How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what's new.

Applies to

  • Exchange Online Protection
  • Microsoft Defender for Office 365 plan 1 and plan 2
  • Microsoft 365 Defender

Summary: This article describes how Microsoft 365 uses the Sender Policy Framework (SPF) TXT record in DNS to ensure that destination email systems trust messages sent from your custom domain. This applies to outbound mail sent from Microsoft 365. Messages sent from Microsoft 365 to a recipient inside Microsoft 365 will always pass SPF.

An SPF TXT record is a DNS record that helps prevent spoofing and phishing by verifying the domain name from which email messages are sent. SPF validates the origin of email messages by checking the IP address of the connecting mail server against the list of senders that the owner of the sending domain has published in DNS. The domain that is checked is the one in the SMTP MAIL FROM (return-path) address, not the From address displayed to the recipient.

Note

The dedicated SPF DNS record type was deprecated by the Internet Engineering Task Force (IETF) in 2014 (RFC 7208). Instead, use TXT records in DNS to publish your SPF data. The rest of this article uses the term SPF TXT record for clarity.

Domain administrators publish SPF information in TXT records in DNS. The SPF information identifies authorized outbound email servers. Destination email systems verify that messages originate from authorized outbound email servers. If you are already familiar with SPF, or you have a simple deployment, and just need to know what to include in your SPF TXT record in DNS for Microsoft 365, you can go to Set up SPF in Microsoft 365 to help prevent spoofing. If you do not have a deployment that is fully hosted in Microsoft 365, or you want more information about how SPF works or how to troubleshoot SPF for Microsoft 365, keep reading.

Note

Previously, you had to add a different SPF TXT record to your custom domain if you also used SharePoint Online. This is no longer required. This change should reduce the risk of SharePoint Online notification messages ending up in the Junk Email folder. You do not need to make any changes immediately, but if you receive the "too many lookups" error, change your SPF TXT record as described in Set up SPF in Microsoft 365 to help prevent spoofing.

How SPF works to prevent spoofing and phishing in Microsoft 365

SPF determines whether or not a sender is permitted to send on behalf of a domain. If the sender is not permitted to do so, that is, if the email fails the SPF check on the receiving server, the spam policy configured on that server determines what to do with the message.

Each SPF TXT record contains three parts: the declaration that it is an SPF TXT record, the IP addresses that are allowed to send mail from your domain and the external domains that can send on your domain's behalf, and an enforcement rule. You need all three in a valid SPF TXT record. This article describes how you form your SPF TXT record and provides best practices for working with the services in Microsoft 365. Links to instructions on working with your domain registrar to publish your record to DNS are also provided.

SPF basics: IP addresses allowed to send from your custom domain

Take a look at the basic syntax for an SPF rule:

v=spf1 <IP> <enforcement rule>

For example, let's say the following SPF rule exists for contoso.com:

v=spf1 <IP address #1> <IP address #2> <IP address #3> <enforcement rule>

In this example, the SPF rule instructs the receiving email server to only accept mail from these IP addresses for the domain contoso.com:

  • IP address #1

  • IP address #2

  • IP address #3

This SPF rule tells the receiving email server that if a message comes from contoso.com, but not from one of these three IP addresses, the receiving server should apply the enforcement rule to the message. The enforcement rule is usually one of these options:

  • Hard fail. Record the result as a hard fail (in Microsoft 365 it appears as spf=fail in the Authentication-Results header) and then follow the receiving server's configured spam policy for this type of message.

  • Soft fail. Record the result as a soft fail (spf=softfail). Typically, email servers are configured to deliver these messages anyway. Most end users do not see this mark.

  • Neutral. Take no action on the message; the result is recorded as neutral. This is usually reserved for testing purposes and is rarely used.

The following examples show how SPF works in different situations. In these examples, contoso.com is the sender and woodgrovebank.com is the receiver.

Example 1: Email authentication of a message sent directly from sender to receiver

SPF works best when the path from sender to receiver is direct, for example:

Diagram showing how SPF authenticates email when it is sent directly from server to server.

When woodgrovebank.com receives the message, if IP address #1 is in the SPF TXT record for contoso.com, the message passes the SPF check and is authenticated.

Example 2: Spoofed sender address fails the SPF check

Suppose a phisher finds a way to spoof contoso.com:

Diagram showing how SPF authenticates email when it is sent from a spoofed server.

Since IP address #12 is not in contoso.com's SPF TXT record, the message fails the SPF check and the receiver may choose to mark it as spam.

Example 3: SPF and forwarded messages

One drawback of SPF is that it doesn't work when an email has been forwarded. For example, suppose the user at woodgrovebank.com has set a forwarding rule to send all email to an outlook.com account:

Diagram showing how SPF cannot authenticate email when the message is forwarded.

The message originally passes the SPF check at woodgrovebank.com but it fails the SPF check at outlook.com because IP #25 (the woodgrovebank.com server that forwarded it) is not in contoso.com's SPF TXT record. Outlook.com might then mark the message as spam. To work around this problem, use SPF in conjunction with other email authentication methods such as DKIM and DMARC; a DKIM signature is bound to the message content rather than to the connecting IP address, so it survives a simple forward.
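To make the three outcomes above concrete, here is an added example (not code from this article or from Microsoft): a small Python SPF evaluator run against a constructed stand-in for DNS. The SPF_RECORDS table, the stand-in record for spf.protection.outlook.com, the fabrikam.example domain and all IP addresses (taken from the RFC 5737 and RFC 3849 documentation ranges) are assumptions made for this example; the logic follows the RFC 7208 rules for ip4, ip6, include and the qualifiers on all, and skips the a, mx, ptr and exists mechanisms.

```python
"""Minimal SPF evaluator for the three scenarios in the article.

Added example, not Microsoft code. DNS is replaced by the constructed
SPF_RECORDS table; the stand-in record for spf.protection.outlook.com,
fabrikam.example and every IP address below are assumptions (documentation
ranges). Only ip4/ip6 (with CIDR), include and all are modelled.
"""
import ipaddress

SPF_RECORDS = {
    # contoso.com: three on-premises senders plus Microsoft 365, hard fail
    "contoso.com": ("v=spf1 ip4:192.0.2.1 ip4:192.0.2.2 ip4:192.0.2.3 "
                    "include:spf.protection.outlook.com -all"),
    # stand-in for Microsoft's real record, which lists far more ranges
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    # a domain that is not sure of its sender list and uses soft fail
    "fabrikam.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def stub_lookup(domain):
    """Stand-in for a DNS TXT query: the domain's SPF record, or None."""
    return SPF_RECORDS.get(domain)


def parse_terms(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def check_host(ip, domain, lookup=stub_lookup, depth=0):
    """Evaluate sender ip for MAIL FROM domain; return the SPF result string."""
    if depth > 10:                           # guard against include loops
        return "permerror"
    record = lookup(domain)
    if record is None:
        return "none"                        # the domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_terms(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            # include matches only when the included record returns pass; the
            # included record's own -all never makes the caller fail
            inner = check_host(ip, arg, lookup, depth + 1)
            if inner in ("permerror", "none"):
                return "permerror"           # RFC 7208: include of a missing record
            matched = inner == "pass"
        elif mech == "all":
            matched = True
        else:
            continue                         # a, mx, ptr, exists not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no redirect


def scenarios():
    """The article's examples plus a soft-fail record, as (label, result) pairs."""
    return [
        ("1 direct from contoso.com IP #1", check_host("192.0.2.1", "contoso.com")),
        ("1b sent through Microsoft 365", check_host("198.51.100.7", "contoso.com")),
        ("2 spoofed from IP #12", check_host("203.0.113.12", "contoso.com")),
        ("3 forwarded by woodgrovebank IP #25", check_host("203.0.113.25", "contoso.com")),
        ("soft fail at fabrikam.example", check_host("203.0.113.12", "fabrikam.example")),
    ]


if __name__ == "__main__":
    for label, result in scenarios():
        print(f"{label}: spf={result}")
```

Scenario 3 is the forwarding case: outlook.com evaluates contoso.com's record against the address of the woodgrovebank.com forwarder, so the check fails even though the message is genuine. Note also that include matches only when the included record returns pass; the -all inside the stand-in spf.protection.outlook.com record does not make the outer evaluation fail, which is what lets a single -all at the end of your own record stay authoritative.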

SPF basics: Including third-party domains that can send mail on behalf of your domain

In addition to IP addresses, you can also configure your SPF TXT record to include domains as senders. These are added to the SPF TXT record as "include" statements. For example, contoso.com might want to include all of the IP addresses of the mail servers from contoso.net and contoso.org, which it also owns. To do this, contoso.com publishes an SPF TXT record that looks like this:

    v=spf1 include:contoso.net include:contoso.org -all

When the receiving server sees this record in DNS, it also performs a DNS lookup on the SPF TXT record for contoso.net and then for contoso.org. If it finds an additional include statement within the records for contoso.net or contoso.org, it will follow those as well. To help prevent denial of service attacks, the maximum number of DNS lookups for a single SPF evaluation is 10. Each include statement represents an additional DNS lookup, as do the a, mx, ptr and exists mechanisms and the redirect modifier; ip4, ip6 and all cost no lookups. If evaluating a record exceeds the limit of 10, the message fails SPF with a permanent error. Once a message reaches this limit, depending on the way the receiving server is configured, the sender may get a message that says the message generated "too many lookups" or that the "maximum hop count for the message has been exceeded" (which can happen when the lookups loop and exceed the DNS timeout). For tips on how to avoid this, see Troubleshooting: Best practices for SPF in Microsoft 365.

Requirements for your SPF TXT record and Microsoft 365

If you set up mail when you set up Microsoft 365, you already created an SPF TXT record that identifies the Microsoft messaging servers as a legitimate source of mail for your domain. This record probably looks like this:

    v=spf1 include:spf.protection.outlook.com -all

If you're a fully-hosted customer, that is, you have no on-premises mail servers that send outbound mail, this is the only SPF TXT record that you need to publish for Office 365.

If you have a hybrid deployment (that is, you have some mailboxes on-premises and some hosted in Microsoft 365), or if you're an Exchange Online Protection (EOP) standalone customer (that is, your organization uses EOP to protect your on-premises mailboxes), you should add the outbound IP address for each of your on-premises edge mail servers to the SPF TXT record in DNS.

Form your SPF TXT record for Microsoft 365

Use the syntax information in this article to form the SPF TXT record for your custom domain. Although there are other syntax options that are not mentioned here, these are the most commonly used options. Once you have formed your record, you need to update the record at your domain registrar.

For information about the domains you will need to include for Microsoft 365, see External DNS records required for SPF. Use the step-by-step instructions for updating SPF (TXT) records for your domain registrar.

SPF TXT record syntax for Microsoft 365

A typical SPF TXT record for Microsoft 365 has the following syntax:

    v=spf1 [<ip4>|<ip6>:<IP address>] [include:<domain name>] <enforcement rule>

For example:

    v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 include:spf.protection.outlook.com -all

where:

  • v=spf1 is required. This defines the TXT record as an SPF TXT record.

  • ip4 indicates that you are using IP version 4 addresses. ip6 indicates that you are using IP version 6 addresses. If you are using IPv6 addresses, replace ip4 with ip6 in the examples in this article. You can also specify IP address ranges using CIDR notation, for example ip4:192.168.0.1/26.

  • IP address is the IP address that you want to add to the SPF TXT record. Normally, this is the IP address of the outbound mail server for your organization. List the public address that receiving servers see on the SMTP connection; a private address behind NAT (such as the 192.168.0.x addresses used in this article's examples) will never match on the receiving side. You can list multiple outbound mail servers. For more information, see Example: SPF TXT record for multiple outbound on-premises mail servers and Microsoft 365.

  • domain name is the domain you want to add as a legitimate sender. For a list of domain names you should include for Microsoft 365, see External DNS records required for SPF.

  • Enforcement rule is usually one of the following:

    • -all

      Indicates hard fail. If you know all of the authorized IP addresses for your domain, list them in the SPF TXT record and use the -all (hard fail) qualifier. Also, if you are only using SPF, that is, you are not using DMARC or DKIM, you should use the -all qualifier. We recommend that you always use this qualifier.

    • ~all

      Indicates soft fail. If you're not sure that you have the complete list of IP addresses, then you should use the ~all (soft fail) qualifier. Also, if you are using DMARC with p=quarantine or p=reject, then you can use ~all. Otherwise, use -all.

    • ?all

      Indicates neutral. This is used when testing SPF. We do not recommend that you use this qualifier in your live deployment.

Example: SPF TXT record to use when all of your mail is sent by Microsoft 365

If all of your mail is sent by Microsoft 365, use this in your SPF TXT record:

    v=spf1 include:spf.protection.outlook.com -all

Example: SPF TXT record for a hybrid scenario with one on-premises Exchange Server and Microsoft 365

In a hybrid environment, if the IP address of your on-premises Exchange Server is 192.168.0.1, in order to set the SPF enforcement rule to hard fail, form the SPF TXT record as follows:

    v=spf1 ip4:192.168.0.1 include:spf.protection.outlook.com -all

Example: SPF TXT record for multiple outbound on-premises mail servers and Microsoft 365

If you have multiple outbound mail servers, include the IP address for each mail server in the SPF TXT record and separate each IP address with a space followed by an "ip4:" statement. For example:

    v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 ip4:192.168.0.3 include:spf.protection.outlook.com -all

Next steps: Set up SPF for Microsoft 365

Once you have formulated your SPF TXT record, follow the steps in Set up SPF in Microsoft 365 to help prevent spoofing to add it to your domain.

Although SPF is designed to help prevent spoofing, there are spoofing techniques that SPF cannot protect against. SPF checks only the domain in the SMTP MAIL FROM (return-path) address, so an attacker can pass SPF by using a MAIL FROM domain they control while forging the From address that the recipient actually sees. To protect against these, once you have set up SPF, you should also configure DKIM and DMARC for Microsoft 365. To get started, see Use DKIM to validate outbound email sent from your custom domain in Microsoft 365. Next, see Use DMARC to validate email in Microsoft 365.

Troubleshooting: Best practices for SPF in Microsoft 365

You can only create one SPF TXT record for your custom domain. Publishing multiple SPF records for the same name causes a round-robin situation and is a permanent error (permerror) for the receiver, so SPF will fail. To avoid this, you can create separate records for each subdomain. For example, create one record for contoso.com and another record for bulkmail.contoso.com.

If evaluating your record requires more than 10 DNS lookups before the message is delivered, the receiving mail server will respond with a permanent error, also called a permerror, and cause the message to fail the SPF check. The receiving server may also respond with a non-delivery report (NDR) that contains an error similar to these:

  • The message exceeded the hop count.

  • The message required too many lookups.

Avoiding the "too many lookups" error when you use third-party domains with Microsoft 365

Some SPF TXT records for third-party domains direct the receiving server to perform a large number of DNS lookups. For example, at the time of this writing, Salesforce.com contains five include statements in its record:

    v=spf1 include:_spf.google.com include:_spfblock.salesforce.com include:_qa.salesforce.com include:_spfblock1.salesforce.com include:spf.mandrillapp.com mx ~all

Note that the mx mechanism also costs a lookup, so pulling this record into your own SPF TXT record consumes at least seven of your ten lookups (one for the include itself, five for its includes and one for mx), before counting any include statements nested inside those five records.

To avoid the error, you can implement a policy where anyone sending bulk email, for example, has to use a subdomain specifically for this purpose. You then define a different SPF TXT record for the subdomain that includes the bulk email sender.

In some cases, like the salesforce.com example, you have to use the domain in your SPF TXT record, but in other cases, the third party may have already created a subdomain for you to use for this purpose. For example, exacttarget.com has created a subdomain that you need to use for your SPF TXT record:

    cust-spf.exacttarget.com

When you include third-party domains in your SPF TXT record, you need to confirm with the third party which domain or subdomain to use in order to avoid running into the 10 lookup limit.

How to view your current SPF TXT record and determine the number of lookups that it requires

You can use nslookup to view your DNS records, including your SPF TXT record (for example, nslookup -type=TXT contoso.com, or Resolve-DnsName -Name contoso.com -Type TXT in PowerShell). There are a number of free online tools available that you can use to view the contents of your SPF TXT record. By looking at your SPF TXT record and following the chain of include statements and redirects, you can determine how many DNS lookups the record requires. Some online tools will even count and display these lookups for you. Keeping track of this number will help prevent messages sent from your organization from triggering a permanent error, called a permerror, from the receiving server.
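Here is an added example (not from this article or from Microsoft) that performs the counting described here and in "Including third-party domains" above: a Python lint that, for a given domain, checks that exactly one v=spf1 TXT record is published, validates ip4 and ip6 arguments, and walks include and redirect chains to total the DNS-querying terms against the limit of 10. DNS is replaced by the constructed TXT_RECORDS table; every name under .example, the record contents and the IP addresses are assumptions, and the _spf.salesforce.example chain only copies the shape (five includes plus mx) of the Salesforce record quoted above, not its contents.

```python
"""SPF record lint: one record, valid syntax, and the 10-lookup budget.

Added example, not Microsoft code. TXT_RECORDS is a constructed stand-in for
DNS; every .example name, all record contents and all IP addresses are
assumptions. _spf.salesforce.example copies only the shape of the Salesforce
record shown in the article (five includes plus mx).
"""
import ipaddress

LOOKUP_LIMIT = 10
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}   # each costs one DNS query
KNOWN_MECHS = LOOKUP_MECHS | {"all", "ip4", "ip6"}

TXT_RECORDS = {
    "contoso.com": [
        "v=spf1 mx a ip4:192.0.2.1 include:spf.protection.outlook.com "
        "include:_spf.salesforce.example include:cust-spf.exacttarget.example -all",
        "ms-domain-verification=abc123",   # unrelated TXT record; SPF ignores it
    ],
    # bulk senders moved to their own subdomain, as the article recommends
    "bulkmail.contoso.com": ["v=spf1 include:_spf.salesforce.example -all"],
    # two v=spf1 records at one name: the round-robin mistake
    "dup.contoso.com": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 ~all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:198.51.100.0/24 -all"],  # stand-in
    "cust-spf.exacttarget.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_spf.salesforce.example": [
        "v=spf1 include:_spf.google.example include:_spfblock.salesforce.example "
        "include:_qa.salesforce.example include:_spfblock1.salesforce.example "
        "include:spf.mandrillapp.example mx ~all"
    ],
}
for leaf in ("_spf.google.example", "_spfblock.salesforce.example", "_qa.salesforce.example",
             "_spfblock1.salesforce.example", "spf.mandrillapp.example"):
    TXT_RECORDS[leaf] = ["v=spf1 ip4:203.0.113.0/24 -all"]   # leaf records, no lookups


def spf_records(domain):
    """Stand-in for a DNS TXT query: the v=spf1 strings published at domain."""
    return [t for t in TXT_RECORDS.get(domain, []) if t.lower().startswith("v=spf1")]


def count_lookups(domain, problems, seen=frozenset()):
    """Count the DNS queries a receiver issues while evaluating domain's record,
    following include and redirect chains and collecting syntax problems."""
    if domain in seen:
        problems.append(f"{domain}: include/redirect loop")
        return 0
    seen = seen | {domain}
    records = spf_records(domain)
    if len(records) != 1:
        problems.append(f"{domain}: found {len(records)} SPF records, need exactly 1")
        return 0
    lookups = 0
    for term in records[0].split()[1:]:
        if term.startswith("redirect="):
            lookups += 1 + count_lookups(term[len("redirect="):], problems, seen)
            continue
        if "=" in term:                      # other modifiers (exp=) cost nothing
            continue
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.split("/")[0].lower()    # allow "a/24"-style prefix lengths
        if mech not in KNOWN_MECHS:
            problems.append(f"{domain}: unknown mechanism '{term}'")
        elif mech in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"{domain}: bad address in '{term}'")
        elif mech in LOOKUP_MECHS:
            lookups += 1
            if mech == "include":
                lookups += count_lookups(arg, problems, seen)
    return lookups


def lint_spf(domain):
    """Return (status, lookups, problems); status is 'ok' or 'permerror'."""
    problems = []
    lookups = count_lookups(domain, problems)
    if lookups > LOOKUP_LIMIT:
        problems.append(f"{domain}: {lookups} DNS lookups exceed the limit of {LOOKUP_LIMIT}")
    return ("permerror" if problems else "ok", lookups, problems)


if __name__ == "__main__":
    for name in ("contoso.com", "bulkmail.contoso.com", "dup.contoso.com"):
        status, lookups, problems = lint_spf(name)
        print(f"{name}: {status}, {lookups} lookups", *problems, sep="\n  ")
```

To run this against a real domain, replace spf_records with an actual TXT query (for example the strings returned by nslookup -type=TXT <domain>); nothing else changes. In the constructed data, contoso.com totals 11 lookups and is reported as permerror, while the same Salesforce-shaped include published on bulkmail.contoso.com costs that subdomain only 7, which is the subdomain strategy the text recommends. dup.contoso.com shows the other permerror cause: two v=spf1 records at one name.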

For more information

Need help adding the SPF TXT record? Read the article Create DNS records at any DNS hosting provider for Microsoft 365 for detailed information about using Sender Policy Framework with your custom domain in Microsoft 365. Anti-spam message headers includes the syntax and header fields used by Microsoft 365 for SPF checks.