I got this delivery result all of a sudden from MS
Authentication-Results: spf=fail (sender IP is x)
smtp.mailfrom=y.z; dkim=pass (signature was verified)
header.d=y.z;dmarc=pass action=none header.from=y.z;compauth=pass
reason=100
Received-SPF: Fail (protection.outlook.com: domain of y.z does not
designate x as permitted sender)
The email had gotten an SCL of 9, so it went straight into the recipient's spam folder.
Overriding the SPF record to not use mx but use ip4:{server ip} does pass the MS checks and results in the same email getting an SCL score of 1.
I am not sure what changed.
Does anyone have any tips on how to stabilize the situation? Why did mx in the SPF record not work?
Afaik, the default SPF record in Mail in a Box is "v=spf1 mx -all", which should work if you’re sending mail directly from your box, and if you let the box handle the DNS for all the domains hosted on your box.
However, issues like this, except of course when they’re caused by bugs at Microsoft, can occur if you’re sending mail through an external relay service, in which case you need to include their servers in the SPF record:
@ IN TXT "v=spf1 mx include:_spf.externalmail.com -all"
Or if you’re using external DNS and sending from a subdomain, in which case I’d say you need separate records for the subdomain, which should probably look something like this:
@ IN MX 10 box.domain.net.
subdomain IN MX 10 box.domain.tld.
@ IN TXT "v=spf1 mx -all"
subdomain IN TXT "v=spf1 mx -all"
dkim._domainkey IN TXT "v=DKIM1; k=rsa; p=MII..."
dkim._domainkey.subdomain IN TXT "v=DKIM1; k=rsa; p=MII..."
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@domain.tld"
_dmarc.subdomain IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@sub.domain.tld"
Or, of course, if you’re using external DNS and your MX record is set incorrectly, but then you would have other issues as well.
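How a receiver evaluates the `mx` mechanism discussed in this thread, as an added example that is not from either poster or from Mail-in-a-Box: a simplified SPF evaluator (only `all`, `ip4`, `ip6`, `a`, `mx`, `include`) run against a constructed DNS table. All names and addresses are placeholders; `pinned.tld`, `relayed.tld` and the IPs are assumptions for illustration.

```python
import ipaddress

# Constructed DNS data (placeholders, documentation address ranges), not real records.
DNS = {
    ("domain.tld", "TXT"): ["v=spf1 mx -all"],
    ("domain.tld", "MX"): ["box.domain.tld"],
    ("box.domain.tld", "A"): ["203.0.113.10"],
    ("box.domain.tld", "AAAA"): [],
    ("pinned.tld", "TXT"): ["v=spf1 ip4:203.0.113.99 -all"],
    ("relayed.tld", "TXT"): ["v=spf1 mx include:_spf.externalmail.com -all"],
    ("relayed.tld", "MX"): ["box.domain.tld"],
    ("_spf.externalmail.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.rstrip(".").lower(), rtype), [])

def host_matches(ip, host):
    # Compare the connecting IP with the host's A (IPv4) or AAAA (IPv6) records.
    rtype = "A" if ip.version == 4 else "AAAA"
    return any(ip == ipaddress.ip_address(a) for a in lookup(host, rtype))

def check_spf(sender_ip, domain, depth=0):
    """Simplified RFC 7208 check: first matching mechanism decides the result."""
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1 or depth > 10:
        return "permerror"
    for term in records[0].split()[1:]:
        qual = QUALIFIERS.get(term[0])
        name, _, arg = (term[1:] if qual else term).lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = host_matches(ip, arg or domain)
        elif name == "mx":
            # mx passes only if the connecting IP is an address of an MX host.
            matched = any(host_matches(ip, mx) for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            continue  # modifiers and unsupported mechanisms are skipped here
        if matched:
            return qual or "pass"
    return "neutral"
```

With this table, `mx` passes only for 203.0.113.10; mail leaving from any other address (a second outbound IP, an IPv6 address with no AAAA record on the MX host, or a relay) hits `-all` unless an `ip4` or `include` term covers it.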