
Emails being put into quarantine, says SPF fail, no DKIM (even though DKIM is enabled), which then leads to DMARC failures

Anonymous
2023-09-21T00:36:30+00:00

Hi,
We recently changed to a new ISP, and after the change, emails kept being quarantined, even legitimate emails. I have tried looking through the settings of the email security, but I could not find anything wrong. I even modified phishing policies, and legitimate emails are still being quarantined.
I know that this most likely will be a DNS issue, but I can't seem to figure out what is wrong.
Any help on this matter would be super appreciated!

Microsoft 365 and Office | Subscription, account, billing | For business | Other

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


2 answers

  1. Anonymous
    2023-09-21T02:45:45+00:00

    Hi Toan,

    Good day.

    Thank you for connecting with us in Microsoft community.

    According to your description, I would like to share some information with you. In your situation, the Office 365 global admin may need to contact our Office 365 support team on the back-end side through an open service request so they can diagnose this specific issue through some more technical resources. If necessary, they may collect certain log information for further diagnosis. Since forum moderators have limited access permissions and resources, we are unable to collect certain detailed information on the public forum, for data privacy reasons.

    For this standard process, here is the official document for the global administrator: Get support - Microsoft 365 admin | Microsoft Learn

    Important note: If any organization's Office 365 Business / Enterprise / Education subscription is from a syndicated partner or reseller, and if the global administrator can't open the service request on their side, they may need to contact the reseller's support provider so they can help the global admin open the service request on their side. After that, the Office 365 support team can participate in the service request.

    I would really appreciate your valuable time. Thank you for your kind cooperation.

    Sincerely

    Darpan

    1 person found this answer helpful.
  2. Vincent Choy 10,850 Reputation points Volunteer Moderator
    2023-09-21T04:12:55+00:00

    Ok, I first need to clarify if the problem is with emails being sent to you or your outbound emails are being rejected.

    Assuming it's your outbound emails that are being rejected -

    SPF fail means the SPF record in your DNS is faulty.

    There are several possible causes -

    1. Syntax errors.

    The typical DNS entry for the SPF record for the Microsoft portion is as follows

    v=spf1 include:spf.protection.outlook.com -all

    Any typos, hidden characters, etc. will render the SPF record invalid.

    2. Other SPF record errors.

    You may have errors in other parts of your SPF record, if it also involves other senders. If your SPF record includes many other senders besides the Microsoft entry, the error may lie there. Some SPF records I have seen exceed the recommended number of DNS lookups. This might result in timeout errors leading to a failed SPF and then leading to a failed DMARC.

    The other question to ask is whether those emails with SPF errors were originating from Exchange Online, or whether you have other systems sending mail on your behalf using the same domain name, but not declared in the SPF record, and it is these emails that are experiencing an SPF fail condition. If such is the case, you need to add these senders into the SPF record as part of the list of authorized senders for this domain.

    3. No DKIM

    If you did not specify a DKIM, and your DMARC policy has been set to either p=quarantine or p=reject, then DKIM will also fail, leading to the specified DMARC action of quarantine or reject. Please proceed to set up your DKIM as well. There are numerous posts online on how to enable DKIM for Microsoft 365 and your various senders.

    4. DMARC Policy

    For the time being, it would probably be good to set your DMARC policy to p=none first, until you have sorted out your SPF and DKIM.

    When you are fairly confident you have done it correctly, then set DMARC policy to your desired action.

    Alternatively you can also sign up for a DMARC reporting tool like Dmarcian, and direct your DMARC reports (mainly rua reports) to the reporting tool, to see what is happening to emails you send out. If there are errors in DKIM or SPF, the reporting tool would also highlight this to you.

    5. Tracing the SPF error.

    Try using this tool by putting in your domain name and see what it says about your SPF: https://mxtoolbox.com/spf.aspx

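The SPF checks discussed in the second answer (typos, hidden characters, and too many DNS lookups) can be scripted. The following is an added example, not code from either answer or from Microsoft: a small linter that follows `include`/`redirect` chains and counts DNS-querying terms against the limit of 10 set by RFC 7208. The domains and all TXT contents in `SAMPLE_TXT` are constructed stand-ins for live DNS, and `lint_spf` and `check` are hypothetical helper names.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF check
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN = QUERYING | {"all", "ip4", "ip6", "exp"}
TERM = re.compile(r"^[+\-~?]?([A-Za-z0-9]+)(?:[:=/](.*))?$")

# Constructed TXT data standing in for live DNS; not real record contents.
SAMPLE_TXT = {
    "example.test": "v=spf1 include:spf.protection.outlook.com include:vendor.test mx -all",
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "vendor.test": "v=spf1 a mx include:more.vendor.test ~all",
    "more.vendor.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "typo.test": "v=spf1 include:spf.protection.outlook.com\u200b -all",  # zero-width space
    "heavy.test": "v=spf1 " + " ".join(f"include:s{i}.test" for i in range(11)) + " -all",
    **{f"s{i}.test": "v=spf1 ip4:203.0.113.1 -all" for i in range(11)},
}

def lint_spf(domain, txt=SAMPLE_TXT, path=()):
    """Return (problems, lookups) for domain's SPF record, following includes."""
    if domain in path:
        return [f"{domain}: include loop"], 0
    record = txt.get(domain)
    if record is None:
        return [f"{domain!r}: no SPF record found"], 0
    problems, lookups = [], 0
    hidden = sorted({c for c in record if not 32 <= ord(c) < 127})
    if hidden:
        problems.append(f"{domain}: hidden or non-ASCII characters {hidden!r}")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return problems + [f"{domain}: record does not start with v=spf1"], 0
    for term in terms[1:]:
        m = TERM.match(term)
        name = m.group(1).lower() if m else None
        if name not in KNOWN:  # lint warning: likely a typo in a mechanism name
            problems.append(f"{domain}: unrecognised term {term!r}")
        elif name in QUERYING:
            lookups += 1
            if name in ("include", "redirect") and m.group(2):
                sub, n = lint_spf(m.group(2), txt, path + (domain,))
                problems += sub
                lookups += n
    return problems, lookups

# Top-level entry point: lint the record tree, then apply the lookup limit.
def check(domain, txt=SAMPLE_TXT):
    problems, lookups = lint_spf(domain, txt)
    if lookups > LOOKUP_LIMIT:
        problems.append(f"{domain}: {lookups} DNS lookups exceeds limit of {LOOKUP_LIMIT}")
    return problems, lookups
```

To run it against a real domain, replace `SAMPLE_TXT` with a dictionary built from the TXT records returned by your resolver.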