This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 79%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
Microsoft 365 emails are rejected with spf validation error. Log shows that email originated from M365 IP 40.95.89.66 which is not included in SPF subnet of 40.95.0.0/15.
Please advise if there is roadmap to include this in M365 SPF subnet. If yes, please include this in M365 documentations for everyone's visibility.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 84%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
Hi @Spf Record ,
Due to your issue may be more related to exchange online instead of Outlook desktop client, in order to solve your issues better, I modified your tag. Thanks for your understanding and hoep your issue would be resolved soon.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hi,@Spf Record
According to Office 365 URLs and IP address ranges,this ip seems not contained in the M365 ip addresses.
Did all the recipient domains reject the emails which were sent from this ip address?
Some only. Any insights?
Thanks for your information.
I noticed that many users come up with the similar problem, while so far it hasn't been confirmed as a known issue.
Since the problem seems to be related to Microsoft 365 backend, I would suggest opening a service request via Microsoft 365 Admin Center.
As the support agents may take a close look into each of these cases.
Thanks for your understanding and sorry for any inconvenience caused.
If there are any updates, please feel free to post back.
I haven't been able to check to see if that range should be included or not - but first, could you check to make sure that your messages are routing via the normal delivery pool, vs. being seen as high risk? Some delivery pools are intentionally excluded from SPF. Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 42%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHK%3C/text%3E%3C/svg%3E)
To clarify...
The spf for M365 (spf.protection.outlook.com) returns the following ip4 networks:
40.92.0.0/15
40.107.0.0/16
52.100.0.0/14
104.47.0.0/17
51.4.72.0/24
51.5.72.0/24
51.5.80.0/27
51.4.80.0/27
None of these covers source address 40.95.89.66
The first one would, if the mask had been 14 and not 15.
You are not alone - https://learn.microsoft.com/en-us/answers/questions/250845/e-mail-message-rejected-by-icloud-because-of-dmarc.html
Looks like someone at Microsoft got lazy and forgot to add all IP's to SPF records.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 26%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERR%3C/text%3E%3C/svg%3E)
I've been seeing the same thing since mid January on a handful of outbound email. I'm seeing outbound IPs in the 40.95.78.x-40.95.80.x range. We're getting back NDRs saying:
Reason: LED=550 40.95.78.189 is not allowed to send mail from mydomain.com. Please see the SPF record, with scope mfrom, identity first.last@mydomain.com, and ip 40.95.78.189
Checking MXtoolbox SPF shows these IPs are not the spf.protection.outlook.com record. I have a ticket open with the 365 support team but the only solution they came up with is to add random IP addresses to our own SPF record :(
Again, check to see if those messages were marked as spam (see link I posted above). If they were marked as spam, ask support to submit as a false positive. Adding IPs to SPF isn't required.
Thank you Scott, I do think you're right. The 40.95.x.x range is probably from the HRDP or the Relay pool.
The article you shared doesn't go into much detail on diagnosing but i did find this technet article on locating the spam markers. Is there a better place to look?
Our custom_data field in the detailed message trace report doesn't contain and SFV (Spam Filter Verdict) tags but I did see "OutboundIpPool=1501" for the failed messages.
All our failed messages are autoforwarded ones.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 51%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
The reason these are not in the spf.protection.outlook.com SPF record is because the subnet 40.95.0.0/16 is used for the "High Risk Delivery Pool". Also, there are IPs used by the "Relay" IP pool, which is not publicly published, and also does not appear in the SPF record. Both of these are by design.