by snowwrestler 42 days ago
There seems to be an additional factor lately, especially for email going to Microsoft, which is how long these DNS lookups take.

We configured a new email sending service and kept the DNS TTLs low on the TXT records for SPF, DKIM, and DMARC, in case we needed to change them. We saw a lot of mystery failures for emails going to Microsoft inboxes (M365 and Outlook.com). Changing the TTLs to be very long (86400 or more) caused a large improvement within a day or two.

The only way I can think to explain this is that some of their DNS lookups would time out if they had to follow recursion back to our DNS provider. Lengthening the TTL increased the chance the records would be cached locally to Microsoft’s systems and therefore served faster.

The only other explanation I can think of is that MS prefers longer TTLs as a matter of policy and downgrades based on that. But usually they publish policy preferences like that and I could not find one.
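A small TTL audit for the three mail-authentication records the comment mentions, as an added example that is not the commenter's own tooling. It parses BIND-style TXT lines, classifies each as SPF, DKIM or DMARC from the record name and payload, and flags any whose TTL is below the 86400-second figure the comment reports as "very long". The domain, selector name, zone contents and threshold variable name are constructed for the example; a real audit would feed it the TXT records of your own zone.

```python
"""Audit the DNS TTLs on SPF, DKIM and DMARC TXT records.

Added example, not code from the HN comment. The zone below is constructed;
in practice you would paste in the TXT records from your authoritative zone
(or from `dig +noall +answer TXT <name>` output in the same layout).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Threshold taken from the comment: TTLs of 86400 seconds or more were "very long".
LONG_TTL = 86400

# Constructed sample zone in "name TTL IN TXT value" layout. Domain, selector
# and key material are placeholders, not real records.
SAMPLE_ZONE = """\
example.com.                 300   IN TXT "v=spf1 include:_spf.mailsender.example -all"
_dmarc.example.com.          300   IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
sel1._domainkey.example.com. 300   IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq...placeholder"
example.com.                 3600  IN TXT "google-site-verification=placeholder"
"""

ZONE_LINE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+TXT\s+"(.*)"\s*$')


@dataclass
class TxtRecord:
    name: str
    ttl: int
    value: str

    def kind(self) -> Optional[str]:
        """Classify as 'spf', 'dkim' or 'dmarc' by name and payload; None otherwise."""
        v = self.value.lower()
        if v.startswith("v=spf1"):
            return "spf"
        if self.name.lower().startswith("_dmarc.") and v.startswith("v=dmarc1"):
            return "dmarc"
        if "._domainkey." in self.name.lower() and v.startswith("v=dkim1"):
            return "dkim"
        return None


def parse_zone(text: str) -> List[TxtRecord]:
    """Parse zone-file-style TXT lines; blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ZONE_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable zone line: {line!r}")
        records.append(TxtRecord(m.group(1), int(m.group(2)), m.group(3)))
    return records


def audit_ttls(records: List[TxtRecord], min_ttl: int = LONG_TTL) -> List[Tuple[str, str, int]]:
    """Return (kind, name, ttl) for each mail-auth record whose TTL is below min_ttl.

    Non-mail TXT records (site verification etc.) are ignored; several DKIM
    selectors each produce their own finding.
    """
    findings = []
    for r in records:
        k = r.kind()
        if k is not None and r.ttl < min_ttl:
            findings.append((k, r.name, r.ttl))
    return sorted(findings)


if __name__ == "__main__":
    for kind, name, ttl in audit_ttls(parse_zone(SAMPLE_ZONE)):
        print(f"{kind.upper():5} {name:32} TTL {ttl:>6}s  (below {LONG_TTL}s)")
```

Running it on the sample zone reports the SPF, DMARC and DKIM records at 300 seconds and stays silent about the unrelated verification TXT record. Keep in mind that raising the TTL only helps once the old, short-TTL copies have expired out of remote caches, which matches the comment's observation that the improvement took a day or two to show up.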