How to configure the SPF record for Microsoft 365
The SPF (Sender Policy Framework) record defines which servers are authorized to send email for your domain and helps reduce spoofing. For Microsoft 365, you just need to publish a TXT record that references the Microsoft service.
Quick steps
- Log in to your domain’s DNS manager at your registrar or DNS provider.
- Create (or edit) a TXT record for the root host of the domain (host name “@” or leave the Name field empty).
- Enter the following value: v=spf1 include:spf.protection.outlook.com -all
- Set the TTL (e.g., 3600 seconds) or leave the default value.
- Save the changes.
Recommended value
Type: TXT
Host/Name: @
Value: v=spf1 include:spf.protection.outlook.com -all
TTL: 3600 (suggested)
Verification and propagation
After saving, allow DNS propagation (typically 15–60 minutes, up to 24–48 hours in some cases) and verify the record is visible.
- Use online DNS tools or the command: nslookup -type=TXT yourdomain.tld
- Ensure there is only one SPF record for the domain.
Attention
- If you also send mail from other services or IPs (e.g., third-party systems, printers, on‑prem servers), extend the SPF by adding the appropriate includes or ip4/ip6 mechanisms, avoiding multiple SPF records.
- Using -all enforces a strict policy (reject). During a transition you may use ~all (softfail) and later switch to -all.
- SPF allows a maximum of 10 DNS lookups: avoid excessive include chains.
