SPF for Microsoft 365: Complete Setup Guide
Set up SPF for Microsoft 365 and Exchange Online. Learn the correct SPF include for Outlook, how to combine with other services, and avoid common mistakes.
Your Microsoft 365 Emails Are Failing Authentication
You migrated to Microsoft 365 for your company email. Outlook works fine, Teams is humming along, but your outbound emails keep getting flagged. A partner asks why your messages land in their junk folder. The answer is almost always the same: your domain's SPF record doesn't authorize Microsoft's sending servers.
The Microsoft 365 SPF Problem
When you send email through Microsoft 365, the message originates from Microsoft's Exchange Online infrastructure — not from your own servers. The recipient's mail server looks up your domain's SPF record to verify that Microsoft is allowed to send on your behalf. If that authorization is missing, the message fails SPF checks.
Microsoft's setup adds a few complications:
- The correct SPF include is specific to Exchange Online Protection and easy to confuse with other Microsoft domains
- Many organizations also use third-party services for marketing or transactional email, requiring a merged SPF record
- Microsoft's own documentation can be hard to navigate, and the include has changed over the years
Microsoft 365 requires include:spf.protection.outlook.com in your SPF record. This covers Exchange Online, Outlook.com sending infrastructure, and Microsoft-hosted email routing.
How SPF Creator Helps
Microsoft 365 preset
Select Microsoft 365 from the provider list and include:spf.protection.outlook.com is added automatically. No guessing which Microsoft domain to use.
Combine with other services
Using SendGrid for transactional email or HubSpot for marketing? SPF Creator merges all your providers into one valid SPF record.
Lookup counter
Microsoft's include consumes some of your 10 DNS lookup budget. SPF Creator shows you exactly how many lookups your full record requires.
Copy-paste ready
The generated record is formatted correctly and ready to paste into your DNS provider. No manual string assembly.
Monitor your Microsoft 365 email authentication
After creating your SPF record, keep it healthy. Get daily checks on SPF, DKIM, and DMARC.
Setting Up SPF for Microsoft 365
Open SPF Creator
Go to SPF Creator. Your record starts with v=spf1 by default.
Add Microsoft 365
Select Microsoft 365 from the provider dropdown. This adds include:spf.protection.outlook.com to your record.
Add additional senders
If your organization uses other email services — marketing platforms, CRM systems, transactional email providers — add each one. SPF Creator handles the merge.
Review the record
A Microsoft 365-only SPF record looks like: v=spf1 include:spf.protection.outlook.com ~all. Check the lookup count if you've added multiple providers.
Update your DNS
Log into your DNS provider and create (or update) a TXT record on your root domain. Paste the generated SPF value.
Verify in Microsoft 365 Admin Center
Microsoft 365 Admin Center has a domain health check. Run it after DNS propagation to confirm SPF is set up correctly. You can also use SPF Record Check to independently verify your record.
Common Microsoft 365 SPF Mistakes
Using the wrong Microsoft include
Microsoft has many domains. The correct SPF include is spf.protection.outlook.com. Not outlook.com, not microsoft.com, not office365.com. Using the wrong one means SPF checks fail silently.
Forgetting on-premises hybrid servers
If you run a hybrid Exchange setup with some mailboxes on-premises, you need to include your on-premises server IPs in addition to the Microsoft 365 include. A typical hybrid record might look like:
v=spf1 ip4:203.0.113.5 include:spf.protection.outlook.com ~all
Hybrid Exchange deployments are common during migrations. If you're in the middle of moving to Microsoft 365, make sure both your old servers and the new Microsoft infrastructure are covered in your SPF record.
Having multiple SPF records
Your domain can only have one SPF TXT record. If you have separate records for Microsoft and another service, receiving servers may ignore both. Merge everything into one:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all
Jumping straight to -all
Using -all (hardfail) before you've verified all sending sources are included can cause legitimate email to be rejected. Start with ~all (softfail) during setup and transition to -all once everything is confirmed.
After SPF is in place, strengthen your Microsoft 365 authentication by generating DKIM keys and creating a DMARC policy to complete the email security trio.
Microsoft 365 + Common Service Combos
| Services | SPF Record |
|---|---|
| M365 only | v=spf1 include:spf.protection.outlook.com ~all |
| M365 + SendGrid | v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all |
| M365 + Mailchimp | v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ~all |
| M365 + HubSpot | v=spf1 include:spf.protection.outlook.com include:spf.hubspot.com ~all |
| M365 + Salesforce | v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com ~all |
Pricing
Free
$0
- Up to 3 items
- Email alerts
- Basic support
Pro
$9/month
- Unlimited items
- Email + Slack alerts
- Priority support
- API access
Related Articles
Monitor Your New SPF Record
You've created your SPF record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring