Exchange 365 and SPF records -- always getting kickback from Yahoo

Cerulean

Greetings,

I've been having trouble getting a proper SPF record set up for my Exchange 365, which I use on the domain szan.to. I have recently tried:

Code:
v=spf1 mx ptr include:szan-to.mail.protection.outlook.com include:szan.to include:spf.protection.outlook.com ~all

But Kitterman's tool at http://www.kitterman.com/spf/validate.html kicks it back saying szan.to is recursive. It validates if I remove szan.to from the SPF record. But, Yahoo complains of the same thing AppMailDev at http://www.appmaildev.com/en/spf/ is complaining about:

received-spf: None :) szan.to does not designate permitted sender hosts)

And straight out rejects my message. My mom is unable to send mail to szan.to, I think for similar reasons, so she always e-mails my secondary e-mail addresses hosted with Google. Google Apps / GMail users have no problem sending e-mails to szan.to.

szan.to is hosted at DreamHost. DNS records of domain:

Code:
A 208.97.176.168
MX 0 szan-to.mail.protection.outlook.com.
NS ns1.dreamhost.com.
NS ns2.dreamhost.com.
NS ns3.dreamhost.com.
TXT v=spf1 mx ptr include:szan.to include:spf.protection.outlook.com ~all
autodiscover CNAME autodiscover.outlook.com.
mail CNAME autodiscover.outlook.com.

I modified the SPF record slightly before posting this, but validators say it isn't going to work and will still result in an error. IntoDNS identifies four IP addresses belonging to the MX record.

Here is the full report from AppMailDev:

This email is an automatic response from AdminSystem DKIM verifier service (1.0.0.5).
The service allows email senders to perform a simple check of SPF, DKIM and DomainKeys.
It is provided free of charge, in the hope that it is useful to the email community.

We welcome any feedback you may have at <[email protected]>.
Thank you for using the service.
AdminSystem Software Limited

============================================================
SPF result: TempError
============================================================
Domain: szan.to
IP: 207.46.163.140

SPF Record: szan.to
IN TXT = "v=spf1 mx ptr include:szan-to.mail.protection.outlook.com include:szan.to include:spf.protection.outlook.com ~all"


---SPF Trace Log---
Start to check SPF record
Sender IP:207.46.163.140
Sender Domain:szan.to

Parse Sender-IP 207.46.163.140
Query TEXT record from DNS server for: szan.to
[TXT]: v=spf1 mx ptr include:szan-to.mail.protection.outlook.com include:szan.to include:spf.protection.outlook.com ~all
Parsing SPF record: v=spf1 mx ptr include:szan-to.mail.protection.outlook.com include:szan.to include:spf.protection.outlook.com ~all

Mechanisms: v=spf1

Mechanisms: mx
Testing mechanism mx
Query MX record from DNS server for: szan.to
[MX]: szan-to.mail.protection.outlook.com
Testing mechanism A:szan-to.mail.protection.outlook.com/128
Query A record from DNS server for: szan-to.mail.protection.outlook.com
[A]: 207.46.163.138
[A]: 207.46.163.170
[A]: 207.46.163.215
[A]: 207.46.163.247
Testing CIDR: source=207.46.163.140; 207.46.163.138/128
Testing CIDR: source=207.46.163.140; 207.46.163.170/128
Testing CIDR: source=207.46.163.140; 207.46.163.215/128
Testing CIDR: source=207.46.163.140; 207.46.163.247/128

Mechanisms: ptr
Query PTR record from DNS server for: 207.46.163.140, szan.to
[PTR]: mail-bn1lp0140.outbound.protection.outlook.com

Mechanisms: include:szan-to.mail.protection.outlook.com
Testing mechanism include:szan-to.mail.protection.outlook.com
Query TEXT record from DNS server for: szan-to.mail.protection.outlook.com
Exception: DNS server failure


============================================================
DomainKey result: none (no signature)
============================================================


============================================================
DKIM result: none (no signature)
============================================================

---Original Message Header---
x-sender: [email protected]
x-receiver: [email protected]
Received: from na01-bn1-obe.outbound.protection.outlook.com ([207.46.163.140]) by mail.appmaildev.com over TLS secured channel with Microsoft SMTPSVC(7.5.7600.16385);
Mon, 17 Mar 2014 23:38:27 -0400
Received: from BY2PR05MB096.namprd05.prod.outlook.com (10.242.38.19) by BY2PR05MB095.namprd05.prod.outlook.com (10.242.38.18) with Microsoft SMTP Server (TLS) id 15.0.898.11; Tue, 18 Mar 2014 03:38:11 +0000
Received: from BY2PR05MB096.namprd05.prod.outlook.com ([169.254.8.10]) by BY2PR05MB096.namprd05.prod.outlook.com ([169.254.8.140]) with mapi id 15.00.0898.005; Tue, 18 Mar 2014 03:38:10 +0000
From: Joshua Szanto <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Test
Thread-Topic: Test
Thread-Index: Ac9CW3kQHt5b5cXRQROcLD0jxLVfLA==
Date: Tue, 18 Mar 2014 03:38:10 +0000
Message-ID: <d3ca4525c2f14aa489633512f967f4d9@BY2PR05MB096.namprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [108.206.5.182]
x-forefront-prvs: 0154C61618
x-forefront-antispam-report: SFV:NSPM;SFS:(10019001)(6009001)(428001)(199002)(189002)(83072002)(74706001)(74366001)(53806001)(15202345003)(95416001)(63696002)(54316002)(95666003)(19300405004)(74316001)(85852003)(69226001)(81686001)(551214005)(558084003)(81542001)(66066001)(80976001)(65816001)(87936001)(80022001)(59766001)(77982001)(56776001)(79102001)(51856001)(20776003)(555874004)(81342001)(85306002)(33646001)(54356001)(221733001)(74876001)(19580395003)(83322001)(94946001)(31966008)(76786001)(76576001)(16236675002)(46102001)(90146001)(47976001)(49866001)(77096001)(50986001)(76482001)(56816005)(47736001)(76796001)(76176001)(97186001)(47446002)(15975445006)(74662001)(86362001)(93136001)(97336001)(93516002)(87266001)(74502001)(81816001)(74482001)(4396001)(2656002)(92566001)(94316002)(24736002)(558944008);DIR:OUT;SFP:1102;SCL:1;SRVR:BY2PR05MB095;H:BY2PR05MB096.namprd05.prod.outlook.com;FPR:;MLV:sfv;PTR:InfoNoRecords;A:1;MX:1;LANG:en;
received-spf: None :) szan.to does not designate permitted sender hosts)
Content-Type: multipart/alternative;
boundary="_000_d3ca4525c2f14aa489633512f967f4d9BY2PR05MB096namprd05pro_"
MIME-Version: 1.0
X-OriginatorOrg: szan.to
Return-Path: [email protected]
X-OriginalArrivalTime: 18 Mar 2014 03:38:27.0898 (UTC) FILETIME=[864241A0:01CF425B]
 
You stated this was Exchange on Office 365, correct? You should be able to go to the admin page -> domains -> view DNS records and it will show you what your spf record should be.
 
It says to use
Code:
v=spf1 include:spf.protection.outlook.com -all
But the thing is, before I posted this thread, that IS what I was using and received a bounce back from Yahoo saying
received-spf: None :) szan.to does not designate permitted sender hosts)
:(
 
How long are you waiting between updates and tests? Are you seeing immediate results? Perhaps their DNS servers are caching?
 
How long are you waiting between updates and tests? Are you seeing immediate results? Perhaps their DNS servers are caching?
Several hours until all the validators I can find see the changes ... or at least 24 hours. About 30 minutes ago I changed it back to

Code:
v=spf1 include:spf.protection.outlook.com -all

and I'm submitting a service request to Microsoft about this. In addition, since I don't use szan.to for anything but Exchange 365, I'm asking in the service request what I need to do to szan.to to transfer DNS management to them so that way I don't have to worry about any missing or incorrect entries, plus whenever I have problems or my mom receives kickbacks I can use the kickback information to create a new service request and have Microsoft investigate. ;o
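The two records discussed above (the original with `include:szan.to` in szan.to's own record, and the `v=spf1 include:spf.protection.outlook.com -all` record Office 365 recommends) can be reproduced offline with a small SPF evaluator. This is an added example, not code from the thread, from Kitterman's or AppMailDev's validators, or from Microsoft. Its DNS answers are a constructed stub built from the AppMailDev trace log; the contents of the `spf.protection.outlook.com` record and the forward A record for the PTR name are assumed and are not real DNS data. It shows why a self-include is a loop, why the trace ends in TempError, and how the lookup budget is counted.

```python
"""Minimal SPF (RFC 7208) evaluator reproducing this thread's failure modes:
an include loop, the 10-DNS-lookup budget, a TempError from a failing include
and the deprecated ptr mechanism. Added example; all DNS data is a CONSTRUCTED stub."""
import ipaddress

SERVFAIL = object()  # stub marker for "the resolver returned a server failure"
LOOKUP_LIMIT = 10    # RFC 7208 section 4.6.4
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone: values come from the AppMailDev trace where it shows them;
# entries marked ASSUMED are invented for the example and are not real DNS.
ZONE = {
    ("szan.to", "TXT"): ["v=spf1 mx ptr include:szan-to.mail.protection.outlook.com "
                         "include:szan.to include:spf.protection.outlook.com ~all"],
    ("szan.to", "MX"): ["szan-to.mail.protection.outlook.com"],
    ("szan-to.mail.protection.outlook.com", "A"): [
        "207.46.163.138", "207.46.163.170", "207.46.163.215", "207.46.163.247"],
    ("szan-to.mail.protection.outlook.com", "TXT"): SERVFAIL,  # trace: "DNS server failure"
    ("207.46.163.140", "PTR"): ["mail-bn1lp0140.outbound.protection.outlook.com"],
    ("mail-bn1lp0140.outbound.protection.outlook.com", "A"): ["207.46.163.140"],  # ASSUMED
    ("spf.protection.outlook.com", "TXT"): ["v=spf1 ip4:207.46.163.0/24 -all"],    # ASSUMED
}


class TempError(Exception):
    """DNS failure during evaluation; maps to the SPF 'temperror' result."""


def lookup(zone, name, rtype):
    answer = zone.get((name.lower(), rtype), [])
    if answer is SERVFAIL:
        raise TempError(f"DNS server failure querying {rtype} for {name}")
    return answer


def spf_records(zone, domain):
    return [t for t in lookup(zone, domain, "TXT") if t.split()[:1] == ["v=spf1"]]


def check_host(ip, domain, zone=ZONE, _st=None):
    """Evaluate SPF for sender `ip` using `domain`; returns (result, explanation)."""
    ip = ipaddress.ip_address(ip)
    st = _st if _st is not None else {"lookups": 0, "stack": []}
    if domain in st["stack"]:  # include:szan.to inside szan.to's own record lands here
        return "permerror", "include loop: " + " -> ".join(st["stack"] + [domain])
    st["stack"].append(domain)
    try:
        recs = spf_records(zone, domain)
        if not recs:
            return "none", f"{domain} has no SPF record"
        if len(recs) > 1:
            return "permerror", f"{domain} publishes more than one SPF record"
        for term in recs[0].split()[1:]:
            qual = "+"
            if term[0] in QUAL:
                qual, term = term[0], term[1:]
            mech, _, arg = term.lower().partition(":")
            if mech in ("a", "mx", "ptr", "include", "exists"):  # terms that cost a DNS lookup
                st["lookups"] += 1
                if st["lookups"] > LOOKUP_LIMIT:
                    return "permerror", f"more than {LOOKUP_LIMIT} DNS lookups"
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                matched = any(ip == ipaddress.ip_address(a) for a in lookup(zone, arg or domain, "A"))
            elif mech == "mx":
                matched = any(ip == ipaddress.ip_address(a)
                              for mx in lookup(zone, arg or domain, "MX")
                              for a in lookup(zone, mx, "A"))
            elif mech == "ptr":  # deprecated (RFC 7208 section 5.5): validated reverse name must end in the domain
                matched = any(name.lower().endswith(arg or domain.lower())
                              and any(ip == ipaddress.ip_address(a) for a in lookup(zone, name, "A"))
                              for name in lookup(zone, str(ip), "PTR"))
            elif mech == "include":
                sub, why = check_host(str(ip), arg, zone, st)
                if sub in ("permerror", "temperror"):
                    return sub, why          # errors propagate out of an include
                if sub == "none":
                    return "permerror", f"include:{arg} has no SPF record"
                matched = sub == "pass"      # fail/softfail/neutral inside an include just mean "no match"
            else:
                return "permerror", f"unknown mechanism '{mech}'"
            if matched:
                return QUAL[qual], f"{domain}: matched {qual}{term}"
        return "neutral", f"{domain}: no mechanism matched"
    except TempError as e:
        return "temperror", str(e)
    finally:
        st["stack"].pop()


def audit(domain, zone=ZONE, _stack=(), _count=None):
    """Static walk of the include tree; returns the findings a validator would flag."""
    count = _count if _count is not None else [0]
    if domain in _stack:
        return ["include loop: " + " -> ".join(list(_stack) + [domain])]
    try:
        recs = spf_records(zone, domain)
    except TempError as e:
        return [f"temperror: {e}"]
    if not recs:
        return [f"{domain} has no SPF record (an include of it would be a permerror)"]
    findings = []
    for term in recs[0].split()[1:]:
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mech in ("a", "mx", "ptr", "include", "exists"):
            count[0] += 1
        if mech == "ptr":
            findings.append(f"{domain}: ptr is deprecated by RFC 7208 and costly to evaluate")
        elif mech == "include":
            findings.extend(audit(arg, zone, _stack + (domain,), count))
    if _count is None and count[0] > LOOKUP_LIMIT:
        findings.append(f"{count[0]} DNS-querying terms exceed the limit of {LOOKUP_LIMIT}")
    return findings


if __name__ == "__main__":
    print(check_host("207.46.163.140", "szan.to"))  # temperror, as in the AppMailDev report
    for f in audit("szan.to"):
        print("finding:", f)
    fixed = {**ZONE, ("szan.to", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"]}
    print(check_host("207.46.163.140", "szan.to", fixed))  # pass, under the ASSUMED include contents
    print(audit("szan.to", fixed))                          # []
```

Against the original record, `audit` reports the `ptr` term, the failing `include:szan-to.mail.protection.outlook.com` (the trace's "DNS server failure", which turns the whole evaluation into TempError before the loop is even reached) and the `include:szan.to` loop that Kitterman's validator calls recursive; the recommended single-include record produces no findings and, with the assumed include contents, a pass for the Outlook sender IP and a hard fail for any other address.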
 
Cerulean - did you ever find a resolution to your issue? I'm investigating the same thing (O365, domain not listed in SPF) and have yet to find a solution. Thanks!
 
Yes, I did. I had contacted Microsoft Technical Support and they were able to lead me to a resolution.

The short:
You need to set up an Outbound Connector to Yahoo from your Exchange 365 admin console.

The how:
Log in to your Office 365 Admin console, open the Exchange Admin Center, under Mail Flow select Connectors, and create a new Connector using this information:

From: Office 365
To: Partner organization
Name: To yahoo.com (or anything you want)
Turn it on: Yes
When do you want to use this connector: Only when email messages are sent to these domains
When do you want to use this connector: *add yahoo.com to the list*
How do you want to route email messages: Route email through these smart hosts
How do you want to route email messages: *add mta5.am0.yahoodns.net to the list*
How should Office 365 connect to your partner's organization's email server: DISABLE Always use Transport Layer Security (TLS) to secure the connection

[Screenshot: upload_2016-6-29_9-6-22.png]



Confirm and finish adding the Outbound Connector. The results might be immediate, so try validating this connector. You may need to give it a day if it doesn't succeed and then try again.

[Screenshot: upload_2016-6-29_9-9-3.png]


Other technical information (original message from Microsoft):
From: I***** P*****
Sent:
11/24/2014 9:36
To: Joshua Szanto
Subject:
reg: SRX614111390699278ID - Yahoo is blocking all e-mail from Exchange 365 hosting services

Hello Joshua,


My name is I***** P***** and am the Technical Advisor for Exchange Online Protection.


As this has been highlighted to me, thought of writing you an email.


My Observations on this case :

1) One time issue where we see the NDR with the following message :

mta1181.mail.gq1.yahoo.com rejected your message to the following email addresses:
A***** B. C***** (******@yahoo.com) (******@yahoo.com)

Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery. For more tips to help resolve this issue, see DSN code 5.7.1 in Exchange Online - Office 365. If the problem continues, contact your helpdesk.

mta1181.mail.gq1.yahoo.com gave this error:
[TS03] All messages from 65.55.169.246 will be permanently deferred; Retrying will NOT succeed. See Help for Yahoo Postmaster


Diagnostic information for administrators:
Generating server: BY2PR05MB094.namprd05.prod.outlook.com

******@yahoo.com
mta1181.mail.gq1.yahoo.com
Remote Server returned '421 4.7.1 [TS03] All messages from 65.55.169.246 will be permanently deferred; Retrying will NOT succeed. See Help for Yahoo Postmaster'

x-forefront-antispam-report: SFV:SPM;SFS: (10009020)(6009001)(61484003)(199003)(189002)(19580395003)(4396001)(15975445006)(50986999)(31966008)(74316001)(110136001)(15202345003)(16236675004)(54356999)(569274001)(86362001)(92566001)(19300405004)(77156002)(74482002)(46102003)(122556002)(62966003)(77096003)(2656002)(19625215002)(221733001)(87936001)(64706001)(101416001)(66066001)(20776003)(2521001)(450100001)(76576001)(105586002)(40100003)(97736003)(106356001)(108616004)(229853001)(107886001)(99286002)(33646002)(107046002)(21056001)(99396003)(95666004)(120916001)(273264002)(505194006)(165394004);DIR:OUT;SFP:1501;SCL:5;SRVR:BY2PR05MB094;H:BY2PR05MB096.namprd05.prod.outlook.com;FPR:;MLV:nov;PTR:InfoNoRecords;A:1;MX:1;LANG:en;
2) Based on the highlighted message, it looks like this email was routed incorrectly through HRDP pool of IP

3) We are looking into the DMARK and Deccan implementation and currently it’s under the review process

However if the issue occurs in the near future then:

1) Get the original email as an attachment for which we got the NDR

2) Get the copy of the NDR message

3) Get the detailed message trace

Please let me know if you have any further questions and we will assist you with them. For feedback or any other suggestion you may directly contact me and we will look into the suggestion. Hoping to assist you better the next time you call in.


Thank you for choosing Microsoft Online Services.


Regards,

I***** P*****

Technical Advisor - Exchange Online Protection (EOP)
 