If you see a message sent from an Office365/Hotmail email domain flagged for SPF Fail, it is because Office365 -occasionally- sends from IP addresses that are not contained by their new SPF include: statement.


Existing SPF "TXT" record for spf.protection.outlook.com


"v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/48 include:spfd.protection.outlook.com -all"


What we have see is the sending IP is in the 40.95.0.0/24 range.


Recommendation:  

Add "40.92.0.0/14" to System Setup > Mail Authentication > SPF Bypassed IPs/Networks::




-- That will bypass SPF checks for that IP range.


-- That IP range that used to be in their SPF record, before it was changed.

Update:  6 Dec, 2024:

Is also looks like this mechanism is wrong: ip4:52.103.0.0/17

# dig TXT spf.protection.outlook.com +short
"v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/15 ip4:52.102.0.0/16 ip4:52.103.0.0/17 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/51 ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 -all"

we have seen message coming from this range:  ip4:52.103.128.0/17 
--- You may want to add that range to SPF exemptions as well.