The Skysnag Blog

How to Setup SPF for Microsoft Office 365?

October 1, 2022  |  3 min read
Microsoft Office 365

An SPF record is a type of Domain Name System (DNS) record that identifies which mail servers are authorized to send email on behalf of your domain. SPF records help to reduce the risk of your emails being marked as spam because they allow recipients to verify that the email is coming from a legitimate source.

We’ll walk you through the process of setting up your office 365 SPF record in this article.

How to implement the use of Office 365 SPF record to prevent domain spoofing

You must add a DNS TXT record for office 365 SPF on your external DNS server in order to configure office 365 SPF (for both your domain and subdomains).

Things to take into account when adopting the Office 365 SPF record

  • Noting that you won’t be required to add an O365 SPF record on Microsoft’s internal DNS, you must first contact your hosting provider (if you don’t handle the hosting yourself) to obtain access to your external DNS administration interface.
  • The steps following should be followed once you have gained access to your DNS administration console:

Considerations for adopting the Office 365 SPF record

Note that you won’t be required to add an O365 SPF record on Microsoft’s internal DNS, hence you need to start off by gaining access to your external DNS management console by speaking to your hosting provider (in case you don’t handle the hosting yourself). 

Once your gain access to your DNS management console, follow the steps below: 

  • Find your current SPF record

Keep in mind that if you currently have an SPF record, you will need to make a few adjustments to include Office 365 SPF. Multiple SPF entries added to a domain can render the protocol useless.

  • Create a list of all the external servers’ IP addresses.

This should incorporate IP4 and IP6 protocols for your external email sending servers that take part in email transfer.

  • Create the SPF handling domains for your third-party ESPs.

This should include any outside email providers you could be using to send out promotional emails, like Microsoft Office 365. 

Syntax for TXT records for Office 365 SPF

A list of SPF includes and IP addresses for the Office 365 services you have registered for are shown below:

  • Users of Exchange Online:

include:spf.protection.outlook.com

  • Users of the dedicated version of Exchange Online:

ip4:23.103.224.0/19

ip4:206.191.224.0/19

ip4:40.103.0.0/16

include:spf.protection.outlook.com

  • Office 365 Germany (exclusively through Microsoft Cloud Germany):

Requirements to setup SPF for Microsoft Office 36

  • Your emails are all forwarded through Office 365.

Your SPF record will have the following syntax if you just use Office 365 to send all of your emails and do not utilize any external third-party email services:

v=spf1 include:spf.protection.outlook.com -all

The SPF -all technique, which is the suggested method for preventing spoofing, signals SPF hardfail (emails that fail SPF will not be delivered).

  • Along with Office 365, you also utilize a number of other third-party email providers.

If you utilize other email suppliers to send emails on your behalf, you must include them in your domain’s SPF record as well. Your SPF record will have the following syntax given that you’re utilizing a third-party service called SmartMails.org with an SPF-handling domain like spf.smartmails.com:

v=spf1 include:spf.smartmails.com include:spf.protection.outlook.com -all

Reminder: Avoid setting up unique DNS records for third parties.

How to publish SPF record for Microsoft Office 365

  • Navigate to the DNS management interface
  • Copy the record

Type: TXT

TTL: 1 hour

Host: @ 

Value: v=spf1 include:spf.protection.outlook.com -all

  • Update your record and save changes.
  • To activate the protocol, wait 24 hours (or longer depending on your DNS provider).

With Skysnag, you can easily manage Microsoft Office 365’s SPF records without having to go to your DNS. This allows Microsoft Office 365’s SPF record to propagate instantly, and autonomously always pass SPF alignment.

Start a free trial today to see how it works for your domain.

For more information on setting up Microsoft Office 365’s SPF, you can refer to their reference documentation.

You can use Skysnag’s free SPF Checker to check the health of your SPF record here

Enforce DMARC, SPF and DKIM in days - not months

Skysnag helps busy engineers enforce DMARC, responds to any misconfigurations for SPF or DKIM which increases email deliverability, and eliminates email spoofing and identity impersonation.

Check your domain’s DMARC security compliance