

A new SPF record (spf.protection.outlook.com) has been created that references only the Office 365 IP ranges. It will begin to show in the Microsoft Online Portal UI (MOP) for managing domains in the next few weeks (around the end of November 2012), and from then on both Office 365 and Office 365 Preview tenants will see it as the value to include in the SPF record for their domains. This means all new and existing tenants (14 and 15) should use the new include, which cuts down the total number of SPF includes and keeps the total under the RFC limit of 10. Note that, according to the resource below, the include limit is based on names/FQDNs: the receiving mail server will only perform 10 name lookups, which resolve to the IPs that are collected and used for the check. A record with one FQDN include and 9 ip4 address entries therefore counts as only 1 entry against the limit.
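The lookup counting described above and the apex/subzone split from the Resolution section, as an added example that is not part of the original post: a small checker that follows include: and redirect= terms the way a receiving server must and reports when a domain exceeds the 10-lookup limit. All DNS data in it is constructed offline; the outlook.com entry mirrors the eight includes in the table, and esp1.example/esp2.example are stand-ins for a marketer's includes.

```python
# Added example, not the post's own code. Counts the DNS-lookup terms behind a
# domain's SPF record (RFC 7208 section 4.6.4 limit of 10). All records below
# are a constructed, offline stand-in for real DNS TXT data.
import re

LIMIT = 10
# Mechanisms/modifiers that cost a DNS query; ip4/ip6/all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

CONSTRUCTED_DNS = {
    # Mirrors the eight includes listed in the Outlook.com table above.
    "outlook.com": "v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com "
                   "ip4:157.55.9.128/25 include:spfd.outlook.com include:spfe.outlook.com "
                   "include:spff.outlook.com include:spf-a.hotmail.com "
                   "include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all",
    # The post's split: Exchange Online on the apex, marketers on a subzone.
    "contoso.com": "v=spf1 ip4:69.212.255.130 include:outlook.com -all",
    "marketing.contoso.com": "v=spf1 include:esp1.example include:esp2.example -all",
    # What happens if the marketer includes are put on the apex instead.
    "flat.contoso.com": "v=spf1 ip4:69.212.255.130 include:outlook.com "
                        "include:esp1.example include:esp2.example -all",
}
# Constructed leaf records: ip4-only, so they add no further lookups.
for leaf in ("spf-a.outlook.com", "spf-b.outlook.com", "spfd.outlook.com",
             "spfe.outlook.com", "spff.outlook.com", "spf-a.hotmail.com",
             "_spf-ssg-b.microsoft.com", "_spf-ssg-c.microsoft.com",
             "esp1.example", "esp2.example"):
    CONSTRUCTED_DNS[leaf] = "v=spf1 ip4:192.0.2.0/24 -all"

def count_lookups(domain, dns=CONSTRUCTED_DNS, path=()):
    """DNS lookups needed to evaluate domain's SPF, following include:/redirect=."""
    if domain in path:          # an include loop would otherwise recurse forever
        return 0
    total = 0
    for term in dns.get(domain, "").split()[1:]:     # skip the v=spf1 tag
        m = re.fullmatch(r"([a-z0-9]+)(?:[:=/](.*))?", term.lstrip("+-~?").lower())
        if not m:
            continue
        mech, target = m.groups()
        if mech in LOOKUP_TERMS:
            total += 1          # the include/a/mx/... query itself
            if mech in ("include", "redirect") and target:
                total += count_lookups(target, dns, path + (domain,))
    return total

def spf_verdict(domain, dns=CONSTRUCTED_DNS):
    """Return (lookup count, verdict) for a domain as a receiving server would."""
    n = count_lookups(domain, dns)
    return n, "ok" if n <= LIMIT else "permerror: too many DNS lookups"
```

With these records contoso.com costs 9 lookups and passes, flat.contoso.com costs 11 and fails, and marketing.contoso.com costs 2, which is why the split works.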

Resource:

SPF Permanent Error: Too many DNS lookups: http://community.office365.com/en-us/f/148/p/870/7485.aspx?pageindex=1
