Submit a ticket My Tickets
Welcome
Login  Sign up
  1. PowerDMARC
  2. Solution home
  3. Aligning your sources
  4. SPF

How to Set Up Microsoft Office 365 SPF record?

PowerDMARC Support
Modified on: Fri, 29 Apr, 2022 at 11:07 AM

To authorize Microsoft Office 365 to send emails on your behalf you will have to manually set up your Microsoft Office 365 SPF record for O365 emails. Email authentication is a critical part of keeping your domain secure and free from spam. It's a way of letting an email provider know that the sender of the email is who they claim to be, which helps prevent spoofing and phishing. Microsoft recommends its users enable Office 365 SPF to enjoy a safer email experience.  


In this article, we will take you through the steps for setting up your office 365 SPF record. 

Leveraging your Office 365 SPF record to stop domain spoofing 

To set up your office 365 SPF, you need to add a DNS TXT record for office 365 SPF on your external DNS (for both your domain and subdomains). 

Things to consider when implementing Office 365 SPF record

Note that you won’t be required to add an O365 SPF record on Microsoft’s internal DNS, hence you need to start off by gaining access to your external DNS management console by speaking to your hosting provider (in case you don’t handle the hosting yourself). 


Once your gain access to your DNS management console, follow the steps below: 

  • Locate your existing SPF record

Note that if you already have an existing record for SPF, you need to make a few changes to incorporate Office 365 SPF. If you add multiple SPF records to your domain it can invalidate the protocol. 

  • Make a list of IP addresses used by external servers

This should include IP4 and IP6 mechanisms for external email sending servers that participate in email transfer on behalf of you 

  • Assemble the SPF handling domains for your third-party ESPs

This should include third-party email vendors (e.g. Microsoft office 365) that you may be using to send out marketing emails. 

TXT record syntax for Office 365 SPF

Given below is a list of SPF includes and IP addresses pertaining to the services that you have signed up for on Office 365: 

  • For Exchange Online users: 

include:spf.protection.outlook.com

  • For Exchange Online users (dedicated only):

ip4:23.103.224.0/19

ip4:206.191.224.0/19

ip4:40.103.0.0/16

include:spf.protection.outlook.com

  • For Office 365 Germany (Microsoft Cloud Germany only):

Creating your record for Office 365 SPF

include:spf.protection.outlook.de

Step 1: Create an SPF record for Office 365 using our free SPF record generator


Case 1: All your emails are routed via Office 365


If you do not use any external third-party email services and route all your emails via Office 365, your SPF record will have the following syntax: 


v=spf1 include:spf.protection.outlook.com -all

The SPF -all mechanism denotes SPF hardfail (emails that fail SPF will not be delivered) for emails that do not pass SPF check and is the recommended mechanism for protection against spoofing. 

Case 2: You use several other third-party email services along with Office 365


In case you use other email vendors to send out emails on behalf of your organization, you need to include them in your domain’s SPF record as well. Considering you’re using a third-party service known as SmartMails.org with an SPF-handling domain such as spf.smartmails.com, your SPF record will have the following syntax: 


v=spf1 include:spf.smartmails.com include:spf.protection.outlook.com -all

NoteDon’t create separate DNS records for third parties. 

Add SPF record Office 365

  • Access your DNS management console 
  • Paste the record 

Type: TXT

TTL: 1 hour

Host: @ 

Value: v=spf1 include:spf.protection.outlook.com -all

  • Save changes to your record
  • Wait for 24 hours (or more depending on your DNS provider) to activate the protocol 

You can find instructions on publishing DNS records for different DNS providers like GoDaddy: 

godaddy office 365 spf record

Why do you need an O365 SPF record?

What SPF does for your domain

Sender Policy Framework (SPF) is an email authentication protocol that lets domain owners specify which mail servers are allowed to send mail on their behalf.


SPF works by publishing a list of authorized sending hosts for your domain in the Domain Name System (DNS). Recipient mail exchanges use the DNS to check that mail from a given domain comes from an IP address authorized by that domain's administrators.


SPF can help protect your company from spear phishing, spoofing, and other types of email fraud by verifying the identity of senders before messages reach the inbox.

How to ensure error-free SPF record for Office 365?

To make sure your SPF record is error-free and updated:

  • Check your Office 365 SPF record using our free SPF record checker tool
  • Leverage SPF flattening to stay under the 10 DNS lookup limit
  • Update your SPF record every time you add to your third-party services 

Related Articles on authenticating your Office 365 emails

SPF alone isn’t enough to protect your domain and emails against impersonation attacks and other types of domain abuse. To achieve compliance on your emails, Microsoft recommends users configure additional protocols (like DMARC and DKIM) to enhance their security. 


Click on the links below to check out detailed documents about the configuration processes: 

Hope this article was helpful to you! Are you new to email authentication and DMARC? Take a free DMARC trial to weigh out your benefits today. 

P
PowerDMARC is the author of this solution article.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.

Related Articles