We are working towards getting our production server fully up and running and as such we were implementing SPF and DKIM email signing. We didn't have an issue setting these up until it came to the application sending emails as no-reply@test-domain.com. Our emails were being signed with DKIM and we couldn't put our finger on why SPF verification was failing.
"MS=ms12312312 v=spf1.1.1.1 ip4:2.2.2.2 include:spf.protection.outlook.com ~all"
As you can see, we have a valid SPF record allowing two IP addresses explicitly and one domain. We are using a soft-fail as per the schema. The "include" and "MS" portions are from GoDaddy with regards to pointing your domain to AWS and not GoDaddy.
What the heck is the MS portion for? We have identified that this is the root cause of our messages not being SPF verified. As soon as we removed this portion, our site was accessible, we could manually send and receive emails, the app could send emails and the server itself could send emails, all passing SPF.
I am not comfortable just removing something without knowing its purpose so I am hoping someone here is aware of it.
Thanks,
The MS=ms123456 TXT record is something used by Office 365 to validate your ownership of the domain (O365 gives you the record to create so you can prove you are the rightful owner of the domain).
The MS and SPF records can certainly coexist in the DNS, but they need to be put in separate TXT records. You can have multiple TXT records, and whatever system is looking for a certain TXT record must examine each one until it finds the one in the correct format, i.e. one that starts with MS=, v=spf1 or whatever.
Just make two separate TXT records:
TXT "MS=ms123456"
TXT "v=spf1 ip4:1.1.1.1 ip4:2.2.2.2 include:spf.protection.outlook.com ~all"
and everything should work fine!
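As an added illustration (not part of the original thread or either poster's words), here is a small Python model of the receiver-side selection step the answer describes. RFC 7208 requires that a TXT record *begin* with "v=spf1" followed by a space or end of string to count as an SPF record, and that there be exactly one such record; a record that starts with "MS=..." is therefore never recognised as SPF, even though the Office 365 ownership check (which only looks for the "MS=" prefix) still succeeds. The record contents below are constructed, no DNS is queried, and `include:` is treated as non-matching unless a lookup callback is supplied; the record and function names are my own.

```python
"""Why "MS=ms123456 v=spf1 ..." in one TXT record breaks SPF while the
MS ownership check still passes. Offline model: no DNS queries are made.
"""
from __future__ import annotations

import ipaddress
from typing import Callable

SPF_VERSION = "v=spf1"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def is_spf_record(txt: str) -> bool:
    """RFC 7208 s4.5: an SPF record must START with "v=spf1" followed by a
    space or end of string. A record starting with "MS=" never qualifies."""
    return txt == SPF_VERSION or txt.startswith(SPF_VERSION + " ")


def select_spf_record(txt_records: list[str]) -> tuple[str, str | None]:
    """Mirror the receiver's outcome when scanning all TXT records:
    'none'      -> no SPF record, the sender is not authenticated by SPF
    'permerror' -> more than one SPF record (RFC 7208 s3.2 forbids this)
    'ok'        -> exactly one SPF record, returned as the second element."""
    spf = [r for r in txt_records if is_spf_record(r)]
    if not spf:
        return "none", None
    if len(spf) > 1:
        return "permerror", None
    return "ok", spf[0]


def find_verification_record(txt_records: list[str], prefix: str = "MS=") -> str | None:
    """Ownership records such as Office 365's "MS=ms..." are found the same
    way: scan every TXT record until one carries the expected prefix."""
    for r in txt_records:
        if r.startswith(prefix):
            return r
    return None


def evaluate_ip(record: str, sender_ip: str,
                include_lookup: Callable[[str, str], str] | None = None) -> str:
    """Evaluate a sending IP against the ip4/ip6/all terms of one SPF record.
    include: needs DNS, so it only matches when a lookup callback says 'pass';
    a/mx/ptr/exists and redirect= are not modelled and are skipped."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual, mech = "+", term
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]           # "~all" -> softfail, "-all" -> fail
        if name in ("ip4", "ip6"):
            # ip_network(strict=False) accepts "1.1.1.1" as well as "10.0.0.0/8";
            # a v6 address in a v4 network (or vice versa) is simply not contained
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include" and include_lookup is not None:
            if include_lookup(arg, sender_ip) == "pass":
                return QUALIFIERS[qual]
    return "neutral"                          # no term matched and no "all" present


# Constructed TXT record sets (hypothetical addresses, not real DNS data).
COMBINED = [
    "MS=ms123456 v=spf1 ip4:1.1.1.1 ip4:2.2.2.2 include:spf.protection.outlook.com ~all",
]
SEPARATE = [
    "MS=ms123456",
    "v=spf1 ip4:1.1.1.1 ip4:2.2.2.2 include:spf.protection.outlook.com ~all",
]
DUPLICATED = SEPARATE + ["v=spf1 ip4:3.3.3.3 -all"]   # two SPF records: permerror

if __name__ == "__main__":
    for name, recs in (("combined", COMBINED), ("separate", SEPARATE), ("duplicated", DUPLICATED)):
        status, rec = select_spf_record(recs)
        print(f"{name:10s} spf={status:9s} ms={find_verification_record(recs)!r}")
        if rec:
            for ip in ("2.2.2.2", "9.9.9.9"):
                print(f"{'':10s}  {ip} -> {evaluate_ip(rec, ip)}")
```

Running it shows the combined record passing the MS= ownership check but yielding no SPF record at all, the separated pair giving a single usable SPF record (2.2.2.2 passes, an unlisted address soft-fails on `~all`), and a third `v=spf1` record turning the result into a permanent error, which is the other common way a hand-edited TXT set silently kills SPF.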