Set Up SPF to Identify Authorized Email Sources in Microsoft 365
The Sender Policy Framework (SPF) is an email authentication method that helps prevent spoofing and phishing by specifying which servers are allowed to send emails on behalf of your domain. In Microsoft 365, properly setting up SPF is critical for protecting your organization against business email compromise and other threats.
SPF for Microsoft Online Email Routing Address (MOERA)
If you're using only the default Microsoft 365 domain (yourdomain.onmicrosoft.com), you don't need to configure SPF manually. Microsoft owns and manages the DNS settings for onmicrosoft.com and its subdomains.
For more information, see the article: Why you have an onmicrosoft.com domain.
SPF for Custom Domains
If you're using one or more custom domains (e.g., contoso.com) for email, you must manually add a TXT SPF record to your domain's DNS.
This enables recipient mail servers to verify that emails sent from your domain are from authorized sources (Microsoft 365).
SPF Record Syntax for Microsoft 365
The TXT record must be formatted correctly. Here’s the standard syntax recommended by Microsoft:
v=spf1 include:spf.protection.outlook.com -allThis record indicates that Microsoft 365 is the authorized sender. The -all qualifier instructs servers to reject messages sent from unauthorized sources.
SPF Troubleshooting
- Verify that the SPF TXT record is correctly published in your domain's DNS.
- Ensure you have only one SPF record per domain.
- Use an SPF checking tool to validate your configuration.
Next Steps After Setup
- Monitor alerts and system reports to confirm correct email authentication.
- Combine SPF with DKIM and DMARC for enhanced protection.
For full details, refer to the official Microsoft article: Set up SPF in Microsoft 365 to prevent spoofing.
