How does SPF work?
An SPF (Sender Policy Framework) record is a type of DNS TXT record that specifies which mail servers are authorized to send emails on behalf of a domain. SPF helps prevent email spoofing (when an attacker forges an email to make it look like it’s coming from a legitimate domain).
When an email is sent from a domain with an SPF record, the receiving mail server checks the SPF record to see if the sending server’s IP address is authorized to send email for that domain. If the sending server is listed in the SPF record, the email passes the SPF check. If it’s not listed, the email may be flagged as spam or rejected.
SPF record syntax
Each subdomain that you use to send email from Microsoft 365 requires its own SPF TXT record.
Expected syntax:
- v=spf1: indicates the version of SPF being used
- include: specifies other domains or services (for example spf.protection.outlook.com) whose servers are allowed to send on behalf of your domain
- ip4: or ip6: if you want to add a list of specific IP addresses that are allowed to send emails
- -all: specifies how to handle emails that don’t match any authorized server. -all is a “fail” qualifier, meaning unauthorized emails should be rejected.
Example:
If you own yourdomain.com and only want Microsoft’s servers to send emails on your behalf, you would add an SPF record like this:
v=spf1 include:spf.protection.outlook.com -all
This would tell receiving servers to only accept emails from Microsoft’s authorized servers and reject all others.
DNS records can take time to propagate across different servers. Before seeing a change in Office Protect, you might have to wait a few hours (or up to 24–48 hours in some cases) after updating your SPF records, as it may take time for the changes to be consistently recognized across all DNS servers.
Set up SPF to identify valid email sources for your Microsoft 365 domain
Office Protect alert
You might receive a health status decline alert if:
- Your SPF record (v=spf1) does not include spf.protection.outlook.com on one or more of your domains.
Remediation: add the missing SPF record. In Microsoft, you can do so from the Microsoft admin center portal > Settings > Domains > Click on your domain > DNS Records.
- The syntax of your SPF record is invalid on one or more of your domains.
Remediation: check your current SPF record, validate the syntax (you can use SPF syntax validator tools), and update your SPF record with the correct syntax.
- The domain is no longer registered (this can happen if payment for the domain registration fails), or you no longer own the domain.
Remediation: make sure you still own the domain, or if you don't, remove the verified domain from the tenant in the Microsoft admin center portal > Settings > Domains.
- You frequently receive alternating health status declined / improved alerts (flickering) on a tenant: chances are that your different DNS servers do not serve the same values for your SPF records.
Remediation: make sure your SPF records are configured the same way on your different authoritative DNS servers, for each of your domains.
The Office Protect team is actively working on distinguishing flickering from other critical states, to avoid alerting you repeatedly.
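As an added example (not code from the original article or from Office Protect), the check described above in Python: the decision a receiving server reaches for a sender IP against a record, plus the two record-level alert conditions listed above (missing spf.protection.outlook.com include, invalid syntax). It uses a constructed table in place of DNS TXT lookups and handles only the mechanisms this page lists (all, include:, ip4:, ip6:); a record using a, mx or redirect= would be reported as invalid.

```python
import ipaddress
# Constructed stand-in for DNS TXT lookups (domain -> record) so this runs offline.
SAMPLE_TXT = {
    "yourdomain.com": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
# Qualifier -> result; a bare mechanism means "+", i.e. pass.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
def parse_spf(record):
    """Return (qualifier, mechanism, argument) tuples; ValueError on bad syntax."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qual, body = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        mech, _, arg = body.lower().partition(":")
        if mech not in ("all", "include", "ip4", "ip6") or (mech == "all") != (arg == ""):
            raise ValueError(f"unrecognised term {term!r}")
        if mech in ("ip4", "ip6"):
            ipaddress.ip_network(arg, strict=False)  # raises on a malformed address
        parsed.append((qual, mech, arg))
    return parsed

def check_ip(domain, sender_ip, txt=SAMPLE_TXT, depth=0):
    """What a receiving server decides for sender_ip claiming to send as domain."""
    if depth > 10 or domain not in txt:
        return "none"  # no record (or too many nested includes): no policy applies
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(txt[domain]):
        if mech == "all":
            matched = True
        elif mech == "include":  # matches only if the included record passes
            matched = check_ip(arg, sender_ip, txt, depth + 1) == "pass"
        else:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        if matched:
            return RESULT[qual]
    return "neutral"  # no mechanism matched and no trailing "all"

def office_protect_issues(domain, txt=SAMPLE_TXT):
    """Reproduce the two record-level alert conditions described above."""
    try:
        includes = [a for _, m, a in parse_spf(txt.get(domain, "")) if m == "include"]
    except ValueError as e:
        return [f"invalid or missing SPF record: {e}"]
    if "spf.protection.outlook.com" not in includes:
        return ["SPF record does not include spf.protection.outlook.com"]
    return []
```

Running `office_protect_issues` against each authoritative DNS server's answer separately (rather than one resolver) is how you confirm the flickering case: the results should be identical on every server.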
Resources
DNS lookup tools to check your SPF record:
- https://www.nslookup.io/domains/[yourdomain.com]/dns-propagation/txt/
- https://mxtoolbox.com/spf.aspx