Some sending sources verify their presence in a domain’s SPF record by specifically looking for their include mechanism, for example: v=spf1 include:thirdpartyservice.com ~all
Microsoft 365 is one such source. If the required include mechanism is missing or has been flattened, you may encounter errors in your Microsoft account:
EasySPF, a dynamic IP flattening solution extracts IP address values from include tags in your SPF record and consolidates them under a single include mechanism tag. This simplifies your SPF record and reduces lookup counts. However, sources like Microsoft 365, which rely on the explicit presence of their include mechanism name, may not recognize this flattened setup. Despite this, the actual sending IPs remain in use and pass email authentication checks as expected, ensuring email deliverability. The issue lies in these sources' inability to verify their presence based solely on the flattened structure.There is no need for concern, as the IPs continue to function correctly and pass email authentication without issues.
We recommend reviewing your DMARC reports. If you notice that most emails, for example those sent from Microsoft, are passing the SPF check, there’s no need to worry — you can safely ignore the warning.
However, if you prefer not to see the warning, you can update your SPF record to include Microsoft’s SPF entry (include:spf.protection.outlook.com). Here’s how:
- Login to your DNS
- Locate your existing SPF record (EasySPF)
- Update the record as shown below:
Current SPF Record : v=spf1 include:_spf.yourdomain_com._d.easydmarc.pro ~all
Updated SPF record: v=spf1 include:_spf.yourdomain_com._d.easydmarc.pro include:spf.protection.outlook.com ~all
This ensures Microsoft can verify their SPF entry within your record, preventing the warning from appearing.
Important: If you make this change, ensure you disable or remove “include:spf.protection.outlook.com “ from EasySPF to avoid duplicates.
Now, let’s compare this to Zendesk’s approach, which differs slightly from Microsoft.
Zendesk requires verification to achieve an SPF pass. To do this, you must first add the include mechanism to your SPF record in the DNS, complete the verification process within Zendesk, and only then safely update the DNS to integrate the inclusion with the EasySPF solution.
Your SPF record before verifying Zendesk:
v=spf1 include:mail.zendesk.com include:_spf.yourdomain_com._d.easydmarc.pro ~all
Your SPF record after verifying Zendesk and adding the source to EasySPF:
v=spf1 include:_spf.yourdomain_com._d.easydmarc.pro ~all
