SooHow Cheng asked:

Why do the SPF records fail with my hybrid Exchange configuration?

This is using MS Exchange Server 2013 and Office 365 in hybrid. One of the users got a bounced mail with the error message as follows:

SPF validation error

How to fix it

Your organization's email domain will have to diagnose and fix your domain's email settings. Please forward this message to your email admin.

More info for Email admins

status code: 550 5.7.23

This error occurs when Sender Policy Framework (SPF) validation for the sender's domain fails. If you're the sender's email admin, make sure the spf records for your domain at your domain registrar are setup correctly. Office 365 supports only one SPF record (a TXT record that defines SPF) for your domain. Include the following domain name: spf.protection.outlook.com. If you have a hybrid configuration (some mailboxes in the cloud, and some mailboxes on premises) or if you're an Exchange online protection standalone customer, add the outbound ip address of your on-premises servers to the TXT record.

We already created the SPF record as follows:

"v=spf1 include:spf.protection.outlook.com ip4:xx.xx.xx.xxx -all"

The ip4 address is the on-prem Exchange server's public IP address. Don't know why this fails the SPF check. So far, only this recipient rejects the mail based on the SPF record.




8/22/2022 - Mon
Dr. Klahn

Did the email in question actually emanate from your servers, or did it go out via some unexpected alternate route?

Dump the header section of the email in text format and carefully examine the routing header chain.
David Favor

You'll either debug this yourself using MXToolBox or Dmarian... or... provide data... by attaching the full message you're sending...

This will include...

1) Sender - From

2) Recipient - To

3) IP address your email is emitting through

4) Also, as Dr. Klahn mentioned, if you're routing mail through a Mail Relay, you'll provide that information also.
David Favor

SooHow Cheng

Hi Dr Klahn,

We are using MS Exchange - MS Office 365 hybrid. Some mailboxes are located in Exchange on-prem while others are in the Office 365 cloud.
Initially, both on-prem and Office 365 cloud were configured to relay mail to messagelabs for outgoing mail. However, about 2 months ago, we configured them to send directly, either from on-prem or from Office 365. We removed the "smart host" configuration for both on-prem and Office 365 cloud.
Unless mail still relays via the smart host (by mistake), I don't really know what went wrong.

SooHow Cheng

Hi David,

We have onprem exchange server, office 365, as well as messagelabs.

This is the SPF record after updating:
v=spf1 ip4:x.x.x.x include:spf.protection.outlook.com include:spf.messagelabs.com -all

So far so good
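As an added illustration (not code from the thread or from any of the participants), here is a small Python evaluator that applies the two records quoted above to a sending IP. It uses a constructed stand-in for DNS with RFC 5737 documentation ranges in place of the real Microsoft and messagelabs address space, supports only ip4/ip6, include and all, and shows mail relayed through a host covered only by spf.messagelabs.com failing the first record and passing the updated one.

```python
import ipaddress

# Constructed stand-in for the DNS lookups an SPF evaluator performs; the
# real ranges behind these includes are replaced with RFC 5737 ranges.
ZONE = {
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "spf.messagelabs.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
ONPREM_IP = "192.0.2.10"  # constructed: public IP of the on-prem Exchange

# The two records from the thread, with the redacted IP filled in from above.
ORIGINAL = f"v=spf1 include:spf.protection.outlook.com ip4:{ONPREM_IP} -all"
UPDATED = (f"v=spf1 ip4:{ONPREM_IP} include:spf.protection.outlook.com "
           "include:spf.messagelabs.com -all")


def spf_pass(record, ip, zone=ZONE, depth=0):
    """True if `ip` yields 'pass' for `record`; False for fail, softfail,
    neutral or no match. Unknown mechanisms raise ValueError, as RFC 7208
    treats them as permerror (this is what a typo such as 'vp4:' causes)."""
    if depth > 10:
        raise ValueError("more than 10 include lookups")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":  # matches only if the included record passes
            if arg not in zone:
                raise ValueError(f"no SPF record published for {arg}")
            matched = spf_pass(zone[arg], ip, zone, depth + 1)
        elif name == "all":
            matched = True
        else:
            raise ValueError(f"unknown mechanism {name!r}")
        if matched:
            return qual == "+"
    return False


def diagnose(record, sending_ip, zone=ZONE):
    """Defender-side check: the result a receiver would compute for this IP."""
    try:
        return "pass" if spf_pass(record, sending_ip, zone) else "fail"
    except ValueError as exc:
        return f"permerror: {exc}"
```

Running `diagnose(ORIGINAL, "198.51.100.7")` against `diagnose(UPDATED, "198.51.100.7")` reproduces the thread's situation: a message that still leaves through the messagelabs relay fails the original record and passes once the include is added.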
David Favor

Be sure you're checking your DMARC reports daily too, as many companies fail to update their SPF records, so if you're sending massive amounts of bulk mail, best use a dedicated IP only, then put this dedicated IP in your SPF record.