To authorize Microsoft Office 365 to send emails on your behalf you will have to manually set up your Microsoft Office 365 SPF record for O365 emails. Email authentication is a critical part of keeping your domain secure and free from spam. It's a way of letting an email provider know that the sender of the email is who they claim to be, which helps prevent spoofing and phishing. Microsoft recommends its users enable Office 365 SPF to enjoy a safer email experience.
In this article, we will take you through the steps for setting up your office 365 SPF record.
Leveraging your Office 365 SPF record to stop domain spoofing
To set up your office 365 SPF, you need to add a DNS TXT record for office 365 SPF on your external DNS (for both your domain and subdomains).
Things to consider when implementing Office 365 SPF record
Note that you won’t be required to add an O365 SPF record on Microsoft’s internal DNS, hence you need to start off by gaining access to your external DNS management console by speaking to your hosting provider (in case you don’t handle the hosting yourself).
Once your gain access to your DNS management console, follow the steps below:
- Locate your existing SPF record
Note that if you already have an existing record for SPF, you need to make a few changes to incorporate Office 365 SPF. If you add multiple SPF records to your domain it can invalidate the protocol.
- Make a list of IP addresses used by external servers
This should include IP4 and IP6 mechanisms for external email sending servers that participate in email transfer on behalf of you
- Assemble the SPF handling domains for your third-party ESPs
This should include third-party email vendors (e.g. Microsoft office 365) that you may be using to send out marketing emails.
TXT record syntax for Office 365 SPF
Given below is a list of SPF includes and IP addresses pertaining to the services that you have signed up for on Office 365:
- For Exchange Online users:
- For Office 365 Germany (Microsoft Cloud Germany only):
Creating your record for Office 365 SPF
Step 1: Create an SPF record for Office 365 using our free SPF record generator
Case 1: All your emails are routed via Office 365
If you do not use any external third-party email services and route all your emails via Office 365, your SPF record will have the following syntax:
The SPF -all mechanism denotes SPF hardfail (emails that fail SPF will not be delivered) for emails that do not pass SPF check and is the recommended mechanism for protection against spoofing.
Case 2: You use several other third-party email services along with Office 365
In case you use other email vendors to send out emails on behalf of your organization, you need to include them in your domain’s SPF record as well. Considering you’re using a third-party service known as SmartMails.org with an SPF-handling domain such as spf.smartmails.com, your SPF record will have the following syntax:
Note: Don’t create separate DNS records for third parties.
Add SPF record Office 365
- Access your DNS management console
- Paste the record
TTL: 1 hour
Value: v=spf1 include:spf.protection.outlook.com -all
- Save changes to your record
- Wait for 24 hours (or more depending on your DNS provider) to activate the protocol
You can find instructions on publishing DNS records for different DNS providers like GoDaddy:
Why do you need an O365 SPF record?
What SPF does for your domain
Sender Policy Framework (SPF) is an email authentication protocol that lets domain owners specify which mail servers are allowed to send mail on their behalf.
SPF works by publishing a list of authorized sending hosts for your domain in the Domain Name System (DNS). Recipient mail exchanges use the DNS to check that mail from a given domain comes from an IP address authorized by that domain's administrators.
SPF can help protect your company from spear phishing, spoofing, and other types of email fraud by verifying the identity of senders before messages reach the inbox.
How to ensure error-free SPF record for Office 365?
To make sure your SPF record is error-free and updated:
- Check your Office 365 SPF record using our free SPF record checker tool
- Leverage SPF flattening to stay under the 10 DNS lookup limit
- Update your SPF record every time you add to your third-party services
Related Articles on authenticating your Office 365 emails
SPF alone isn’t enough to protect your domain and emails against impersonation attacks and other types of domain abuse. To achieve compliance on your emails, Microsoft recommends users configure additional protocols (like DMARC and DKIM) to enhance their security.
Click on the links below to check out detailed documents about the configuration processes:
Hope this article was helpful to you! Are you new to email authentication and DMARC? Take a free DMARC trial to weigh out your benefits today.