Enabling SPF (Sender Policy Framework)


It is important to understand where you are now so we don’t break anything. Take a look at the flowchart below:

 

Scenario 1 – Only Exchange Online can send e-mails from your domain

  1. Create a TXT record in your domain zone

    TXT Name: @ Value: "v=spf1 include:spf.protection.outlook.com -all"

  2. Test your SPF record at Scott Kitterman's SPF record testing tools

 

Scenario 2 – Add Exchange Online Protection to your SPF record

  1. Get your SPF record

    nslookup -querytype=txt contoso.com
    Server:  dns.external
    Address:  192.168.1.1

    Non-authoritative answer:
    contoso.com  text = "v=spf1 mx -all"

  2. Add Exchange Online Protection to your SPF record, just before the “all” verb.

    TXT Name: @ Value: "v=spf1 mx include:spf.protection.outlook.com -all"

  3. Test your SPF record at Scott Kitterman's SPF record testing tools

 

Scenario 3 – Create an SPF record for your e-mail gateways and Exchange Online Protection

  1. Define which hosts will send e-mail and build the SPF string with the table below:

    where <3rd party SPF record> will be provided by your service provider

    where <IP v4 Address> will be replaced with the actual IPv4 address

    where <IP v6 Address> will be replaced with the actual IPv6 address

    where <enforcement rule> can be:

    -all – Anything not in the list will fail

    ~all – Anything not in the list will soft fail (avoid using this)

    For example, if you want to allow Exchange Online and the IP address 40.124.14.27 to send e-mails from the domain contoso.com, you can use the following SPF record in the contoso.com DNS zone:

    TXT Name: @ Value: "v=spf1 ip4:40.124.14.27 include:spf.protection.outlook.com -all"

  2. Test your SPF record at Scott Kitterman's SPF record testing tools
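
An offline pre-check for the records in the three scenarios, written as an added example and not taken from the original page: it performs the Scenario 2 edit (inserting the Exchange Online Protection include just before "all") and flags mistakes that make a record fail evaluation, such as a dash character pasted from a word processor. The function names add_eop and lint_spf and the sample records are assumptions made for this illustration.

```python
import re

# Added example. EOP_INCLUDE is the value used on this page; the function
# names and the sample records in SAMPLES are constructed for illustration.
EOP_INCLUDE = "include:spf.protection.outlook.com"
ALL_RE = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)


def add_eop(record):
    """Scenario 2: insert the EOP include just before the 'all' mechanism."""
    terms = record.split()
    if EOP_INCLUDE in (t.lower() for t in terms):
        return " ".join(terms)  # already present, nothing to do
    pos = next((i for i, t in enumerate(terms) if ALL_RE.match(t)), len(terms))
    terms.insert(pos, EOP_INCLUDE)
    return " ".join(terms)


def lint_spf(record):
    """Return a list of problems in one SPF TXT value (without the quotes)."""
    problems = []
    if not record.isascii():
        problems.append("non-ASCII character, e.g. an en dash pasted for '-'")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
    if EOP_INCLUDE not in (t.lower() for t in terms):
        problems.append("Exchange Online Protection include is missing")
    alls = [i for i, t in enumerate(terms) if ALL_RE.match(t)]
    if not alls:
        problems.append("no valid 'all' mechanism")
    else:
        if any("=" not in t for t in terms[alls[0] + 1:]):
            problems.append("mechanisms after 'all' are never evaluated")
        if terms[alls[0]].lower() != "-all":
            problems.append("enforcement rule is not -all")
    return problems


SAMPLES = [
    "v=spf1 ip4:40.124.14.27 include:spf.protection.outlook.com -all",
    "v=spf1 include:spf.protection.outlook.com \u2013all",  # en dash typo
    add_eop("v=spf1 mx -all"),
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", lint_spf(value) or "ok")
```

A clean result here only covers the syntax of the string; the published record still needs the online test named in each scenario.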