SPF Record, Office 365 Spam Filter, and On-Premise Exchange nightmares

Rick Ranck
Okay, so I've hit a wall here. Prior to yesterday, we were hosting our internet and DNS with WindStream. They handled everything for us with no issue. But, in an effort to not have to change DNS hosts every time we change ISPs, we made the decision to host our DNS with Network Solutions, who we've used as our registrar for 20 years. I've now run into an issue where I cannot send email to certain providers such as Yahoo. We use Office 365 as our spam filter and host an on-prem Exchange server. Does anyone have a recommendation for how to configure the SPF record to accommodate this configuration?
Server engineer
Yahoo and AOL domains require reverse DNS records to accept any email from external senders.

So, since you changed your DNS providers and ISP, first of all check whether your domain has a PTR record, i.e. a reverse DNS record. You can contact your ISP as well for the same.

Also, since your spam filter is Office 365, make sure you add/include your Exchange server's public IP in your current SPF record, which only has the Office 365 entry.
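As an added example (not part of the original answer or the thread), this offline check audits a domain's TXT records for the change described above: exactly one SPF record that authorises both Office 365 and the on-prem Exchange public IP. The function names are hypothetical, `203.0.113.10` is a constructed documentation placeholder for the Exchange IP, and `include:spf.protection.outlook.com` is assumed to be the "Office 365 entry" the answer refers to.

```python
import ipaddress

# Office 365 / Exchange Online Protection include published by Microsoft
# (assumed to be the existing "Office 365 entry" mentioned in the answer).
O365_INCLUDE = "include:spf.protection.outlook.com"

def split_term(term):
    """Split an SPF term into (qualifier, mechanism); the default qualifier is '+'."""
    return (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)

def audit_spf(txt_records, exchange_ip):
    """Return a list of findings for a domain's TXT records; an empty list means no issue."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Receivers treat zero records as "no policy" and several as a permanent error.
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = [split_term(t) for t in spf[0].lower().split()[1:]]
    ip = ipaddress.ip_address(exchange_ip)
    findings, covered = [], False
    for qual, mech in terms:
        if mech.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(mech[4:], strict=False)
            except ValueError:
                findings.append(f"malformed mechanism: {mech}")
                continue
            # Only a passing ('+') mechanism authorises the sender.
            if qual == "+" and net.version == ip.version and ip in net:
                covered = True
    if not covered:
        findings.append(f"Exchange public IP {exchange_ip} is not authorised")
    if ("+", O365_INCLUDE) not in terms:
        findings.append(f"missing {O365_INCLUDE}")
    if not any(m.startswith("redirect=") for _, m in terms):
        if not terms or terms[-1] not in (("-", "all"), ("~", "all")):
            findings.append("record should end in ~all or -all")
    return findings

# Constructed sample data: 203.0.113.10 is a documentation placeholder address.
EXCHANGE_IP = "203.0.113.10"
BEFORE = ["v=spf1 include:spf.protection.outlook.com -all"]
AFTER = ["v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all"]

if __name__ == "__main__":
    for label, records in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_spf(records, EXCHANGE_IP) or "OK")
```

The check works on record text only; it does not resolve the include or count nested DNS lookups, so confirm the published record with a live lookup as well.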
David Favor, Fractional CTO
Distinguished Expert 2018

There are many requirements.

1) You must have a valid PTR record, as Saif mentioned.

2) You must have a valid SPF record.

3) You must have a valid DKIM record.

4) Optionally (and best) have a DMARC record for daily delivery failure reports.

5) You must DKIM sign all your messages using OpenDKIM or some similar system.

6) You must warm up your sending IP pool, which can take weeks to months.

7) After you've done #1-#6, you'll have a chance of good deliverability.

Alternatively: Skip all this + use a Mail Relay Service like MailGun, which allows you to skip all the above steps + have reasonable deliverability immediately (no IP pool warm up required).
David Favor, Fractional CTO
Distinguished Expert 2018

You can use https://dmarcian.com/dmarc-tools + https://mxtoolbox.com for testing/verifying your DNS records are set up correctly.

You can also post your From: address + actual SMTP submission response from Yahoo, if you require more assistance.

Tip: Delivery to Oath properties (all Yahoo + AOL addresses) is extremely difficult.

In all my businesses I tell people right up front if they use an Oath address likely they'll never get email, related to their subscription or purchase, including shipment tracking info. Then suggest they use a Gmail address, if getting email is important to them.
