I recently moved our mail servers to a new IP range, which was done about 36 hours ago. We updated the connector with the new IPs but forgot to add the SPF record until 24 hours after the change. All DNS records have a TTL of 300 seconds (or 5 minutes). However, I'm noticing that some Microsoft mail servers, like AMS0EPF000001B1.mail.protection.outlook.com and others, are still acting up. While it seems like more emails are getting through, I'm still encountering SPF failures, indicating that they're using outdated DNS records. I'm concerned about when Microsoft will start correctly looking up DNS entries, adhering to the RFCs, and respecting the TTL to avoid DKIM errors. It seems like there might be a problem with their programming regarding DNS caching. Is there a way to clear the cache across all Microsoft mail servers?
1 Answer
Unfortunately, you can't really force Microsoft’s mail protection servers to immediately follow the TTL settings. Even with your records set to a 300-second TTL, they often cache SPF lookups for much longer—sometimes two days! This is a common issue with large mail providers prioritizing efficiency over strict compliance. Usually, these problems resolve themselves within a day or two. For future reference, it’s smart to update your SPF records at least 48 hours before changing your mail flow to minimize disruptions.
Totally agree! It's like they ignore the guidelines when it suits them.
It's frustrating when these big companies treat RFCs like suggestions instead of rules. What’s the deal with that?
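To see concretely why a receiver that still holds a cached copy of the old SPF record rejects mail from the new range, here is a small SPF evaluator added as an illustration (not code from the original question or answer). The records, IP ranges and the include domain are constructed sample values, and the `include:` target is resolved from an inline dict instead of live DNS.

```python
import ipaddress

# Constructed sample data: the SPF record before and after the mail servers
# moved IP range, plus the record behind the "include:" target. A receiver
# whose cache has not expired still evaluates OLD_SPF against the new IPs.
OLD_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example-relay.invalid -all"
NEW_SPF = "v=spf1 ip4:198.51.100.0/24 include:_spf.example-relay.invalid -all"
INCLUDED = {"_spf.example-relay.invalid": "v=spf1 ip4:192.0.2.8/29 -all"}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, ip, includes=INCLUDED, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none'
    or 'permerror') of evaluating `record` for the connecting IP `ip`.
    Offline simplification: only ip4/ip6/include/all are evaluated; a/mx/ptr
    /exists need live DNS and are skipped; includes come from `includes`."""
    if depth > 10:                      # mirrors RFC 7208's lookup limit
        return "permerror"
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                 # a bare mechanism means "+" (pass)
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:                        # version mismatch simply does not match
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            sub = includes.get(arg.lower())
            if sub is None:             # an unresolvable include is a permerror
                return "permerror"
            matched = check_spf(sub, ip, includes, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue
        if matched:
            return RESULTS[qualifier]
    return "neutral"                    # no mechanism matched (RFC 7208 4.7)


if __name__ == "__main__":
    sender = "198.51.100.25"            # a host in the NEW range
    print("stale cache :", check_spf(OLD_SPF, sender))   # fail
    print("fresh record:", check_spf(NEW_SPF, sender))   # pass
```

The same sender IP flips from `fail` to `pass` purely on which copy of the TXT record the receiver holds, which is the effect described in the answer.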