A Brief Guide To Setting Up Sender Policy Framework Office 365

Spoofed emails have become a common threat. Malicious actors research an organization and then send emails to victims using its domain name so the messages look genuine. Sender Policy Framework (SPF) for Office 365 provides email authentication for Microsoft users, protecting them from scam and phishing emails that malicious actors forge in their names. An Office 365 SPF record lists all the authorized hosts permitted to send email from an organization’s domain.

SPF Record Syntax For Microsoft Office 365

To add a typical SPF record for Microsoft 365, one needs to supply information such as the IP version, IP addresses, domain names, and enforcement rule. Here is the SPF record syntax for Office 365.

v=spf1 [<ip4>|<ip6>:<IP address>] [include:<domain name>] <enforcement rule>

In this example, ‘v=spf1’ identifies the TXT record as an SPF record, and ‘ip4|ip6’ specifies the version of the IP address used. The authorized IP addresses and domain names follow these details. The ‘Enforcement Rule’ specifies what action is taken when an email fails SPF authentication.

Office 365 SPF Record Single vs. Multiple Outbound Servers

Here are SPF record examples for two different scenarios.

1. When all the emails are sent from a single Office 365 account, the record should be as follows.

v=spf1 include:spf.protection.outlook.com -all

2. On the other hand, when one has multiple outbound email servers, they must all be added to the SPF record, as shown below.

v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 include:spf.protection.outlook.com -all


How To Create SPF Records With Multiple Subdomains?

If an organization has multiple subdomains, each subdomain must have its own SPF record, because subdomains do not inherit the record of the top-level domain. A wildcard SPF record (*.) is used for each subdomain and domain, as shown below.

Syntax: *.subdomain.domain.com. IN TXT "v=spf1 -all"

Example: *.abc.example.com IN TXT "v=spf1 -all"

Limitation For Adding External Domains

Sometimes organizations have to authorize external domains, such as third parties, to send emails using their domain information. This is done by adding an ‘include’ mechanism to the SPF record. Every ‘include’ requires a DNS lookup while emails are being authenticated.

Each added domain and subdomain already costs lookups, and third-party domains increase the number further. However, the maximum number of such lookups allowed is 10. If the lookups exceed 10 in Office 365 SPF, it returns an error such as ‘too many lookups’ or ‘maximum hop count exceeded.’ Keep this limit in mind while adding external domains to the DNS record.
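The lookup budget can be checked before a record is published. The following is an added example, not code from the original page or from Microsoft: it goes beyond the page by also counting the a, mx, ptr and exists mechanisms and the redirect modifier, which RFC 7208 charges against the same limit of 10. The ZONE records, the vendor domain names and the function names are constructed for illustration.

```python
import re

LOOKUP_LIMIT = 10  # the maximum the section above cites
# Terms that cost a DNS query; the page names only "include", the rest are from RFC 7208.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=", re.I)

# Constructed TXT answers standing in for live DNS (not any provider's real records).
ZONE = {
    "example.com": "v=spf1 ip4:192.168.0.1 include:spf.protection.outlook.com "
                   "include:vendor-a.example -all",
    "bloated.example": "v=spf1 include:spf.protection.outlook.com include:vendor-a.example "
                       "include:vendor-b.example include:vendor-c.example -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "vendor-a.example": "v=spf1 a mx include:pool.vendor-a.example -all",
    "vendor-b.example": "v=spf1 a mx exists:%{i}.bl.vendor-b.example -all",
    "vendor-c.example": "v=spf1 mx ptr redirect=vendor-a.example",
    "pool.vendor-a.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain's record, following includes."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        match = LOOKUP_TERM.match(term)
        if not match:
            continue  # ip4, ip6 and all need no DNS query
        total += 1  # the term itself costs one query
        kind = (match.group(1) or "redirect").lower()
        if kind in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[1].lower()
            total += count_lookups(target, zone, path + (domain,))
    return total

def check(domain, zone=ZONE):
    """Return (lookup count, True if within the limit)."""
    used = count_lookups(domain, zone)
    return used, used <= LOOKUP_LIMIT

if __name__ == "__main__":
    for name in ("example.com", "bloated.example"):
        used, ok = check(name)
        print(f"{name}: {used} lookups, {'ok' if ok else 'over the limit'}")
```

Nested includes are what push a record over the limit: each third-party include costs one lookup for itself plus every lookup inside the record it points to.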


How To Add DNS Record In Microsoft Office 365?

Once the SPF record is set, it must be added to the DNS. Here are the steps to create a DNS record.

 Domain Verification

  1. Sign in to Microsoft 365 ‘Admin Center.’
  2. Select Show all -> Settings -> Domains.
  3. Sign in to the domain hosting provider’s website and search for the ‘DNS Setting’ option to manage the domain.
  4. Go to the hosting provider’s DNS Manager page and add the TXT record mentioned in the domain’s Admin Center.
  5. Save the record and go back to the admin center page and select ‘Verify.’

The records take around 15 minutes to take effect. Once Microsoft finds the correct TXT record, the domain is verified.

Adding An SPF Record Or Editing The Existing One

If the organization has an existing SPF record for the domain, there is no need to create a separate one. The values required for Microsoft Office 365 can be added to the current record on the hosting provider’s website.

The following values must be set.

  • Record Type: TXT
  • Host: @
  • TXT Value: v=spf1 include:spf.protection.outlook.com -all
  • TTL: 3600 (or your provider default)

Please note that if the SPF record is incorrect or fails validation, a ‘550 rejecting for Sender Policy Framework’ error will be displayed at the receiver’s end, and the email will be rejected.

SPF records help prevent malicious actors from sending spoofed emails that impersonate an organization’s domain. Sender Policy Framework for Office 365 has numerous provisions for Microsoft Office users to set up SPF records for various scenarios. They provide complete authentication of emails, thereby safeguarding an organization’s reputation and ensuring email delivery.
