I want to use Azure Email Communication Services as an option for bulk mail with our customer service apps that send out lots of notifications.
I've created a service and am provisioning domains. One of our domains is pretty simple and was easy to configure.
Another is not, so I'm stuck on the step where I try to validate that domain. Azure wants me to create an SPF record that looks like this:
However, we have an existing SPF environment that already has this value, and several others (Salesforce, Mimecast, some custom things). Our SPF record is so big it has to be split up into multiple records: a "main" record and two sub-records:
@ record = v=spf1 mx include:spf1.mydomain.com include:spf2.mydomain.com include:us._netblocks.mimecast.com include:spf.protection.outlook.com include:_spf.salesforce.com ip4:96.126.xxx.132 ~all
spf1 record = v=spf1 ip4:216.81.xxx.57 ip4:198.2.128.0/24 ip4:198.2.xxx.0/22 ip4:198.2.xxx.0/23 ip4:198.2.xxx.0/24 ip4:198.2.xxx.0/23 ip4:205.201.xxx.128/25 ip4:205.xxx.134.128/25 ip4:205.xxx.136.0/23 ip4:69.167.186.9 ip4:69.167.xxx.193 ~all
spf2 record = v=spf1 ip4:205.xxx.178.231 ip4:205.xxx.166.231 ip4:205.201.xxx.0/24 ip4:198.2.xxx.0/24 ip4:198.2.xxx.0/23 ip4:198.2.xxx.0/24 ip4:103.151.xxx.0/23 ip4:185.12.xxx.0/22 ip4:188.172.xxx.0/20 ip4:192.xxx.144.0/20 ip4:xxx.198.0.0/18 ~all
Since our SPF records don't match exactly what the Azure Email Communication Service is expecting, it won't validate the domain and keeps prompting to configure it:
Is there a workaround? Is there some trick to the ordering? Or am I just out of luck using our primary domain (I could create a subdomain but the business will complain about it)?
EDIT: I did open a ticket with Microsoft and they pointed out something I missed: their validation requires a hard fail (-all) where our record had a soft fail (~all). I did not think that would matter, but apparently it does. After I changed our record to a hard fail the validation worked, so it was unrelated to the complexity of our SPF records as I had originally assumed.
(I also learned that Azure only validates the record once, so if you need a soft fail you can get the domain validated with "-all" then change it back to "~all" if you need to.)
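An added example (not from the original post) that resolves a split SPF record like the one above against a constructed, offline TXT table, follows the includes, counts DNS-querying mechanisms against the RFC 7208 limit of 10, and reports the top-level "all" qualifier, which is what the validation in the post turned out to hinge on. The domain names, addresses and TXT values are all constructed stand-ins, not the poster's real zone.

```python
# Added example, not from the original post: walk a split SPF record
# offline, count RFC 7208 lookup mechanisms (limit 10) and report the
# top-level "all" qualifier (-all hard fail vs ~all soft fail).
import re
# Constructed stand-in for DNS TXT lookups; the post's real zone is not shown.
DNS_TXT = {
    "mydomain.example": ("v=spf1 mx include:spf1.mydomain.example "
                         "include:spf2.mydomain.example include:third.example "
                         "ip4:96.126.0.132 ~all"),
    "spf1.mydomain.example": "v=spf1 ip4:216.81.0.57 ip4:198.2.128.0/24 ~all",
    "spf2.mydomain.example": "v=spf1 ip4:205.0.178.231 ip4:185.12.0.0/22 ~all",
    "third.example": "v=spf1 include:nested.third.example -all",
    "nested.third.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def parse_terms(record):
    # Split an SPF TXT string into (qualifier, mechanism, argument) tuples.
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    out = []
    for tok in tokens[1:]:
        m = TERM.match(tok)
        if not m:
            raise ValueError("bad SPF term: %r" % tok)
        out.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return out

def evaluate(domain, dns=DNS_TXT, seen=frozenset()):
    # Return (dns_lookups, all_qualifier, ip_networks) after following includes.
    if domain in seen:
        raise ValueError("include loop at " + domain)
    lookups, networks, all_qual = 0, [], None
    for qual, mech, arg in parse_terms(dns[domain]):
        if mech in LOOKUP_MECHS:
            lookups += 1          # every include/a/mx/ptr/exists/redirect counts
        if mech in ("include", "redirect"):
            sub_lookups, _, sub_nets = evaluate(arg, dns, seen | {domain})
            lookups += sub_lookups
            networks.extend(sub_nets)
        elif mech in ("ip4", "ip6"):
            networks.append(arg)
        elif mech == "all":
            all_qual = qual       # an include's own "all" never propagates up
    return lookups, all_qual, networks

def check(domain, dns=DNS_TXT):
    # Summarise the record the way a validator would look at it.
    lookups, all_qual, networks = evaluate(domain, dns)
    return {"lookups": lookups, "within_limit": lookups <= 10,
            "all": QUALIFIERS.get(all_qual, "missing"),
            "hard_fail": all_qual == "-", "networks": networks}
```

Only the "all" on the record being validated matters; the ~all inside spf1/spf2 sub-records is ignored by the includer, so changing the main record alone is what flips the result.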

