Forum Discussion

RNalivaika's avatar
RNalivaika
Iron Contributor
May 04, 2020

Exchange Online Protection SPF record

Hi, I have received a message sent via Exchange Online host IPv6 "2603:10a6:20b:c0::31". The message was marked as spam because of SPF fail. Subnet "2603:10a6:20b:c0::/64" is not in the list of O365 ...
exchange online
office 365
fvanloon's avatar
fvanloon
Copper Contributor
Oct 07, 2022

I see the same thing happing with emails send from an application and using Office365 as SMTP. 

The address: 2603:10a6:102:1ce:6 is not in the record spf.protection.outlook.com

 

Looks like MS is not updating the record, or there are servers which a sending emails which should not be going on the internet that route. 

Which IPv6 range should be added, any one an idea? Not planning on manually adding each IP address. 

  • jabberwockdb123's avatar
    jabberwockdb123
    Copper Contributor
    Oct 07, 2022
    I used "v=spf1 ip6:2603:10b6::/37 include:secureserver.net ~all". I believe it includes most IP's starting with 2603:10b6 which overcompensates. But I couldn't think of any other way. Most of the emails pass through with this, but I still see some IP's which are not designated... For example 2603:10b6:a03:202::9 is not designated.
    Another odd thing is when I receive an email via Gmail, even if the email passes SPF, Gmail sometimes flags it as possible spam.
    • JohnLBevan's avatar
      JohnLBevan
      Copper Contributor
      Feb 15, 2024
      I've done a few tests now and think I can explain it...

      I see 2603:10b6::/37 IPs show up when I send emails to other mailboxes under our tenant.
      However, if I send mails externally (e.g. to a gmail address) I see the IPs listed in the SPF record (e.g. 2a01:111:f403:261b::700).

      Similarly, mails sent internally don't include a DKIM selector (header.s=selector1 / header.s=selector2), whislt those sent externally do.

      So I think this behaviour may be by design; but (to the best of my Google-fu) I can't find this documented anywhere.

      i.e. When mails are sent internally, MS already knows they're valid, so doesn't bother following the normal processes which would allow a mail to be verified via DMARC. But when mails are sent externally it does use an IP covered by SPF and a selector covered by DKIM as expected.

      That's my theory though; not a verified fact.
    • AdamS550's avatar
      AdamS550
      Copper Contributor
      Dec 04, 2023

      we had the same issue all of sudden most of our emails was marked spam and when we contacted MS support they fallow the standard MS support spam filter, email policies ..etc even though we clearly told them it seems the emails that was send from IPV6 like 2603:10c6:10:e::17 it was marked as spam and this IP is belong MS. why is that? after 3 days of none sense and lost of emails we did our investigation 

      https://www.spf-record.com/spf-lookup/spf.protection.outlook.com?ip=2603:10c6:10:e::17

      IPV6 start with 2603: is not part of spf recorders that cause our email to fails SPF check further more the entire 2603:1000::/24 is belong to Microsoft network.

      since we added the ipv6 record to our spf record our email seems to be fine 

      v=spf1 include:spf.protection.outlook.com ip6:2603:1000::/24 -all

      until MS figure out how to implement basic things like SPF 🙂 

Resources