SPF Records for Microsoft 365 - emails receiving Validation Error

What is the name of the domain?

What is the error message?

Domain couldnt confirm that your message was sent from a trusted location

What is the issue you’re encountering

Emails are not being received by recipients

What steps have you taken to resolve the issue?

I have deleted spf record and re input details as below:

v=spf1 include:spf.protection.outlook.com include:secureserver.net -all

My domain uses cloudflare dns and Microsoft 365 for email but recipients using Microsft 365 are giving an error saying the location cant be trusted.

What feature, service or problem is this related to?

DNS records

You have two “_dmarc” records:

$ dig +noall +answer TXT _dmarc.o-hx.com
_dmarc.o-hx.com.        300     IN      TXT     "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1"
_dmarc.o-hx.com.        300     IN      TXT     "v=DMARC1; p=none;"
  1. Delete the second DMARC record,

In other words, let the one that only contains “v=DMARC1; p=none;” go away.

  1. Use the DMARC reports you’re receiving thereafter.

If the email address from the first one is handled by a human (e.g. manual work), it may be wise to look in to alternative ways, such as e.g. sending them through a DMARC service, that can provide more human-readable results.

The (g)zipped XML reports you’re eventually receiving, may not always seem to make much sense to the human eye.

However, - they can give an insight in to which emails do not pass the flow, and where you need to look.

So remove - v=DMARC1; p=none;

The other record only mentions investment@ email address however there are around 20 emails for this domain. Surely this other record is also incorrect with that in mind?

(I didnt set this up originally and Im trying to find out what does what within the dns and ensure everything is as it shoyld be.)

The mailto: URI in the rua is the address where DMARC reports are sent. It is best to not use a personal mailbox as it will receive many report emails every day. The best option is to use the address assigned to your account by a DMARC reporting service. If you don’t have one yet, you can use Cloudflare DMARC Management for free.

The mailto: URI in the ruf is similar, but iit represents the destination where you want forensic reports sent. Some providers do not send these since they can expose private information. I don’t use an ruf for that reason.

Your SPF is valid, but contains a redundant include. (Your second include contains your first include.) See the following report for a more detailed explanation.

Thank you for the responses, I have made all the changes as suggested, lets now see how we get on!

1 Like