This article discusses Sender Policy Framework (SPF) records and contains information about how to configure an SPF record for Exchange Online.
An SPF record is used for messaging security purposes. The SPF record enables a receiving messaging system to query and determine whether the sending server is authorized to send from a domain. An SPF record can end in one of two ways: a hard fail or a soft fail. The difference between a hard fail and a soft fail is how the owner of the SPF record expects message recipients to treat a spoofed message.
- A hard fail
If an email message from a domain comes from an IP address that is outside the IP range defined in the SPF record for the domain, the message will be rejected. A hard fail can be used when the SPF result carries heavy weight in a spam filtering engine.
- A soft fail
If an email message from a domain comes from an IP address that is outside the IP range defined in the SPF record for the domain, the message will be accepted but marked. A soft fail can be used when the SPF result carries light weight in a spam filtering engine.
An organization that wants to control who can send email messages on its behalf, or that has security concerns, usually uses a hard fail in the SPF record. An organization that does not want much control over who can send email messages on its behalf usually uses a soft fail in the SPF record.
For example, a bank needs to control who can send email messages on behalf of the bank, and the email senders' IP addresses come from a narrow set of IP ranges. Because spoofing is common in phishing attacks, organizations such as banks might use a hard fail in the SPF record.
By contrast, Microsoft uses a soft fail. Many third-party vendors who send email messages on behalf of Microsoft for surveys, newsletters, and so on are outside the SPF record that Microsoft uses. Because Microsoft does not own that IP space but still wants those organizations to be able to send email messages on behalf of Microsoft, Microsoft uses a soft fail.
Microsoft expects email messages to be accepted, but marked. Additionally, email forwarding also requires a soft fail because SPF checks do not survive email forwarding. Outlook.com uses a soft fail in its SPF record.
Configure an SPF record
The Sender ID Framework SPF Record Wizard is a wizard that helps guide customers through creating a new SPF record for their DNS domain. Customers can use this wizard to add a new SPF record to their DNS zone to include Exchange Online servers as sending Simple Mail Transfer Protocol (SMTP) servers. To access the wizard, visit the following Microsoft website:
Additionally, you may want to list the IP addresses of all outgoing (also known as "outbound") mail servers. These IP addresses are required when you send email messages to other clients of Exchange Online Protection in Office 365. Each IP address should be added by using an "ip4:" statement. For example, to use "127.0.0.1" as an accepted IP for sending messages, you need to add "ip4:127.0.0.1" to your SPF record. For example, Contoso.com has the following IP addresses for outgoing mail servers:
Contoso.com has the following outgoing mail servers:
Contoso's original SPF record resembles the following:
"v=spf1 ip4:127.0.0.1 ip4:127.0.0.2 ip4:127.0.0.3 -all"
After routing mail through FOPE or EOP, Contoso’s SPF record resembles the following:
"v=spf1 include:outlook.com ip4:127.0.0.1 ip4:127.0.0.2 ip4:127.0.0.3 -all"
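The following added example (not part of the original article or any Microsoft tool) evaluates Contoso's record for three sender addresses and shows how the final term decides the outcome: "-all" is the hard fail and "~all" is the soft fail. It handles only the ip4, include and all terms; the in-memory zone, the outlook.com record value and the test addresses are constructed for the example.

```python
import ipaddress

# Constructed zone: stands in for DNS TXT lookups so the example runs offline.
# The outlook.com value is a placeholder, not Microsoft's published record.
ZONE = {
    "contoso.com": "v=spf1 include:outlook.com ip4:127.0.0.1 ip4:127.0.0.2 ip4:127.0.0.3 -all",
    "outlook.com": "v=spf1 ip4:192.0.2.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(record, sender_ip, zone=ZONE, depth=0):
    """Evaluate ip4, include and all terms left to right; first match decides."""
    if depth > 10:  # guard against include loops
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a term without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip.version == 4 and ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            inner = evaluate(zone.get(value.lower(), ""), sender_ip, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # included domain has no usable SPF record
            matched = inner == "pass"  # a fail inside include only means "no match"
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    hard = ZONE["contoso.com"]
    soft = hard.replace("-all", "~all")  # same senders, soft-fail policy
    for ip in ("127.0.0.2", "192.0.2.10", "198.51.100.7"):
        print(ip, evaluate(hard, ip), evaluate(soft, ip))
```

The included record's own "~all" does not leak into Contoso's result: an unlisted sender falls through the include and is decided by Contoso's final term.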
Article ID: 2640313 - Last Review: July 6, 2014 - Revision: 18.0
- Microsoft Exchange Online
- Microsoft Exchange Online Protection