Hey everyone,
I'm running into some serious issues with DKIM and SPF alignment failures when sending emails to Hotmail and Outlook domains, and it's really frustrating me. I checked the headers using MXToolbox and saw that there's an SPF alignment failure for the IP address '52.101.71.109'. Our SPF record already includes spf.protection.outlook.com, which covers the IP range `+ip4:52.100.0.0/15`. Since '52.101.71.109' falls within that range, I'm puzzled as to why it's still failing. For our DMARC record, we've set the alignment to relaxed for both SPF and DKIM. Any advice or insights would be greatly appreciated!
4 Answers
First off, what authentication result are you getting? If it's showing a **tempfail**, it could be a temporary issue on Microsoft's side. You might want to take a look at this deep dive related to the issue: [Uriports Blog](https://www.uriports.com/blog/outlook-com-dkim-temperror-in-dmarc-reports/). Also, try running your setup through [LearnDMARC](https://learnDMARC.com). If everything checks out there, you’ve done your part. For reducing those tempfails, consider increasing the TTL on your DKIM and SPF records to 24–48 hours.
Double-check that your SPF, DKIM, and DMARC records all have a TTL of at least 3600 seconds. There have been some ongoing transient issues with Exchange Online lately that could be related to short-lived records.
Make sure that the From header is aligned with the MAIL FROM, which should match your organizational domain. That’s what alignment means in the DMARC context. If there isn’t a MAIL FROM (like in out-of-office replies), then the From header needs to be aligned with the EHLO hostname of your sending MTA. If that’s not feasible, just ensure your mail is DKIM signed, even for DSNs.
Actually, I think the issue might be that your SPF CIDR includes IPs in the range of 52.100, and the address you provided, 52.101.71.109, is technically different and isn’t included—even though it might seem close. You should check those ranges as they can be tricky to get right.
Exactly, 52.100.0.1 to 52.101.255.254 is the range you would expect... at least verify it with a subnet calculator or something.
Doesn't the /15 mean that the range is from 52.100.0.1 to 52.101.255.254?
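Added example, not part of any post in this thread: a Python sketch that separates the two questions the thread raises, whether the sending IP matches the `ip4` mechanism and whether the SPF domain aligns with the From header under DMARC. The domain names, the flattened mechanism list and the two-entry public-suffix set are assumptions made for illustration.

```python
import ipaddress

# Assumption: tiny stand-in for the Public Suffix List, enough for this demo.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def ip_matches_spf(ip, mechanisms):
    """True if ip is inside any ip4:/ip6: mechanism (only the '+' qualifier is handled)."""
    addr = ipaddress.ip_address(ip)
    for mech in mechanisms:
        name, _, cidr = mech.lstrip("+").partition(":")
        if name in ("ip4", "ip6") and cidr:
            net = ipaddress.ip_network(cidr, strict=False)
            if addr.version == net.version and addr in net:
                return True
    return False

def spf_aligned(header_from, mail_from, helo, mode="r"):
    """DMARC SPF identifier alignment; mode 'r' = relaxed, 's' = strict."""
    # With a null MAIL FROM, the SPF identity falls back to the HELO/EHLO name.
    spf_domain = (mail_from or helo).lower()
    header_from = header_from.lower()
    if mode == "s":
        return spf_domain == header_from
    return org_domain(spf_domain) == org_domain(header_from)

def evaluate(ip, header_from, mail_from, helo, mechanisms, mode="r"):
    """Return (spf_pass, dmarc_spf_pass); DMARC needs SPF pass AND alignment."""
    passed = ip_matches_spf(ip, mechanisms)
    return passed, passed and spf_aligned(header_from, mail_from, helo, mode)

if __name__ == "__main__":
    # Constructed input: IP and range from the question, hypothetical domains.
    # Assumption: the same flattened mechanism applies to each MAIL FROM domain.
    mechs = ["+ip4:52.100.0.0/15"]
    ip = "52.101.71.109"
    for mail_from in ("bounce.example.com", "mail.example.net", ""):
        print(repr(mail_from),
              evaluate(ip, "example.com", mail_from, "mta.example.com", mechs))
```

An SPF pass with a failed alignment is the case where the IP is covered by the record but the MAIL FROM domain belongs to a different organizational domain than the From header.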