Hotmail users worldwide have problems sending emails, with messages flagged as spam or not delivered after Microsoft misconfigured the domain’s DNS SPF record.
The email issues began late last night, with users and admins reporting on Reddit, Twitter, and Microsoft forums that their Hotmail emails were failing due to SPF validation errors.
A Hotmail user explained in a post on Microsoft’s forum that their Microsoft Outlook Hotmail accounts were failing to send with the following error:
“For Email Administrators
This error is related to the Sender Policy Framework (SPF). The destination email system’s evaluation of the SPF record for the message resulted in an error. Please work with your domain registrar to ensure your SPF records are correctly configured.
exhprdmxe26 gave this error:
Message rejected due to SPF policy – Please check policy for hotmail.com”
The Sender Policy Framework (SPF) is an email security feature that reduces spam and prevents threat actors from spoofing domains in phishing attacks.
To configure SPF, admins create a special DNS TXT (text) record for a domain that specifies the specific hostnames and IP addresses allowed to send emails under that domain.
When a mail server receives an email, it will verify that the hostname/IP address for the sending email servers is part of a domain’s SPF record, and if it is, allows the email to be delivered as usual.
However, if the IP address or domain of the sending mail server is not listed in the sender domain’s SPF record, it will either bounce the email back to the sender with an error or put it in the recipient’s SPAM folder.
After analyzing what was causing email delivery errors, admins noted that Microsoft removed the ‘
include:spf.protection.outlook.com‘ record from hotmail.com’s SPF record.
To illustrate the issue, the previous SPF record for hotmail.com was:
v=spf1 ip4:18.104.22.168/25 include:spf.protection.outlook.com include:spf-a.outlook.com include:spf-b.outlook.com include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all
Hotmail’s current SPF record with spf.protection.outlook.com removed is now:
v=spf1 ip4:22.214.171.124/25 include:spf-a.outlook.com include:spf-b.outlook.com include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com -all
The spf.protection.outlook.com SPF record contains a large list of hosts allowed to send an email for the hotmail.com domain, and with that record missing, any email from those senders will fail SPF checks.
BleepingComputer tested sending an email from an Outlook.com Hotmail account and replicated the problem, with our email going to Gmail’s SPAM folder instead due to its SPF record failing.
Authentication-Results: mx.google.com; dkim=pass firstname.lastname@example.org header.s=selector1 header.b=Aoix6uEm; arc=pass (i=1); spf=fail (google.com: domain of ###@hotmail.com does not designate 2a01:111:f400:fe5b::808 as permitted sender) email@example.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hotmail.com
This is because the allowed IPv6 address (2a01:111:f400) associated with Outlook.com that was used to send my email is designated in the spf.protection.outlook.com record and, with its removal, is no longer accepted as valid.
Other hosts that will now fail SPF checks due to the removal of spf.protection.outlook.com are:
126.96.36.199/15 188.8.131.52/16 184.108.40.206/14 220.127.116.11/17 2a01:111:f400::/48 2a01:111:f403::/49 2a01:111:f403:8000::/50 2a01:111:f403:c000::/51 2a01:111:f403:f000::/52
Unfortunately, there is nothing that Hotmail users can do to fix this problem on their own, and they will have to wait for Microsoft to fix the DNS entry.
BleepingComputer has asked Microsoft about this change, but a reply was not immediately available.