Defaults.Exposed › Setup › SPF

How to set up SPF on Microsoft 365

Add an SPF record so the world knows Microsoft 365's servers are allowed to send email for your domain.

Why this matters to your business

SPF (Sender Policy Framework) is a short note in your domain’s DNS that lists which mail servers are allowed to send email “from” your domain. Without it, scammers can forge your address to send fake invoices, payment requests or quotes to your customers and suppliers — and your own legitimate email is more likely to land in spam. Setting SPF up is free, takes a few minutes, and is one of the strongest, cheapest things you can do to protect your name and keep your email getting delivered.

Important: where this actually gets done

This trips a lot of people up, so it’s worth being clear:

• Microsoft 365 runs your email (the mailboxes live on Exchange Online). But Microsoft 365 is the mail platform — it is not necessarily where your domain’s DNS lives.
• The SPF record is added in your DNS host — the company that controls your domain’s nameservers. That might be the registrar where you bought the domain (GoDaddy, Namecheap, etc.), a web host, or something like Cloudflare.
• If you let Microsoft manage your DNS, then your DNS host is Microsoft, and you’d edit the record in the Microsoft 365 admin center → Settings → Domains → DNS records. In that case Microsoft often adds the correct SPF record for you automatically when you set the domain up.

So: Microsoft tells you what the record should contain; you add it where your DNS lives. The mailbox settings inside Microsoft 365 do not hold this record unless Microsoft also runs your DNS.

First: which company runs your DNS?

A DNS record only takes effect if you add it at wherever your domain’s nameservers point. If you’re not sure, check the domain in your registrar account and look at the Nameservers section, or ask whoever set up your website. If the nameservers point somewhere other than Microsoft, add the SPF record in that company’s DNS settings (look for DNS / Records / Advanced DNS). Adding it in the wrong place will do nothing.

What you’ll add

A single TXT record for Microsoft 365. The standard value is:

v=spf1 include:spf.protection.outlook.com -all

• include:spf.protection.outlook.com authorises Microsoft 365’s mail servers to send for you.
• -all is the value Microsoft recommends — a “hard fail” that tells receivers to reject anything not listed. If you’re not yet certain every sender is included, you can start with the softer ~all and tighten to -all later.

You should have only one SPF record (one TXT starting with v=spf1) per domain. If you already have one — for example because you also send through a newsletter tool or a CRM — do not add a second. Edit the existing one and add Microsoft’s part into it, e.g.:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all

Steps

1. Sign in to your DNS host (your registrar, web host, or DNS provider — or the Microsoft 365 admin center if Microsoft runs your DNS).
2. Open the DNS settings for your domain (look for DNS / Records / Advanced DNS).
3. Add a new record and choose TXT as the type.
4. In the Name / Host field, enter @ (this means “the domain itself”). Do not put your full domain name here.
5. In the Value / Data field, paste v=spf1 include:spf.protection.outlook.com -all (or your combined record if you have other senders).
6. Leave TTL at the default (1 hour is fine).
7. Save.

Quirks people get wrong

• It’s not a mailbox setting. People search Microsoft 365’s settings for “SPF” and can’t find a box to type it in — that’s because it belongs in your DNS, not in the mailbox or Exchange admin settings.
• Only one SPF record. Two records starting with v=spf1 breaks SPF completely. Combine senders into a single record using extra include: entries.
• @ for the name, not your domain. Putting the full domain in the Name field can create the record in the wrong place.
• Watch the quoting. Most DNS hosts add the quotes for you — paste the value plain. If your host shows the value already wrapped in "...", don’t add a second set; a double-quoted record is broken.
• Microsoft uses spf.protection.outlook.com. Older or copied-from-elsewhere records may reference different host names — make sure the include is exactly spf.protection.outlook.com.
• Changes aren’t instant. DNS can take from a few minutes up to a couple of hours to update everywhere.

Verify it worked

Once saved, confirm the record is live and correct with the free check on Defaults.Exposed. Enter your domain and it’ll tell you in plain language whether your SPF is set up properly. Your data is processed in the EU.

Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.