How to Configure Office 365 SPF Record

When you want to use your own domain name in Office 365 you will need to create an SPF record. SPF, together with DKIM and DMARC helps to prevent spoofing of your mail domain.

SPF is the first line of defense in this and is required by Microsoft when you want to use a custom domain instead of the domain. You will need to create an SPF record for each domain or subdomain that you want to send mail from.

In this article, I am going to explain how to create an Office 365 SPF record.

SPF Record

An SPF record is used to identify which mail servers (or systems) are allowed to send mail on your behalf. So before we can create the SPF record we first need to know which systems are sending mail on behalf of your domain, besides Office 365.

Think of your scanners that send email to external contacts, (web)applications, newsletters systems, etc.

You will first need to identify these systems because if you don’t include them in the SPF record, mail sent from those systems will be listed as spam.

SPF Record Structure

The SPF Record is structured in such a way that you can easily add or remove mail systems to or from the record.

The 6 commonly used elements in an SPF record are:

v=spf1Every SPF record starts with this
aMatch all domain name records (A and AAAA)a
MXMatch all listed MX records. So only the listed mail servers are allowed to send mailmx
include:A domain name that is allowed to send mail on behalf of your domain
ip4: or ip6:Ip address that is allowed sending mail on behalf of your domainip4: or complete range: ip4:
Enforcement ruleIndicates what to do with mail that fails-all
SPF Record Elements

You can add as many include: or ip4: elements to your SPF record as you need. The enforcement rule indicates what the receiving mail system should do with mail sent from a server that isn’t listed in the SPF record.

Normally you use the -all element which indicates a hard fail. Other options are:

  • ~all – Soft fail. Used when you are not sure that you have listed all mail systems
  • ?all – Ignore. Only used for testing.

SPF Record Example

I will give you a couple of examples of SPF records, so you have an idea of how they look when you combine different applications.


Sending only mail from Office 365

v=spf1 -all

Example 2

  • Sending mail for on-premise systems – public IP Address
  • Office 365
  • Sending mail from MailChimp (newsletters service)
  • hard fail
v=spf1 ip4: -all

Create Office 365 SPF Record

When you have created a new Office 365 tenant and your subscription includes Exchange Online or Teams, then you will need to add a couple of DNS records. Included in those records is the Office 365 SPF Record.

We are going to start with looking up the DNS records that Microsoft 365 is expecting and then add the correct SPF record to our DNS hosting provider:

  1. Open the Microsoft 365 Admin Center

    First, we are going to check the expected SPF record in the Microsoft 365 Admin center. Login at

  2. Navigate to your domain

    – Expand Settings and select Domains
    Select your custom Domain (not the <companyname> domain

    Domain Office 365

  3. Lookup the SPF Record

    Click on the DNS Records tab.

    If you have bought a license that includes Exchange Online then the required Office 365 SPF record will be shown here

    Office 365 SPF Record

  4. Copy the SPF value

    Click on the TXT (SPF) record to open it.

    This allows you to copy the TXT value and also check if your domain already has an SPF record (it will be listed as Invalid Entry). Continue at Step 7 if you already have an SPF record

    Copy Record

  5. Go to your DNS Hosting Provider

    I am using Cloudflare, if you don’t know how to change or add DNS records, then contact your hosting provider.

  6. Create SPF record

    Add a new Record
    – Select Type: TXT
    – Name/Host: @
    – Content/Value: v=spf1 -all (or copy paste it from Microsoft 365 ( step 4 ))
    – Click Save

    Continue at Step 8
    Create SPF Record

  7. Update SPF Record

    If you already have an SPF record, then you will need to edit it. As you can see in the screenshot below, Microsoft has already detected an existing SPF record, marking it invalid.

    We can safely add to our SPF record.

    In your DNS Hosting Provider, look up the SPF record, and click edit.

    – Add before the -all element

    So in this case it would be:

    v=spf1 ip4: -all

    Invalid SPF Record

  8. Refresh the DNS page

    It can take a couple of minutes up to 24 hours before the change is applied. Refresh the DNS records page in Microsoft 365 Admin Center to verify the settings.

    The status of the TXT record will be listed as Ok when you have configured it correctly.

    spf office 365

Verify SPF Record

The Microsoft 365 Admin Center only verifies if is included in the SPF record. But it doesn’t verify or list the complete record.

A great toolbox to verify DNS-related records is MXToolbox. This tool checks your complete SPF record is valid.

verify SPF Record

Wrapping Up

To be able to send mail from Office 365 with your own domain name you will need to have SPF configured. Make sure that you include all mail systems in your SPF record, otherwise, mail sent from these systems will be listed as spam messages.

It’s a good idea to configure DKIM after you have configured SPF. DKIM is the second step in protecting your mail domain against spoofing and phishing attempts.

If you have any questions, just drop a comment below.

6 thoughts on “How to Configure Office 365 SPF Record”

  1. I’m seeing email from office365 that comes from that isn’t in the record … is there a more complete record we should be using?

  2. Must i include the RFC Adresses for local Clients
    like ipv4:
    or depends that on the behaviour of my email-relay/server ?

  3. Dear Ruud,
    Very helpful, but perhaps there is a simplified guidance for folks like me who just want to make sure gmail users will receive their teams meeting invitations made through groups in Outlook using a microsoft business account and own domain.

  4. Great article.
    Keep in mind, that SPF has a maximum of 10 DNS lookups.
    If you go over that limit with your include, a-records an more, mxtoolbox will show up an error!

Leave a Comment