If you see a message sent from an Office365/Hotmail email domain flagged for SPF Fail, it is because Office365 occasionally sends from IP addresses that are not covered by their new SPF include: statement.

Existing SPF "TXT" record for spf.protection.outlook.com

"v=spf1 ip4: ip4: ip4: ip4: ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/48 include:spfd.protection.outlook.com -all"

What we have seen is that the sending IP is in the range.


Add "" to System Setup > Mail Authentication > SPF Bypassed IPs/Networks:

-- That will bypass SPF checks for that IP range.

-- That IP range used to be in their SPF record, before it was changed.
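
To confirm that a flagged message's sending IP really falls outside the literal ranges of a record like the one above before adding a bypass, here is an added example (not part of the original article or of any vendor tool) that parses the ip4/ip6 mechanisms and checks an address offline. The ip4 range 192.0.2.0/24, the test addresses and the function names are constructed assumptions, since the ip4 values are not shown above; include: targets are reported, not resolved.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample: the ip6 ranges and include target come from the record above;
# 192.0.2.0/24 is a documentation range standing in for the missing ip4 values.
SAMPLE_RECORD = ('"v=spf1 ip4:192.0.2.0/24 ip6:2a01:111:f400::/48 '
                 'ip6:2a01:111:f403::/48 include:spfd.protection.outlook.com -all"')

def parse_spf(record):
    """Split an SPF TXT record into literal networks, include targets and the 'all' qualifier."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    networks, includes, all_qualifier = [], [], None
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier when none is written
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # An empty or malformed address raises ValueError (a broken record).
            networks.append((qualifier, ipaddress.ip_network(value, strict=False)))
        elif name == "include":
            includes.append(value)
        elif name == "all":
            all_qualifier = qualifier
    return networks, includes, all_qualifier

def check_sender(record, sender_ip):
    """Evaluate only the literal ip4/ip6 terms; return (result, matching term)."""
    networks, includes, all_qualifier = parse_spf(record)
    addr = ipaddress.ip_address(sender_ip)
    for qualifier, net in networks:
        if addr in net:                      # always False across IPv4/IPv6 versions
            return RESULTS[qualifier], str(net)
    if includes:
        # The include targets need a DNS lookup before "fail" can be concluded.
        return "unresolved", ",".join(includes)
    return RESULTS.get(all_qualifier, "neutral"), "all"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "2a01:111:f403::25", "198.51.100.7"):
        print(ip, check_sender(SAMPLE_RECORD, ip))
```

An "unresolved" result means the sending IP is outside every literal range and the listed include: record still has to be checked before treating the IP as uncovered.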