3 of 3 people found this helpful
But the real problem is that your IT has decided to transform a TempError into a Fail, which is not respecting the meaning of SPF result codes.
If they don't trust a TempError, they should reject or deliver the message, not quarantine it. This recommendation is explicit in RFC 7208 Sections 8.6 and G.4, since quarantining a message informs neither the sender nor the receiver that there's a problem.
It also isn't clear that there's a real problem outside of Avanade, since it's a DNS timeout (timeout is always a receiver-side setting, and if set unrealistically low, perhaps to deal with other attacks, it will have collateral damage). And from the looks of it, the problem would apply to anyone with protection.outlook.com in their SPF record, not just Marketo.
Of course, IT can roll out whatever policies they want, but they shouldn't be surprised at the consequences -- like saying, "I'm going block any web pages that take more than 2 seconds to load because they might be trying to hang up TCP connections."
Thanks for the additional insight, Sandy. I’ll relay this to our IT team.