AD2.5 SPF: Declaring Who Can Send as Your Domain

Building your SPF record

For an M365 environment where Exchange Online is your only email sending service, the SPF record is simple:

v=spf1 include:spf.protection.outlook.com -all

This record says: "The only servers authorized to send email as @northgateeng.com are Microsoft's Exchange Online servers (spf.protection.outlook.com). Everything else should fail (-all)."

If your organization also sends email through other services — a marketing platform (Mailchimp, HubSpot), a CRM (Salesforce), a support ticketing system (Zendesk), or a scanner/copier that sends via SMTP relay — you need to include those services in the SPF record. Each service provides their SPF include value in their documentation. The record might look like:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:_spf.salesforce.com -all

Important: SPF records have a 10-DNS-lookup limit. Each include: counts as one lookup. If you exceed 10 lookups, the entire SPF record fails — which means ALL your email fails SPF validation. Keep the record as simple as possible. If you're running into the lookup limit, some services offer IP-based SPF entries (ip4:x.x.x.x) that don't count against the lookup limit, or you can use SPF flattening services.

The -all vs ~all decision: -all (hard fail) tells receiving servers to reject email that fails SPF. ~all (soft fail) tells receiving servers to accept the email but mark it as suspicious. Start with ~all during initial deployment to avoid blocking legitimate email from services you forgot to include. After 2-4 weeks of monitoring with no delivery issues, switch to -all for stronger enforcement.

Adding the SPF record to DNS

Log into your DNS hosting provider (Cloudflare, GoDaddy, Azure DNS, Route 53, or wherever your domain's DNS is managed). Create a new TXT record:

Type: TXT Name: @ (or your domain name — some providers use the @ symbol, others require the full domain) Value: v=spf1 include:spf.protection.outlook.com -all TTL: 3600 (1 hour) or your provider's default

Important: You can only have ONE SPF record per domain. If an SPF record already exists, edit it to add the M365 include — don't create a second TXT record starting with v=spf1. Multiple SPF records cause validation failures because receiving servers don't know which one to use.

Verifying the SPF record

After creating the record, verify it with a DNS lookup. Open a command prompt or terminal:

nslookup -type=txt northgateeng.com

You should see your SPF record in the output. If you see two records starting with v=spf1, you have duplicate SPF records — remove the incorrect one.

For a more detailed validation, use MXToolbox (mxtoolbox.com/spf.aspx) — it checks the record syntax, counts the DNS lookups, and flags common errors. Run this check after every SPF change.

To verify SPF is working for outbound email, send a test email from your M365 tenant to an external email address (a personal Gmail or Outlook.com account). In the received email, check the message headers. Look for spf=pass in the Authentication-Results header. If you see spf=pass, your outbound email is SPF-authenticated. If you see spf=fail or spf=none, the SPF record isn't configured correctly — recheck the DNS entry.

Common SPF mistakes

Mistake 1 — Multiple SPF records. Two TXT records both starting with v=spf1. This causes SPF validation to fail for ALL email because the receiving server doesn't know which record to use. Fix: merge both records into a single TXT entry.

Mistake 2 — Exceeding 10 DNS lookups. Each include: in your SPF record triggers a DNS lookup. More than 10 lookups means SPF validation fails entirely. Fix: remove unnecessary includes, use ip4/ip6 directives for services that support them, or use SPF flattening.

Mistake 3 — Forgetting a legitimate sending service. You add the M365 include but forget that your marketing platform also sends email as your domain. Those marketing emails start failing SPF. Fix: audit all services that send email as your domain before publishing the SPF record. Ask your team: what services send email that looks like it comes from us?

Mistake 4 — Using +all instead of -all. +all means "everyone is authorized to send as our domain" — this defeats the entire purpose of SPF. Always use -all (hard fail) or ~all (soft fail during initial deployment).

Auditing all services that send as your domain

Before publishing your SPF record, you need to know every service that sends email as your domain. Miss one and its emails start failing SPF. Here's how to audit systematically.

Check Exchange Online message trace for the last 90 days. In PowerShell:

Connect-ExchangeOnline
$start = (Get-Date).AddDays(-90)
Get-MessageTrace -StartDate $start -EndDate (Get-Date) -Status "Delivered" |
    Where-Object { $_.SenderAddress -like "*@northgateeng.com" } |
    Group-Object SenderAddress |
    Sort-Object Count -Descending |
    Select-Object Name, Count -First 30

This shows every email address on your domain that sent email in the last 90 days. If you see addresses you don't recognize (marketing-noreply@northgateeng.com, support@northgateeng.com, scanner@northgateeng.com), investigate which service sends from each address.

Ask each department. Email is a surprisingly decentralized service. Marketing may use Mailchimp, HubSpot, or Constant Contact. Support may use Zendesk, Freshdesk, or ServiceNow. Sales may use Salesforce or HubSpot CRM. Finance may have an invoicing system that sends as your domain. Operations may have scanners or multifunction printers configured for email. Each of these needs to be in your SPF record.

Check your DNS for existing SPF. If someone previously configured SPF (perhaps a previous admin or a managed service provider), check what's already there:

Resolve-DnsName -Name northgateeng.com -Type TXT | Where-Object { $_.Strings -like "*spf*" }

If an SPF record exists, don't replace it — update it. If it doesn't exist, you're starting fresh. Either way, the audit of sending services comes first.

Validate with an SPF lookup count. After constructing your record, verify the DNS lookup count doesn't exceed 10. Use mxtoolbox.com/spf.aspx or the spf-tools open-source validator. Each include: counts as 1 lookup, and nested includes count recursively. A record like v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:_spf.salesforce.com -all uses 3 lookups at the top level, but each include may resolve to additional includes internally. The total across all levels must stay under 10.

Monitoring SPF health after deployment

SPF isn't a set-and-forget control. Your SPF record needs updating whenever your organization changes email sending services — which happens more often than you'd expect. Marketing switches platforms, support moves to a new ticketing system, a new office scanner sends email. Each change potentially breaks SPF for the new service.

Build a simple SPF monitoring check into your quarterly review. Run this verification:

# Check your SPF record resolves correctly
Resolve-DnsName -Name northgateeng.com -Type TXT |
    Where-Object { $_.Strings -like "*spf*" } |
    Select-Object -ExpandProperty Strings

# Verify outbound email SPF status via a test
# Send a test email to check-auth@verifier.port25.com
# This service replies with your authentication results including SPF

The Port25 verifier service (check-auth@verifier.port25.com) is a free email authentication testing tool. Send an email to this address from your M365 account. Within minutes, you'll receive an automated reply showing your SPF result, DKIM result, and DMARC result — with detailed diagnostics for any failures. This is the fastest way to verify all three authentication mechanisms in one check.

Also monitor your DMARC reports (AD2.7) for SPF failures from your domain. If a legitimate service starts failing SPF because you forgot to add it during a service migration, the DMARC aggregate report shows the source IP and failure count — alerting you to fix the SPF record before delivery issues escalate.

nslookup -type=txt yourdomain.com