SPF record lookup does not appear to search recursively - ORF Forums

SPF record lookup does not appear to search recursively RSS Back to forum


I've noticed some emails getting caught up in our Greylist policy that should be passing due to the "Skip Greylsiting if the sender explicity passes the SPF Test" option.

Outlook.com uses nested SPF records to specify a large number of IP addresses and subnets that are valid senders

For example

As you can see "spf.protection.outlook.com" has 8 valid IP ranges and a reference to "spfa.protection.outlook.com". SPFA has an additional 8 valid IP ranges and a reference to "spfb.protection.outlook.com". Finally SPFB has 10 more IP ranges, and the recursive lookup ends.

If an email is received from one of these IP addresses not in the primary lookup, it appears as though it does not continue to look to bypass the Greylist.

by RJohnson 2 years ago

@RJohnson: Hello RJohnson,

I can assure you that during the SPF evaluation each "include" mechanism triggers a recursive SPF query - as per RFC7208#section-5.2 - so this should not be a problem. You may confirm this as well by reviewing output of our SPF Policy Tester (https://vamsoft.com/support/tools/spf-policy-tester) which uses the same SPF engine that is built into ORF.

When you use the SPF Policy Tester, make sure that you use the same IP and sender address combination that was logged for the problematic email in the ORF logs (in the "Related IP" and "Sender" columns) to avoid false positive readings.

by Daniel Novak (Vamsoft) 2 years ago
(in reply to this post)


Then it appears there is something else wrong, as this domain passes the SPF test, but is still rejected by the Greylist.


by RJohnson 2 years ago

@RJohnson: Thank you for the update. Could you save the ORF configuration (Ctrl + S or File > Save Configuration) in the ORF Administration Tool - just to make sure that ORF is using the most recent settings - and monitor the ORF logs to see if the issue reoccurs?

On a sidenote - and not to sidestep the issue - I would actually advise against leaving the "Skip Greylisting if the sender explicitly passes the SPF test" option enabled, as spammers often publish valid SPF records for their domains before launching a spam campaign.

I suppose the reason you want to use this option is because you are trying to exclude those emails from Greylisting which are sent via mail service providers (i.e. Microsoft's Office365, GoogleApps) that have clusters of outbound mail servers - and might re-attempt the delivery from another mail server - right? If that is the case, I suggest you add the IP range(s) of their mail servers to the "IP Exceptions" list of the Greylisting test instead:

The up-to-date Office 365 and Exchange Online IP ranges can be checked on Microsoft’s website (here: http://bit.ly/1I9rn1S and here: http://bit.ly/1B3OtDB). Google, on the other hand, does not have this information published anywhere. They recommend querying their DNS server for their SPF record (instructions can be found here: http://bit.ly/1re0WSW), which contains the authorized IP ranges for outbound STMP. That being said, if you drop us an email to , I can send you an up-to-date IP exception list that contains the relevant IP ranges of both Google and Microsoft - which you can import into ORF with just a few clicks.

by Daniel Novak (Vamsoft) 2 years ago
(in reply to this post)


Exactly, for services which potentially have hundreds of valid IP addresses there is a real possibility the email never gets through.

Thank you for the help, I will send an email to the provided address for the exception list.

by RJohnson 2 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2