SPF for Microsoft 365: Complete Setup Guide for Office 365 Email
Set up SPF for Microsoft 365 (Office 365) with the correct include statement. Step-by-step DNS configuration, common mistakes, and how to verify your setup.
Last updated: 2026-04-18
Microsoft 365 (formerly Office 365) is one of the most widely used business email platforms. If you send email through Microsoft 365, you need an SPF record that authorizes Microsoft's servers to send on behalf of your domain. Without it, your emails may land in spam or get rejected.
For a comprehensive overview of SPF, see our complete SPF guide. This guide walks you through the setup step by step — no technical background required.
The Microsoft 365 SPF Include
To authorize Microsoft 365 to send email for your domain, you need this include statement in your SPF record (Microsoft 365 documentation):
include:spf.protection.outlook.com
This single include covers Exchange Online and all of Microsoft 365's email infrastructure. Microsoft maintains this record and updates it when their server IPs change, so you don't have to.
Use the exact domain
The correct include is spf.protection.outlook.com (Microsoft 365 documentation). Common mistakes include using outlook.com, microsoft.com, or office365.com — none of those are correct and won't authorize your email.
Setting Up SPF for Microsoft 365
If your domain doesn't have an SPF record yet, follow these steps to create one.
Find your DNS management panel
Log into the service where you manage your domain's DNS records. This is typically your domain registrar or a DNS provider — see our guides for Cloudflare, GoDaddy, or Namecheap. If you're not sure where your DNS is managed, ask your IT contact or check your domain registrar account.
Check for an existing SPF record
Look for a TXT record that starts with v=spf1. You should only have one SPF record per domain. Use the checker below to see what's currently published.
Create a new TXT record
If no SPF record exists, create a new TXT record with these settings:
- Type: TXT
- Name/Host:
@(or leave blank — this means the root domain) - Value:
v=spf1 include:spf.protection.outlook.com ~all - TTL: 3600 (or your provider's default)
Save and wait for DNS propagation
After saving, DNS changes typically take 1-4 hours to propagate worldwide. In some cases it can take up to 48 hours, but most providers propagate within an hour.
Verify in Microsoft 365 Admin Center
Go to the Microsoft 365 Admin Center. Navigate to Settings > Domains and select your domain. Microsoft will show you the status of your DNS records, including whether SPF is correctly configured.
Adding Microsoft 365 to an Existing SPF Record
If you already have an SPF record — maybe for another email service — you need to add Microsoft's include to it. Never create a second SPF record.
Before (Google Workspace only):
v=spf1 include:_spf.google.com ~all
After (Google Workspace + Microsoft 365):
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
Simply add include:spf.protection.outlook.com before the ~all at the end. The order of include statements doesn't matter.
One SPF record per domain
You must have exactly one SPF record (one TXT record starting with v=spf1). Having two separate SPF records causes a PermError, which means SPF fails for every email. Always edit your existing record rather than creating a new one.
Common Microsoft 365 SPF Mistakes
Using the wrong include domain
This is the most common error. Here are incorrect values people frequently use:
| Incorrect Include | Why It's Wrong |
|---|---|
| include:outlook.com | This is the consumer Outlook.com domain, not the SPF include |
| include:microsoft.com | Too generic — not the M365 mail infrastructure |
| include:office365.com | Not a valid SPF include domain |
| include:protection.outlook.com | Missing the 'spf.' prefix |
| include:spf.outlook.com | Missing 'protection.' in the middle |
The only correct value is: include:spf.protection.outlook.com
Confusing Exchange Online with Exchange on-premises
If your organization uses an on-premises Exchange server (not Microsoft 365), the SPF configuration is different. On-premises Exchange sends from your own servers with your own IP addresses, so you would use ip4: entries pointing to your mail server IPs instead of the Microsoft 365 include.
If you're in a hybrid setup (some mailboxes on-premises, some in Microsoft 365), you need both: the Microsoft 365 include for cloud mailboxes and ip4: entries for your on-premises servers.
v=spf1 ip4:203.0.113.25 include:spf.protection.outlook.com ~all
Creating duplicate SPF records
This happens especially during migrations. If you're moving to Microsoft 365 from another provider, edit your existing SPF record — don't create a new one alongside it.
Wrong (two SPF records):
v=spf1 include:_spf.google.com ~all
v=spf1 include:spf.protection.outlook.com ~all
Right (single combined record):
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
Forgetting to remove old providers
After migrating to Microsoft 365, remove the SPF include for your previous email provider once the migration is complete and you've confirmed no email is still routing through the old service. Keeping unnecessary includes wastes DNS lookups.
Verifying Your Microsoft 365 SPF Setup
After making changes, verify everything is working correctly.
Check via the Admin Center
In the Microsoft 365 Admin Center, go to Settings > Domains. Select your domain and look at the DNS records section. Microsoft will flag any issues with your SPF configuration.
Send a test email
Send an email from your Microsoft 365 account to a personal Gmail address. In Gmail, open the email, click the three dots, and select "Show original." Look for the SPF result:
spf=pass (google.com: domain of [email protected] designates [IP] as permitted sender)
If you see spf=pass, your SPF record is working correctly.
Check DMARC reports
If you have DMARC configured with reporting, your aggregate reports will show SPF pass/fail rates over time. This is the best way to monitor ongoing authentication health.
Complete Email Authentication for Microsoft 365
SPF is only one part of email authentication. Microsoft 365 supports all three major protocols:
DKIM — Microsoft 365 supports DKIM signing. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Email authentication settings to configure DKIM for your domain. Verify your setup with a DKIM checker.
DMARC — After SPF and DKIM are configured, publish a DMARC record to tell receiving servers how to handle authentication failures. Start with a monitoring policy (p=none) and work toward enforcement. Check your DMARC with a DMARC record checker.
Microsoft 365 with Other Email Services
Most businesses use additional email services beyond Microsoft 365. Each service needs its own include in your SPF record. See our guide on SPF for multiple ESPs for best practices on combining providers.
Example with Microsoft 365 + SendGrid + Mailchimp:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net include:spf.mandrillapp.com ~all
Keep an eye on your total DNS lookup count. Microsoft 365's include uses approximately 2-3 lookups. With multiple services, you can approach the 10 DNS lookup limit quickly.
If you need help constructing your record, SPF Creator can generate the correct syntax based on your email services.
Monitor Your SPF Records
Email infrastructure changes over time — providers update their servers, team members modify DNS records, and domain migrations can overwrite settings. Continuous monitoring catches these problems before they impact deliverability.
References
- RFC 7208: Sender Policy Framework (SPF) — The current SPF specification
- Microsoft 365: Set up SPF to help prevent spoofing — Official Microsoft 365 SPF configuration guide
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring