Office365 SPF record has too many lookups

As of some recent date, Microsoft has “fixed” this problem by getting rid of all sub-records and using 2 or 3 “ptr” records instead:

$ dig TXT spf.protection.outlook.com
spf.protection.outlook.com. IN  TXT "v=spf1 ptr:protection.outlook.com ptr:o365filtering.com -all"

$ dig TXT spf.messaging.microsoft.com
spf.messaging.microsoft.com. IN TXT "v=spf1 ptr:protection.outlook.com ptr:messaging.microsoft.com ptr:o365filtering.com -all"

Here’s the problem: while this will help Office 365 clients stay below the “Too many lookups” PermError … it does so by forcing every mailserver in the world to do (expensive) PTR lookups for every IP address that connects to them.

Per the SPF specification:

If at all possible, you should avoid using this mechanism in your SPF
record, because it will result in a larger number of expensive DNS
lookups.
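
A static audit of the trade-off described above, as an added example that is not part of the original post: it counts the DNS-querying terms that RFC 7208 caps at 10 per SPF check and lists every ptr mechanism reached through include/redirect. The record table is constructed (example.com is a hypothetical customer domain; the outlook.com record is the one quoted above), and the function names are this example's own.

```python
# Added example: static count of DNS-querying SPF terms (RFC 7208 section 4.6.4).
LOOKUP_LIMIT = 10
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone data so the audit runs offline. The outlook.com record is
# the one quoted on this page; example.com is a hypothetical customer domain.
RECORDS = {
    "example.com": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com":
        "v=spf1 ptr:protection.outlook.com ptr:o365filtering.com -all",
}

def parse_term(term):
    """Split an SPF term into (name, target), dropping qualifier and CIDR."""
    term = term.lstrip("+-~?")
    if term.lower().startswith("redirect="):
        return "redirect", term.split("=", 1)[1]
    name, _, arg = term.partition(":")
    name = name.split("/", 1)[0]          # "a/24" and "mx/24" carry a CIDR suffix
    return name.lower(), arg.split("/", 1)[0]

def audit(domain, records=RECORDS, path=()):
    """Return (lookup_count, ptr_terms) for domain, following include/redirect."""
    if domain in path:                    # include/redirect loop: stop descending
        return 0, []
    record = records.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0, []
    count, ptrs = 0, []
    for term in record.split()[1:]:
        name, target = parse_term(term)
        if name in QUERYING:
            count += 1                    # each such term costs one lookup slot
        if name == "ptr":
            ptrs.append((domain, term))   # remember where the ptr was found
        if name in ("include", "redirect") and target:
            sub_count, sub_ptrs = audit(target, records, path + (domain,))
            count += sub_count
            ptrs += sub_ptrs
    return count, ptrs

if __name__ == "__main__":
    total, ptr_terms = audit("example.com")
    status = "over" if total > LOOKUP_LIMIT else "within"
    print(f"{total} lookup terms ({status} the limit of {LOOKUP_LIMIT})")
    for where, term in ptr_terms:
        print(f"ptr mechanism in {where}: {term}")
```

The count is a worst-case static figure: a receiver stops at the first matching mechanism, but each ptr it does evaluate adds a reverse lookup of the connecting IP and forward lookups of the names returned, which this count does not include.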
