What Is SPF, Why Is It Important, and How to Set It Up in Microsoft 365?

  • Jatin 

Protect your email reputation and deal with email spoofing by setting up an SPF (Sender Policy Framework) record. It's a type of DNS record that tells the recipient's mail host which mail servers are authorized to send email from your domain name, making it more difficult for someone to spoof your email address in order to impersonate you.

This is all about your email deliverability. It's time to learn the basics of SPF records: we're going to delve into what SPF is, what the benefits of implementing it are, how to further protect your email-sending domains with DKIM and DMARC, and how to set it up in Microsoft 365.

What is Sender Policy Framework (SPF)?

In simple terms, Sender Policy Framework (SPF) is an email authentication protocol that domain owners use to specify the email servers they send email from, making it harder for fraudsters to spoof sender information. It is a security mechanism created to prevent the bad guys from sending emails on your behalf. SPF is a protocol that helps to reduce spam via email.

How Does an SPF Record Work?

Let's say a sender (Sarah) sends an email to a receiver (James). How does James's mail server know that the email was in fact sent by Sarah? The problem is, it doesn't really, unless you have an SPF record published in your domain's DNS.

SPF defines which IP addresses can be used to send emails from your domain. So let’s imagine two possible server “conversations”. To make it all easier, let’s assume your name is Sarah.

Scenario 1 – You don’t have SPF set up.

Sarah's server: Hey, James's server. I've got a new message from Sarah.
James's server: Hi, Sarah's server. What's your SPF?
Sarah's server: Yeah, about the SPF... Who cares, really. I don't have one. Trust me, it's from Sarah.
James's server: If you don't have SPF, I can't be sure it was Sarah who sent this. Give me Sarah's allowed IPs, so I can compare them with yours.
Sarah's server: I don't have the list of Sarah's allowed IPs.
James's server: Then I don't want your message. Delivery denied.

Scenario 2 – You do have SPF set up.

Sarah's server: Hey, James's server. I've got a new message from Sarah.
James's server: Hi, Sarah's server. What's your SPF?
Sarah's server: There you go, here's my SPF. There's a whole list of IPs that Sarah herself declared as the ones which can be used on her behalf.
James's server: Ok, let me see… And the message you have for me was sent from your IP address. Ok, it's on the list. Everything looks fine. Gimme the message, I'll show it to James. Thanks!


Why Is an SPF Record Important?

  • Improves domain reputation and email deliverability. SPF protects your emails so that spammers cannot use your domain to send spam. This keeps your domain off blacklists and improves its overall deliverability.
  • Your brand reputation is protected by preventing domain impersonation and spoofed emails. SPF records prevent email spoofing by verifying the IP address of the sender against the list authorized by the domain owner.
  • With SPF email policies in place, you give your domain a positive reputation and show your commitment to email security to other servers and blacklist sites. Your outbound emails will be less likely to be flagged as spam, and you will gain a better reputation inside firewalls and other cybersecurity databases.
  • SPF is a foundational method of email authentication for DMARC.

How Is SPF Related to DKIM and DMARC?

SPF, DKIM, and DMARC support a range of email authentication options. Their features complement each other.

SPF enables senders to specify which IP addresses can send mail for a particular domain.

DKIM uses cryptographic digital signatures so that a receiver can verify that an email message has not been altered or forged.

DMARC combines SPF and DKIM authentication into a common framework in which domain owners declare how emails from their domains should be handled when they fail an authentication test.

How to set up SPF record on Microsoft 365 step by step?

Step 1: Sign in to the M365 Admin Center.

Step 2: Go to Settings > Domains and click on the domain you are configuring the SPF record for.

Step 3: Click on the DNS records tab. Further down, there are three records for Exchange Online: MX, TXT and CNAME. In this instance we are looking at the TXT record, which is the SPF record for Exchange Online.

Step 4: Click on the TXT record. M365 already has an SPF record configured for the domain, as below:

| Type | Name | Value | TTL |
|------|------|-------|-----|
| TXT | @ | v=spf1 include:spf.protection.outlook.com -all | 1 Hour |

The example above is the most common SPF TXT record. This record works for just about everyone, regardless of whether your Microsoft datacenter is located in the United States, or in Europe (including Germany), or in another location.

Here’s a quick break down of what the above values mean:

| If you're using | Common for customers? | Add this… |
|-----------------|-----------------------|-----------|
| Any email system (required) | Common. All SPF TXT records start with this value | v=spf1 |
| Exchange Online | Common | include:spf.protection.outlook.com |
| Any email system (required) | Common. All SPF TXT records end with this value | This can be one of several values. Microsoft recommends the value -all. |

Step 5: Note down all the above record details; we will need them to update the domain registrar's DNS settings.

Step 6: Log in to your DNS provider and create a new TXT record. I am using Cloudflare, so I will add the record as below:

Cloudflare: TXT Record for SPF

The change can take up to 24 hours, but most of the time, this will resolve within 5-15 minutes.

Here’s how to set up SPF for the most common domain hosts:

How to verify SPF record is enabled and working?

We have multiple options to verify SPF records and they are as below:

Option 1: Using Microsoft 365 Tenant:

Log in to the M365 portal, go to Settings > Domains and click on the domain you are configuring the SPF record for. Click on DNS records and press Refresh. The TXT record's status will change to OK with a green tick.

Click on the TXT record and it will show the record as Correct.


Option 2: Using third party websites as below to verify:

MXToolBox SPF Tool: The SPF Record Check is a diagnostic tool that acts as a Sender Policy Framework (SPF) record lookup and SPF validator. This test will look up an SPF record for the queried domain name, display the SPF record (if found), and run a series of diagnostic tests (SPF validation) against the record, highlighting any errors found with the record that could impact email delivery.

DMARC Analyser Tool: DMARC Analyzer is a pure play DMARC specialist with over 15 years of email deliverability experience.
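
A local check to complement the options above, as an added example (not code from the original article or from Microsoft): it lints the TXT strings published for a domain against the record structure described in Step 4. The function name and sample records are constructed for illustration; the limit of 10 DNS lookups and the rule that a domain may publish only one SPF record come from RFC 7208.

```python
# Terms that each cost one DNS lookup during evaluation; RFC 7208 allows
# at most 10 per SPF check (lookups inside included records count too,
# so this top-level count is a lower bound).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
M365_INCLUDE = "include:spf.protection.outlook.com"  # value from Step 4

# Constructed sample input: TXT strings as a lookup for the domain would
# return them, with surrounding quotes already removed.
GOOD = ["MS=ms00000000", "v=spf1 include:spf.protection.outlook.com -all"]
WEAK = ["v=spf1 ip4:192.0.2.1 ~all"]


def lint_spf(txt_records):
    """Return a list of problems found in a domain's TXT records."""
    spf = [r.strip() for r in txt_records
           if r.lower().split(None, 1)[:1] == ["v=spf1"]]
    if not spf:
        return ["no TXT record starting with v=spf1"]
    if len(spf) > 1:
        return ["%d SPF records published; only one is allowed" % len(spf)]
    terms = spf[0].lower().split()[1:]
    problems = []
    if M365_INCLUDE not in terms:
        problems.append("missing " + M365_INCLUDE)
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        problems.append("no 'all' mechanism at the end")
    else:
        if terms[-1] != all_terms[0]:
            problems.append("terms after 'all' are ignored")
        if all_terms[0] != "-all":
            problems.append("ends with %s, not the recommended -all" % all_terms[0])
    lookups = 0
    for t in terms:
        # Strip qualifier, then cut at ':', '=' or '/' to get the term name
        name = t.lstrip("+-~?").replace("=", ":").split(":")[0].split("/")[0]
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        problems.append("%d DNS-lookup terms exceed the limit of 10" % lookups)
    return problems
```

An empty list means the record matches what Microsoft 365 expects; each string in a non-empty list names one thing to fix at the DNS provider.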

Final Thoughts:

In this post you learned how to configure the SPF record in Office 365. This is just the initial step towards securing and improving domain reputations and email delivery.

Furthermore, SPF does have limitations. As a result, you should not rely solely on it to provide email security. You should also use DKIM and DMARC records to ensure that your messages are protected on multiple fronts; we will cover this in a coming article.

If this article helped you or if you have further suggestions, please feel free to comment below 🙂
