O365 mail users are encouraged to use include:spf.protection.outlook.com -all in their SPF record.
I have followed this guidance. My company's SPF record says:
v=spf1 include:spf.protection.outlook.com -all
The spf.protection.outlook.com record ends with include:spfa.protection.outlook.com -all, which in turn ends with include:spfb.protection.outlook.com.
Each of those includes has a set of CIDRs for IPs used by outlook.com when sending email.
However, I am getting DMARC reports from google.com indicating an SPF FAIL for an IP that is actually covered by one of the includes in the SPF record. I think this is incorrect, yet is happening frequently.
Here is an example:
<source_ip>104.47.117.233</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
The rejected IP is part of ip4:104.47.0.0/17, which is part of the spfb.protection.outlook.com record:
spfb.protection.outlook.com. 394 IN TXT "v=spf1 ip6:2a01:111:f400::/48 ip4:23.103.128.0/19 ip4:23.103.198.0/23 ip4:65.55.88.0/24 ip4:104.47.0.0/17 ip4:23.103.200.0/21 ip4:23.103.208.0/21 ip4:23.103.191.0/24 ip4:216.32.180.0/23 ip4:94.245.120.64/26 -all"
So, why is Google's email server treating this as an SPF fail?
This is not an isolated example - I receive frequent SPF fail notifications with respect to IPs included in the SPF record.
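To see exactly which domain's record and which term decides an SPF result for a given source IP, here is an added example (not part of the post, and not Microsoft's or Google's code): a minimal offline SPF evaluator that walks the include chain the post describes. Only the spfb.protection.outlook.com record is the one quoted above; the spf and spfa records, the sending domain example.com and the unrelated domain example.net are constructed assumptions standing in for live DNS lookups. It also shows the two checks a practitioner wants when a report says "fail" for an IP that looks covered: that the evaluation is run against the domain actually used as the envelope MAIL FROM (a different domain gives a different answer), and that the include chain stays under the ten-lookup limit.

```python
import ipaddress

# Constructed offline stand-in for DNS TXT lookups. Only the
# spfb.protection.outlook.com record is the one quoted in the post; the other
# entries are assumptions standing in for the real spf/spfa records, for the
# sending domain (example.com) and for a second, unrelated domain (example.net).
TXT_RECORDS = {
    "example.com": "v=spf1 include:spf.protection.outlook.com -all",
    "example.net": "v=spf1 ip4:203.0.113.0/24 -all",
    "spf.protection.outlook.com": "v=spf1 include:spfa.protection.outlook.com -all",
    "spfa.protection.outlook.com": "v=spf1 include:spfb.protection.outlook.com -all",
    "spfb.protection.outlook.com": (
        "v=spf1 ip6:2a01:111:f400::/48 ip4:23.103.128.0/19 ip4:23.103.198.0/23 "
        "ip4:65.55.88.0/24 ip4:104.47.0.0/17 ip4:23.103.200.0/21 ip4:23.103.208.0/21 "
        "ip4:23.103.191.0/24 ip4:216.32.180.0/23 ip4:94.245.120.64/26 -all"
    ),
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# RFC 7208 section 4.6.4: more than ten DNS-querying mechanisms is a permerror.
MAX_DNS_LOOKUPS = 10


def check_host(ip, domain, trace=None, lookups=None):
    """Simplified SPF check_host() supporting ip4, ip6, include and all.

    Returns (result, trace), where trace lists the records walked and the
    term that decided the result. Unsupported mechanisms give 'permerror'.
    """
    trace = [] if trace is None else trace
    lookups = [0] if lookups is None else lookups
    addr = ipaddress.ip_address(ip)

    record = TXT_RECORDS.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        trace.append(f"{domain}: no SPF record")
        return "none", trace

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                trace.append(f"{domain}: matched {qualifier}{term}")
                return QUALIFIER_RESULT[qualifier], trace
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                trace.append(f"{domain}: exceeded {MAX_DNS_LOOKUPS} DNS lookups")
                return "permerror", trace
            trace.append(f"{domain}: include:{arg}")
            sub, _ = check_host(ip, arg, trace, lookups)
            if sub == "pass":  # an include only "matches" when the sub-check passes
                return QUALIFIER_RESULT[qualifier], trace
            if sub in ("none", "permerror", "temperror"):  # RFC 7208 section 5.2
                return "permerror" if sub == "none" else sub, trace
        elif mech == "all":
            trace.append(f"{domain}: matched {qualifier}all")
            return QUALIFIER_RESULT[qualifier], trace
        else:
            trace.append(f"{domain}: unsupported term {term}")
            return "permerror", trace

    return "neutral", trace  # nothing matched and no 'all' term present


if __name__ == "__main__":
    # The IP from the DMARC report, evaluated against two different domains.
    for dom in ("example.com", "example.net"):
        result, steps = check_host("104.47.117.233", dom)
        print(f"{dom}: {result}")
        for step in steps:
            print("   ", step)
```

Run it and the trace for example.com ends at spfb.protection.outlook.com with +ip4:104.47.0.0/17 matched, i.e. pass; the same IP evaluated against example.net reaches -all and fails. When reading a DMARC aggregate report, compare the domain in the report's envelope_from with the domain whose record you expect to be evaluated before concluding the receiver's SPF check is wrong.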