spf
3 Topics

Rely solely on DKIM, remove spf.protection.outlook.com from SPF record?
Question: Is there anyone that already has removed the spf.protection.outlook.com entry for their Office 365 hosted mail domain, and how has this impacted deliverability?

Situation: In order to protect our email from being spoofed, we have a DMARC policy in place that recipient email servers respect to filter out unauthenticated emails sent from our mail domain. As we all know, DMARC authentication can take place either by publishing the authorized sending servers' IPs/netblocks in the domain's SPF record, by publishing DKIM keys, or both. One of the mechanisms has to align; two is fine as well, of course. For our mail domain, both the SPF mechanism and the DKIM mechanism are used at this moment.

Two assumptions:

1. The SPF record's entry for Office 365 (include:spf.protection.outlook.com) is used by ALL Office 365 tenants/customers and contains all the possible IPs that Office 365 uses to send outgoing email.
2. The DKIM key used by Office 365 to cryptographically sign mails that are sent out from our mail domain is unique for our tenant.

When inspecting the DMARC reporting, I noticed that some emails were not signed with the correct DKIM keys, but are labeled as 'aligned'. Quite possibly, these emails were sent from within some Office 365 tenant, but not from our tenant and thus, quite possibly, malicious.

Statement: On hosted email platforms such as O365 and Gmail, SPF isn't good enough because all their good customers and all their abusive customers use spf.protection.outlook.com (or spf.gmail.com for that matter) for SPF lookups. The SPF record is only a simple TXT lookup with no logic or cryptographic keys involved. By removing the SPF element from the equation for our email domain, we rely solely on the DKIM signing, which is unique and cryptographically sound. Email deliverability should not be impacted for DMARC-compatible mail services, but will be lower for email services that are not DMARC-compliant.
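One way to pull the rows described in the post (DMARC pass without an aligned DKIM signature) out of an aggregate report, as an added example that is not part of the original post. It assumes the RFC 7489 aggregate-report XML layout without namespaces; the sample report, addresses and domains are constructed, and `spf_only_passes` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

def _record(ip, count, dkim_aligned, spf_aligned, dkim_domain):
    # Builds one constructed <record> in the RFC 7489 aggregate-report layout.
    return (
        f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
        f"<policy_evaluated><dkim>{dkim_aligned}</dkim><spf>{spf_aligned}</spf>"
        "</policy_evaluated></row>"
        "<identifiers><header_from>example.com</header_from></identifiers>"
        f"<auth_results><dkim><domain>{dkim_domain}</domain><result>pass</result></dkim>"
        f"<spf><domain>example.com</domain><result>{spf_aligned}</result></spf>"
        "</auth_results></record>"
    )

# Constructed sample report; addresses and domains are documentation values.
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain></policy_published>"
    + _record("192.0.2.10", 12, "pass", "pass", "example.com")
    + _record("192.0.2.77", 3, "fail", "pass", "other-tenant.example")
    + _record("198.51.100.5", 1, "fail", "fail", "other-tenant.example")
    + "</feedback>"
)

def spf_only_passes(report_xml):
    """Return rows whose DMARC pass rests on SPF alignment alone."""
    # Reports come from third parties: use a hardened XML parser for real input.
    root = ET.fromstring(report_xml)
    findings = []
    for rec in root.iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        if evaluated is None:
            continue  # malformed record, nothing to evaluate
        dkim = (evaluated.findtext("dkim") or "").strip().lower()
        spf = (evaluated.findtext("spf") or "").strip().lower()
        if spf == "pass" and dkim != "pass":
            findings.append({
                "source_ip": rec.findtext("row/source_ip"),
                "count": int(rec.findtext("row/count") or 0),
                "header_from": rec.findtext("identifiers/header_from"),
                # Domains that signed the mail, aligned or not.
                "dkim_domains": [d.findtext("domain")
                                 for d in rec.findall("auth_results/dkim")],
            })
    return findings

if __name__ == "__main__":
    for row in spf_only_passes(SAMPLE_REPORT):
        print(row)
```

Rows returned here are the ones whose handling would change if the SPF include were removed, so their volume and source addresses are worth reviewing before touching the record.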