Ensure your SPF Record is Correct

Update: Feb 26, 2015 - A great post about Office 365 SPF checks was recently written by one of our program managers, which I would highly recommend reading: How Office 365 does SPF checks for customer-to-customer mail

 

I've recently seen an increase in cases that involve incorrectly published SPF records that have resulted in sent mail failing the SPF check. Ensuring your SPF record is up to date is great proactive work that can help prevent issues with SPF checks. In this article I'm going to go over how to properly set your SPF record if you are using Exchange Online or Exchange Online Protection.

There is also a common mistake that organizations sometimes make in their SPF record when they are smart hosting mail out through EOP which I will also highlight.

 

How does SPF Work?

SPF is a DNS TXT record that is published for a domain. This record lists all of the devices (typically by IP, but there are other options) that are allowed to send mail on behalf of the domain. An SPF record can end in one of the following.

~all = If the SPF check fails, the result is a soft failure. Some mail systems may mark a message as spam if it has soft failed an SPF, but typically not.

-all = If the SPF check fails, the result is a hard failure. Most mail systems will mark an inbound message as spam if the SPF check results in a hard failure.

?all = If the SPF check fails, the result is neutral. This is typically used for SPF testing and not typically used for production domains.

SPF is designed to help prevent spoofing. There are spoofing techniques that SPF cannot protect against, and this is where DMARC and DKIM come in. I'll be writing an article soon about these technologies.

In EOP, if you would like inbound messages that hard fail an SPF check to be marked as spam, you can enable the following option in your content filter.

One way to view the SPF record of a domain is to type the following in a command window (replace <domain> with the domain name and remove the angle brackets).

nslookup -type=txt <domain>

 

Configure your SPF Record

If you subscribe to Exchange Online and ONLY send mail out of the cloud mailboxes, your SPF record will probably look as follows.

v=spf1 include:spf.protection.outlook.com -all

If you are in a hybrid setup or use EOP without cloud mailboxes, you will need to add the IPs of your on-premises edge mail servers to your SPF. In these situations, if outbound mail is being smart hosted through EOP, your SPF will probably look as follows. Here, 10.0.0.1 and 10.0.0.2 represent the IPs of the on-premises edge servers.

v=spf1 ip4:10.0.0.1 ip4:10.0.0.2 include:spf.protection.outlook.com -all

This next bit is very important. If you only take one thing away from this article, it should be this next paragraph.

Even if you smart host all of your outbound mail through EOP, you will still need to add your on-premises mail servers to your SPF record to ensure receiving partners SPF checks don't fail against your domain. I have seen some cases where organizations that smart host all of their outbound mail through EOP do not add their on-premises IPs to their SPF record and this has resulted in some SPF failures. It is very important that all devices that send mail on behalf of your domain are included in your SPF record, even if they smart host their outbound mail through EOP.
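To make the consequence of that mistake concrete, here is a small SPF evaluator I added for this article (it is not the author's code and not how EOP implements its check). It handles only the ip4, include and all mechanisms used in the records above, and it reads records from a constructed in-memory table instead of DNS; the contents of spf.protection.outlook.com and the domain names are stand-ins, not the real published records.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (no network access).
# The real spf.protection.outlook.com record is different; this is illustrative.
FAKE_DNS = {
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",
    # Correct hybrid record: on-premises edge IPs plus the EOP include.
    "example.com": "v=spf1 ip4:10.0.0.1 ip4:10.0.0.2 include:spf.protection.outlook.com -all",
    # The common mistake: smart hosting through EOP but omitting the edge IPs.
    "broken.example": "v=spf1 include:spf.protection.outlook.com -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, resolver=FAKE_DNS, depth=0):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror)
    for a message claiming `domain`, delivered from `sender_ip`."""
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10 per check
        return "permerror"
    record = resolver.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]  # the "all" term decides the outcome
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: matches only if the included record yields "pass"
            if check_spf(term[8:], sender_ip, resolver, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term was present


if __name__ == "__main__":
    for domain in ("example.com", "broken.example"):
        # 10.0.0.1 is an on-premises edge server; 203.0.113.5 is an EOP egress IP here
        print(domain, check_spf(domain, "10.0.0.1"), check_spf(domain, "203.0.113.5"))
```

Mail leaving the on-premises edge server at 10.0.0.1 passes against example.com but hard fails against broken.example, which is exactly the failure the paragraph above describes.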

 

Resources

How Office 365 does SPF checks for customer-to-customer mail
Customize an SPF record to validate outbound email sent from your domain

Comments

  • Anonymous
    January 01, 2003
    Hi TecHMSP, not that it means much from me, but apologies for the problems it caused you. We recently published a new article on how EOP checks SPF for O365 customer to O365 customer mail flow. See http://blogs.msdn.com/b/tzink/archive/2015/02/26/how-office-365-does-spf-checks-for-customer-to-customer-mail.aspx.
  • Anonymous
    February 07, 2015
    Thanks
    very interesting refresh on spf
    waiting for next articles about DMARC and DKIM
  • Anonymous
    February 23, 2015
    Thanks for changing the way EOP works without notifying any of your customers. I was having a lot of mail flow issues due the fact the email headers now report my internal IP as the sending IP instead of EOP.
  • Anonymous
    February 24, 2016
    Hi, I followed exactly the steps you outlined here and the result is...sometimes SPF passes, other times (most times), it fails. Can it be made to pass every time? Thanks. Regards, Tekena
  • Anonymous
    November 17, 2017
    That screenshot of the SPF dropdown is useless. Where is it located? "In EOP" is not really helpful.
    • Anonymous
      November 24, 2017
      Hi Oliver. In the Exchange Online portal, select "Protection" on the left of the page, and then select "Spam Filter." Edit one of the spam filters and select "advanced options." On this page you will find the SPF drop down list.