--- title: "External DNS records required for SPF in Microsoft 365 | DMARC Report" description: "DMARC Report External DNS records required for SPF in Microsoft 365 Play Episode Pause Episode Mute/Unmute Episode Rewind 10 Seconds 1x Fast Forward 30 seconds." image: "https://dmarcreport.com/og/blog/external-dns-records-required-for-spf-in-microsoft-365.png" canonical: "https://dmarcreport.com/blog/external-dns-records-required-for-spf-in-microsoft-365/" --- Quick Answer SPF records are TXT records that prevent unauthorized emails sent from your domain from landing in the recipients’ inboxes. This minimizes the chances of someone getting duped under the impression that an official representative from your company is communicating with them, asking for sensitive details or transferring money. Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fexternal-dns-records-required-for-spf-in-microsoft-365%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=External%20DNS%20records%20required%20for%20SPF%20in%20Microsoft%20365&url=undefined%2Fblog%2Fexternal-dns-records-required-for-spf-in-microsoft-365%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fexternal-dns-records-required-for-spf-in-microsoft-365%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fexternal-dns-records-required-for-spf-in-microsoft-365%2F&title=External%20DNS%20records%20required%20for%20SPF%20in%20Microsoft%20365 "Share on Reddit") [ ](mailto:?subject=External%20DNS%20records%20required%20for%20SPF%20in%20Microsoft%20365&body=Check out this article: undefined%2Fblog%2Fexternal-dns-records-required-for-spf-in-microsoft-365%2F "Share via Email") ![unauthorized emails](https://media.mailhop.org/dmarcreport/images/2024/11/dmarc-record-7812.jpg) ![unauthorized emails](https://media.mailhop.org/dmarcreport/images/2024/11/dmarc-record-7813-150x150.jpg) DMARC Report External DNS records required for SPF in Microsoft 365 Play Episode Pause Episode ![Loading](https://dmarc.temp927.kinsta.cloud/wp-content/plugins/seriously-simple-podcasting/assets/css/images/player/images/icon-loader.svg) Mute/Unmute Episode Rewind 10 Seconds 1x Fast Forward 30 seconds 00:00 / 2:04 Subscribe Share RSS Feed Share Link Embed SPF records are [TXT records](https://en.wikipedia.org/wiki/TXT%5Frecord) that prevent [unauthorized emails](https://news.trendmicro.com/2023/12/05/unauthorized-log-in-attempt-notification-email/) sent from your domain from landing in the recipients’ inboxes. This minimizes the chances of someone getting duped under the impression that an official representative from your company is communicating with them, asking for **sensitive details** or transferring money. **Domain owners** are allowed to have only one SPF record per domain. A single SPF record can have multiple inclusions; however, you should ensure the total number of [DNS lookups](https://www.digicert.com/faq/dns/how-does-dns-lookup-work) is at most 10\. ## Why is there a DNS lookup limit of 10? Staying within the DNS lookup limit of 10 is important to avoid **SPF PermError**. Otherwise, [SPF](/dmarc-fundamentals/what-is-spf/) validation will fail, prompting receiving servers to invalidate your SPF record altogether. The DNS lookup limit exists for two primary reasons- [DNS query](https://bunny.net/academy/dns/what-is-a-dns-and-recursive-query/) **overhead and network latency**. ### **DNS query** overhead _Upon receiving an email from your domain, the recipient’s server retrieves the SPF record corresponding to your domain_. It sends queries to DNS\*\*,\*\* and this process sometimes involves multiple lookups. Had unlimited DNS lookup been allowed, the [DNS server](https://www.ibm.com/topics/dns-server) would get bombarded with requests, leading to technical issues or frequent crash-downs. So, to avoid these problems, the **DNS lookup limit** exists. ![Network latency](https://media.mailhop.org/dmarcreport/images/2024/11/create-dmarc-record-2.jpg) ### Network latency Excessive DNS lookups in your SPF record can cause delays in [email delivery](/blog/why-is-email-deliverability-important-for-online-businesses/) due to network latency. This delay can negatively impact **time-sensitive communications**. [Spam filters](https://www.techradar.com/pro/ai-arms-race-the-evolving-battle-between-email-spam-and-spam-filters) often view **high network latency** as a sign of poorly configured or suspicious servers. As a result, they may flag your [emails as spam](https://cybernews.com/news/microsofts-breach-notification-emails-end-up-in-spam-folder/) or even reject them, regardless of the SPF check. Additionally, network latency can slow down the **SMTP handshake**, which is the process that establishes a secure connection between the sending and receiving [mail servers](https://www.cloudflare.com/learning/email-security/what-is-a-mail-server/). This further contributes to delays in email delivery. ![unauthorized emails](https://media.mailhop.org/dmarcreport/images/2024/11/what-is-dmarc-7812.jpg) ## Structure of an SPF record An SPF record consists of three parts- 1. _The declaration that it’s an SPF record._ 2. Mail servers and [IP addresses](https://www.nbcnews.com/news/us-news/internet-now-officially-too-big-ip-addresses-run-out-n386081) you allow to be used to send emails from your domain. 3. An **enforcement rule**. Here’s an example of a standard SPF record, _v=spf1 include:spf.protection.outlook.com -all_ _When a server receives an email from your domain, it checks the corresponding SPF record_. If the sender’s email server was a [Microsoft 365 server](https://www.acecloudhosting.com/knowledgebase/how-to-activate-microsoft-office-365-on-the-server/), the message is accepted. However, if the sending server was your old email system or a [malicious system](https://www.gmanetwork.com/news/topstories/nation/914211/dnd-fake-video-of-marcos-a-maliciously-crude-destab-attempt/story/) on the internet, the SPF verification will fail. In this case, the email will be subjected to the **enforcement rule**, either an [SPF Soft fail (\~all) or an SPF Hard fail (-all](/blog/spf-softfail-or-spf-hardfail-whats-right-for-your-domain/)). ## The right SPF record structure This table is particularly useful if you are not using [Exchange Online email for Microsoft 365](https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-mistakenly-tags-emails-as-malware/). | If you are using | Purpose | ‘Includes’ to add | | -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | All email systems (required) | It specifies the SPF version being used. All SPF records begin with this. | v=spf1 | | Exchange online (common) | Use with Exchange Online only | include:spf.protection.outlook.com | | Third-party email system (less common) | Like Gmail, [Amazon SES](https://dmarc.temp927.kinsta.cloud/blog/learning-to-configure-spf-for-amazon-ses/) | include:\_spf.google.com \~all | | On-premises mail system (less common) | For [Exchange Online Protection](https://www.spikenow.com/glossary/email/eop/) or Exchange Online plus another mail system | ip4:<0.0.0.0>ip6:< : : >include:The value in brackets (<>) should be other mail systems that send email for your domain. | | All email systems (required) | \-all | | We suggest you pair SPF with [DKIM](/dmarc-fundamentals/what-is-dkim/) and [DMARC](/) for the best protection against spoofing. Indulging in best **email protection practices** also increases the domain’s integrity and engagement rate of [marketing campaigns](https://www.investopedia.com/terms/m/marketing-campaign.asp). [Get started with DMARC with us](/contact/). ## Topics [ dkim ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ dns record ](/tags/dns-record/)[ SPF ](/tags/spf/) ![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Take control of your DMARC reports Turn raw XML into actionable dashboards. Start free - no credit card required. [Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) ## Related Articles [ Uncategorized 8m Best DMARC Tools for 2025 Oct 9, 2025 ](/blog/best-dmarc-tools-for-2025/)[ Uncategorized 13m What are the best practices for setting a strict DMARC policy when sending to Gmail addresses? Mar 12, 2026 ](/blog/best-practices-setting-strict-dmarc-policy-sending-gmail-addresses/)[ Uncategorized 11m Complete Guide to Setting Up a DMARC Policy for Gmail Domains Mar 16, 2026 ](/blog/complete-guide-to-setting-dmarc-policy-for-gmail-domains/)[ Uncategorized 12m Comprehensive Guide To DMARC Monitoring Services For Msps And Service Providers Aug 26, 2025 ](/blog/comprehensive-guide-to-dmarc-monitoring-for-msps-and-service-providers/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"External DNS records required for SPF in Microsoft 365","description":"DMARC Report External DNS records required for SPF in Microsoft 365 Play Episode Pause Episode Mute/Unmute Episode Rewind 10 Seconds 1x Fast Forward 30 seconds.","url":"https://dmarcreport.com/blog/external-dns-records-required-for-spf-in-microsoft-365/","datePublished":"2024-11-08T20:36:02.000Z","dateModified":"2025-06-10T11:54:21.000Z","dateCreated":"2024-11-08T20:36:02.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/external-dns-records-required-for-spf-in-microsoft-365/"},"articleSection":"uncategorized","keywords":"dkim, DMARC, dns record, SPF","wordCount":581,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2024/11/dmarc-record-7812.jpg","caption":"unauthorized emails","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Uncategorized","item":"https://dmarcreport.com/uncategorized/"},{"@type":"ListItem","position":4,"name":"External DNS records required for SPF in Microsoft 365","item":"https://dmarcreport.com/blog/external-dns-records-required-for-spf-in-microsoft-365/"}]} ```