SPF Alignment failures on outbound email
Posted by Chewie8083@reddit | sysadmin | 8 comments
Hi,
We are experiencing a number of DKIM/SPF Alignment failures when sending to hotmail/Outlook domains, and it's driving me insane currently.
If I look at the Header analyser in MXToolbox, it shows an SPF alignment failure for '52.101.71.109'. Our SPF Record includes spf.protection.outlook.com, which includes the IP range +ip4:52.100.0.0/15. The above IP is within this range, but we're still failing here? Our alignment in the DMARC record is relaxed for SPF and DKIM.
schwertmaggi@reddit
Does the From Header have the same (organizational) domain as the MAIL FROM? That's what alignment refers to in the context of DMARC.
If there is no MAIL FROM (such as in a DSN, out-of-office reply etc.), the From header needs to be aligned with the EHLO hostname of your sending MTA. If that isn't possible, you need to DKIM sign your mail, including DSNs.
Chewie8083@reddit (OP)
Hi,
They do match yeah. I made a change a few days ago that seemed to resolve this issue for ~24 hours, and now we're seeing bounces again.
I removed DKIM signing on the default signing domain in 365 (we sign DKIM with Mimecast) and as mentioned, this stopped any failures. However, as of yesterday, we're seeing failures again. A user will send ~30 emails to hotmail/outlook users, most of them will arrive successfully, and a few will fail with a DKIM failure?
However, when I look at the headers, SPF and DKIM are passing? I'm still getting the 5.7.515 error. How is this possible on a batch of emails all sent at the same time from the same user via the same method?
schwertmaggi@reddit
Do the rejected messages contain non-ASCII characters? I remember there being some problems with that due to Mimecast not supporting 8BITMIME.
Try sending a message with a special character like ß and one without to aboutmy.email or the like and see if the DKIM signature survives.
This was more a problem with Postfix sending to Mimecast, rather than EXO sending via Mimecast, but it's worth a try.
Cormacolinde@reddit
Make sure your records for SPF, DKIM and DMARC have a TTL of 3600 or more. There's been transient issues with Exchange Online recently due to short-lived records.
Anxiety_As_A_Service@reddit
It’s not. Your SPF CIDR is inside 52.100 and the IP you shared is 52.101.
Plus_Ad_5348@reddit
monoman67@reddit
doesn't /15 mean the range is 52.100.0.1 - 52.101.255.254 ?
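Added example (not from any poster in the thread) that settles the two checks the thread turns on: whether the flagged IP sits inside the /15 that spf.protection.outlook.com includes, and whether the From header domain aligns with the MAIL FROM domain under relaxed versus strict DMARC mode. The organizational-domain shortcut (last two labels) is an assumption; real evaluators use the Public Suffix List.

```python
import ipaddress

# Values taken from the thread: the IP MXToolbox flagged and the ip4
# mechanism contained in spf.protection.outlook.com.
FLAGGED_IP = "52.101.71.109"
SPF_IP4_MECHANISM = "52.100.0.0/15"


def cidr_bounds(cidr: str) -> tuple[str, str]:
    """First and last address of a CIDR block, e.g. a /15 spans two /16s."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def ip_in_cidr(ip: str, cidr: str) -> bool:
    """True if the sending IP is covered by the SPF ip4 mechanism."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels.
    Assumption for this demo; DMARC evaluators consult the Public Suffix
    List so that e.g. 'example.co.uk' is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spf_aligned(header_from: str, mail_from: str, mode: str = "r") -> bool:
    """DMARC SPF identifier alignment.
    mode 's' (strict): RFC5322.From domain must equal RFC5321.MailFrom domain.
    mode 'r' (relaxed): the two must share an organizational domain.
    For an empty MAIL FROM (DSN, auto-reply) pass the EHLO identity instead."""
    if mode == "s":
        return header_from.lower() == mail_from.lower()
    return org_domain(header_from) == org_domain(mail_from)


def dmarc_spf_passes(ip: str, cidr: str, header_from: str,
                     mail_from: str, mode: str = "r") -> bool:
    """SPF only contributes to a DMARC pass when the IP passes SPF *and*
    the SPF-authenticated domain aligns with the From header domain."""
    return ip_in_cidr(ip, cidr) and spf_aligned(header_from, mail_from, mode)
```

Running `cidr_bounds("52.100.0.0/15")` shows the block ends at 52.101.255.255, so an SPF check on 52.101.71.109 passes and any remaining failure is an alignment or DKIM question, not an IP range one.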
freddieleeman@reddit
What’s the authentication result? If it’s a tempfail, it’s likely on Microsoft’s side. Check out this deep dive for more details: https://www.uriports.com/blog/outlook-com-dkim-temperror-in-dmarc-reports/
Next, run your setup through LearnDMARC. If everything passes there, you’ve done what you can. To help reduce tempfails, bump the TTL on your DKIM and SPF records to at least 24–48 hours.