Azure Communication Service - Cannot successfully verify SPF - Is there an approved workaround?

Question

Azure Communication Service - Cannot successfully verify SPF - Is there an approved workaround?

JB International 0

Hello,

I am in the process of adding a client’s email domain to our Azure Communication Services (ACS) instance in order to configure a custom emailFrom address for outbound messaging. As part of this setup, we are required to validate the domain and verify SPF, DKIM, and DKIM2 records.

While domain validation and DKIM/DKIM2 verification have completed successfully, we are encountering issues with the SPF verification step. We have been collaborating with the client’s IT team, who provided the following explanation:

“Microsoft Office 365 is already an enabled sender, so no action is required on the SPF side. One thing that might come up is that they can't verify you've added the record. Microsoft is doing an exact match in your SPF record that should look like this: v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:spf.protection.outlook.com ~all Instead, they can see only the macro: v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all and can't read behind it. This might generate an error, but it can be ignored.”

Unfortunately, ACS does not allow us to proceed without successful SPF verification, so we are unable to "ignore" the issue as suggested. I followed up with the client, and they further clarified:

“The issue isn’t with the SPF itself, but rather that Microsoft’s validation process cannot perform an exact match on the SPF record due to the use of macros. Macros are necessary due to SPF record size limitations. Because the validation tool is unable to resolve the macro, it fails the verification step. You may need to contact Microsoft Azure Support to explore possible workarounds.”

At this point, I am unsure how to proceed. The SPF TXT entry does appear to be correctly configured in DNS on the client side. The issue seems to lie with ACS’s ability to resolve and validate the macro-based SPF record.

Is this a known limitation, and is there a recommended approach or workaround for completing SPF validation in this type of scenario?

Thank you for your assistance.

Best regards,
Matt Reynolds

JB International

Prabhavathi Manchala 2,315 Reputation points Microsoft External Staff Moderator

2025-04-11T21:58:43.4966667+00:00
Hi JB International,

The issue arises because ACS is performing an exact match of the SPF record during validation, while the client's SPF record includes macros (e.g., %{i}, %{h}, %{d}), which are valid according to the SPF standard but not supported by Microsoft's validation tool. As a result, the SPF validation fails, even though the SPF record works correctly in practice.

Unfortunately, ACS requires SPF validation to pass before proceeding and doesn't allow bypassing or manual confirmation. Since it can't resolve macro-based SPF, here is the workaround.

Ask the client to temporarily add a simple SPF record without macros that includes the ACS domain. Once verified, they can switch back to their original record, this is the easiest and safest workaround.

v=spf1 include:spf.protection.outlook.com include:spf.vali.email ~all

https://learn.microsoft.com/en-us/azure/communication-services/quickstarts/email/send-email?pivots=programming-language-csharp&tabs=windows%2Cconnection-string%2Csend-email-and-get-status-async%2Csync-client#use-a-custom-domain
Prabhavathi Manchala 2,315 Reputation points Microsoft External Staff Moderator

2025-04-14T19:06:15.1233333+00:00

Hi JB International,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
JB International 0 Reputation points

2025-04-15T14:00:44.07+00:00

Hi Prabhavathi Manchala,

Thank you for your response. I needed a few days to consult with the client and evaluate whether the proposed solution would be viable. Unfortunately, this approach will not work for our situation.

The existing SPF DNS TXT record, which utilizes macros that ACS cannot seem to read properly, cannot be removed—even temporarily—as it currently supports the base domain for a large institution. This record plays a critical role in ensuring email authentication and consistent delivery for tens of thousands of users. We have thoroughly verified that the existing SPF configuration is valid and effectively serving its purpose.

Given these constraints, is it possible to engage Microsoft Azure support to override the SPF verification within Azure Communication Services (ACS) on the back end?
Prabhavathi Manchala 2,315 Reputation points Microsoft External Staff Moderator

2025-04-15T20:53:18.5633333+00:00

Hi JB International,

Thank you for the update. I understand that your SPF record with macros is very important and can’t be changed. No, you can't override the SPF verification in Azure Communication Services (ACS). It’s required for security, and there’s no way to bypass it.
Prabhavathi Manchala 2,315 Reputation points Microsoft External Staff Moderator

2025-04-16T20:10:44.2033333+00:00

Hi JB International,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
JB International 0 Reputation points

2025-04-16T20:25:58.6166667+00:00

Prabhavathi Manchala,

We believe there may be a misunderstanding. We are in the process of verifying SPF records for a major U.S. higher education institution. While their SPF configuration is technically accurate, the ACS is not properly verifying it due to the previously mentioned macro-related issue.

Implementing the suggested workaround poses a significant security risk, as it will negatively impact thousands of users, so it is not an acceptable option.

Before we consider using a different platform, we would appreciate the opportunity to speak directly with a Microsoft Azure support representative or engineer who can assist us in identifying a proper and secure solution. Could you please advise on how we can escalate this matter or connect with the appropriate support personnel?
Sampath 3,750 Reputation points Microsoft External Staff Moderator

2025-04-17T02:32:26.45+00:00

Hello @JB International ,

Further Feel free to express your feedback regarding the Azure Communication Services on Uservoice.

All input shared in these forums undergoes monitoring and review by the Microsoft engineering teams responsible for developing Azure.

Furthermore, users with similar requests have the opportunity to up-vote your post and contribute their comments.

Your feedback is actively considered in the ongoing development of the Azure.
Sampath 3,750 Reputation points Microsoft External Staff Moderator

2025-04-21T05:49:59.4266667+00:00

Hello @JB International ,

Converting the above comment to an answer to close the question since you are moving to another feedback form. Requesting you to accept and click yes. Thank you.

2 answers

Your answer

Prabhavathi Manchala 2,315 Reputation points Microsoft External Staff Moderator

2025-04-11T21:58:43.4966667+00:00

Hi JB International,

The issue arises because ACS is performing an exact match of the SPF record during validation, while the client's SPF record includes macros (e.g., %{i}, %{h}, %{d}), which are valid according to the SPF standard but not supported by Microsoft's validation tool. As a result, the SPF validation fails, even though the SPF record works correctly in practice.

Unfortunately, ACS requires SPF validation to pass before proceeding and doesn't allow bypassing or manual confirmation. Since it can't resolve macro-based SPF, here is the workaround.

Ask the client to temporarily add a simple SPF record without macros that includes the ACS domain. Once verified, they can switch back to their original record, this is the easiest and safest workaround.

v=spf1 include:spf.protection.outlook.com include:spf.vali.email ~all

https://learn.microsoft.com/en-us/azure/communication-services/quickstarts/email/send-email?pivots=programming-language-csharp&tabs=windows%2Cconnection-string%2Csend-email-and-get-status-async%2Csync-client#use-a-custom-domain
Prabhavathi Manchala 2,315 Reputation points Microsoft External Staff Moderator

2025-04-14T19:06:15.1233333+00:00

Hi JB International,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
JB International 0 Reputation points

2025-04-15T14:00:44.07+00:00

Hi Prabhavathi Manchala,

Thank you for your response. I needed a few days to consult with the client and evaluate whether the proposed solution would be viable. Unfortunately, this approach will not work for our situation.

The existing SPF DNS TXT record, which utilizes macros that ACS cannot seem to read properly, cannot be removed—even temporarily—as it currently supports the base domain for a large institution. This record plays a critical role in ensuring email authentication and consistent delivery for tens of thousands of users. We have thoroughly verified that the existing SPF configuration is valid and effectively serving its purpose.

Given these constraints, is it possible to engage Microsoft Azure support to override the SPF verification within Azure Communication Services (ACS) on the back end?
Prabhavathi Manchala 2,315 Reputation points Microsoft External Staff Moderator

2025-04-15T20:53:18.5633333+00:00

Hi JB International,

Thank you for the update. I understand that your SPF record with macros is very important and can’t be changed. No, you can't override the SPF verification in Azure Communication Services (ACS). It’s required for security, and there’s no way to bypass it.
Prabhavathi Manchala 2,315 Reputation points Microsoft External Staff Moderator

2025-04-16T20:10:44.2033333+00:00

Hi JB International,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
JB International 0 Reputation points

2025-04-16T20:25:58.6166667+00:00

Prabhavathi Manchala,

We believe there may be a misunderstanding. We are in the process of verifying SPF records for a major U.S. higher education institution. While their SPF configuration is technically accurate, the ACS is not properly verifying it due to the previously mentioned macro-related issue.

Implementing the suggested workaround poses a significant security risk, as it will negatively impact thousands of users, so it is not an acceptable option.

Before we consider using a different platform, we would appreciate the opportunity to speak directly with a Microsoft Azure support representative or engineer who can assist us in identifying a proper and secure solution. Could you please advise on how we can escalate this matter or connect with the appropriate support personnel?
Sampath 3,750 Reputation points Microsoft External Staff Moderator

2025-04-17T02:32:26.45+00:00

Hello @JB International ,

Further Feel free to express your feedback regarding the Azure Communication Services on Uservoice.

All input shared in these forums undergoes monitoring and review by the Microsoft engineering teams responsible for developing Azure.

Furthermore, users with similar requests have the opportunity to up-vote your post and contribute their comments.

Your feedback is actively considered in the ongoing development of the Azure.
Sampath 3,750 Reputation points Microsoft External Staff Moderator

2025-04-21T05:49:59.4266667+00:00

Hello @JB International ,

Converting the above comment to an answer to close the question since you are moving to another feedback form. Requesting you to accept and click yes. Thank you.

Answer 1

Hello @JB International,

Thank you for continuing the conversation.

We understand the importance of your situation and appreciate your efforts in trying to resolve it. At this time, Azure Communication Services does not support overriding SPF verification requirements, and macro-based SPF records are not currently compatible with the verification tool.

For product-related limitations and feature requests, we highly encourage you to share your feedback directly with the Azure product team via the Azure Communication Services UserVoice.

All input shared on this platform is actively monitored and reviewed by Microsoft engineering teams, and contributions from users with similar needs can help prioritize future improvements. Please consider submitting your scenario for review and encourage others impacted by the same limitation to vote and comment.

If you have further technical questions or need help crafting your UserVoice submission, feel free to comment here.

Kindly mark the answer as “Accept” and click "yes" if the information is helpful. This can benefit other members of the community as well and It assists others in the community facing similar challenges.If you have any further questions, please click Comment

Answer 2

JB International 0

For those that come across this issue in the future, we want to write and share that we were able to open a support ticket with Azure engineers (requires the $100/mo standard support plan) to get this resolved. When provided the description we opened this Q&A with, they recognized this as an understandable problem, and were able to override the verification from the back-end.

We're going to ask if there is a way to get around this without needing to pay $100/mo for what arguably should be standard behavior. We can advocate for that over at Azure Communication Services UserVoice as well. We imagine this will become a supported feature in the future.

Thanks for the help!

JB International

Sampath 3,750 Reputation points Microsoft External Staff Moderator

2025-04-22T10:26:19.7+00:00

Hello @JB International,

Thank you for providing an update and sharing your experience with opening a support ticket. We understand the frustration of encountering additional steps and costs to resolve what seems like a straightforward issue, and we genuinely appreciate your patience throughout this process.

We recognize that improving accessibility to such solutions without requiring a support plan would be valuable to many users. Advocating for this on the Azure Communication Services UserVoice platform is an excellent step, as it ensures that your feedback is heard by the product team. We're glad to hear you're taking initiative to highlight this need, and we support your efforts in bringing this to the forefront.

Share via

Azure Communication Service - Cannot successfully verify SPF - Is there an approved workaround?

2 answers

Your answer