SPF Records for Microsoft 365 - emails receiving Validation Error

What is the name of the domain?

What is the error message?

Domain couldn’t confirm that your message was sent from a trusted location

What is the issue you’re encountering?

Emails are not being received by recipients

What steps have you taken to resolve the issue?

I have deleted the SPF record and re-entered the details as below:

v=spf1 include:spf.protection.outlook.com include:secureserver.net -all

My domain uses Cloudflare DNS and Microsoft 365 for email, but recipients using Microsoft 365 are giving an error saying the location can’t be trusted.

What feature, service or problem is this related to?

DNS records

You have two “_dmarc” records:

$ dig +noall +answer TXT _dmarc.o-hx.com
_dmarc.o-hx.com.        300     IN      TXT     "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1"
_dmarc.o-hx.com.        300     IN      TXT     "v=DMARC1; p=none;"

  1. Delete the second DMARC record.

In other words, let the one that only contains “v=DMARC1; p=none;” go away.

  2. Use the DMARC reports you’re receiving thereafter.

If the email address from the first one is handled by a human (e.g. manual work), it may be wise to look into alternative ways, e.g. sending them through a DMARC service that can provide more human-readable results.

The (g)zipped XML reports you’re eventually receiving may not always seem to make much sense to the human eye.

However, they can give an insight into which emails do not pass the flow, and where you need to look.

So remove - v=DMARC1; p=none;

The other record only mentions the investment@ email address; however, there are around 20 emails for this domain. Surely this other record is also incorrect with that in mind?

(I didn’t set this up originally and I’m trying to find out what does what within the DNS and ensure everything is as it should be.)

The mailto: URI in the rua is the address where DMARC reports are sent. It is best to not use a personal mailbox as it will receive many report emails every day. The best option is to use the address assigned to your account by a DMARC reporting service. If you don’t have one yet, you can use Cloudflare DMARC Management for free.

The mailto: URI in the ruf is similar, but it represents the destination where you want forensic reports sent. Some providers do not send these since they can expose private information. I don’t use an ruf for that reason.

Your SPF is valid, but contains a redundant include. (Your second include contains your first include.) See the following report for a more detailed explanation.

Thank you for the responses. I have made all the changes as suggested; let’s now see how we get on!
