---
title: "MessageLabs SPF Setup: How To Configure SPF Records Correctly | AutoSPF"
description: "Learn how to configure MessageLabs SPF records correctly to improve email authentication, prevent spoofing, and enhance deliverability."
image: "https://autospf.com/og/blog/messagelabs-spf-setup-how-to-configure-spf-records-correctly.png"
canonical: "https://autospf.com/blog/messagelabs-spf-setup-how-to-configure-spf-records-correctly/"
---

Quick Answer

To configure MessageLabs SPF records correctly, add the authorized MessageLabs SPF include statement to your domain’s DNS record and verify it. A properly configured SPF record helps prevent email spoofing, improves authentication, and supports better email deliverability.

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fmessagelabs-spf-setup-how-to-configure-spf-records-correctly%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=MessageLabs%20SPF%20Setup%3A%20How%20To%20Configure%20SPF%20Records%20Correctly&url=https%3A%2F%2Fautospf.com%2Fblog%2Fmessagelabs-spf-setup-how-to-configure-spf-records-correctly%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fmessagelabs-spf-setup-how-to-configure-spf-records-correctly%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fmessagelabs-spf-setup-how-to-configure-spf-records-correctly%2F&title=MessageLabs%20SPF%20Setup%3A%20How%20To%20Configure%20SPF%20Records%20Correctly "Share on Reddit") [ ](mailto:?subject=MessageLabs%20SPF%20Setup%3A%20How%20To%20Configure%20SPF%20Records%20Correctly&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fmessagelabs-spf-setup-how-to-configure-spf-records-correctly%2F "Share via Email") 

![MessageLabs SPF Setup](https://media.mailhop.org/autospf/spf-records-in-dns-5928-1781688460893.jpg) 

MessageLabs, later known as Symantec Email Security.cloud and associated with Symantec Corporation before the Broadcom-Symantec transition, has long been used as a cloud-based service for filtering inbound and [outbound email](https://www.ricoh-usa.com/en/glossary/outbound-mail). Organizations adopted MessageLabs for email security because it helped detect malware, phishing, ransomware, malicious attachments, spear phishing, and business email compromise before those threats reached users or customers. Today, some Symantec customers still operate legacy Symantec email services, while others evaluate a MessageLabs replacement such as Mimecast, Mimecast SaaS, or other SaaS-based services after the Symantec sale to Broadcom.

SPF, or [Sender Policy Framework](https://autospf.com/blog/what-leads-to-email-spf-rejections-after-dns-update-explained/), is a DNS-based sender authentication method that tells receiving mail servers which systems are authorized to send email for your domain. If your organization sends outbound mail through MessageLabs, your SPF record must authorize the **MessageLabs sending infrastructure**. Without the correct SPF include mechanism, legitimate messages may fail SPF checks, reducing deliverability and weakening [email security](https://autospf.com/) controls.

_For a CISO, IT Director, or messaging administrator, SPF is not a complete email security strategy on its own_. It does not stop all phishing, spear phishing, ransomware, or business email compromise. However, it is a foundational control for sender authentication, compliance, corporate data protection, and broader cyber resiliency. When combined with DKIM, DMARC, sandboxing, click-time URL protection, web browser isolation, static file analysis, outbound monitoring, analytics, and advanced detection technologies, SPF contributes to comprehensive defense against email threats.

![Layered Email Security Stack](https://media.mailhop.org/autospf/spf-records-6938-1781688832641.jpg)

MessageLabs historically operated as a cloud-based service rather than a purely on-premises solution. Some organizations also used related products such as Symantec Messaging Gateway, which could be deployed as a messaging gateway, virtual appliance, or hybrid control point. In modern enterprise messaging security, platforms such as Symantec Enterprise Cloud, Email Threat Detection Response, and Mimecast **emphasize threat detection**, automated remediation, attack response, [data protection](https://www.ibm.com/think/topics/data-protection), archiving, backup, continuity solutions, redundancy, and recovery solutions. SPF configuration remains relevant across all of these architectures because every authorized outbound sender must be represented correctly in DNS.

## Finding the Correct MessageLabs SPF Include Mechanism for Your Domain

For most MessageLabs outbound email configurations, the SPF include mechanism commonly used is:

```
include:spf.MessageLabs.com
```

A simple MessageLabs-only SPF record may look like this:

```
v=spf1 include:spf.MessageLabs.com -all
```

However, you should verify the exact include mechanism in your MessageLabs and Symantec Email Security.cloud, Broadcom, or customer support documentation before publishing changes. Large enterprises may have custom routing, dedicated outbound pools, regional configurations, IMS Events integrations, [PGP Encryption](https://www.fortinet.com/resources/cyberglossary/pgp-encryption) Service dependencies, or Professional Services-led designs that require validation. If your organization is **planning customer migration** or transition services to a MessageLabs replacement, confirm whether both old and new sending platforms must be authorized during coexistence.

_Many domains send mail from more than one source_. For example, an organization may use MessageLabs for filtering, Office 365 for mailboxes, Google Apps for collaboration, a [CRM platform](https://piwik.pro/glossary/customer-relationship-management-crm-platforms/) for marketing email, and a ticketing system for support notifications. In that case, the SPF record must include every legitimate sender without exceeding SPF’s 10-DNS-lookup limit.

![SPF DNS Lookup Limit Tracking](https://media.mailhop.org/autospf/dmarc-alignment-4924-1781688676821.jpg)

A combined record might look like this:

```
v=spf1 include:spf.MessageLabs.com include:spf.protection.outlook.com include:_spf.google.com -all
```

This example supports MessageLabs, Office 365 integration, and Google Apps integration. Before using it, check whether your domain actually sends through all three services. **Over-authorizing senders** can weaken email security and increase exposure to targeted attacks, phishing, spear phishing, and [business email compromise](https://www.wilmingtonbiz.com/technology/2026/06/10/cybercrime%5Framps%5Fup%5Fsophistication/27544).

Organizations researching alternatives may encounter references from Radicati, KuppingerCole, Marketwatch, SearchSecurity, SDxCentral, Cybersecurity Experts, and industry leader comparisons involving Mimecast, Broadcom, CA Technologies, and Symantec. Those evaluations often focus on email threat detection response, malware prevention, ransomware protection, continuity, archiving, user awareness, and [cyber resiliency](https://grcsolutions.io/cyber-resilience/). SPF should be reviewed during any MessageLabs replacement project, because sender authentication failures are common during platform transitions.

### How to Create or Update Your SPF TXT Record in DNS

To configure MessageLabs SPF correctly, first identify where your **public DNS is hosted**. This may be your domain registrar, cloud DNS provider, managed service provider, or internal DNS administration team. You will create or update a TXT record at the root of your sending domain, such as example.com.

Follow this process:

- Check for an existing SPF record. Use a [DNS lookup](https://threat.media/definition/what-is-a-dns-lookup/) tool to query TXT records for your domain. If you already see a record beginning with `v=spf1`, you must update that record rather than create a second one.
- Add the MessageLabs include mechanism. Insert `include:spf.MessageLabs.com` into the existing SPF record. For example:  
```  
v=spf1 include:spf.MessageLabs.com include:spf.protection.outlook.com -all  
```
- Include other authorized senders. Add only legitimate systems used for outbound mail, such as Office 365, Google Apps, marketing automation tools, or approved **messaging gateway infrastructure**.
- Choose the correct enforcement qualifier. The `-all` mechanism tells receivers to reject mail from unauthorized sources. The `~all` mechanism is a soft fail and is often used during testing. Mature email security programs generally move toward stricter alignment after validation.
- Save the TXT record and allow DNS propagation. Propagation can take minutes or hours, depending on TTL values and DNS provider behavior.

![SPF Record Anatomy](https://media.mailhop.org/autospf/dkim-generator-5922-1781688919713.jpg)

_A well-formed SPF record supports sender authentication and improves resilience against spoofing, phishing, spear phishing, and business email compromise_. It also supports data protection, compliance, and cyber resiliency by reducing the chance that attackers can **impersonate your domain** during ransomware campaigns or malware delivery attempts.

#### Common MessageLabs SPF Setup Mistakes and How to Avoid Them

The most common mistake is publishing multiple SPF records for the same domain. A domain must have only one [TXT record](https://www.cloudflare.com/learning/dns/dns-records/dns-txt-record/) beginning with `v=spf1`. Multiple SPF records cause permanent errors and can break legitimate delivery, even when MessageLabs itself is configured correctly.

Another frequent issue is forgetting that SPF has a 10-DNS-lookup limit. Each include, a, mx, exists, or redirect mechanism may count toward that limit. Organizations with complex email security stacks, **cloud-based service dependencies**, Office 365 integration, Google Apps integration, and third-party SaaS-based services can exceed the limit quickly. If that happens, SPF may return PermError, undermining threat detection workflows and sender authentication.

Administrators also sometimes copy old documentation during a MessageLabs replacement or migration from Symantec Email Security.cloud to Mimecast. During a Mimecast Bridge Program, Broadcom-Symantec migration, or other transition services effort, make sure SPF authorizes both platforms only for the required coexistence period. Leaving obsolete include mechanisms in place after customer migration can create unnecessary risk.

Other mistakes include:

- Using `+all`, which authorizes everyone and defeats SPF.
- Adding IP addresses that are not owned or controlled by your organization.
- Forgetting subdomains that send mail, such as news.example.com.
- Failing to **coordinate with customer support**, Professional Services, or the team managing Symantec Messaging Gateway.
- Assuming SPF alone blocks malware, ransomware, phishing, spear phishing, malicious attachments, and business email compromise.

SPF is important, but it must work alongside threat detection, sandboxing, user education, [security awareness training](https://www.usclaro.com/blog/security-awareness-training-what-it-covers-and-why-its-important), user awareness campaigns, global intelligence network insights, automated remediation, click-time URL protection, web browser isolation, and attack response processes. This layered approach improves cyber resiliency and supports a stronger email security posture.

![MessageLabs SPF Configuration and Email Security Guide](https://media.mailhop.org/autospf/spf-record-8967-1781688974995.jpg)

##### Testing, Validating, and Maintaining Your MessageLabs SPF Record

After publishing the record, validate it with [SPF lookup tools](https://autospf.com/spf-record-lookup-tool/) and by sending test messages through MessageLabs. _Review message headers to confirm SPF passes for mail routed through the cloud-based service_. If you use Office 365, Google Apps, Symantec Enterprise Cloud, Symantec Messaging Gateway, or **Mimecast SaaS alongside MessageLabs**, test each outbound path separately.

Maintenance is just as important as initial setup. Review the SPF record whenever you add cybersecurity software, change email routing, adopt a MessageLabs replacement, deploy new continuity solutions, update archiving systems, change backup workflows, or modify recovery solutions. Monitor outbound mail with analytics and outbound monitoring to identify unauthorized senders, [spoofing attempts](https://www.scworld.com/brief/fbi-us-officials-spoofed-in-ongoing-voice-sms-phishing-campaign), phishing campaigns, spear phishing attempts, ransomware lures, [malware delivery](https://thehackernews.com/2026/06/clickfix-campaigns-expand-malware.html), and business email compromise patterns.

A mature email security program treats SPF as one control within a larger enterprise messaging security framework. That framework should combine sender authentication, advanced detection technologies, email threat detection response, sandboxing, static file analysis, global **intelligence network telemetry**, automated remediation, and user education. It should also account for compliance, redundancy, resilience, corporate data protection, and operational cyber resiliency.

For legacy Symantec customers, the key is accuracy: authorize the correct MessageLabs infrastructure, remove outdated senders, validate DNS regularly, and reassess SPF during any Broadcom, Symantec, Mimecast, or MessageLabs replacement initiative. _Done correctly, SPF strengthens email security, supports threat detection, and reduces the risk of domain abuse in malware, phishing, ransomware, spear phishing, and business email compromise attacks_.

![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Ready to get started?

Try AutoSPF free — no credit card required.

[ Book a Demo ](/book-a-demo/) 

## Related Articles

[  Intermediate 6m  10 Reasons Why DIY-ing SPF isn’t a Good Choice for Companies  Apr 4, 2024 ](/blog/10-reasons-diy-ing-spf-isnt-good-choice-for-companies/)[  Intermediate 5m  The 12.4 billion shield for your email communications: Why DMARC software is the unsung hero in the war against phishing actors!  Nov 19, 2025 ](/blog/12-4-billion-dmarc-software-shield-protecting-email-from-phishing-actors/)[  Intermediate 3m  3 points to consider before setting your SPF record to -all (HardFail)  May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[  Intermediate 3m  5 key contributors to the development of the Sender Policy Framework  Nov 12, 2024 ](/blog/5-key-contributors-to-sender-policy-framework-development/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"MessageLabs SPF Setup: How To Configure SPF Records Correctly","description":"Learn how to configure MessageLabs SPF records correctly to improve email authentication, prevent spoofing, and enhance deliverability.","url":"https://autospf.com/blog/messagelabs-spf-setup-how-to-configure-spf-records-correctly/","datePublished":"2026-06-17T00:00:00.000Z","dateModified":"2026-06-17T00:00:00.000Z","dateCreated":"2026-06-17T00:00:00.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/messagelabs-spf-setup-how-to-configure-spf-records-correctly/"},"articleSection":"intermediate","keywords":"","image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/spf-records-in-dns-5928-1781688460893.jpg","caption":"MessageLabs SPF Setup"},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"MessageLabs SPF Setup: How To Configure SPF Records Correctly","item":"https://autospf.com/blog/messagelabs-spf-setup-how-to-configure-spf-records-correctly/"}]}
```