---
title: "How to configure SPF to identify valid email sources for Microsoft 365 domains? | AutoSPF"
description: "SPF, which is short for Sender Policy Framework, is an email authentication protocol that allows Microsoft 365 domain owners to prevent threat actors from."
image: "https://autospf.com/og/blog/configuring-spf-for-valid-email-sources-in-microsoft-365-domains.png"
canonical: "https://autospf.com/blog/configuring-spf-for-valid-email-sources-in-microsoft-365-domains/"
---

Quick Answer

SPF, which is short for Sender Policy Framework, is an email authentication protocol that allows Microsoft 365 domain owners to prevent threat actors from succeeding in deceiving recipients by sending phishing and spoofing emails from your domain. With SPF in place, emails sent by only officially authorized IP addresses and servers linked to your domain land in the recipients’ inboxes.

## Try Our Free SPF Checker

Instantly analyze any domain's SPF record - check syntax, count DNS lookups, and flag errors.

[ Check SPF Record → ](/tools/spf-checker/) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fconfiguring-spf-for-valid-email-sources-in-microsoft-365-domains%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=How%20to%20configure%20SPF%20to%20identify%20valid%20email%20sources%20for%20Microsoft%20365%20domains%3F&url=https%3A%2F%2Fautospf.com%2Fblog%2Fconfiguring-spf-for-valid-email-sources-in-microsoft-365-domains%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fconfiguring-spf-for-valid-email-sources-in-microsoft-365-domains%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fconfiguring-spf-for-valid-email-sources-in-microsoft-365-domains%2F&title=How%20to%20configure%20SPF%20to%20identify%20valid%20email%20sources%20for%20Microsoft%20365%20domains%3F "Share on Reddit") [ ](mailto:?subject=How%20to%20configure%20SPF%20to%20identify%20valid%20email%20sources%20for%20Microsoft%20365%20domains%3F&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fconfiguring-spf-for-valid-email-sources-in-microsoft-365-domains%2F "Share via Email") 

![identify valid email](https://media.mailhop.org/autospf/images/2024/08/spf-validator-6004.jpg) 

SPF, which is short for [Sender Policy Framework](/explaining-sender-policy-framework-spf-macros/sender-policy-framework-office-365/), is an email authentication protocol that allows Microsoft 365 domain owners to prevent threat actors from succeeding in deceiving recipients by sending phishing and [spoofing emails](https://www.pcmag.com/news/nsa-warns-of-north-korean-hackers-spoofing-emails-from-legit-domains) from your domain. With SPF in place, emails sent by only officially authorized IP addresses and servers linked to your domain land in the recipients’ inboxes. This means if someone sends an email from your domain through an unauthorized server or IP address, the email will not reach the recipient’s inbox- it will either sit in their [spam folder](https://www.courthousenews.com/judge-tosses-rncs-lawsuit-against-google-over-emails-sent-to-spam-folders/) or get rejected (also called bouncing back). 

_Microsoft 365’s SPF include (`include:spf.protection.outlook.com`) chains to multiple nested records and typically consumes 2-3 of the 10 DNS lookups allowed by [RFC 7208 §4.6.4](https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4). Adding other senders alongside Microsoft requires careful lookup budgeting._

In simple words, while SPF can’t stop a [threat actor](https://www.cyberdefensemagazine.com/latest-watchguard-report-reveals-rise-in-threat-actors-exploiting-remote-access/) or ill-intended person from sending a [malicious email](https://www.theguardian.com/technology/2024/mar/25/us-sanctions-chinese-hackers) using your domain, it can surely prevent it from reaching the inbox of the recipient. _This minimizes (in case of the message getting marked as ‘spam’) or nullifies (in case of the message getting rejected outrightly) the chances of recipients falling into the trap and getting duped_.

The primary purpose of SPF is to validate email sources for a domain. This is done by creating a TXT type SPF record that gets published in the DNS to help the recipients’ servers identify valid or authorized sources for the incoming emails’ domain. The recipients’ email systems dig into the publicly available SPF [TXT record](https://en.wikipedia.org/wiki/TXT%5Frecord) to verify that the MAIL FROM address or 5321.MailFrom address is legitimately authorized by the domain owner.

## A general rundown of SPF in Microsoft 365 for different domain types

### For Microsoft Online Email Routing Address or MOERA domain users

If you are a MOERA domain user, you don’t have to do anything, as the SPF record is already set up appropriately for your domain. Microsoft owns the .onmicrosoft domain so it is responsible for generating and maintaining [DNS records](https://www.ibm.com/topics/dns-records) for your domain as well as subdomains. 

![identify valid email](https://media.mailhop.org/autospf/images/2024/08/spf-record-tester-6117.jpg) 

### For one or more custom domain users

During enrollment, there will be a step requiring you to create or modify the SPF TXT record in DNS for your [custom domain](https://blog.hubspot.com/website/custom-domains) to identify Microsoft 365 as a valid mail source for your outgoing emails. However, your job won’t end there. Here are a few more things you need to take care of for the holistic protection of your domain against phishing, spoofing, [ransomware](https://www.aljazeera.com/economy/2023/1/26/us-shuts-down-major-ransomware-network-hive), and other email-based threats.

#### Subdomain considerations: 

1. If you don’t directly control the email services (for example, you have outsourced the [email marketing](https://www.salesforce.com/in/marketing/email/) task to an agency), you should use a subdomain dedicated only to the [third](https://www.investopedia.com/terms/t/third-party.asp)[\-](https://www.investopedia.com/terms/t/third-party.asp)[party](https://www.investopedia.com/terms/t/third-party.asp) service provider. _This way, they would have limited access to your domain, minimizing the effect of issues emerging from the subdomain delegated to them_.
2. Please ensure each subdomain has its dedicated SPF record. While you can subject your subdomain to inherit the parent domain’s SPF policy, it isn’t recommended because of various potential issues, including exceeding the lookup and character limits.
3. If you own parked Microsoft domains (the domains you own but don’t use for sending emails or anything else), then you need to create an SPF record for that, too. Also, use the ‘-all’ mechanism so that no email sent from that domain or subdomain reaches the recipients’ mailboxes at all.

While we are emphasizing configuring SPF records to avert threat actors from exploiting your domains for sending fake emails, we also say that SPF alone is not enough. Unfortunately, sophisticated threat actors can spike SPF records and add their sending sources to label them as officially authorized by the domain owner. This way, emails sent by [malicious actors](https://thehackernews.com/2024/01/threat-actors-increasingly-abusing.html) can pass the SPF security check. 

So, it’s better if you pair up SPF with [DKIM](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dkim-record-check/) and [DMARC](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dmarc-record-check/). Together, they strengthen the [email infrastructure](https://www.socketlabs.com/blog/email-infrastructure/) against cyber menace.

## Guide on creating and managing SPF records for Microsoft 365 domains

The rest of the article explains common rules and troubleshooting tips for Microsoft 365 domain owners. _Please understand that SPF isn’t a one-time job; yes, you have to create the SPF record once, but it requires regular updates, monitoring, and troubleshooting_. 

![spf record](https://media.mailhop.org/autospf/images/2024/08/latest-office-365-spf-record-statistics-411x1024.jpg) 

### 1\. SPF enforcement rule

The enforcement rule is how you want the recipients’ servers to treat emails from sources not mentioned in your [SPF record](/explaining-sender-policy-framework-spf-macros/spf-record-syntax/). Valid sources are-

#### SPF hard fail

The ‘-all’ mechanism denotes [SPF hard fail](/fix-spf-permerror-and-temperror-a-diy-guide/spf-neutral/). If you use this mechanism in your SPF record, the messages sent by unspecified sources will be rejected on the recipients’ end. What exactly happens with such messages depends on the destination email system. However, most of them are usually discarded.

#### SPF soft fail

The ‘\~all’ mechanism denotes SPF soft fail and represents that the source is probably not authorized to send emails from a domain, so it should be allowed to enter the mailbox but must be marked as spam. In some destination email systems, the message is delivered to the [junk email folder](https://www.usatoday.com/story/tech/2023/06/23/emails-in-spam-folder/70350606007/) or placed in the inbox with an identifier added to the subject line or message body. 

## Points to remember

- Each domain or subdomain in DNS needs its own [SPF TXT record](/blog/how-to-create-an-spf-txt-record/), and only one SPF record is allowed per domain or subdomain. For undefined subdomains, DMARC is the best way to handle [email authentication](/blog/role-relevance-of-dns-spf-records-for-email-authentication/).
- The SPF TXT record for the \`\*.onmicrosoft.com\` domain can’t be changed.
- SPF validation fails if the check involves too many DNS lookups.

## How Do You Troubleshoot the DNS lookup limit error?

When an email system checks the SPF record to verify the sender’s [IP address](https://www.investopedia.com/terms/i/ip-address.asp), it goes through the listed IPs and ‘include:’ statements until it finds a match. If more than 10 DNS lookups are needed during this process, the email will fail [SPF validation](/spf-validation-failed-meaning-and-troubleshooting-methods/spf-validation-error/) with a permanent error, leading to the message being rejected and a bounce message being sent. This might happen due to errors like exceeding the hop count or requiring too many lookups.

Each ‘include:’ statement in the SPF record triggers at least one [DNS lookup](https://www.digicert.com/faq/dns/how-does-dns-lookup-work), and if the statement references nested resources, additional lookups might be required. _Even if you have fewer than 10 ‘include:’ statements, you could still exceed the lookup limit_.

![domain reputation](https://media.mailhop.org/autospf/images/2024/08/spf-permerror-2.jpg) 

_Email systems evaluate the SPF record from left to right, stopping once they find a valid source, so not all sources are always checked_. However, it’s possible for an SPF record to have enough information to cause more than 10 lookups, even if some emails pass without errors.

To avoid exceeding the DNS lookup limit and protect your [domain’s reputation](https://postmarkapp.com/glossary/domain-reputation), consider using subdomains for email services you don’t control. You can use free online tools to view your SPF record and estimate the number of lookups it requires.

If nothing works, use [our automatic SPF flattening tool](/http://www.autospf.com) to condense your SPF record and stay within the lookup limit.

## Topics

[ DKIM ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ SPF ](/tags/spf/)[ SPF Flattening tool ](/tags/spf-flattening-tool/)[ SPF record ](/tags/spf-record/) 

![Vishal Lamba](https://media.mailhop.org/autospf/images/authors/vishal-lamba.jpg) 

[ Vishal Lamba ](/authors/vishal-lamba/) 

Content Specialist

Content Specialist at AutoSPF. Writes vendor-specific SPF configuration guides and troubleshooting walkthroughs.

[LinkedIn Profile →](https://www.linkedin.com/in/vishal-lamba/) 

## Ready to get started?

Try AutoSPF free — no credit card required.

[ Book a Demo ](/book-a-demo/) 

## Related Articles

[  Intermediate 3m  3 points to consider before setting your SPF record to -all (HardFail)  May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[  Intermediate 6m  6 Best practices for maintaining an SPF record  Jun 5, 2025 ](/blog/6-best-practices-for-maintaining-an-spf-record/)[  Intermediate 3m  Adding your SPF record to your domain provider  Sep 2, 2024 ](/blog/adding-your-spf-record-to-your-domain-provider/)[  Intermediate 6m  Your SPF record is broken- What does it mean and how do you fix it?  Jan 16, 2025 ](/blog/broken-spf-record-meaning-and-how-to-fix-it/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"How to configure SPF to identify valid email sources for Microsoft 365 domains?","description":"SPF, which is short for Sender Policy Framework, is an email authentication protocol that allows Microsoft 365 domain owners to prevent threat actors from.","url":"https://autospf.com/blog/configuring-spf-for-valid-email-sources-in-microsoft-365-domains/","datePublished":"2024-08-20T15:40:00.000Z","dateModified":"2026-04-18T02:36:41.000Z","dateCreated":"2024-08-20T15:40:00.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/vishal-lamba/#person","name":"Vishal Lamba","url":"https://autospf.com/authors/vishal-lamba/","jobTitle":"Content Specialist","description":"Vishal Lamba writes AutoSPF's how-to guides and vendor-specific configuration walkthroughs. His work focuses on step-by-step implementation guides for major email platforms (Google Workspace, Microsoft 365, SendGrid, Mimecast, Proofpoint, Brevo, and others), troubleshooting common SPF errors, and translating RFC-level specifications into practical deployment procedures for IT administrators.","image":"https://media.mailhop.org/autospf/images/authors/vishal-lamba.jpg","knowsAbout":["SPF Vendor Configuration","Email Platform Integrations","SPF Troubleshooting","Technical Documentation","Step-by-Step Guides"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/vishal-lamba/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/configuring-spf-for-valid-email-sources-in-microsoft-365-domains/"},"articleSection":"intermediate","keywords":"DKIM, DMARC, SPF, SPF Flattening tool, SPF record","wordCount":1183,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/images/2024/08/spf-validator-6004.jpg","caption":"identify valid email","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"How to configure SPF to identify valid email sources for Microsoft 365 domains?","item":"https://autospf.com/blog/configuring-spf-for-valid-email-sources-in-microsoft-365-domains/"}]}
```