Add this TXT record to your domain's DNS: v=spf1 include:spf.protection.outlook.com ~all. This authorizes Microsoft 365 Exchange Online servers to send email for your domain. If you have other senders, combine them: v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all. Verify with MXToolbox or dig after DNS propagation.
SPF for Microsoft 365: Complete Setup Guide
The Microsoft 365 SPF Record
For Microsoft 365 (Office 365), use this SPF include:
include:spf.protection.outlook.com
If Microsoft 365 is your only email sender:
v=spf1 include:spf.protection.outlook.com ~all
This authorizes all Microsoft Exchange Online servers to send email for your domain.
Step 1: Check for Existing SPF
Before adding a record, check if one exists:
dig TXT yourdomain.com +short | grep spf
Or use MXToolbox SPF Lookup.
If you have an existing record: Modify it to add Microsoft's include. Don't create a second SPF record; a domain with more than one v=spf1 record fails SPF evaluation with a permanent error.
If no record exists: Create a new TXT record.
Step 2: Add the DNS Record
Add a TXT record at your domain's root:
| Field | Value |
|---|---|
| Host/Name | @ or blank |
| Type | TXT |
| Value | v=spf1 include:spf.protection.outlook.com ~all |
| TTL | 3600 (or default) |
Azure DNS
- Go to your DNS zone
- Add record set
- Type: TXT
- Name: @
- Value:
v=spf1 include:spf.protection.outlook.com ~all
GoDaddy
- DNS Management → Add
- Type: TXT
- Host: @
- TXT Value:
v=spf1 include:spf.protection.outlook.com ~all
Cloudflare
- DNS → Add record
- Type: TXT
- Name: @
- Content:
v=spf1 include:spf.protection.outlook.com ~all
Step 3: Combining with Other Senders
Most organizations use Microsoft 365 alongside other services. Combine includes:
Microsoft 365 + SendGrid:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all
Microsoft 365 + Mailchimp:
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ~all
Microsoft 365 + Salesforce + HubSpot:
v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com include:_spf.hubspot.com ~all
Practitioner note: Microsoft's SPF is more efficient than Google's—typically 2-3 lookups versus 3-4. This gives you slightly more room when combining with other ESPs. Still, always verify total lookup count before publishing.
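Steps 1 to 3 amount to one rule: publish a single SPF record and merge Microsoft's include into whatever is already there. The sketch below is an added example, not code from Microsoft or from this guide's author; the function names and the sample TXT values are constructed for illustration.

```python
M365 = "include:spf.protection.outlook.com"

def current_spf(txt_records):
    """Return the domain's single SPF record, or None if it has none."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        raise ValueError("more than one v=spf1 record; merge them into one")
    return spf[0] if spf else None

def is_terminal(term):
    """True for the terms that end a record: any 'all' or a redirect."""
    t = term.lower()
    return t.lstrip("+-~?") == "all" or t.startswith("redirect=")

def add_m365(txt_records, default_all="~all"):
    """Return the one SPF value to publish so Microsoft 365 is authorized."""
    existing = current_spf(txt_records)
    if existing is None:
        return f"v=spf1 {M365} {default_all}"
    terms = existing.split()[1:]
    if M365 in (t.lower().lstrip("+") for t in terms):
        return existing  # already authorized, nothing to change
    # Insert before the terminal term: mechanisms after 'all' are never evaluated.
    at = next((i for i, t in enumerate(terms) if is_terminal(t)), len(terms))
    terms.insert(at, M365)
    return " ".join(["v=spf1"] + terms)

# Constructed TXT answers, as `dig TXT yourdomain.com +short` lists them (quotes removed).
SAMPLE = ["MS=ms00000000", "v=spf1 include:sendgrid.net ~all"]

if __name__ == "__main__":
    print(add_m365(SAMPLE))
```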
Step 4: Verify in Microsoft 365 Admin Center
Microsoft 365 Admin Center can verify your SPF configuration:
- Go to admin.microsoft.com
- Settings → Domains → Select your domain
- Check the DNS records section
- Look for SPF status—it should show as configured
Note: Microsoft's verification can take up to 72 hours to reflect DNS changes.
Step 5: Test Authentication
Send a test email from your Microsoft 365 account to an external address.
Check headers in the received email:
Authentication-Results: spf=pass (sender IP is xxx.xxx.xxx.xxx)
smtp.mailfrom=yourdomain.com
Look for spf=pass. If you see spf=fail or spf=softfail, verify your DNS record is correct and propagated.
Check in Outlook:
- Open the email
- File → Properties → Internet headers
- Look for Authentication-Results
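The header check from Step 5 can be scripted when you test many mailboxes. This is an added example, not part of the original guide: the message is constructed, the function names are illustrative, and it assumes the topmost Authentication-Results header is the one your receiving server added.

```python
import re
from email import message_from_string

# Constructed message headers, modeled on the sample above (documentation IP).
RAW = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=yourdomain.com; dkim=none (message not signed)
From: Alice <alice@yourdomain.com>
Subject: SPF test

Test body.
"""

def spf_results(raw_message):
    """Return [(result, mailfrom_domain)] per Authentication-Results header, top first."""
    found = []
    headers = message_from_string(raw_message).get_all("Authentication-Results", [])
    for value in headers:
        value = " ".join(value.split())  # unfold continuation lines
        result = re.search(r"\bspf=([a-z]+)", value, re.I)
        if not result:
            continue
        sender = re.search(r"\bsmtp\.mailfrom=([^\s;]+)", value, re.I)
        # smtp.mailfrom may be a bare domain or a full address
        domain = sender.group(1).rsplit("@", 1)[-1].lower() if sender else None
        found.append((result.group(1).lower(), domain))
    return found

def spf_passes_for(raw_message, domain):
    """True only if the topmost header reports spf=pass for the expected domain."""
    results = spf_results(raw_message)
    return bool(results) and results[0] == ("pass", domain.lower())

if __name__ == "__main__":
    print(spf_results(RAW), spf_passes_for(RAW, "yourdomain.com"))
```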
Hybrid Deployments
If you run a hybrid Exchange setup (on-premises + Microsoft 365), you may need additional IP addresses:
v=spf1 include:spf.protection.outlook.com ip4:your.onprem.ip ~all
Replace your.onprem.ip with your on-premises Exchange server's public IP.
For complex hybrid scenarios, Microsoft recommends consulting their hybrid configuration wizard.
Common Issues
"SPF record not found" in Admin Center
DNS propagation can take up to 48 hours. Verify with an external tool like MXToolbox while waiting for Microsoft's check to update.
"Too many DNS lookups"
Microsoft's include uses 2-3 lookups. If you're hitting the 10-lookup limit:
- Audit other includes—remove unused ones
- Replace includes with ip4 where IPs are static
- Consider SPF flattening
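To see which include to trim, count lookups per top-level term. The sketch below is an added example, not the author's tooling: it walks a constructed zone (every record in it is invented, including the stand-in for Microsoft's record) and counts the terms RFC 7208 charges against the limit of 10, assuming the worst case where every term is evaluated.

```python
import re

LIMIT = 10  # RFC 7208: more than 10 DNS-querying terms is a permerror
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?")

# Constructed zone, not real DNS data: every record here, including the
# stand-in for spf.protection.outlook.com, is invented for the example.
ZONE = {
    "example.test": "v=spf1 include:spf.protection.outlook.com include:esp-a.test "
                    "include:esp-b.test include:esp-c.test mx ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 include:nested.m365.test -all",
    "nested.m365.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "esp-a.test": "v=spf1 include:a1.esp-a.test include:a2.esp-a.test include:a3.esp-a.test ~all",
    "a1.esp-a.test": "v=spf1 ip4:203.0.113.0/28 -all",
    "a2.esp-a.test": "v=spf1 ip4:203.0.113.16/28 -all",
    "a3.esp-a.test": "v=spf1 ip4:203.0.113.32/28 -all",
    "esp-b.test": "v=spf1 a mx include:b1.esp-b.test ~all",
    "b1.esp-b.test": "v=spf1 ip4:203.0.113.48/28 -all",
    "esp-c.test": "v=spf1 ip4:203.0.113.64/28 ~all",
}

def term_cost(term, zone, path):
    """Lookups caused by one term, including anything nested beneath it."""
    name, target = TERM.match(term.lower()).groups()
    if name not in QUERYING:
        return 0  # ip4, ip6, all and other modifiers trigger no DNS query
    cost = 1
    if name in ("include", "redirect") and target:
        cost += count_lookups(target, zone, path)
    return cost

def count_lookups(domain, zone, path=()):
    """Worst-case lookup count for a domain's SPF record (every term evaluated)."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if record.lower().split()[:1] != ["v=spf1"]:
        return 0
    return sum(term_cost(t, zone, path + (domain,)) for t in record.split()[1:])

def breakdown(domain, zone):
    """Cost of each top-level term, to show which include to trim first."""
    return {t: term_cost(t, zone, (domain,)) for t in zone[domain].split()[1:]}

if __name__ == "__main__":
    total = count_lookups("example.test", ZONE)
    print(total, "over limit" if total > LIMIT else "ok", breakdown("example.test", ZONE))
```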
Emails still failing SPF
Ensure you're using the correct include: spf.protection.outlook.com
Not:
- outlook.com (wrong)
- microsoft.com (wrong)
- office365.com (wrong)
Third-party applications sending via Microsoft 365
If apps send through Microsoft 365's SMTP relay (smtp.office365.com), they're already covered by the SPF include. No additional configuration needed.
If apps send directly (not through Microsoft 365), add their SPF include or IP.
Practitioner note: The most common Microsoft 365 SPF issue I see is old Office 365 migrations where the original SPF was never updated. Clients have include:sendgrid.net from a marketing tool they set up five years ago but never added include:spf.protection.outlook.com when they moved to Office 365.
Microsoft 365 SPF Lookup Details
What happens when receivers check spf.protection.outlook.com:
dig TXT spf.protection.outlook.com +short
Returns Microsoft's IP ranges. The nested structure typically uses 2-3 total lookups—more efficient than Google's structure.
Moving to Hardfail
After testing confirms SPF works:
v=spf1 include:spf.protection.outlook.com -all
The -all (hardfail) tells receivers to reject unauthorized senders outright.
Sources
- Microsoft: Set up SPF to help prevent spoofing
- Microsoft: Troubleshoot SPF issues
- Microsoft Learn: Email authentication in Microsoft 365
- RFC 7208: Sender Policy Framework (SPF)
v1.0 · March 2026
Frequently Asked Questions
What is the SPF record for Microsoft 365?
The SPF include for Microsoft 365 is include:spf.protection.outlook.com. A complete record is: v=spf1 include:spf.protection.outlook.com ~all
What's the SPF for Office 365 Exchange Online?
Office 365 and Microsoft 365 use the same SPF: include:spf.protection.outlook.com. This covers Exchange Online and all Microsoft 365 email services.
Where do I add SPF for Microsoft 365?
SPF is added to your domain's DNS, not in Microsoft 365 Admin Center. Log into your DNS provider (GoDaddy, Azure DNS, Cloudflare, etc.) and add a TXT record.
How many DNS lookups does Microsoft 365 SPF use?
Microsoft's spf.protection.outlook.com typically uses 2-3 DNS lookups. This is more efficient than Google Workspace, leaving more room for additional senders.
Do I need SPF if I'm using Microsoft Defender?
Yes. SPF is required regardless of whether you use Defender for Office 365. SPF authenticates your outbound mail—Defender protects your inbound mail.