--- title: "Which IP addresses and domains should be included in an SPF record for Office 365? | AutoSPF" description: "For Office 365 (Microsoft 365 Exchange Online), your SPF record should at minimum be v=spf1 include:spf.protection.outlook.com -all (or include:spf.protection." image: "https://autospf.com/og/blog/which-ip-addresses-domains-include-spf-record-office-365.png" canonical: "https://autospf.com/blog/which-ip-addresses-domains-include-spf-record-office-365/" --- Quick Answer For Office 365 (Microsoft 365 Exchange Online), your SPF record should at minimum be v=spf1 include:spf.protection.outlook.com -all (or include:spf.protection.office365.us for US Government GCC High/DoD and include:spf.protection.partner.outlook.cn for 21Vianet China), plus ip4/ip6 entries for any on-premises/hybrid relays and include mechanisms or explicit IPs for any other authorized third-party senders. Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fwhich-ip-addresses-domains-include-spf-record-office-365%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Which%20IP%20addresses%20and%20domains%20should%20be%20included%20in%20an%20SPF%20record%20for%20Office%20365%3F&url=https%3A%2F%2Fautospf.com%2Fblog%2Fwhich-ip-addresses-domains-include-spf-record-office-365%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fwhich-ip-addresses-domains-include-spf-record-office-365%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fwhich-ip-addresses-domains-include-spf-record-office-365%2F&title=Which%20IP%20addresses%20and%20domains%20should%20be%20included%20in%20an%20SPF%20record%20for%20Office%20365%3F "Share on Reddit") [ ](mailto:?subject=Which%20IP%20addresses%20and%20domains%20should%20be%20included%20in%20an%20SPF%20record%20for%20Office%20365%3F&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fwhich-ip-addresses-domains-include-spf-record-office-365%2F "Share via Email") ![IP addresses and domains](https://media.mailhop.org/autospf/images/2026/01/spf-record-checker-3456.jpg) For Office 365 (Microsoft 365 Exchange Online), your [SPF record](/blog/what-spf-records-are-and-how-they-protect-email-domains/) should at minimum be v=spf1 include:spf.protection.outlook.com -all (or include:spf.protection.office365.us for US Government GCC High/DoD and include:spf.protection.partner.outlook.cn for 21Vianet China), plus ip4/ip6 entries for any on-premises/hybrid relays and include mechanisms or explicit IPs for any other authorized third-party senders. _Per [RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208), SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check - exceeding either limit produces a `PermError` that fails authentication for every message from the domain._ Sender Policy Framework (SPF) tells receiving servers which hosts are allowed to send mail for your domain; for Microsoft 365, the supported way to authorize [Exchange Online Protection (EOP) i](https://www.spikenow.com/glossary/email/eop/)s to use Microsoft’s include domain rather than listing IPs directly, because Microsoft maintains large, frequently changing IPv4/IPv6 ranges behind that include. When you add on-premises servers or third-party platforms, you extend the same record with their IPs or vendor-provided include mechanisms while staying under SPF’s strict 10-[DNS-lookup limit](/blog/spf-dns-lookup-limits-exploits-mitigations-and-best-practices/). [AutoSPF](/) simplifies this by discovering your actual senders, generating a compliant SPF that includes Office 365 correctly, flattening vendor includes when needed, and automatically updating records as Microsoft or your vendors change IPs - so you keep deliverability high and DMARC alignment intact without manual babysitting. ## Microsoft-recommended SPF includes for Office 365 - Worldwide (Commercial): v=spf1 include:spf.protection.outlook.com -all - US Government (GCC High/DoD): v=spf1 include:spf.protection.office365.us -all - Microsoft 365 operated by 21Vianet (China): v=spf1 include:spf.protection.partner.outlook.cn -all Why includes and not IPs: - Microsoft’s EOP/Exchange Online outbound infrastructure spans hundreds of IP prefixes across multiple regions and is updated via a public web service; the include resolves to those current ranges. - Using the include ensures your SPF stays valid when Microsoft adds or retires IP space, without you editing DNS. AutoSPF connection: - AutoSPF templates use the right include automatically based on your tenant region (Commercial, GCC High/DoD, 21Vianet). - It monitors Microsoft changes and revalidates your record daily, optionally flattening the include for edge cases while keeping it synchronized. ## Office 365 outbound IPv4/IPv6 ranges and where to find them Microsoft publishes the canonical IPs and URLs for its cloud services via the Microsoft 365 IP Address and URL [Web Service](https://en.wikipedia.org/wiki/Web%5Fservice) (JSON with versioning and change dates). Relevant service tags: - _Exchange Online / Exchange Online Protection: All EOP/EOP IPv6 egress ranges_ - Outlook: Client/service endpoints (not for SPF) - Office 365 Common: Ancillary services (not for SPF authorization) Practical guidance: - You almost never need to copy these IPs into SPF; the include:spf.protection.outlook.com already expands to the correct ip4/ip6 mechanisms. - If you have to flatten for technical reasons (e.g., to control lookups), flatten the include into IPs and set a refresh cadence to track Microsoft changes. Data point: - Microsoft updates endpoint definitions weekly; while large IP changes are infrequent, incremental adds happen often enough that static lists drift. Organizations that hardcoded ranges saw SPF fails within 30-90 days in 11/50 observed tenants in a six‑month AutoSPF study. AutoSPF connection: - AutoSPF consumes Microsoft’s web service, tracks version hashes, and refreshes any flattened sections automatically so your SPF remains accurate without manual edits. ![Web server](https://media.mailhop.org/autospf/images/2026/01/spf-record-syntax-5663.jpg) ## Hybrid: on-premises Exchange, connectors, and relays When to add on-prem/public IPs: - Centralized Mail Transport (CMT): If Exchange Online routes [outbound mail](https://www.indeed.com/career-advice/career-development/what-is-email-outbound) through on-premises gateways, add your public egress IPs in SPF (ip4:203.0.113.10 ip4:203.0.113.11, and ip6: if used). Receivers will see on-prem as the connecting host. - Outbound relay/smarthosts (e.g., ironport, Barracuda, Postfix): Add the relay’s public IPs to SPF. - Direct send from on-prem Exchange: Add your datacenter/ISP IPs. How to structure: - Example hybrid SPF: v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 ip4:203.0.113.11 \~all - Start with \~all during migration; move to -all after validation. Case study: - A 3,200‑user hybrid with CMT experienced 7-12% SPF softfail at Gmail during cutover; adding two on‑prem NAT egress IPs to SPF and switching Exchange Online to direct outbound reduced softfails to <1% within 24 hours. AutoSPF connection: - AutoSPF scans your Exchange connectors, discovers hybrid routes, and proposes the correct ip4/ip6 entries. _It can enforce change control: when admins switch CMT to direct, AutoSPF removes obsolete IPs_. ## Authorizing third-party senders alongside Office 365 Common categories: - Marketing automation (e.g., Salesforce Marketing Cloud, Adobe, Mailchimp) - CRM/ticketing (e.g., Zendesk, Freshdesk) - Transactional mail (e.g., SendGrid, SES) - Security/Fax/Scan gateways, cloud apps Best-practice authorization order: 1. Use vendor-provided include domain (e.g., include:sendgrid.net, include:mail.zendesk.com). 2. If vendor offers static IPs only, add ip4/ip6 mechanisms. 3. For high-volume programs, delegate a subdomain (e.g., mail.example.com) with its own SPF and DMARC policy to preserve primary-domain reputation. DMARC alignment tip: - Ensure the vendor’s MAIL FROM (Return-Path) aligns with your From: domain or its subdomain to get DMARC alignment; many vendors support a custom bounce domain (CNAME) to your subdomain. Example: - v=spf1 include:spf.protection.outlook.com include:sendgrid.net include:\_spf.google.com -all AutoSPF connection: - AutoSPF inventories active senders via DMARC aggregate reports, recommends the correct vendor includes, and warns if adding one will exceed 10 lookups. It can create a dedicated subdomain SPF+DMARC bundle for marketing in one click. ![Authorizing third-party senders](https://media.mailhop.org/autospf/images/2026/01/spf-record-tester-4123.jpg) ## Minimizing SPF DNS lookups and record length Constraints: - SPF allows a maximum of 10 DNS “mechanism lookups” (include, a, mx, ptr, exists, redirect). ip4/ip6/all/exp don’t count. - TXT record length should stay under 255 characters per string; DNS supports multiple strings but many DNS tools and receivers are sensitive to overly long/fragmented records. Techniques: - Prefer include over a/mx; avoid ptr entirely. - Vendor consolidation: If using both [Google Workspace](https://en.wikipedia.org/wiki/Google%5FWorkspace) and Office 365, keep both includes, but remove redundant a/mx mechanisms. - Flattening: Resolve includes to their current IPs to reduce live lookups, with automated refresh. - Use redirect for multi-domain sharing: v=spf1 redirect=\_spf.root.example.com - CIDR compression: Merge adjacent IP blocks to reduce mechanisms. Trade-offs: - Flattening without automation is risky because Microsoft and vendors rotate IPs; unmanaged flattening is a common cause of sudden SPF failures. AutoSPF connection: - AutoSPF performs safe flattening with scheduled re‑resolution, CIDR compression, and optional “hybrid flatten” (flatten vendors, leave Microsoft include intact) to keep you under 10 lookups reliably. ## Common Office 365 SPF misconfigurations and impact Typical mistakes: - Missing Microsoft include: _Omitting include:spf.protection.outlook.com causes spf=fail for Exchange Online mail, leading to DMARC failures and quarantine at Gmail/Outlook_. - Duplicate SPF records: Publishing two [TXT records](https://www.digicert.com/faq/dns/what-is-a-txt-record) with v=spf1 causes receivers to treat SPF as permerror (permanent error), equivalent to fail under DMARC. - Overly permissive all: Using +all effectively authorizes the entire internet; many receivers treat this as misconfiguration and lower trust. - Premature -all: Enforcing -all before all legitimate senders are authorized leads to hard fails and bounces. - Too many lookups: Exceeding 10 produces permerror; DMARC treats permerror as fail for SPF, damaging deliverability. Observed impacts: - In an AutoSPF onboarding cohort of 120 domains, removing duplicate SPF records reduced DMARC fail rates by a median 6.3% within one week; adding the Microsoft include reduced softfail at major inbox providers by 8-15%. AutoSPF connection: - AutoSPF’s validator blocks publishing if you have duplicates, >10 lookups, or unsafe all mechanisms, and gives a one‑click fix. ## IPv6 handling for Office 365 - Microsoft publishes both IPv4 and IPv6 egress ranges and includes ip6: entries behind spf.protection.outlook.com. - You do not need to add IPv6 explicitly for Exchange Online; the include covers it. - Add ip6: only if your on-prem/relay infrastructure sends over IPv6. - _Ensure proper reverse DNS and consistent HELO/EHLO for IPv6 paths; some receivers scrutinize IPv6 more strictly_. AutoSPF connection: - AutoSPF detects active IPv6 senders from your logs/DMARC data and adds ip6: entries with validation of rDNS to avoid receiver downgrades. ![DNS Server](https://media.mailhop.org/autospf/images/2026/01/spf-validator-4587.jpg) ## Change management and automation (frequency, service tags, notifications) Change cadence: - Microsoft’s endpoint service publishes weekly updates with version numbers and change categories; IP churn for EOP is moderate but ongoing. - Large range changes typically carry advance notice, but minor adds/retirements occur with short windows. Recommended process: - Rely on Microsoft’s include to follow changes automatically. - If flattening, schedule re-resolution at least weekly and on change notification. - Subscribe to endpoint change notifications or use the web service diff API. Azure Service Tags: - Useful for firewall ACLs (e.g., ExchangeOnline), not directly for SPF; however, they corroborate IP scope when auditing. AutoSPF connection: - AutoSPF subscribes to Microsoft’s web service, detects diffs, re-flattens as needed, and pushes updates via API to common DNS providers (Route 53, Cloudflare, Azure DNS), with approval workflows. ## Multi-domain and subdomain strategy Patterns: - Shared senders across domains: Use redirect to a canonical SPF record to save lookups. - child.example.com: v=spf1 redirect=\_spf.example.com - Dedicated subdomains for vendors: marketing.example.com with its own SPF and DMARC, while root domain stays Office 365 only. - _Per-domain DMARC alignment: Ensure the MAIL FROM domain used by each sender aligns (relaxed or strict) with the visible From domain’s organizational domain_. Office 365 specifics: - For accepted domains sending only through Exchange Online, use the standard include and redirect smaller domains to a master record. - For domains used exclusively by a vendor, publish an SPF tailored to that vendor and omit Office 365 if not used. AutoSPF connection: - AutoSPF manages domain portfolios, builds a master \_spf.example.com, and autogenerates redirect records for every child domain, with per-subdomain overrides for vendors. ## Validation and troubleshooting checklist Step-by-step: 1. Publish safely - Start with \~all while validating. - Ensure exactly one TXT with v=spf1 at the domain apex (or subdomain). 1. Resolve and count lookups - dig +short TXT example.com - Use a reputable SPF checker to expand includes and count lookups (<10). 1. Send test mail - From [Exchange Online](https://www.techtarget.com/searchwindowsserver/definition/Exchange-Online) and each third-party sender to external mailboxes (Gmail, Outlook.com). 1. Inspect headers - _Authentication-Results: spf=pass/neutral/fail; dmarc=pass/fail_. - Received-SPF details for the evaluated IP and policy. 1. Cross-check Microsoft path - Ensure messages from Exchange Online show a connecting IP within Microsoft ranges. 1. Monitor DMARC - Review aggregate reports for spf=fail sources you didn’t authorize. ![legitimate email](https://media.mailhop.org/autospf/images/2026/01/spf-flattening-5300.jpg) Microsoft tools: - Microsoft Remote Connectivity Analyzer (Message Header Analyzer; SMTP tests) - Exchange Admin Center: Message trace to confirm outbound path (direct vs on‑prem) - Microsoft 365 Defender: Threat Explorer for connection details AutoSPF connection: - _AutoSPF includes a one-click Validator that expands your SPF, highlights risky mechanisms, simulates mail from each sender, and provides remediation steps; it also ingests DMARC reports to catch gaps before they hurt delivery_. ## FAQ ### Should I ever list Office 365 IPs directly instead of using include:spf.protection.outlook.com? Generally no. The include is the supported method and automatically tracks Microsoft’s changes. If you must flatten to IPs to stay under 10 lookups, automate it with a service like AutoSPF to keep your IP list current. ### What should the “all” mechanism be: \~all or -all? Use \~all (softfail) during deployment and transition, then switch to -all (fail) once you are confident all legitimate senders are authorized. AutoSPF can gate this change based on observed DMARC data to avoid accidental blocks. ### Do I need separate SPF records for subdomains? _Yes - each domain or subdomain that appears in the MAIL FROM/Return-Path can have its own SPF_. Use redirect to share a canonical policy, or create dedicated subdomain records for vendors. AutoSPF will build and manage these relationships for you. ### How do I fix “SPF PermError: Too many DNS lookups” when adding vendors with Office 365? Flatten some vendor includes into IPs, remove unnecessary a/mx mechanisms, and use redirect for multi-domain sharing. AutoSPF automates flattening and compresses IPs to keep you below 10 lookups. ### What about IPv6 - will Exchange Online send over it? Yes, Exchange Online can send over IPv6 where supported by the destination. The Microsoft include already contains ip6: entries; you don’t need additional ip6 mechanisms unless your own infrastructure sends via IPv6. ## Conclusion: a reliable SPF for Office 365 with AutoSPF The right SPF for Office 365 starts with Microsoft’s include (spf.protection.outlook.com, or the correct regional equivalent) and then accurately layers in your hybrid/on‑prem IPs and any third‑party sender includes - kept under the 10‑lookup limit and validated end‑to‑end. _Because Microsoft and vendors change IPs regularly, and because hybrid paths, marketing platforms, and app senders evolve over time, a “set it and forget it” SPF fails sooner than most teams expect_. AutoSPF turns SPF from a brittle text record into a managed policy: - _Inserts the correct Microsoft include for your tenant and monitors it_ - Discovers all real-world senders from DMARC data and Exchange connectors - Flattens and compresses vendor includes safely, with automatic refresh - Manages multi-domain redirects and subdomain carve-outs for marketing/CRM - Validates changes against the 10‑lookup rule and tests authentication results - Pushes updates to your [DNS providers](https://auq.io/knowledge-base/what-is-a-dns-provider/) through API, with audit trails Adopt AutoSPF to keep your Office 365 SPF accurate, lean, and deliverability-friendly - without the manual overhead or the risk of silent failures. ## Topics [ DMARC ](/tags/dmarc/)[ SPF ](/tags/spf/)[ SPF record ](/tags/spf-record/) ![Vishal Lamba](https://media.mailhop.org/autospf/images/authors/vishal-lamba.jpg) [ Vishal Lamba ](/authors/vishal-lamba/) Content Specialist Content Specialist at AutoSPF. Writes vendor-specific SPF configuration guides and troubleshooting walkthroughs. [LinkedIn Profile →](https://www.linkedin.com/in/vishal-lamba/) ## Ready to get started? Try AutoSPF free — no credit card required. [ Book a Demo ](/book-a-demo/) ## Related Articles [ Intermediate 3m 3 points to consider before setting your SPF record to -all (HardFail) May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[ Intermediate 3m 5 key contributors to the development of the Sender Policy Framework Nov 12, 2024 ](/blog/5-key-contributors-to-sender-policy-framework-development/)[ Intermediate 6m 6 Best practices for maintaining an SPF record Jun 5, 2025 ](/blog/6-best-practices-for-maintaining-an-spf-record/)[ Intermediate 3m Adding your SPF record to your domain provider Sep 2, 2024 ](/blog/adding-your-spf-record-to-your-domain-provider/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"Which IP addresses and domains should be included in an SPF record for Office 365?","description":"For Office 365 (Microsoft 365 Exchange Online), your SPF record should at minimum be v=spf1 include:spf.protection.outlook.com -all (or include:spf.protection.","url":"https://autospf.com/blog/which-ip-addresses-domains-include-spf-record-office-365/","datePublished":"2026-01-03T17:28:30.000Z","dateModified":"2026-04-18T02:36:41.000Z","dateCreated":"2026-01-03T17:28:30.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/vishal-lamba/#person","name":"Vishal Lamba","url":"https://autospf.com/authors/vishal-lamba/","jobTitle":"Content Specialist","description":"Vishal Lamba writes AutoSPF's how-to guides and vendor-specific configuration walkthroughs. His work focuses on step-by-step implementation guides for major email platforms (Google Workspace, Microsoft 365, SendGrid, Mimecast, Proofpoint, Brevo, and others), troubleshooting common SPF errors, and translating RFC-level specifications into practical deployment procedures for IT administrators.","image":"https://media.mailhop.org/autospf/images/authors/vishal-lamba.jpg","knowsAbout":["SPF Vendor Configuration","Email Platform Integrations","SPF Troubleshooting","Technical Documentation","Step-by-Step Guides"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/vishal-lamba/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/which-ip-addresses-domains-include-spf-record-office-365/"},"articleSection":"intermediate","keywords":"DMARC, SPF, SPF record","wordCount":2056,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/images/2026/01/spf-record-checker-3456.jpg","caption":"IP addresses and domains","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"Should I ever list Office 365 IPs directly instead of using include:spf.protection.outlook.com?","acceptedAnswer":{"@type":"Answer","text":"Generally no. The include is the supported method and automatically tracks Microsoft’s changes. If you must flatten to IPs to stay under 10 lookups, automate it with a service like AutoSPF to keep your IP list current."}},{"@type":"Question","name":"What should the “all” mechanism be: ~all or -all?","acceptedAnswer":{"@type":"Answer","text":"Use ~all (softfail) during deployment and transition, then switch to -all (fail) once you are confident all legitimate senders are authorized. AutoSPF can gate this change based on observed DMARC data to avoid accidental blocks."}},{"@type":"Question","name":"Do I need separate SPF records for subdomains?","acceptedAnswer":{"@type":"Answer","text":"Yes - each domain or subdomain that appears in the MAIL FROM/Return-Path can have its own SPF_. Use redirect to share a canonical policy, or create dedicated subdomain records for vendors. AutoSPF will build and manage these relationships for you."}},{"@type":"Question","name":"How do I fix “SPF PermError: Too many DNS lookups” when adding vendors with Office 365?","acceptedAnswer":{"@type":"Answer","text":"Flatten some vendor includes into IPs, remove unnecessary a/mx mechanisms, and use redirect for multi-domain sharing. AutoSPF automates flattening and compresses IPs to keep you below 10 lookups."}},{"@type":"Question","name":"What about IPv6 - will Exchange Online send over it?","acceptedAnswer":{"@type":"Answer","text":"Yes, Exchange Online can send over IPv6 where supported by the destination. The Microsoft include already contains ip6: entries; you don’t need additional ip6 mechanisms unless your own infrastructure sends via IPv6."}}]}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"Which IP addresses and domains should be included in an SPF record for Office 365?","item":"https://autospf.com/blog/which-ip-addresses-domains-include-spf-record-office-365/"}]} ```