Thank you for your reply.
As I mentioned, netblocks.dreamhost.com is not defined in any public DNS. So this setting (with the strict “-all” directive) will effectively say, only accept mail if it comes from netblocks.dreamhost.com, which doesn’t exist, so do not accept any mail at all.
I don’t think you want to use the a: mechanism, which tests all the A records for the domain. Most examples seem to use the include: mechanism.
In a lengthy discussion with Dreamhost Abuse support, I learned that mail for my account (and presumably others on my server) is split among several servers:
[quote]1) CGI Mail is sent out via ‘iad1-shared-relay1.dreamhost.com’ with an IP of '184.108.40.206’
2) SMTP mail is sent out via ‘sub4.mail.dreamhost.com’ load balancer with an IP of ‘220.127.116.11’[/quote]
So the correct SPF for the shared relay with Office 365 would be:
example.com TXT “v=spf1 include:spf.protection.outlook.com include:iad1-shared-relay1.dreamhost.com -all”
In my experience, iad1-shared-relay1.dreamhost.com is always on at least five blacklists per www.mxtoolbox.com. A zealous mail admin might reject the mail due to a blacklist even if the SPF is correct. So it’s better if possible to connect to an external mail server to send email. In my case, I’m doing that via the WordPress WP-Mail-SMTP plugin. It’s not ideal, because it means each time someone posts a comment on the blog, it takes 10-30 seconds because it is sending an external email. But mail is getting through.