Microsoft 365
Microsoft 365 SPF Setup
Microsoft 365 requires include:spf.protection.outlook.com in your SPF record to authorize Exchange Online outbound mail.
Quick answer
Microsoft 365 sends outbound mail through Exchange Online infrastructure authorized by include:spf.protection.outlook.com. Add this include to your domain SPF record alongside other providers, ensuring only one v=spf1 TXT record exists. Microsoft also requires DKIM and recommends DMARC. Verify the envelope domain matches where you publish SPF, especially when using third-party connectors.
Beginner explanation
Setup is straightforward when Microsoft is your only sender. Complexity appears when you also send through HubSpot, Mailchimp, or custom SMTP relays. Each additional service must coexist in one SPF policy without duplicates or lookup overload.
Microsoft 365 does not replace SPF with DKIM. You should implement both plus DMARC for meaningful reporting and protection against header From spoofing.
Technical explanation
Hybrid environments using on-premise Exchange with Exchange Online must include both Microsoft and any remaining on-premise ip4 mechanisms. Connectors and third-party journaling solutions may send mail using different envelope domains—confirm which domains appear in SMTP MAIL FROM before publishing TXT records.
Microsoft Defender and anti-spoofing policies do not remove the need for public SPF at your custom domain. They protect recipients inside your tenant; SPF, DKIM, and DMARC protect how the broader internet evaluates mail claiming to be from your domain.
Business impact
Because Microsoft is often the first include teams add, duplicate or outdated Microsoft macros also push domains toward lookup limits that block later marketing integrations.
Common mistakes
- Publishing SPF on onmicrosoft.com while custom domains send MAIL FROM elsewhere
- Forgetting third-party Microsoft 365 connectors that send from non-Microsoft IPs
How SPF Manager helps
Guided checks help hybrid and connector-heavy tenants identify which domains need SPF updates beyond the primary user domain.
Recommended next step
See how this applies to your domain before you change DNS.
Analyze my domainRelated articles
Providers
SPF Email Providers
Email providers publish SPF include hostnames or IP ranges that you must add to your domain policy to authorize their outbound mail.
Google Workspace
Google Workspace SPF Setup
Google Workspace uses include:_spf.google.com to authorize Gmail and Google Apps SMTP infrastructure for your domain.
Email Authentication
DMARC and SPF
DMARC builds on SPF and DKIM by defining alignment rules and reporting what receivers see when mail claims your domain.
Providers
Provider SPF Synchronization
Provider SPF synchronization keeps your DNS policy aligned with the email services your organization actually uses.