SPF record for domain won't verify for custom Email domain

Martin Haug 36

Hello,
I'm trying to add a custom Email domain to Azure Communication Services. The domain verification using the TXT DNS record was successful.

However, because I need the sent mails to be DKIM and SPF authenticated, I also started adding those records.
This domain has a preexisting SPF record, let's say v=spf1 include:spf.service1.com include:servers.service2.com -all.
After modifying it to include Azure's SPF listing, it now reads as v=spf1 include:spf.protection.outlook.com include:spf.service1.com include:servers.service2.com -all.

Azure does not seem to be able to successfully verify this record. The dashboard is stuck saying "Verification in progress" for SPF for days now, even though DKIM validation worked just fine.

What can I do to fix this? Is there anything I'm missing?

ajkuma 22,086 Reputation points Microsoft Employee

2022-07-18T11:40:32.587+00:00

MartinHaug, Apologies for the delay from over the weekend.

While I' check on this further, could you please confirm if you're referring to the steps outlined in this doc section Configure sender authentication for custom domain
Yes, you need add the TXT record and CNAME records to your domain's registrar. I understand the verification is stuck for > 24 hrs. Kindly take a look at the records sample from the doc:
Martin Haug 36 Reputation points

2022-07-18T12:48:42.063+00:00

I have followed the steps in the linked documentation article prior to posting this question and did create the required TXT records.
As outlined in the original post, my deployment requires multiple SPF-authorized domains, so I cannot use the SPF value as proposed by the Azure dashboard. However, as also described above, I included spf.protection.outlook.com in the sender domains in an SPF-compliant way. External SPF checkers recognize this change and attest that both my SPF and DKIM records are valid.

Unfortunately, my problem remains unsolved. I would be grateful for any further assistance.
ajkuma 22,086 Reputation points Microsoft Employee

2022-07-19T18:57:24.273+00:00

MartinHaug, Thanks for the additional info and clarity on this. I'm checking on this internally and will get back. I'll also follow-up with you privately' for some subscription related info.

Accepted answer

Ebraheem Al-Muneyeer (MSFT) 951 Reputation points Microsoft Employee

2022-07-24T09:36:53.083+00:00

Hi @Martin Haug , I'm sorry for any inconvenience happened because of this.

As you know Email Service is still in public preview which means that it is not recommended for production workloads and certain capabilities might not be supported or might have constrained.

That said, currently, you can have only 1 SPF value and verification will fail if you have many. The product group is working on this to have a better experience with a such scenario.

At the moment you can try to have only 1 SPF value, and after the verification is done, you can add the others (Note: This workaround will be working now but not in the future, as we are working on periodic verification too)
Please sign in to rate this answer.
Krishan 6 Reputation points

2022-10-11T16:36:40.7+00:00

Is there somewhere we can stay tuned for updates on this? Thanks!

ajkuma 22,086 Reputation points Microsoft Employee

2022-10-17T16:25:46.27+00:00

krishan711-hooke, Apologies for the delay!

You may follow/take a look at these resources for updates:

Azure Communication Service project

Azure Communication Services Blog

https://github.com/Azure/Communication#release-notes
Sign in to comment

2 additional answers

ajkuma 22,086 Reputation points Microsoft Employee

2022-07-21T19:10:12.907+00:00

@Martin Haug , Following-up after my discussions with ACS product engineering team, currently, we do not support multiple SPF records. They have a work item to track this, the fix will be rolled out in next couple of weeks.

Note: Please note that this timeline is just an estimate and is subject to change, depending on a myriad of factors. I will keep you posted as soon as I have more updates.

Thanks for your patience and cooperation!

If your requirement fits, as a temporary alternate solution, you may add only our SPF, verify domain and then update the SPF record to include your other IP as well. (this workaround may not work in future).
Please sign in to rate this answer.

1 person found this answer helpful.
Dxsego 1 Reputation point

2022-12-21T15:28:09.1+00:00

Hello! is there any update on this? Your time and attention are appreciated!

Best Regards

ajkuma 22,086 Reputation points Microsoft Employee

2023-01-06T08:35:45.85+00:00

Apologies for the delay! We do now support multiple SPF records for configuration. The doc would be updated appropriately.

Krishan 6 Reputation points

2023-01-17T12:10:17.18+00:00

Hey AJ do you know if this is implemented now and if not is there somewhere we can track?

Edit: apologies, i see you said it has been implemented. Thanks!

Andreas Georgsson 16 Reputation points

2023-06-20T12:54:45.7733333+00:00

Still not working, and it's not in preview anymore.

JeffDev 10 Reputation points

2023-07-20T18:05:53.17+00:00

I can verify Andreas' experience. We entered include:spf.protection.outlook.com into our SPF TXT record. We have several other IP addresses and domain names included there for other services that we use.

Other SPF verification tools are reporting that our record is perfect, but Azure's "Provision domains" tool still reports that we need to configure it. We even tried moving the include:spf.protection.outlook.com value so that it's the first value n the record. No change. The validation tool still seems to fail when multiple values exist in the SPF record.

As Andreas reported this tool is no longer in preview. Any idea on when this will be resolved?

Tom 10 Reputation points

2023-07-21T20:52:50.56+00:00

I'll second that this still isn't working. I had to create a second spf record with just the outlook.com server in it even though we're O365 and the record already exists in our SPF record. Hopefully the periodic checks haven't been implemented yet.

This is a big deal as many organizations have several entries in their SPF records. Would like to get an update on this as well.

Ebraheem Al-Muneyeer (MSFT) 951 Reputation points Microsoft Employee

2023-07-23T08:59:39.76+00:00

Can you please confirm if you are using Hard fail (-all) Soft fail (~all), or Neutral (?all) in your SPF records?

Andreas Georgsson 16 Reputation points

2023-07-23T09:22:36.22+00:00

I submitted a support case, and they confirmed this is not solved. So ended up doing a second temporary SPF record to pass the validation, but that should not be needed, tried also to change between hard fail and soft fail and that didn’t affect the validation.
Sign in to comment
Rodrigues,Diego 5 Reputation points

2023-07-26T15:04:16.3133333+00:00

What worked for us just now was changing from ~all to -all temporarily to get it verified.
Please sign in to rate this answer.

1 person found this answer helpful.
Andy Grothe 0 Reputation points

2023-11-13T12:50:55.71+00:00

ok, this ist the solution. i have change the tilde (~) to minus (-) and now it works.

ajkuma 22,086 Reputation points Microsoft Employee

2023-11-13T19:04:48.6433333+00:00

Thanks for the update and sharing the solution that worked for you.

Tom Maljaars | Red Cactus 0 Reputation points

2024-02-08T16:52:47.5+00:00

Still same problem as Rodrigues,Diego. Changed ~all to -all and fixed the verification. @Ebraheem Al-Muneyeer (MSFT)

Ebraheem Al-Muneyeer (MSFT) 951 Reputation points Microsoft Employee

2024-02-11T06:59:37.8033333+00:00

Hello @Tom Maljaars | Red Cactus , yes, you are correct, Email Communication Service (ECS) does not support soft fail (~) and you should copy/paste the SPF record as is with the hard fail (-). That being said, I need to mention here that ECS supports multiple SPF records now
Sign in to comment