So, I recently discovered that Office 365 has a new trick up it’s sleeve – using SPF records WRONG. Had several bouncing and rejection issues with some clients due to this new idiocy.
An SPF record is supposed to match your SENDING ip to the SPF record. But now O365 is requiring the MX record – the Receiving ip – to be in the SPF record. Why is this messed up? Well, for one, many people use third party Spam Filtering services for their MX record – to filter out spam before it gets to their inbox. So, many MX records are spam filters – not what is sending out the email. Basically, O365 just opened up a Huge security hole.