Office 365 - SPF Records
Sender Policy Framework (SPF) records allow domain owners to specify which hosts are permitted to send email on behalf of their domains. Normal SMTP allows any computer to send an email claiming to be from anyone. Thus, it's easy for spammers to send emails with forged From: addresses. SPF allows a domain owner to use a special format of DNS TXT records to specify which machines/hosts are authorized to transmit email for their domain, making it difficult to forge From: addresses.
How are SPF records used?
A domain's SPF records are used by other servers in 2 ways.
- First, they could block mail that forges the From: addresses using your domain if the sending server is prohibited by the SPF records to send on behalf of the domain. However, this practice has some negative side effects (specifically involving forwarding mail servers) so it is not very common for restrictive SPF records to be published.
- Second, they can be used for whitelisting. For example, mail originating from an authorized server might be less likely to be rated as spam or rejected by other servers. Thus, SPF does not require you to publish restrictive records in order to reap some benefits.
What do Office 365 SPF records say?
Office 365 team has published a basic set of unrestricted SPF records. You can look them up by querying the TXT record for the domain. For example:
> dig +short TXT wisc.edu "v=spf1 redirect=_spf.wiscmail.wisc.edu"
This SPF record tells other servers to reference the SPF records in the "_spf.wiscmail.wisc.edu" domain. They look like this:
> dig +short TXT _spf.wiscmail.wisc.edu "v=spf1 ip4:22.214.171.124/25 ?all"
This record tells other servers that any server in the IP range of 126.96.36.199/25 is allowed to send for the domain. The "?all" modifier at the end means that all other servers should be allowed to send mail on behalf of the domain as if there were no SPF records published at all.
Do I have to worry about mail from my server being rejected?
As you can see, the SPF records for the wisc.edu domain are not restrictive. If mail with a From: address of @wisc.edu is sent through UW-Madison's central mail servers either via Office 365, smtpauth.wiscmail.wisc.edu, smtp.wiscmail.wisc.edu or relay.mail.wisc.edu an SPF check should return a PASS response. However, if you are running a server that is sending mail using From: addresses in the @wisc.edu domain, but the server is not explicitly listed in the SPF record an SPF check will result in a neutral return. It is unusual for a receiving system to reject mail solely based on a neutral SPF return value.
SPF records for Office 365 hosted domains
If your domain is hosted by Office 365, we encourage you to publish SPF records that reference the _spf.wiscmail.wisc.edu SPF record. You can either:
- Publish the basic "redirect" record exactly like the Office 365 domains.
- If you would like to include additional servers in your SPF record, you can publish something like this:
"v=spf1 ip4:188.8.131.52 include:_spf.wiscmail.wisc.edu ?all"
- A more complex example might include both server DNS names as well as IP ranges.
"v=spf1 a:smtp.doit.wisc.edu ip4:184.108.40.206/24 include:_spf.wiscmail.wisc.edu ?all"
- Finally, if you want to publish something more restrictive so that spammers can't forge mail using your domain, you can do something like this:
"v=spf1 ip4:220.127.116.11 include:_spf.wiscmail.wisc.edu -all"
Be aware that specifying -all (Fail) instead of ~all (SoftFail) or ?all (Neutral) may result in delivery problems.
Where can I get more information?
For more information about SPF record syntax: http://www.openspf.org/SPF_Record_Syntax
If you are an Office 365 domain administrator and you would like assistance reviewing the SPF record for your domain, please contact email@example.com.