Fixed Broken SPF & DMARC Configuration
Resolved DMARC alignment errors and corrected SPF record lookup limits for a consulting firm experiencing email bounces.
Outgoing emails to enterprise clients bounced with '550 5.7.1 Access Denied' errors due to exceeding the 10 DNS lookup limit.
Consolidated SPF record, proper DKIM alignment, strict DMARC monitoring policy, and 100% email validation.
The Challenge
The client, a corporate consulting firm, noticed their outgoing emails to corporate domains (using Outlook/Microsoft 365) were bouncing back with "Access Denied" or "SPF Fail" errors. This affected business communication and proposal deliveries, with no clear indication of what was misconfigured.
Technical Diagnosis
I audited their active DNS zones and identified:
- The SPF record required 12 DNS lookups to evaluate, exceeding the limit of 10 set by RFC 7208. Receiving servers abort evaluation at that point and return an SPF PermError, so SPF never passed for any message.
- Their billing software sent emails using their domain name but had no DKIM configuration, so those messages could not pass DMARC alignment via DKIM either.
- They had a DMARC policy of p=reject, which instructed receiving servers to reject any message that failed both SPF and DKIM alignment, resulting in bounces.
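The diagnosis above comes down to one rule: DMARC passes when at least one of SPF or DKIM both passes and is aligned with the RFC5322.From domain; otherwise the published policy applies. The following Python is an added example written for this page, not the client's tooling or any vendor's code. The domain names (under the reserved .invalid TLD) and the function names are invented, and the organizational-domain derivation is a deliberate two-label simplification of what RFC 7489 specifies via the Public Suffix List.

```python
"""DMARC alignment check, as a worked example of the failure described above.

Assumptions (not from the original case study): domain names under .invalid,
organizational domain approximated by the last two labels, and the helper
names (aligned, dmarc_disposition) invented for this example."""


def org_domain(domain: str) -> str:
    """Approximate the organizational domain with the last two labels.

    RFC 7489 section 3.2 derives it from the Public Suffix List; the
    two-label shortcut is an assumption that holds for plain .com/.invalid
    names but not for names under suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment matches organizational domains; strict ('s')
    requires an exact match between the From: domain and the authenticated one."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, spf_domain, spf_result, dkim_domain, dkim_result,
                      policy="reject", aspf="r", adkim="r"):
    """Return 'pass', or the policy disposition ('none', 'quarantine', 'reject')
    when neither SPF nor DKIM both passes and aligns with the From: domain.

    spf_domain is the domain SPF was evaluated against (MAIL FROM / HELO);
    dkim_domain is the d= tag of a verified signature, or None if unsigned."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, adkim))
    if spf_ok or dkim_ok:
        return "pass"
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown DMARC policy {policy!r}")
    return policy


if __name__ == "__main__":
    # Billing software before the fix: SPF passes for the vendor's own
    # envelope domain, but that domain is not aligned and there is no DKIM.
    print(dmarc_disposition("consulting.invalid", "bounce.billing.invalid", "pass",
                            None, "none"))  # reject
    # Office 365 mail before the fix: SPF is a PermError (too many lookups),
    # no DKIM signature, so p=reject applies to every message.
    print(dmarc_disposition("consulting.invalid", "consulting.invalid", "permerror",
                            None, "none"))  # reject
    # After publishing a DKIM key for the billing sender under the client's domain.
    print(dmarc_disposition("consulting.invalid", "bounce.billing.invalid", "pass",
                            "consulting.invalid", "pass"))  # pass
```

The second call shows why the SPF PermError alone was enough to bounce the Office 365 mail: with no DKIM signature, there was no second path to alignment, and p=reject turned every SPF error into a rejection.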
Steps Taken
- SPF record consolidation: I consolidated the records of multiple ESPs (email service providers), removing unused include: mechanisms and flattening static sender ranges into ip4: entries, reducing the lookup count to 7.
- DKIM key setup: I generated DKIM keys in Office 365 and in their billing software and published the corresponding selector records in their DNS panel.
- Policy adjustments: I temporarily reduced DMARC to p=none to verify mail flow, then restored the p=reject policy once alignment was resolved.
- Validation testing: I checked message headers with mail authentication testing tools to verify that SPF and DKIM validated correctly and aligned under DMARC.
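The consolidation step is easiest to verify with a counter that walks an SPF record the way a receiver does: each include:, a, mx, ptr, exists and redirect= costs one DNS query, include: and redirect= recurse, and ip4:/ip6:/all cost nothing. The Python below is an added example for this page, not the client's configuration or any vendor's tool. Both zone dictionaries are constructed stand-ins for real DNS (all domains are under the reserved .invalid TLD), and the before/after records are invented to reproduce the 12-then-7 lookup counts the case study reports; the function names are this example's own.

```python
"""Count the DNS lookups an SPF record costs (RFC 7208 section 4.6.4 limit: 10).

Constructed example for this case study: the domains (all under .invalid),
the records and the in-memory zone dictionaries are invented and stand in
for real DNS. Function names (spf_lookup_count, spf_report) are invented too."""

LOOKUP_LIMIT = 10
# Mechanisms that trigger a DNS query; ip4, ip6 and all do not.
COUNTING_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Before the fix: 12 lookups once every include: is followed.
ZONE_BEFORE = {
    "consulting.invalid": ("v=spf1 include:_spf.office-suite.invalid "
                           "include:_spf.billing.invalid include:_spf.crm.invalid "
                           "include:_spf.old-esp.invalid a mx ~all"),
    "_spf.office-suite.invalid": ("v=spf1 ip4:203.0.113.0/24 "
                                  "include:_spf-a.office-suite.invalid "
                                  "include:_spf-b.office-suite.invalid -all"),
    "_spf-a.office-suite.invalid": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf-b.office-suite.invalid": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.billing.invalid": "v=spf1 include:_netblocks.billing.invalid -all",
    "_netblocks.billing.invalid": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.crm.invalid": "v=spf1 a:mail.crm.invalid mx:crm.invalid -all",
    "_spf.old-esp.invalid": "v=spf1 exists:%{i}.spf.old-esp.invalid -all",
}

# After the fix: the unused ESP include: dropped, the billing vendor's static
# netblock flattened to an ip4: term, and the redundant 'a' mechanism removed.
ZONE_AFTER = dict(ZONE_BEFORE)
ZONE_AFTER["consulting.invalid"] = ("v=spf1 include:_spf.office-suite.invalid "
                                    "ip4:192.0.2.0/24 include:_spf.crm.invalid mx -all")


def spf_lookup_count(domain, zone, _path=()):
    """Number of DNS lookups that evaluating `domain`'s SPF record costs,
    recursing into include: and redirect= targets.

    Raises ValueError on an include loop or a missing record; both are
    PermError conditions in a real evaluation. _path is the chain of
    domains already being evaluated, used only for loop detection."""
    if domain in _path:
        raise ValueError("include loop: " + " -> ".join(_path + (domain,)))
    record = zone.get(domain)
    if record is None or record.split()[0].lower() != "v=spf1":
        raise ValueError(f"no SPF record for {domain}")
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier, if any
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            count += 1 + spf_lookup_count(target, zone, _path + (domain,))
            continue
        # Mechanism name precedes an optional ':domain' and '/cidr' suffix.
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        if name in COUNTING_MECHANISMS:
            count += 1
            if name == "include":
                target = term.split(":", 1)[1]
                count += spf_lookup_count(target, zone, _path + (domain,))
    return count


def spf_report(domain, zone):
    """Summarise the lookup cost against the RFC 7208 limit."""
    n = spf_lookup_count(domain, zone)
    return {"domain": domain, "lookups": n, "within_limit": n <= LOOKUP_LIMIT}


if __name__ == "__main__":
    print("before:", spf_report("consulting.invalid", ZONE_BEFORE))  # 12 lookups, over limit
    print("after: ", spf_report("consulting.invalid", ZONE_AFTER))   # 7 lookups, within limit
```

Note that the counter follows the same rule a receiver applies: a domain that is included twice is queried twice and counted twice, so loop detection tracks the current include chain rather than every domain ever seen. Flattening is what actually buys headroom here, since an include: whose target is itself a chain of includes costs its whole subtree, while the equivalent ip4: terms cost nothing.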
Before vs After Results
Bounces ceased immediately. Transactional and corporate emails now pass SPF and DKIM authentication and align under the DMARC policy. The SPF lookup count remains at 7, leaving headroom for future service integrations without causing delivery issues.
Lessons Learned
Exceeding the 10 DNS lookup limit in SPF is a common issue for growing businesses, because every new SaaS sender adds an include: whose own nested includes count against the same limit. Ensure you remove inactive services from your SPF record, or delegate high-volume email platforms to their own subdomains with their own SPF records.