Guilty until proven innocent, an excellent initial position.
I’ve had to relax my SPF record to include the entire mail pool of my ISP to be able to send to anything hosted by Microsoft. I tried to liaise with them directly, and through Linode, but they refused to exclude the IP from their opaque blocklist. Their proposed solution was to change the IP of the VPS, but that’s just agreeing to play whack-a-mole with a bad faith actor.
There should be a path to greater transparency and accountability from the SMTP cartels, but I’m at a loss as to how that can manifest.
Did you send out mails directly from your ISP? (Than I could unterstand Microsoft.) Only your MX must send out mails. And only it should be in the SPF record.
It would be crazy of Microsoft to look at all Received-Hearders and want everything mention there in the SPF record. If that is what really happens, than you should exclude this information from the header.
(mask-src on Opensmtpd. Pretty sure Postfix has that option to, but haven't used it in a decade, so I can't tell you the syntax.)
I originally had only my MX hosts listed in my SPF record, and configured to accept them exclusively. Microsoft unilaterally blocked the entire /23 my VPS resides within, and refused to exclude my configured IPs from their block.
The only way I’m currently able to deliver anything to domains hosted by Microsoft is to expand my SPF record to include my ISP’s mail hosts, and route delivery through them.
Microsoft, and the other SMTP cartel thugs, are undermining the protections these protocols were designed to provide.
