Customize an SPF Record to Validate Outbound Email Sent from Your Domain

Applies to: Exchange Online Protection (EOP), Exchange Online

You use SPF records so that destination email systems trust messages sent from your domain. The SPF record is important because it lets those systems confirm that messages from your domain originate from the messaging servers that support the cloud-based service.

What is an SPF record?

An SPF (Sender Policy Framework) record is a text (TXT) record that uses the Sender ID Framework. The Sender ID Framework is an email authentication protocol that helps prevent spoofing and phishing by verifying the domain name from which email messages are sent. Sender ID validates the origin of email messages by verifying the IP address of the sender against the alleged owner of the sending domain.

Domain administrators publish SPF records in DNS. The SPF record identifies authorized outbound email servers. Destination email systems verify that messages originate from authorized outbound email servers. For more information, see Sender ID.

When you set up your service, you created an SPF record at your DNS provider that identifies the Microsoft messaging servers as a legitimate source of mail for your domain. For example:

v=spf1 include:spf.protection.outlook.com -all

Customizing your SPF record

If you have a hybrid deployment, or if you’re an Exchange Online Protection (EOP) stand-alone customer (meaning that your organization currently uses EOP to protect your on-premises mailboxes), you can add the IP address for your on-premises server to the TXT record.

For example, if the IP address of your Exchange server is 192.168.0.1, the TXT record would have the following value:

v=spf1 ip4:192.168.0.1 include:spf.protection.outlook.com -all

If you have multiple outbound mail servers, include the IP address of each mail server in the TXT record. Prefix each IP address with “ip4:” and separate the entries with a space. For example:

v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 ip4:192.168.0.3 include:spf.protection.outlook.com -all

The maximum number of DNS lookups for the SPF record is 10. Adding IP addresses enables recipients to avoid DNS lookups.

Tips

  • If you are using IPv6 IP addresses, replace “ip4” with “ip6” in the above examples. You can also specify IP address ranges using CIDR notation, for example “ip4:192.168.0.1/26”.
  • If you know all of the authorized IP addresses, add them and use the -all (Fail) qualifier. If you are not sure that you have the complete list of IP addresses, use the ~all (SoftFail) qualifier.
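
The following Python function is an added example, not Microsoft's code or part of the original page. It checks an SPF TXT value offline for the points covered above: terms that count toward the limit of 10 DNS lookups, ip4/ip6 syntax and the effective CIDR range, and the result of the all qualifier. The name lint_spf and the sample records are constructed for illustration, and lookups inside include: targets are not followed.

```python
import ipaddress

# Terms that cost the receiver a DNS query and count toward the limit of 10 (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def lint_spf(record):
    """Check one SPF TXT value offline; lookups inside include: targets are not followed."""
    report = {"lookups": 0, "all": None, "networks": [], "problems": []}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        report["problems"].append("record must start with v=spf1")
        return report
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term.lstrip("+-~?")
        name, sep, value = body.partition(":")
        is_modifier = not sep and "=" in body          # e.g. redirect=, exp=
        if is_modifier:
            name, _, value = body.partition("=")
        name = name.split("/")[0].lower()              # "mx/24" -> "mx"
        if report["all"] and not is_modifier:
            report["problems"].append(f"{term}: placed after 'all', never evaluated")
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                report["problems"].append(f"{term}: not a valid address or CIDR range")
                continue
            if net.version != int(name[2]):
                report["problems"].append(f"{term}: address family does not match {name}")
            report["networks"].append(str(net))        # host bits masked off
        elif name == "all":
            report["all"] = QUALIFIERS[qualifier]
        elif name in LOOKUP_TERMS:
            report["lookups"] += 1
        elif not is_modifier:                          # unknown modifiers are ignored
            report["problems"].append(f"{term}: unknown mechanism")
    if report["lookups"] > 10:
        report["problems"].append(f"{report['lookups']} DNS lookups, limit is 10")
    if report["all"] in ("Pass", "Neutral"):
        report["problems"].append("'all' does not reject or flag unlisted senders")
    return report

# Constructed sample values, modelled on the records shown on this page.
if __name__ == "__main__":
    for sample in ("v=spf1 ip4:192.168.0.1/26 include:spf.protection.outlook.com -all",
                   "v=spf1 ip4:192.168.0.1 ip4:192.168.0.300 \u2013all"):
        print(sample, "->", lint_spf(sample))
```

The second sample contains an out-of-range octet and a qualifier typed as an en dash instead of a hyphen, a common result of pasting a record from a word processor; both are reported as problems and no all result is recorded.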

Comments
  • Doesn't advise if I use Office365 online to add an SPF address
