Few months ago I blogged about the limitations that the recommended SPF record for any Exchange Online customer brings (you can find the post here). Sadly, things have changed for the worse – Microsoft have updated the SPF records on one of the included domains and in result now the recommended SPF record consumes 10 of the 10 allowed DNS lookups. This in turn means that if you have business need to add any on-prem or 3rd party emailer, you MUST use the subdomain workarounds or simply include IP ranges instead.
As far as I can tell, the change has happened recently. The overall structure of the SPF record is the same as before:
Non-authoritative answer: spf.protection.outlook.com text = "v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com include:spf-c.outlook.com include:spf.messaging.microsoft.com -all"
The frontbridge part also stays the same:
Non-authoritative answer: spf.messaging.microsoft.com text = "v=spf1 include:spfa.frontbridge.com include:spfb.frontbridge.com include:spfc.frontbridge.com -all"
The trouble is that spfa.frontbridge.com now includes two PTR lookups:
Non-authoritative answer: spfa.frontbridge.com text = "v=spf1 ptr:protection.outlook.com ptr:messaging.microsoft.com ip4:22.214.171.124/25 ip4:126.96.36.199/24 ip4:188.8.131.52/25 ip4:184.108.40.206/24 ip4:220.127.116.11/25 ip4:18.104.22.168/25 ip4:22.214.171.124/24 -all"
I’m sure Microsoft had their reasons for updating this, the end result however puts us in a difficult position. Plus they have already promised to actually work to REDUCE the number of lookups so that we don’t face issues. I guess it’s time to remind them and put some pressure over all available channels…
Seems that somebody heard our cries and the current SPF is reduced to 7 lookups.
Seems that they have switched to using PTR, bringing the number of lookups down to 3. Thanks to Joe Sutherland for sharing this, the original post is in the comments below 🙂