DNS records

External DNS records required for SPF in Microsoft 365


SPF records are DNS TXT records that help keep unauthorized email sent under your domain from landing in recipients’ inboxes. This reduces the chance that someone is duped into believing an official representative of your company is writing to them, asking for sensitive details or a money transfer.

A domain may have only one SPF record. A single SPF record can contain multiple inclusions; however, you should make sure the total number of DNS lookups it triggers is at most 10.

Why is there a DNS lookup limit of 10?

Staying within the DNS lookup limit of 10 matters because exceeding it produces an SPF PermError: SPF validation fails and receiving servers treat your SPF record as invalid altogether.

The DNS lookup limit exists for two primary reasons: DNS query overhead and network latency.

DNS query overhead

Upon receiving an email from your domain, the recipient’s server retrieves the SPF record for your domain. Evaluating that record means sending queries to DNS, and the process often involves several lookups. If unlimited DNS lookups were allowed, DNS servers could be bombarded with requests, leading to technical issues or frequent outages. The DNS lookup limit exists to avoid these problems.

Network latency

Excessive DNS lookups in your SPF record can cause delays in email delivery due to network latency. This delay can negatively impact time-sensitive communications.

Spam filters often view high network latency as a sign of poorly configured or suspicious servers. As a result, they may flag your emails as spam or even reject them, regardless of the SPF check.

Additionally, network latency can slow down the SMTP handshake, which is the process that establishes a secure connection between the sending and receiving mail servers. This further contributes to delays in email delivery.

Structure of an SPF record

An SPF record consists of three parts:

  1. The declaration that it’s an SPF record.
  2. Mail servers and IP addresses you allow to be used to send emails from your domain. 
  3. An enforcement rule.

Here’s an example of a standard SPF record:

v=spf1 include:spf.protection.outlook.com -all

When a server receives an email from your domain, it checks the corresponding SPF record. If the sending server was a Microsoft 365 server, the message is accepted. However, if the sending server was your old email system or a malicious system on the internet, the SPF verification fails. In that case the message is subjected to the enforcement rule: either an SPF soft fail (~all) or an SPF hard fail (-all).
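The two points above (the three-part structure of a record and the 10-lookup limit) can be checked offline. The following is an added example, not code from the original post or from Microsoft: it parses an SPF record into its declaration, mechanisms and enforcement rule, then follows include: and redirect= references through a constructed, in-memory stand-in for DNS and counts every lookup-triggering term (include, a, mx, ptr, exists, redirect) per RFC 7208 section 4.6.4. All domain names and records in SAMPLE_DNS are constructed for the example.

```python
"""
Offline SPF record checker (added example, not from the original post).

Counts the mechanisms that trigger DNS lookups (include, a, mx, ptr, exists
and the redirect= modifier) across a record and the records it includes, and
reports whether the total exceeds the 10-lookup limit (RFC 7208, 4.6.4).
Real DNS is replaced by a constructed dictionary so the example runs offline.
"""
import re

# Terms that cost one DNS lookup each when the record is evaluated.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed sample zone: domain -> SPF TXT record. Names are hypothetical
# except spf.protection.outlook.com, which is the include from the post;
# its record contents here are made up for the example.
SAMPLE_DNS = {
    "example.com": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    # A record that chains many includes and will exceed the limit.
    "bloated.example": "v=spf1 "
    + " ".join(f"include:svc{i}.example" for i in range(6))
    + " ~all",
    **{f"svc{i}.example": "v=spf1 a mx -all" for i in range(6)},
}

# qualifier (+ - ~ ?), term name, optional argument after ':', '=' or '/'.
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)


def parse_record(record):
    """Split an SPF TXT record into (qualifier, name, argument) terms.

    Raises ValueError if the record lacks the v=spf1 declaration or contains
    a term that does not follow the qualifier/name/argument shape.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 declaration")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"malformed term: {term}")
        qualifier = m.group(1) or "+"  # '+' (pass) is the default qualifier
        parsed.append((qualifier, m.group(2).lower(), m.group(3)))
    return parsed


def count_lookups(domain, dns, _depth=0):
    """Return (total_lookups, enforcement) for a domain's SPF record.

    Follows include:/redirect= targets recursively; a nested record's
    lookups are added on top of the one lookup the include itself costs.
    """
    if _depth > MAX_LOOKUPS:
        raise ValueError("include/redirect chain too deep")
    record = dns.get(domain.lower())
    if record is None:
        # A referenced domain with no SPF record is a PermError in real SPF.
        raise LookupError(f"no SPF record for {domain}")
    total, enforcement = 0, None
    for qualifier, name, arg in parse_record(record):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and arg:
            nested, _ = count_lookups(arg, dns, _depth + 1)
            total += nested
        elif name == "all":
            enforcement = qualifier + "all"  # e.g. "-all" or "~all"
    return total, enforcement


def check(domain, dns=SAMPLE_DNS):
    """Summarise a domain's SPF record against the 10-lookup limit."""
    lookups, enforcement = count_lookups(domain, dns)
    return {
        "domain": domain,
        "lookups": lookups,
        "within_limit": lookups <= MAX_LOOKUPS,
        "enforcement": enforcement,
    }


if __name__ == "__main__":
    for name in ("example.com", "bloated.example"):
        print(check(name))
```

Run against a live zone you would replace SAMPLE_DNS with a TXT resolver, but the counting rule stays the same: the Microsoft 365 record in the post costs a single lookup, while a chain of includes that each pull in a and mx mechanisms blows past the limit long before the list looks long.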

The right SPF record structure

This table is particularly useful if you are not using Exchange Online email for Microsoft 365.

If you are using                        | Purpose                                                                      | ‘Includes’ to add
All email systems (required)            | Specifies the SPF version being used; every SPF record begins with this.     | v=spf1
Exchange Online (common)                | Use with Exchange Online only.                                               | include:spf.protection.outlook.com
Third-party email system (less common)  | For example Gmail or Amazon SES.                                             | include:_spf.google.com ~all
On-premises mail system (less common)   | For Exchange Online Protection, or Exchange Online plus another mail system. | ip4:<0.0.0.0> ip6:<::> include:<spf.protection.outlook.com> (the values in angle brackets are the other mail systems that send email for your domain)
All email systems (required)            | The enforcement rule.                                                        | -all

We suggest you pair SPF with DKIM and DMARC for the best protection against spoofing. Following email protection best practices also strengthens your domain’s integrity and improves the engagement rate of marketing campaigns. Get started with DMARC with us.
