Set Up SPF Record Office 365 to Prevent Spoofing and Phishing Attacks
Although not mandatory, publishing SPF records for all the domain names of an organization is vital in modern email ecosystems. Email-based attacks like phishing account for a majority of all data breaches. Although tools like Office 365 analyze and block millions of phishing emails, taking extra steps to prevent such malicious attacks is always welcome. SPF records in Office 365 are DNS records that help authenticate Office 365 based emails so organizations can operate with higher levels of trust and prevent spoofing.
How Does An SPF Record Prevent Spoofing In Office 365?
Sender Policy Framework or SPF decides if a sender is authorized to send emails for any domain. Malicious emails fail SPF checks on receiving servers, and the server then acts on the email according to its configured spam policy.
The Basics of An Office 365 SPF Record
To understand how Office 365 SPF works, users can examine the following SPF Record Breakdown. An SPF rule has the basic syntax:
v=spf1 <example IP> <example enforcement rule>
Supposing we consider a domain example.com. The SPF record example for it is:
“v=spf1 < IP address #1> <IP address #2> <enforcement rule> ”
For example.com, any receiving email server would then only accept emails from IP address #1 and #2. Supposing an email from example.com did not come from these addresses, the enforcement rule specified would be applied.
Enforcement rules can be –
- Hard Fails – Where messages are dealt with according to the configured spam policy.
- Soft Fails – Messages are marked with soft fail but delivered anyway.
- Neutral – Does nothing and is used for testing
What are the SPF TXT Requirements For Microsoft 365?
SPF TXT records are automatically created when a user sets up mail for Microsoft Office 365. Such an SPF TXT record authenticates Microsoft’s messaging servers as associated with a user’s domain.
Hosted customers of Office 365 who do not have on-premise email servers will need only this SPF TXT record for publishing. Hybrid deployment or EOP customers should add outbound IP addresses for all their on-premise mail servers to the SPF records.
How to Form SPF TXT Record For Office 365?
Users can use the following SPF record syntax examples for forming their records.
“v=spf1 ip4/ip6:<example IP> include:<example domain> <desired enforcement rule>”
For instance,
“v=spf1 ip4:101.341.1.2 ip4:152.138.1.4 include:spf.protection.outlook.com -all”
Here
- v=spf1 defines the TXT record as an SPF TXT Record
- ip4 or ip6 shows which IP version address is being used
- The IP address added to the TXT record is usually the outbound mail server of the organization
- The domain name is the domain name of the legitimate sender
- Enforcement rules can be -all for hard fail, ~all for soft fail, and ?all for neutral
If all emails are sent using outlook, there is no need to enter the IP addresses in the SPF record format. Along with this, users can use an online SPF record generator for a painless generation of records.
SPF is a great tool to combat phishing and spoofing. It is relatively easy to implement. In fact, for GoDaddy SPF records can be set up quickly due to the seamless integration between it and Office 365. An online SPF records check is a recommended practice to ensure that no issues occur after updating. Moreover, combining SPF with tools like DKIM and DMARC can act as a foolproof mechanism to guarantee authentication.
Join the thousands of organizations that use DuoCircle
Find out how affordable it is for your organization today and be pleasantly surprised.