SPF record for domain won't verify for custom Email domain

Martin Haug 36

Hello,
I'm trying to add a custom Email domain to Azure Communication Services. The domain verification using the TXT DNS record was successful.

However, because I need the sent mails to be DKIM and SPF authenticated, I also started adding those records.
This domain has a preexisting SPF record, let's say v=spf1 include:spf.service1.com include:servers.service2.com -all.
After modifying it to include Azure's SPF listing, it now reads as v=spf1 include:spf.protection.outlook.com include:spf.service1.com include:servers.service2.com -all.

Azure does not seem to be able to successfully verify this record. The dashboard is stuck saying "Verification in progress" for SPF for days now, even though DKIM validation worked just fine.

What can I do to fix this? Is there anything I'm missing?

ajkuma 26,471 Reputation points Microsoft Employee

2022-07-18T11:40:32.587+00:00

MartinHaug, Apologies for the delay from over the weekend.

While I' check on this further, could you please confirm if you're referring to the steps outlined in this doc section Configure sender authentication for custom domain
Yes, you need add the TXT record and CNAME records to your domain's registrar. I understand the verification is stuck for > 24 hrs. Kindly take a look at the records sample from the doc:
Martin Haug 36 Reputation points

2022-07-18T12:48:42.063+00:00

I have followed the steps in the linked documentation article prior to posting this question and did create the required TXT records.
As outlined in the original post, my deployment requires multiple SPF-authorized domains, so I cannot use the SPF value as proposed by the Azure dashboard. However, as also described above, I included spf.protection.outlook.com in the sender domains in an SPF-compliant way. External SPF checkers recognize this change and attest that both my SPF and DKIM records are valid.

Unfortunately, my problem remains unsolved. I would be grateful for any further assistance.
ajkuma 26,471 Reputation points Microsoft Employee

2022-07-19T18:57:24.273+00:00

MartinHaug, Thanks for the additional info and clarity on this. I'm checking on this internally and will get back. I'll also follow-up with you privately' for some subscription related info.

Accepted answer

Ebraheem Al-Muneyeer (MSFT) 956 Reputation points Microsoft Employee

2022-07-24T09:36:53.083+00:00

Hi @Martin Haug , I'm sorry for any inconvenience happened because of this.

As you know Email Service is still in public preview which means that it is not recommended for production workloads and certain capabilities might not be supported or might have constrained.

That said, currently, you can have only 1 SPF value and verification will fail if you have many. The product group is working on this to have a better experience with a such scenario.

At the moment you can try to have only 1 SPF value, and after the verification is done, you can add the others (Note: This workaround will be working now but not in the future, as we are working on periodic verification too)
Please sign in to rate this answer.

1 person found this answer helpful.
Krishan 6 Reputation points

2022-10-11T16:36:40.7+00:00

Is there somewhere we can stay tuned for updates on this? Thanks!

ajkuma 26,471 Reputation points Microsoft Employee

2022-10-17T16:25:46.27+00:00

krishan711-hooke, Apologies for the delay!

You may follow/take a look at these resources for updates:

Azure Communication Service project

Azure Communication Services Blog

https://github.com/Azure/Communication#release-notes
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

3 additional answers

Rodrigues,Diego 10 Reputation points

2023-07-26T15:04:16.3133333+00:00

What worked for us just now was changing from ~all to -all temporarily to get it verified.
Please sign in to rate this answer.

2 people found this answer helpful.
Andy Grothe 0 Reputation points

2023-11-13T12:50:55.71+00:00

ok, this ist the solution. i have change the tilde (~) to minus (-) and now it works.

ajkuma 26,471 Reputation points Microsoft Employee

2023-11-13T19:04:48.6433333+00:00

Thanks for the update and sharing the solution that worked for you.

Tom Maljaars | Red Cactus 20 Reputation points

2024-02-08T16:52:47.5+00:00

Still same problem as Rodrigues,Diego. Changed ~all to -all and fixed the verification. @Ebraheem Al-Muneyeer (MSFT)

Ebraheem Al-Muneyeer (MSFT) 956 Reputation points Microsoft Employee

2024-02-11T06:59:37.8033333+00:00

Hello @Tom Maljaars | Red Cactus , yes, you are correct, Email Communication Service (ECS) does not support soft fail (~) and you should copy/paste the SPF record as is with the hard fail (-). That being said, I need to mention here that ECS supports multiple SPF records now

OlHu 5 Reputation points

2024-10-01T12:59:58.32+00:00

Hi, I have the same problem with SPF-verification. We use autospf.com as service and our SPF-record looks like "v=spf1 ip4:x.x.x.x include:_s00xxxxxx.autospf.email -all". spf.outlook.com is definetly included and every entry ends with a "-". Nevertheless verification fails. Is this also a known problem and are there any ways around it? Edit: Managed to solve this by adding the include for spf.protection.outlook.com into the txt-entry and removed it from autospf.

Jeremy Bradshaw 36 Reputation points

2024-10-03T19:50:40.7033333+00:00

Just like OIHU, I too face the challenge where an SPF record currently includes another SPF record, which includes the SPF.protection.outlook.com piece. Both SPF's end in "-all" and this is all perfectly 100% SPF-compliant. But then this ACS/ECS SPF verification wizard just doesn't want to play along... I was so happy to find out last week that we can now connect multiple domains to an ACS, and I've been fine with having to use PowerShell to add additional Sender Addresses, but now am facing this.

This would be my last too-annoying hurdle to get past, at which point I'll be happily making lots of use of email communication services. I wish and hope for this to be a priority of Microsoft's. It's definitely a product fault. We can't be verifying SPF records but not playing by the SPF standard's rules.

OlHu 5 Reputation points

2024-10-04T05:41:30.7633333+00:00

Hi Jeremy,

I can confirm that it works after the spf entry for outlook exists directly in the txt entry and not within a nested entry. Maybe that will help.

Frank E 0 Reputation points

2024-10-07T14:30:30.4566667+00:00

@Ebraheem Al-Muneyeer (MSFT) Can i safely change SPF to hardfail and then back to softfail? Or is there going to be a periodic validation of the record?

Ebraheem Al-Muneyeer (MSFT) 956 Reputation points Microsoft Employee

2024-10-07T14:40:33.9833333+00:00

@Frank E, Currently, there is no periodic validation for the SPF record, but this might change in the future.

Could you please open a support ticket so a support engineer can verify this from the backend? Alternatively, you might consider making the temporary change you mentioned, keeping in mind that this could change in the future
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
ajkuma 26,471 Reputation points Microsoft Employee

2022-07-21T19:10:12.907+00:00

@Martin Haug , Following-up after my discussions with ACS product engineering team, currently, we do not support multiple SPF records. They have a work item to track this, the fix will be rolled out in next couple of weeks.

Note: Please note that this timeline is just an estimate and is subject to change, depending on a myriad of factors. I will keep you posted as soon as I have more updates.

Thanks for your patience and cooperation!

If your requirement fits, as a temporary alternate solution, you may add only our SPF, verify domain and then update the SPF record to include your other IP as well. (this workaround may not work in future).
Please sign in to rate this answer.

1 person found this answer helpful.
Dxsego 1 Reputation point

2022-12-21T15:28:09.1+00:00

Hello! is there any update on this? Your time and attention are appreciated!

Best Regards

ajkuma 26,471 Reputation points Microsoft Employee

2023-01-06T08:35:45.85+00:00

Apologies for the delay! We do now support multiple SPF records for configuration. The doc would be updated appropriately.

Krishan 6 Reputation points

2023-01-17T12:10:17.18+00:00

Hey AJ do you know if this is implemented now and if not is there somewhere we can track?

Edit: apologies, i see you said it has been implemented. Thanks!

Andreas Georgsson 16 Reputation points

2023-06-20T12:54:45.7733333+00:00

Still not working, and it's not in preview anymore.

JeffDev 10 Reputation points

2023-07-20T18:05:53.17+00:00

I can verify Andreas' experience. We entered include:spf.protection.outlook.com into our SPF TXT record. We have several other IP addresses and domain names included there for other services that we use.

Other SPF verification tools are reporting that our record is perfect, but Azure's "Provision domains" tool still reports that we need to configure it. We even tried moving the include:spf.protection.outlook.com value so that it's the first value n the record. No change. The validation tool still seems to fail when multiple values exist in the SPF record.

As Andreas reported this tool is no longer in preview. Any idea on when this will be resolved?

Tom 10 Reputation points

2023-07-21T20:52:50.56+00:00

I'll second that this still isn't working. I had to create a second spf record with just the outlook.com server in it even though we're O365 and the record already exists in our SPF record. Hopefully the periodic checks haven't been implemented yet.

This is a big deal as many organizations have several entries in their SPF records. Would like to get an update on this as well.

Ebraheem Al-Muneyeer (MSFT) 956 Reputation points Microsoft Employee

2023-07-23T08:59:39.76+00:00

Can you please confirm if you are using Hard fail (-all) Soft fail (~all), or Neutral (?all) in your SPF records?

Andreas Georgsson 16 Reputation points

2023-07-23T09:22:36.22+00:00

I submitted a support case, and they confirmed this is not solved. So ended up doing a second temporary SPF record to pass the validation, but that should not be needed, tried also to change between hard fail and soft fail and that didn’t affect the validation.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Matheus Schreiber 0 Reputation points

2024-10-18T01:27:25.1366667+00:00

Still faced the same problem after 2 years :\
Basically, I just did what @Ebraheem Al-Muneyeer (MSFT) said.

At the moment you can try to have only 1 SPF value, and after the verification is done, you can add the others (Note: This workaround will be working now but not in the future, as we are working on periodic verification too)

I did it recently though, maybe this "periodic verifciation" is still coming and this answer its just useless.
Please sign in to rate this answer.
Ebraheem Al-Muneyeer (MSFT) 956 Reputation points Microsoft Employee

2024-10-20T08:41:01.13+00:00

Hi @Matheus Schreiber . Support for multiple SPF values is now available, and there is no need for the previous workaround, and yes, periodic verification has not yet been implemented.

I'm curious about why it's failing for you. Do you have a soft-fail (~all) in your SPF instead of a hard-fail (-all)?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

SPF record for domain won't verify for custom Email domain

3 additional answers

Your answer