
How to Set Up Microsoft Office 365 SPF record?

To authorize Microsoft Office 365 to send emails on your behalf, you have to manually set up an SPF record for your Office 365 emails. Email authentication is a critical part of keeping your domain secure and free from spam. It's a way of letting an email provider know that the sender of the email is who they claim to be, which helps prevent spoofing and phishing. Microsoft recommends its users enable Office 365 SPF to enjoy a safer email experience.

Leveraging your Office 365 SPF record to stop domain spoofing 

To set up your Office 365 SPF, you need to add a DNS TXT record for Office 365 SPF on your external DNS (for both your domain and subdomains).

Things to consider when implementing Office 365 SPF record

Note that you won’t be required to add an O365 SPF record on Microsoft’s internal DNS, hence you need to start off by gaining access to your external DNS management console by speaking to your hosting provider (in case you don’t handle the hosting yourself). 

Once you gain access to your DNS management console, follow the steps below:

  • Locate your existing SPF record

Note that if you already have an existing record for SPF, you need to make a few changes to incorporate Office 365 SPF. If you add multiple SPF records to your domain it can invalidate the protocol. 

  • Make a list of IP addresses used by external servers

This should include ip4 and ip6 mechanisms for the external email-sending servers that participate in email transfer on your behalf.

  • Assemble the SPF handling domains for your third-party ESPs

This should include third-party email vendors (e.g. Microsoft Office 365) that you may be using to send out marketing emails.

TXT record syntax for Office 365 SPF

Given below is a list of SPF includes and IP addresses pertaining to the services that you have signed up for on Office 365: 

  • For Exchange Online users

include:spf.protection.outlook.com

 
  • For Exchange Online users (dedicated only):

ip4:23.103.224.0/19

ip4:206.191.224.0/19

ip4:40.103.0.0/16

include:spf.protection.outlook.com

 
  • For Office 365 Germany (Microsoft Cloud Germany only)

include:spf.protection.outlook.de

 

Creating your record for Office 365 SPF

Step 1: Create an SPF record for Office 365 using an SPF record generator

Case 1: All your emails are routed via Office 365

If you do not use any external third-party email services and route all your emails via Office 365, your SPF record will have the following syntax: 

v=spf1 include:spf.protection.outlook.com -all

 

The -all mechanism denotes SPF hardfail for emails that do not pass the SPF check (emails that fail SPF will not be delivered) and is the recommended mechanism for protection against spoofing.

Case 2: You use several other third-party email services along with Office 365

In case you use other email vendors to send out emails on behalf of your organization, you need to include them in your domain’s SPF record as well. Considering you’re using a third-party service known as SmartMails.org with an SPF-handling domain such as spf.smartmails.com, your SPF record will have the following syntax: 

v=spf1 include:spf.smartmails.com include:spf.protection.outlook.com -all

 

Note: Don’t create separate DNS records for third parties. 

Add the SPF record for Office 365

  • Access your DNS management console 
  • Paste the record 

Type: TXT

TTL: 1 hour

Host: @ 

Value: v=spf1 include:spf.protection.outlook.com -all

  • Save changes to your record
  • Wait for 24 hours (or more depending on your DNS provider) to activate the protocol.
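
Once the record is live, the rules above (one SPF record per domain, the Office 365 include present, a closing -all, third parties merged into the same record) can be checked mechanically. The following is an added example, not part of the original course material: the function names and sample TXT values are constructed, and it assumes you pass in the unquoted TXT strings returned by a DNS lookup for your domain.

```python
# Added example: audit the TXT strings published at a domain against the
# SPF rules on this page. All sample records below are constructed.
O365_INCLUDE = "include:spf.protection.outlook.com"

def spf_records(txt_records):
    """Keep only the TXT strings that are SPF records (version tag v=spf1)."""
    return [r.strip() for r in txt_records
            if r.strip().lower().split(" ", 1)[0] == "v=spf1"]

def audit_spf(txt_records, required=(O365_INCLUDE,)):
    """Return a list of findings; an empty list means no problem was found."""
    records = spf_records(txt_records)
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        # Several v=spf1 records on one name invalidate SPF for the domain.
        return [f"{len(records)} SPF records found; merge them into one"]
    terms = records[0].lower().split()[1:]
    findings = [f"missing {inc}" for inc in required if inc.lower() not in terms]
    last = terms[-1] if terms else "(nothing)"
    if last != "-all":
        findings.append(f"record ends in '{last}', expected '-all'")
    return findings

def add_include(record, domain):
    """Add include:<domain> to an existing record instead of a second record."""
    terms = record.split()
    inc = f"include:{domain}"
    if inc.lower() in (t.lower() for t in terms):
        return record
    # Insert before the 'all' mechanism: terms after it are never evaluated.
    pos = next((i for i, t in enumerate(terms)
                if t.lstrip("+-~?").lower() == "all"), len(terms))
    return " ".join(terms[:pos] + [inc] + terms[pos:])

# Constructed TXT record sets for three situations.
GOOD = ["site-verification=constructed", "v=spf1 include:spf.protection.outlook.com -all"]
SPLIT = ["v=spf1 include:spf.protection.outlook.com -all",
         "v=spf1 include:spf.smartmails.com -all"]
SOFT = ["v=spf1 include:spf.smartmails.com ~all"]

if __name__ == "__main__":
    for name, txt in (("GOOD", GOOD), ("SPLIT", SPLIT), ("SOFT", SOFT)):
        print(name, audit_spf(txt) or "ok")
    print(add_include(GOOD[1], "spf.smartmails.com"))
```
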