Systems Tinkerer emblem

Microsoft 365 Sending Issue A small SPF note from a real-world mail-delivery problem.

I use Microsoft 365 for some business e-mail communication. Most of the time, it works exactly as expected.

However, I occasionally saw messages rejected by certain recipient mail systems even though the usual DNS records were configured and the majority of e-mails were delivered successfully.

The symptoms

The issue affected only a small percentage of outgoing e-mails. More than 98% were delivered successfully, which made the problem harder to diagnose.

Poor reputation message

554 mail@example.com: Your access to this mail system has been rejected due to the sending MTA's poor reputation

Recipient rejection

550 mail@example.com: Recipient address rejected: User unknown (in reply to RCPT TO command)

Not a full outage

Most e-mails arrived normally, so the setup was not completely broken.

Recipient-side suspicion

The pattern suggested that some recipient servers were stricter, outdated or configured differently.

The original SPF record

The default Microsoft-style SPF record looked similar to this: 

v=spf1 include:spf.protection.outlook.com -all

The change that solved it

After research and testing, the practical fix was to add the mx mechanism to the SPF record. 

v=spf1 mx include:spf.protection.outlook.com -all

After this change, the specific sending problem was resolved in my case.

What mx means here

The mx mechanism tells receiving systems that the domain's MX servers are also authorised to send e-mail for the domain.

Authorised MX path

The domain's mail exchangers become part of the permitted sending sources in the SPF check.

Compatibility benefit

Some receiving systems appear to perform checks in a way that benefits from this additional SPF mechanism.

Not magic

This does not replace a clean Microsoft 365 setup, SPF, DKIM, DMARC or proper domain configuration.

Assumption

My assumption is that some older or poorly configured systems verify the mail path differently and react better when mx is present.

What I took from it

The lesson was not that every domain must blindly add mx. The lesson was that small SPF differences can matter when messages travel through real-world mail systems.

Modern e-mail delivery is not only about having a record. It is about having a record that matches the actual sending path and is understood by the recipient's server.

In my case, adding mx turned an irritating edge case into a solved issue.

Important note
SPF records should always match the real sending infrastructure. Adding mx helped in this case, but DNS changes should be tested carefully.

Small DNS change. Big practical relief. The kind of fix that looks too simple after two hours of research.

Ask about this note
E-mail delivery is mostly invisible until one small record decides to become important.
© 2025-2026 Robert Seemann